Convert CentOS 7 FirewallD to iptables

On CentOS 7, the default firewall is firewalld. It is only a management daemon that generates iptables rules underneath (zones, services and a D-Bus/CLI interface on top of netfilter), and its abstractions get in the way when you want precise, ordered rules or anything beyond "open this port".

You can fix this by getting rid of firewalld and using iptables rules only. Do not uninstall firewalld, though: on CentOS 7 the EPEL fail2ban package depends on it (through its fail2ban-firewalld subpackage), so yum remove firewalld would take fail2ban with it. That can be worked around, but here we simply stop, disable and mask firewalld.


Convert to iptables

Run the following commands as root, in this order.

  1. Save your existing firewall rules. Use iptables-save rather than iptables -S: it dumps every table (firewalld also populates nat, mangle and raw) and its output is already in the format that iptables-restore, and therefore /etc/sysconfig/iptables, expects, with the *filter header and the closing COMMIT.
    iptables-save | tee ~/fwd_oldiptables.rules
  2. Install iptables services
    yum install iptables-services
  3. Create a new ruleset from your old one
    cat ~/fwd_oldiptables.rules > /etc/sysconfig/iptables
  4. And edit it if needed. The saved file is full of firewalld's own chains (IN_public, INPUT_ZONES and friends); prune them, or replace the whole file with the ruleset in the next section.
  5. Stop and disable your firewalld
    systemctl stop firewalld
    systemctl disable firewalld
    systemctl mask firewalld
  6. Enable and start iptables
    systemctl enable iptables
    systemctl start iptables
  7. Check firewalld status; it should now print "not running"
    firewall-cmd --state
  8. Do not forget IPv6. firewalld was filtering both address families, and once it stops, ip6tables is left with empty chains and ACCEPT policies. iptables-services also ships ip6tables.service, which reads /etc/sysconfig/ip6tables; put an equivalent ruleset there and enable it
    systemctl enable ip6tables
    systemctl start ip6tables

iptables Rules

Remember the basic principle of all good firewalls – DENY ALL, ALLOW SOME.

First, make a list of the service ports you need open. SSH (port 22) and ICMP (ping, plus the error messages that traceroute and path-MTU discovery rely on) are a good starting point. While we are at it, let's rate-limit ICMP echo requests so that we are less susceptible to a ping flood. We must also let replies to connections our server initiated back in, with an ACCEPT for RELATED or ESTABLISHED traffic; that rule also covers ICMP error messages, which conntrack marks as RELATED. All OUTBOUND traffic is OK and all FORWARD traffic gets dropped, as we are not a router.

Put the following in /etc/sysconfig/iptables. The file is loaded by iptables-restore, which needs the table name (*filter) on the first line and COMMIT on the last; everything in between is ordinary iptables syntax, and lines starting with # are ignored. Note that the INPUT policy stays ACCEPT and the last rule does the denying. That makes a bare iptables -F leave the host wide open; if you would rather fail closed, set the INPUT policy to DROP and remove the final -A INPUT -j DROP rule.

*filter
### Set Policies ###
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
### Set Rules ###
## Local Loop ##
-A INPUT -i lo -j ACCEPT
## Returning Traffic (also admits ICMP errors, which conntrack marks RELATED) ##
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
## ICMP: no address-mask or timestamp replies; echo requests at 1/s (default burst 5) ##
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
## SSH ##
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
## Deny all else (echo requests over the limit fall through to here) ##
-A INPUT -j DROP
COMMIT

Check that the file parses before loading it, then load it:

iptables-restore --test < /etc/sysconfig/iptables
systemctl restart iptables

You can check your rules, with per-rule packet and byte counters, with

iptables -nvL

As a test, you can run

ping -f -c 100 x.x.x.x

where x.x.x.x is your server's IP. Do this from a different machine, and run the ping command as root (ping -f needs root, since unprivileged users may not send faster than one packet per 200 ms). The limit match allows an initial burst of 5 and then 1 packet per second, so only a handful of the 100 flood pings get answered and you should see a high rate of packet loss. Then try a normal ping and you should see no loss. You can raise the acceptable ping rate if you need to: between 1 and 5 per second is fine, although most legitimate tests never need more than 1 ping per second.
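The conversion steps and the ruleset above, folded into one script with the two safety nets a practitioner wants before cutting over a remote box: the new file is validated before anything is touched, and a rollback timer restores the saved rules unless you confirm from a fresh SSH session. This is an added example, not code from the original article. The variable names (SSH_PORT, ROLLBACK_SECS and so on), the backup directory under /root and the /run/fw-cutover-ok marker file are this script's own choices; unlike the article's file it makes DROP the INPUT policy and uses the conntrack match, it covers IPv4 only, and it leaves /etc/sysconfig/ip6tables to you.

```shell
#!/bin/bash
# Added example for this article, not code from the original page. It automates
# the cutover with two safety nets the manual steps lack: the new file is parsed
# before it replaces anything, and the old ruleset comes back by timer unless
# you confirm from a new SSH session. Variable names, the backup directory and
# the /run/fw-cutover-ok marker are this script's own assumptions.
set -u

RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"
BACKUP_DIR="${BACKUP_DIR:-/root/fw-backup}"
SSH_PORT="${SSH_PORT:-22}"
PING_RATE="${PING_RATE:-1/second}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# Minimal default-deny IPv4 ruleset in iptables-restore format. Unlike the
# article's file it makes DROP the INPUT policy itself (a flush then fails
# closed, not open) and uses conntrack, the current name of the state match.
write_ruleset() {
  cat > "$1" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit ${PING_RATE} --limit-burst 5 -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Structural check: every *table must be closed by COMMIT, rules may only
# appear inside a table, and a filter table must exist. Raw "iptables -S"
# output has none of that, so pasting it into the file is caught here.
lint_ruleset() {
  awk '
    /^\*/ {
      if (open) { print "table " name " not closed by COMMIT"; bad = 1 }
      open = 1; name = substr($0, 2)
      if (name == "filter") seen = 1
      next
    }
    /^COMMIT$/ {
      if (!open) { print "COMMIT outside a table"; bad = 1 }
      open = 0; next
    }
    /^[-:]/ {
      if (!open) { print "rule before any *table line: " $0; bad = 1 }
    }
    END {
      if (open)  { print "last table not closed by COMMIT"; bad = 1 }
      if (!seen) { print "no *filter table"; bad = 1 }
      exit bad
    }' "$1"
}

# Full check: structure first, then the real parser in dry-run mode (root only).
check_ruleset() {
  lint_ruleset "$1" || return 1
  if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    iptables-restore --test < "$1"
  fi
}

cutover() {
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$BACKUP_DIR"
  # iptables-save, not iptables -S: all tables, already in restore format.
  iptables-save  > "$BACKUP_DIR/iptables-$stamp.rules"
  ip6tables-save > "$BACKUP_DIR/ip6tables-$stamp.rules"
  write_ruleset "$BACKUP_DIR/new-$stamp.rules"
  check_ruleset "$BACKUP_DIR/new-$stamp.rules" || {
    echo "new ruleset rejected, nothing changed" >&2; return 1; }

  yum -y -q install iptables-services
  systemctl stop firewalld && systemctl disable firewalld && systemctl mask firewalld
  cp "$BACKUP_DIR/new-$stamp.rules" "$RULES_FILE"
  systemctl enable iptables && systemctl restart iptables

  # Lockout guard: survives this SSH session dying and restores the saved
  # rules unless the marker file appears. Confirm with: touch /run/fw-cutover-ok
  rm -f /run/fw-cutover-ok
  nohup sh -c "sleep $ROLLBACK_SECS; [ -e /run/fw-cutover-ok ] || \
    iptables-restore < '$BACKUP_DIR/iptables-$stamp.rules'" >/dev/null 2>&1 &
  echo "rules live; touch /run/fw-cutover-ok within ${ROLLBACK_SECS}s to keep them"
}

if [ "${1:-}" = "run" ]; then cutover; fi
```

Run it as root with bash fw-cutover.sh run; once a new SSH session works, touch /run/fw-cutover-ok before the timer expires. lint_ruleset is also useful on its own for checking a hand-edited /etc/sysconfig/iptables before systemctl restart iptables.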


Fixing fail2ban

The EPEL fail2ban package for CentOS 7 is set up to ban through firewalld. To change this, we have to change the default ban action (banaction) in our jail definitions.

First, copy the file /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local with the command below. (fail2ban's own advice is to keep only your overrides in jail.local, because a full copy shadows any new defaults a package update brings; a jail.local holding just a [DEFAULT] section with the two banaction lines below works as well.)

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now use your favourite editor (vi, vim, pico, nano or joe) to edit the jail.local file. Find the lines that read:

banaction = firewallcmd-multiport
banaction_allports = firewallcmd-allports

The exact action names may differ (firewallcmd-ipset, for example), but the important part is banaction = firewallcmd. Depending on the package version these defaults live in jail.conf or in a drop-in that fail2ban-firewalld installs under /etc/fail2ban/jail.d; grep -r banaction /etc/fail2ban/jail.conf /etc/fail2ban/jail.d shows where. If jail.local does not contain them, add them to its [DEFAULT] section. Either way the jail.local values win, because fail2ban reads jail.conf, then jail.d/*.conf, then jail.local, and last jail.d/*.local. Change those two lines to read as follows:

banaction = iptables-multiport
banaction_allports = iptables-allports

Next, we must activate the sshd jail (fail2ban 0.9 and later name it [sshd], not [ssh]). We can do this in one of two ways.

  1. Move down in our jail.local file until we locate the [sshd] block marker (not the example at the beginning of the file) and insert
    enabled = true
    directly below it.

    OR

  2. Cut the [sshd] block, with its attendant lines, out of the jail.local file and paste it into a new file /etc/fail2ban/jail.d/sshd.conf (the [sshd] section in jail.conf stays as it is; jail.d files are layered on top of it). Remember to add enabled = true below the [sshd] block marker. The sshd.conf file should contain the following:
    [sshd]
    enabled = true
    port = ssh
    logpath = %(sshd_log)s
    backend = %(sshd_backend)s

You may now restart the fail2ban service by running

systemctl restart fail2ban

Check that it works by running the following

iptables -nvL |grep f2b

You should see a few rules appear: an f2b-sshd chain, and a jump to it from INPUT for the SSH port.
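The same change written as drop-in files, plus a way to prove that a ban really reaches iptables rather than only showing up in fail2ban's own status. This is an added example, not code from the original article; fail2ban-client, the jail name sshd and the f2b-sshd chain are the stock names, while TEST_IP (an RFC 5737 documentation address), the directory argument and the function names are this example's own.

```shell
#!/bin/bash
# Added example, not part of the original article: apply the fail2ban change as
# override files only and prove that a ban lands in iptables. The directory
# argument is /etc/fail2ban on a real host; TEST_IP is a documentation address
# chosen for this example.
set -u
TEST_IP="${TEST_IP:-203.0.113.10}"

# Overrides only, instead of a full copy of jail.conf: a full copy shadows any
# new defaults a package update ships. fail2ban reads jail.conf, jail.d/*.conf,
# jail.local and jail.d/*.local in that order, so these settings beat a
# firewallcmd default that lives in jail.conf or in jail.d/*.conf.
write_overrides() {
  mkdir -p "$1/jail.d"
  cat > "$1/jail.local" <<'EOF'
[DEFAULT]
banaction = iptables-multiport
banaction_allports = iptables-allports
EOF
  cat > "$1/jail.d/sshd.local" <<'EOF'
[sshd]
enabled = true
EOF
}

# The only files read after jail.local are jail.d/*.local, so they are the
# only place that can still switch banaction back to firewalld. List any.
find_firewallcmd_overrides() {
  grep -l '^[[:space:]]*banaction[[:space:]]*=.*firewallcmd' \
    "$1"/jail.d/*.local 2>/dev/null || true
}

# With iptables-multiport a ban is one rule in the jail's chain:
#   -A f2b-<jail> -s <ip>/32 -j REJECT --reject-with icmp-port-unreachable
# Read "iptables -S f2b-<jail>" output on stdin; succeed if IP is banned.
chain_bans_ip() {
  grep -q "^-A f2b-$1 -s $2/32 -j REJECT"
}

# End-to-end check (root, fail2ban running): ban a test address through
# fail2ban, look for it in the kernel ruleset, then unban it again.
verify_ban() {
  fail2ban-client set sshd banip "$TEST_IP" >/dev/null
  if iptables -S f2b-sshd | chain_bans_ip sshd "$TEST_IP"; then rc=0; else rc=1; fi
  fail2ban-client set sshd unbanip "$TEST_IP" >/dev/null
  return $rc
}

if [ "${1:-}" = "apply" ]; then
  write_overrides /etc/fail2ban
  leftovers=$(find_firewallcmd_overrides /etc/fail2ban)
  [ -z "$leftovers" ] || echo "warning: firewallcmd banaction still set in: $leftovers" >&2
  systemctl restart fail2ban && verify_ban && echo "ban reaches iptables: OK"
fi
```

Run bash f2b-iptables.sh apply as root. If verify_ban fails, fail2ban accepted the ban but iptables never saw it, which almost always means a later file is resetting banaction; the warning line names it.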

Happy Hosting!
