153

I installed CentOS 7 with a minimal configuration (OS + dev tools). I am trying to open port 80 for the httpd service, but something is wrong with my iptables service... What's wrong with it? What am I doing wrong?

# ifconfig/sbin/service iptables save
bash: ifconfig/sbin/service: No such file or directory


# /sbin/service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.

# sudo service iptables status
Redirecting to /bin/systemctl status  iptables.service
iptables.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

# /sbin/service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.

# sudo service iptables start
Redirecting to /bin/systemctl start  iptables.service
Failed to issue method call: Unit iptables.service failed to load: No such file or directory.
peterh
Meiblorn
  • try this /etc/init.d/iptables save – Satya Jul 15 '14 at 10:54
  • I got the answer [here](http://serverfault.com/questions/470287/how-to-enable-iptables-instead-of-firewalld-services-on-rhel-7-and-fedora-18). RHEL 7 uses **firewalld** instead of **iptables** – Meiblorn Jul 15 '14 at 12:01
  • IMO firewalld is more user friendly than iptables. First install and start firewalld service `sudo yum install -y firewalld && sudo systemctl start firewalld`. Then add service HTTP `sudo firewall-cmd --permanent --add-service=http` (also add service _https_ to open port 443 if needed). And finally load new configuration into firewalld `sudo firewall-cmd --reload` – Takman Mar 15 '21 at 08:26

9 Answers

342

With RHEL 7 / CentOS 7, firewalld was introduced to manage iptables. IMHO, firewalld is more suited for workstations than for server environments.

It is possible to go back to a more classic iptables setup. First, stop and mask the firewalld service:

systemctl stop firewalld
systemctl mask firewalld

Then, install the iptables-services package:

yum install iptables-services

Enable the service at boot-time:

systemctl enable iptables

Managing the service:

systemctl [stop|start|restart] iptables

Saving your firewall rules can be done as follows:

service iptables save

or

/usr/libexec/iptables/iptables.init save
Sgaduuw
  • It's not saving the iptables. Rebooting the server loses all changes. – roosevelt Jul 20 '14 at 05:37
  • On my system the iptables are saved correctly. Have you made sure the iptables service is started at boot? You can do this by running 'systemctl enable iptables' – Sgaduuw Jul 21 '14 at 10:01
  • You may also have firewalld running which will add additional iptables rules to the list (every time you reboot the system). To stop firewalld run "systemctl mask firewalld" – TroodoN-Mike Aug 16 '14 at 06:12
  • Added the info about masking firewalld to the answer, as @TroodoN-Mike suggested – Sgaduuw Aug 29 '14 at 07:31
  • Great post, but do you think its worth investing in learning how firewalld or shorewall does things instead of iptables? (to me iptables just seems straight forward though) – wired00 Sep 23 '14 at 12:44
  • @wired00 sure, it never hurts to diversify and learn new stuff, though never lose track of the basic commands and concepts that are used by the higher level tools that make life easy. – Sgaduuw Oct 06 '14 at 12:00
  • @Sgaduuw Can you please elaborate on why you think firewalld is not/less suitable for servers? – Alexander Groß Nov 17 '14 at 16:35
  • After `yum install iptables`, when I do `systemctl enable iptables`, it shows me an error: "Failed to execute operation: No such file or directory". I'm logged in as root user. What could be the issue? – PKHunter Apr 01 '17 at 07:50
  • @PKHunter iptables and iptables-service are two different things. You will have to do `yum install iptables-services` as well. – Rumesh Eranga Hapuarachchi Jan 31 '19 at 09:33
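As an added example that is not code from Sgaduuw's answer or from the iptables-services package, the POSIX shell script below writes the kind of baseline rules file that `iptables-services` loads from /etc/sysconfig/iptables at boot (default-deny INPUT, with SSH and port 80 admitted), checks that the file actually opens port 80 and keeps the DROP policy, and filters Docker's dynamically generated chains out of an `iptables-save` dump before it is persisted. The `RULES_FILE` default, the `172.17.0.2` container address and the whole sample dump are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the answer above or from iptables-services.
# Builds a baseline rules file in the format that iptables-restore reads from
# /etc/sysconfig/iptables at boot, and filters Docker's dynamic chains out of an
# iptables-save dump before saving. RULES_FILE is an assumed location; on a real
# host point it at /etc/sysconfig/iptables (the local default is harmless).
RULES_FILE="${RULES_FILE:-./iptables.sample}"

# Write a default-deny INPUT policy that admits loopback, established traffic,
# ICMP, SSH and HTTP. Every other inbound connection attempt is dropped.
write_baseline_rules() {
  cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT
COMMIT
EOF
}

# Return 0 when the rules file has an INPUT ACCEPT rule for the given TCP port.
port_is_open() {
  grep -qE "^-A INPUT .*-p tcp .*--dport $2 -j ACCEPT\$" "$1"
}

# Return 0 when the INPUT chain's policy in the file is DROP.
input_default_drop() {
  grep -q '^:INPUT DROP ' "$1"
}

# Drop the chains and jumps that Docker recreates on every daemon start.
# Persisting them bakes stale container addresses into the boot-time ruleset.
strip_docker_rules() {
  grep -vE 'DOCKER|docker0'
}

# Constructed sample of what iptables-save prints on a host running Docker.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp --dport 80 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5000 -j ACCEPT
COMMIT'

# Number of sample lines that survive the Docker filter (quick self-check).
surviving_lines() {
  printf '%s\n' "$SAMPLE_DUMP" | strip_docker_rules | grep -c ''
}

# On a real host, "iptables-save | strip_docker_rules > /etc/sysconfig/iptables"
# is the curated alternative to "service iptables save".
write_baseline_rules "$RULES_FILE"
port_is_open "$RULES_FILE" 80 && echo "port 80 is open in $RULES_FILE"
echo "$(surviving_lines) of 11 sample lines kept after stripping Docker rules"
```

Before copying a generated file into place, `iptables-restore --test < file` parses it without committing, which catches a malformed line before the next reboot would leave the host without its firewall.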
103

RHEL and CentOS 7 use firewall-cmd instead of iptables. You should use this kind of command:

# add ssh port as permanent opened port
firewall-cmd --zone=public --add-port=22/tcp --permanent

Then you can reload the rules to be sure that everything is OK:

firewall-cmd --reload

This is better than using iptables-save, especially if you plan to use LXC or Docker containers. Launching Docker services will add some rules that the iptables-save command will print. If you save the result, you will have a lot of rules that should NOT be saved, because Docker containers can change their IP addresses at the next reboot.

Firewall-cmd with permanent option is better for that.

Check "man firewall-cmd" or the official firewalld docs to see the options. There are a lot of options to check zones, configuration, how it works... The man page is really complete.

I strongly recommend not using iptables-services since CentOS 7.

mikemaccana
Metal3d
  • firewall-cmd --reload is not working. I had to restart using "systemctl restart firewalld" for changes to take effect. – Basil Musa Nov 11 '15 at 09:33
  • "Because firewalld is dynamic, changes to its configuration can be made at any time, and are implemented immediately. No part of the firewall needs to be reloaded, so there is no unintentional disruption of existing network connections" -- from [the official firewalld docs](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Migration_Planning_Guide/sect-Red_Hat_Enterprise_Linux-Migration_Planning_Guide-Security_and_Access_Control.html) – yicone Jul 20 '16 at 14:23
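The two comments above disagree about whether a `--permanent` change is live. As an added example that is not part of Metal3d's answer or of firewalld itself, the POSIX shell function below compares the runtime and permanent service lists of a zone, the way `firewall-cmd --list-services` and `firewall-cmd --permanent --list-services` print them, and reports both directions of drift: a permanent entry not yet loaded (reload still needed) and a runtime-only entry that the next reload or reboot will discard. The zone name `public` and the sample lists are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the answer above or from firewalld. Compares
# firewalld's runtime service list with its permanent one so that a --permanent
# change that has not been reloaded, or a runtime-only change that a reload would
# discard, is noticed before the host is assumed to be in the intended state.

# Arguments: the space-separated output of "firewall-cmd --list-services" and of
# "firewall-cmd --permanent --list-services". Prints each mismatch; returns 1
# when any drift exists, 0 when both lists agree.
firewalld_drift() {
  runtime=" $1 "
  permanent=" $2 "
  drift=0
  for s in $2; do
    case "$runtime" in
      *" $s "*) ;;
      *) echo "permanent only, not yet active (run firewall-cmd --reload): $s"; drift=1 ;;
    esac
  done
  for s in $1; do
    case "$permanent" in
      *" $s "*) ;;
      *) echo "runtime only, lost on reload or reboot (re-add with --permanent): $s"; drift=1 ;;
    esac
  done
  return $drift
}

# On a real host, feed the live lists for the zone in use (assumed here: public).
check_live_host() {
  firewalld_drift "$(firewall-cmd --zone=public --list-services)" \
                  "$(firewall-cmd --zone=public --permanent --list-services)"
}

# Constructed sample: http was added with --permanent but --reload was not run.
SAMPLE_RUNTIME="dhcpv6-client ssh"
SAMPLE_PERMANENT="dhcpv6-client http ssh"

if firewalld_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"; then
  echo "runtime and permanent configuration agree"
else
  echo "drift detected: port 80 is not open until the permanent config is loaded"
fi
```

Running `check_live_host` after every `--permanent` change (or from a periodic compliance job) turns the "did the reload really take?" question from the comments into a mechanical check rather than a guess.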
18

I had the problem that rebooting wouldn't start iptables.

This fixed it:

yum install iptables-services
systemctl mask firewalld
systemctl enable iptables
systemctl enable ip6tables
systemctl stop firewalld
systemctl start iptables
systemctl start ip6tables
par
  • On CentOS 7 doesn't work: `# systemctl start iptables` gives `Failed to start iptables.service: Unit not found.` And `# systemctl start ip6tables` gives `Failed to start ip6tables.service: Unit not found.` – PKHunter Mar 30 '17 at 11:57
18

Try the following command: iptables-save.

Lkopo
João Chambel
5

I modified the /etc/sysconfig/ip6tables-config file changing:

IP6TABLES_SAVE_ON_STOP="no"

To:

IP6TABLES_SAVE_ON_STOP="yes"

And this:

IP6TABLES_SAVE_ON_RESTART="no"

To:

IP6TABLES_SAVE_ON_RESTART="yes"

This seemed to save the changes I made using the iptables commands through a reboot.

bjb568
Dug
1

Put the iptables configuration in the traditional file and it will be loaded after boot:

/etc/sysconfig/iptables

BVB Media
1

Last month I tried to configure iptables on an LXC VM container, but every time after a reboot the iptables configuration was not automatically loaded.

The only way for me to get it working was by running the following command:

yum -y install iptables-services; systemctl disable firewalld; systemctl mask firewalld; service iptables restart; service iptables save

BVB Media
  • I believe that's because containers don't persist anything unless it's in a persistent volume on the host OS. Most of the container OS and config typically isn't in a volume, so is reset every time the container is restarted. – Graham Lea Dec 19 '20 at 04:53
0

And to add, you should also be able to do the same for ip6tables after running the systemctl mask firewalld command:

    systemctl start ip6tables.service
    systemctl enable ip6tables.service
jman594
0

If you do so, and you're using fail2ban, you will need to enable the proper filters/actions:

Put the following lines in /etc/fail2ban/jail.d/sshd.local

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/secure
maxretry = 5
bantime = 86400

Enable and start fail2ban:

systemctl enable fail2ban
systemctl start fail2ban

Reference: http://blog.iopsl.com/fail2ban-on-centos-7-to-protect-ssh-part-ii/

Sebas