Default in-built rules in iptables

Issues related to configuring your network
vasiqmz
Posts: 2
Joined: 2017/07/28 11:54:46

Default in-built rules in iptables

Post by vasiqmz » 2017/07/28 12:21:58

Hey everyone,

I recently installed CentOS 7.3.1611 on my Raspberry Pi 3. Looking into iptables, I see there are so many user-defined chains created. I deleted all of them, but after a restart they are loaded back in.

Has anyone encountered this behavior?

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Default in-built rules in iptables

Post by TrevorH » 2017/07/28 13:04:46

The default firewall in CentOS 7 is firewalld and it controls all the iptables rules. If you want to use plain iptables then you need to disable or uninstall firewalld and revert to using iptables-services instead.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

vasiqmz
Posts: 2
Joined: 2017/07/28 11:54:46

Re: Default in-built rules in iptables

Post by vasiqmz » 2017/07/29 09:27:42

TrevorH wrote: The default firewall in CentOS 7 is firewalld and it controls all the iptables rules. If you want to use plain iptables then you need to disable or uninstall firewalld and revert to using iptables-services instead.
Thanks a lot. It worked fine. I did try to disable it first, but the default rules were still getting loaded. Removing the package solved the problem.
But I can still see a few default iptables rules, as shown below. I tried executing 'iptables-save' and directing the output to a file at /etc/ipv4.rules, but still no luck. I thought it was because of 'netfilter-persistent', but it's not present in this distribution.

Any idea where these default rules are coming from?
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Default in-built rules in iptables

Post by TrevorH » 2017/07/29 10:14:23

CentOS's iptables service stores its saved rules in /etc/sysconfig/iptables as it has done on all versions I've ever used from 3.x onwards.

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Default in-built rules in iptables

Post by jlehtone » 2017/07/29 10:31:51

The rules that you see are the "default ruleset" that the iptables.service is installed with.
Seemingly different from the default ruleset created by firewalld, but effectively the same.

The command 'service iptables save' writes the in-kernel active ruleset into /etc/sysconfig/iptables.
(The service script calls iptables-save. When the service starts, it loads the rules atomically from that file.)

CentOS 7 does use systemd. The 'service' command seems to be a mere wrapper for 'systemctl'. I haven't actually tested 'service iptables save' in 7, because I use firewalld in 7.


If you want to see the rules that are in the kernel, in the format you would use with 'iptables', then invoke:

iptables -S
iptables -t nat -S
iptables -t mangle -S

If you want to see the rules with some statistics etc., invoke:

iptables --line-numbers -vnL
iptables -t nat --line-numbers -vnL
iptables -t mangle --line-numbers -vnL
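A worked example to go with the answers above (added here, not code from any of the posters or from the iptables-services package): a small Python parser for the iptables-save format that 'service iptables save' writes to /etc/sysconfig/iptables, plus an audit over the parsed rules. The sample ruleset embedded in the script is constructed to reproduce the 'iptables -L' listing posted earlier in the thread; it is an assumption about the file contents, not a copy of any host. The script also renders each rule the way 'iptables -L' without -v does, which makes the practical point: -L has no column for interface matches, so '-A INPUT -i lo -j ACCEPT' (the loopback rule) shows up as "ACCEPT all -- anywhere anywhere", indistinguishable from a genuine accept-all. Only 'iptables -S' or '-vnL' shows the '-i lo'. The script name and the audit's finding texts are my own choices.

```python
"""Parse an iptables-save style ruleset and audit it for permissive rules."""
import shlex
import sys
from dataclasses import dataclass
# Constructed sample in the iptables-save format that `service iptables save` writes
# to /etc/sysconfig/iptables, chosen to reproduce the `iptables -L` listing in this thread.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

@dataclass
class Rule:
    chain: str
    target: str
    matches: dict      # match option -> value, e.g. {"-i": "lo", "--dport": "22"}
    target_opts: dict  # options after -j, e.g. {"--reject-with": "icmp-host-prohibited"}
    raw: str

def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [Rule, ...]}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                       # "*filter" opens a table
            cur = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):                     # ":INPUT ACCEPT [0:0]"
            chain, policy, _counters = line[1:].split()
            cur["policies"][chain] = policy            # "-" for user-defined chains
        elif line == "COMMIT":
            cur = None
        elif line.startswith("-A "):
            toks = shlex.split(line)
            matches, target_opts, target, neg, i = {}, {}, None, "", 2
            while i < len(toks):
                tok = toks[i]
                if tok == "!":                         # "! -i lo": negate the next option
                    neg, i = "! ", i + 1
                elif tok == "-j":
                    target, i = toks[i + 1], i + 2
                elif tok == "-m":                      # match module; its --options follow
                    i += 2
                elif tok.startswith("-"):
                    dest = target_opts if target else matches   # after -j: target options
                    has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                    dest[neg + tok], i = (toks[i + 1], i + 2) if has_val else (True, i + 1)
                    neg = ""
                else:
                    i += 1
            cur["rules"].append(Rule(toks[1], target, matches, target_opts, line))
    return tables

def listing_row(rule):
    """Lay a rule out the way `iptables -L` (no -v) does. There is no column for
    interface matches, so `-i lo -j ACCEPT` shows as "ACCEPT all -- anywhere anywhere"."""
    prot = rule.matches.get("-p", "all")
    cols = [rule.target, prot, "--", rule.matches.get("-s", "anywhere"),
            rule.matches.get("-d", "anywhere")]
    if "--state" in rule.matches:
        cols.append("state " + rule.matches["--state"])
    if "--dport" in rule.matches:   # plain -L would resolve 22 to "ssh"; -n keeps the number
        cols.append(f"{prot} dpt:{rule.matches['--dport']}")
    if "--reject-with" in rule.target_opts:
        cols.append("reject-with " + rule.target_opts["--reject-with"])
    return " ".join(cols)

def audit(tables):
    """Return the findings a reviewer would raise about the filter table."""
    flt = tables.get("filter")
    if flt is None:
        return ["no filter table in ruleset"]
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        rules = [r for r in flt["rules"] if r.chain == chain]
        # A policy of ACCEPT is only safe if the chain ends in an unconditional DROP/REJECT.
        closed = bool(rules) and rules[-1].target in ("DROP", "REJECT") and not rules[-1].matches
        if flt["policies"].get(chain) == "ACCEPT" and not closed:
            findings.append(f"{chain}: policy ACCEPT and no unconditional final DROP/REJECT")
    for r in flt["rules"]:
        if r.target == "ACCEPT" and not r.matches:      # looks like the "-i lo" rule in -L, but isn't
            findings.append(f"{r.chain}: unconditional ACCEPT ({r.raw})")
    return findings

if __name__ == "__main__":   # python3 audit_iptables.py [/etc/sysconfig/iptables]
    tables = parse_iptables_save(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULESET)
    for r in tables["filter"]["rules"]:
        print(f"{listing_row(r):72} <- {r.raw}")
    print(*(f"FINDING: {f}" for f in audit(tables)), sep="\n")
```

Run it with no arguments to see the sample, or point it at the saved file ('python3 audit_iptables.py /etc/sysconfig/iptables') or at 'iptables-save' output redirected to a file. On the sample it reports only that OUTPUT has policy ACCEPT with no rules behind it (all egress allowed), which is what the default ruleset does; if the loopback rule is replaced by a bare '-A INPUT -j ACCEPT', the -L style row is byte-for-byte the same but the audit flags the unconditional ACCEPT, which is why checking with 'iptables -S' rather than plain 'iptables -L' matters.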
