Starting with RHEL 7 / CentOS 7, firewalld was introduced to manage iptables. As such, you will either need to use firewall-cmd commands or disable firewalld and enable iptables. If you prefer to use the classic iptables setup, then this article will show you how to do just that.
The first step is to stop and mask the firewalld service (i.e., the service you do not want to use):
$ systemctl stop firewalld
$ systemctl mask firewalld
Then, install the "iptables-services" package (if it is not already installed):
$ yum install iptables-services
Enable the service to start at boot-time:
$ systemctl enable iptables
$ systemctl enable ip6tables
You can now either add iptables rules from the CLI (e.g., `iptables -I INPUT ...`) or create/edit your /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files to look something like the following (very basic, with only ports 22 and 80 open):
$ cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [214:43782]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT

$ cat /etc/sysconfig/ip6tables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [214:43782]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
If you are saving your rules in the /etc/sysconfig/ip{,6}tables files, you will then need to run the following commands:
$ systemctl restart iptables
$ systemctl restart ip6tables
Next, check that the iptables service is "active" with:
$ systemctl status iptables
$ systemctl status ip6tables
Check your iptables rules with:
$ iptables -L
$ ip6tables -L
and that your server is listening on those ports you opened (22 and 80 in the above example):
$ netstat -plant
and you can query the systemd journal for a "log" of the changes you made to the iptables service with:
$ journalctl -f -u iptables.service
$ journalctl -f -u ip6tables.service
If you reboot your server after the above, your iptables rules should be saved and automatically re-loaded again.
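As an added example (not part of the original article), the POSIX shell functions below generate an /etc/sysconfig/ip{,6}tables ruleset in the same layout as the sample files above for either address family, and sanity-check a ruleset file before it is loaded. The check catches the two pitfalls an IPv4-only setup invites: no ip6tables file at all, and an INPUT chain with policy ACCEPT that lacks a final REJECT. The function names gen_rules and check_rules are my own.

```shell
#!/bin/sh
# Generate an iptables-restore format ruleset, as written to
# /etc/sysconfig/iptables (family 4) or /etc/sysconfig/ip6tables (family 6).
# Usage: gen_rules <4|6> <tcp-port>...
# Layout mirrors the article's sample: RELATED/ESTABLISHED, listed TCP ports,
# loopback, then REJECT everything else arriving on INPUT.
gen_rules() {
    family=$1; shift
    case $family in
        4) reject='icmp-port-unreachable' ;;   # ICMPv4 reject type
        6) reject='icmp6-adm-prohibited' ;;    # ICMPv6 reject type
        *) echo "gen_rules: family must be 4 or 6" >&2; return 2 ;;
    esac
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' "-A INPUT -j REJECT --reject-with $reject"
    printf '%s\n' 'COMMIT'
}

# Check a ruleset file before 'systemctl restart iptables'/'ip6tables'.
# With the chain policy left at ACCEPT, a missing final REJECT means every
# unmatched packet is allowed in; a missing loopback rule breaks local
# services. Returns 0 only when both rules are present.
check_rules() {
    file=$1
    [ -r "$file" ] || { echo "$file: missing (IPv6 left wide open?)" >&2; return 1; }
    grep -q '^-A INPUT -i lo -j ACCEPT' "$file" \
        || { echo "$file: no loopback ACCEPT" >&2; return 1; }
    grep -q '^-A INPUT -j REJECT' "$file" \
        || { echo "$file: INPUT has no final REJECT" >&2; return 1; }
    return 0
}

# Example use (writes to a temporary file so it can be run without root):
tmp=$(mktemp)
gen_rules 6 22 80 > "$tmp" && check_rules "$tmp" && echo "ip6tables ruleset OK"
rm -f "$tmp"
```

On a RHEL 7 host you can additionally run `iptables-restore --test < /etc/sysconfig/iptables` (and the ip6tables equivalent) to parse the file without committing it.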
That's it!
Hello Jamie!
Thanks for your response. You are correct on both counts. If only iptables rules are created, any IPv6 addresses will be left open with unimpeded access, and the sample rules were missing a REJECT rule.
I have edited the original article to reflect this information. Thanks for bringing that to our attention!
Russell T.