RHEL 7 / CentOS 7 Disable Firewalld and use iptables

Firewalld is a bit complicated, so it is better to continue with iptables.

Here I am describing how to disable Firewalld and use iptables.

1. Disable Firewalld Service.

[root@rhel-centos7-tejas-barot-linux ~]# systemctl mask firewalld

2. Stop Firewalld Service.

[root@rhel-centos7-tejas-barot-linux ~]# systemctl stop firewalld

3. Install iptables service related packages.

[root@rhel-centos7-tejas-barot-linux ~]# yum -y install iptables-services

4. Make sure service starts at boot:

[root@rhel-centos7-tejas-barot-linux ~]# systemctl enable iptables

# If you do not want ip6tables, you can skip the following command.

[root@rhel-centos7-tejas-barot-linux ~]# systemctl enable ip6tables

5. Now, finally, let's start the iptables services.

[root@rhel-centos7-tejas-barot-linux ~]# systemctl start iptables

# If you do not want ip6tables, you can skip the following command.

[root@rhel-centos7-tejas-barot-linux ~]# systemctl start ip6tables

The Firewalld service is now disabled and stopped; you can use iptables.

IPtables Rules

1. Displaying the Status of Your Firewall

iptables -L -n -v

===

-L : List rules.
-v : Display detailed information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix ‘K’, ‘M’ or ‘G’ for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
-n : Display IP address and port in numeric format. Do not use DNS to resolve names. This will speed up listing.

==

To display the INPUT or OUTPUT chain rules:

iptables -L INPUT -n -v --line-numbers

iptables -L OUTPUT -n -v --line-numbers
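The listing format above is easier to act on when the counters are pulled out by rule. The following is an added example, not code from the original post: a small POSIX shell/awk parser for the output of iptables -L INPUT -n -v --line-numbers that reports every DROP rule with its packet count (expanding the K/M/G suffixes described under -v) and flags DROP rules that have never matched. The listing it runs on is constructed, not captured from a real host, and uses documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the original post): parse `iptables -L INPUT -n -v --line-numbers`
# output and report DROP rules with their hit counts. The listing below is constructed,
# not captured from a real host; the addresses are documentation ranges.
SAMPLE_LISTING='Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       10   600 DROP       all  --  eth0   *       203.0.113.7          0.0.0.0/0
2      340 27200 ACCEPT     tcp  --  eth0   *       192.168.100.0/24     0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
3        0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
4    2100K  130M DROP       all  --  eth0   *       198.51.100.0/24      0.0.0.0/0'

# drop_hits: read a listing on stdin, print "num target source packets" for every DROP rule.
drop_hits() {
    awk '
        # expand a -v counter such as 2100K into a plain number; plain numbers pass through
        function expand(v,    n, s) {
            n = v + 0                      # awk keeps the leading numeric part of the string
            s = substr(v, length(v), 1)
            if (s == "K") n *= 1000
            else if (s == "M") n *= 1000000
            else if (s == "G") n *= 1000000000
            return n
        }
        /^Chain / || /^num / { next }      # skip the two header lines
        $4 == "DROP" { printf "%s %s %s %.0f\n", $1, $4, $9, expand($2) }
    '
}

# idle_drops: DROP rules that have never matched a packet, which usually means the rule
# is in the wrong place (wrong interface or address, or an earlier rule matches first).
idle_drops() {
    drop_hits | awk '$4 == 0'
}

# Stand-alone demo on the constructed listing
printf '%s\n' "$SAMPLE_LISTING" | drop_hits
echo "-- DROP rules with zero hits:"
printf '%s\n' "$SAMPLE_LISTING" | idle_drops
```

On a live host, replace the constructed variable with iptables -L INPUT -n -v --line-numbers | drop_hits. A DROP rule that stays at zero after traffic you expected it to block is the first thing to check against the chain order.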

2. Delete Existing Rules

iptables -F (or iptables --flush)

3. How to block an IP Address.

iptables -A INPUT -s "IP ADDRESS" -j DROP

iptables -A INPUT -i eth0 -s "IP ADDRESS" -j DROP  (restricted to interface eth0)

iptables -A INPUT -i eth0 -p tcp -s "IP ADDRESS" -j DROP  (restricted to interface eth0 and protocol tcp)

4. Allow ALL Incoming SSH

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

5. Allow Incoming SSH only from a Specific Network

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

The syntax to block an incoming port using iptables is as follows:

/sbin/iptables -A INPUT -p tcp --destination-port {PORT-NUMBER-HERE} -j DROP

### restricted to interface eth1 ###
/sbin/iptables -A INPUT -i eth1 -p tcp --destination-port {PORT-NUMBER-HERE} -j DROP

### only drop the port for a given IP or subnet ###
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -s {IP-ADDRESS-HERE} -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -s {IP/SUBNET-HERE} -j DROP
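Typed one at a time, the rules from sections 3 to 5 and the port-block syntax above are easy to get in the wrong order, and they do not survive a reboot: the iptables-services package installed in step 3 loads /etc/sysconfig/iptables when the service starts, and anything entered only at the prompt is gone afterwards. The following is an added example, not code from the original post: it writes those rules as one iptables-restore file with the loopback and ESTABLISHED,RELATED accepts placed before any DROP (so an existing SSH session is not cut off when the file is loaded), then checks the file's shape and ordering before it is ever applied. The blocked host 203.0.113.7, the port 23 and the interface eth0 are constructed sample values; 192.168.100.0/24 is the admin network from section 5.

```shell
#!/bin/sh
# Added example (not from the original post): generate the rules from sections 3-5 and the
# port-block syntax as one iptables-restore file, ordered so the administrator is not locked
# out, then sanity-check the file before it is loaded. Addresses, port and interface below
# are constructed sample values.

# build_ruleset OUTFILE BLOCKED_IP ADMIN_NET BLOCKED_PORT [IFACE]
build_ruleset() {
    out=$1
    blocked_ip=$2
    admin_net=$3
    blocked_port=$4
    iface=${5:-eth0}
    # iptables-restore ignores lines that start with '#', so the comments can stay in the file.
    cat > "$out" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections we already have, before any DROP rule
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# section 3: drop everything from one blocked host
-A INPUT -i $iface -s $blocked_ip -j DROP
# section 5: new SSH connections only from the admin network
-A INPUT -i $iface -p tcp -s $admin_net --dport 22 -m state --state NEW -j ACCEPT
# explicit drop for one port (the INPUT policy already drops it; the rule gives it its own counter)
-A INPUT -i $iface -p tcp --dport $blocked_port -j DROP
COMMIT
EOF
}

# check_ruleset FILE: returns 0 when the file has the shape iptables-restore expects
# and the stateful ACCEPT precedes the first DROP rule, 1 otherwise.
check_ruleset() {
    f=$1
    [ "$(head -n 1 "$f")" = "*filter" ] || return 1
    [ "$(tail -n 1 "$f")" = "COMMIT" ] || return 1
    est=$(grep -n -- '--state ESTABLISHED,RELATED -j ACCEPT' "$f" | head -n 1 | cut -d: -f1)
    drop=$(grep -n -- '-j DROP' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ]
}

# rule_count FILE: number of -A rules in the file
rule_count() {
    grep -c '^-A ' "$1"
}

# Stand-alone demo with constructed values: the file is written and checked, never loaded.
demo_out=${DEMO_RULES_FILE:-/tmp/iptables-rules.example}
build_ruleset "$demo_out" 203.0.113.7 192.168.100.0/24 23 eth0
if check_ruleset "$demo_out"; then
    echo "wrote $(rule_count "$demo_out") rules to $demo_out; sanity checks passed"
fi
```

To apply the checked file on the host, load it with iptables-restore < FILE (from a console session, or from an SSH session that the ESTABLISHED,RELATED rule keeps alive), then copy it to /etc/sysconfig/iptables so that systemctl start iptables reloads it at boot. Because the INPUT policy is DROP, the iptables -F from section 2 empties the chain but leaves that policy in place, so run it only with console access or after changing the policy to ACCEPT first.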