firewall rules and iptables

Support for security such as Firewalls and securing linux
ipfreak
Posts: 18
Joined: 2015/12/30 16:53:29

firewall rules and iptables

Post by ipfreak » 2019/11/16 20:59:51

hello guys:

my understanding is that firewalld on centos and iptables are actually the same. where do these default rule sets come from? how could i change this almost "accept all" behavior? i checked /etc/sysconfig and the default file iptables-config is more like a sample config.

[user@localhost ~]$ sudo iptables -L
[sudo] password for user:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
[user@localhost ~]$

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewall rules and iptables

Post by TrevorH » 2019/11/16 21:13:21

No, firewalld and iptables are not the same thing. If you use firewalld then you cannot reliably use any iptables command which might change the rules. You can use it to inspect what is running but you cannot change it. When firewalld is running, it "knows" how the rules are and it thinks it controls them. If you change them, it will notice and back your change out.

However, from your rules it is apparent that you're not using firewalld as your list of rules is not approaching 200 lines long!

Your FORWARD rules look like those inserted by libvirtd and/or gnome-boxes. The rest look like they've been put there by hand as they don't resemble those set by a CentOS installed without firewalld either. Since your INPUT chain policy is ACCEPT, anything that isn't explicitly rejected or dropped is allowed and since you only have ACCEPT lines, everything is accepted and nothing is denied. You have no firewall at present.

The default rules set up by a non-firewalld install look like


# Generated by xtables-save v1.8.2 on Sat Nov 16 21:12:20 2019
*filter
:INPUT DROP [1:48]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:1080]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Nov 16 21:12:20 2019
Those will still allow ssh access on the default port but at least other things are not allowed.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

ipfreak
Posts: 18
Joined: 2015/12/30 16:53:29

Re: firewall rules and iptables

Post by ipfreak » 2019/11/16 21:37:15

thanks trevor for clarifications.

i have not configured any rules from iptables, nor have i configured any other firewall rules for firewalld except opening one port. basically i installed centos 8 and started playing security first (trying to secure the server first). so i have no clue where those rules come from, especially this ip address range 192.168.122.0/24.

everything now under firewalld is default except one port opened (associated with selinux).

[user@localhost ~]$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s25
sources:
services: cockpit dhcpv6-client ssh
ports: 6553/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewall rules and iptables

Post by jlehtone » 2019/11/17 11:23:32

ipfreak wrote (2019/11/16 21:37:15):
> basically i installed centos 8 and

But you posted to the centos 7 forum. What have you, 7 or 8?

Kernel in 7 has netfilter. Userland tool 'iptables' interacts with netfilter. Services like iptables.service and firewalld.service use iptables to load rules.

Kernel in 8 has nftables. Userland tool 'nft' interacts with nftables. The firewalld.service uses nft to load rules. There is a tool 'iptables' in 8, but it is a mere wrapper for 'nft'. There is an iptables.service too, which uses the iptables wrapper to update nftables.

The output of "iptables -L" lacks details. IMHO, "iptables -S" is much more informative (in centos 7).

ipfreak wrote (2019/11/16 21:37:15):
> started playing security first (trying to secure the server first).

The default rules are rather secure. Your "play" (if the rules posted in OP are in effect) has moved from "ssh allowed" to "all open". Wrong direction.

Some of the environment groups (i.e. package selections in the installer) do include virtualization, libvirtd. libvirtd.service is set to start by default. Libvirtd is configured to create a virtual network "default". The 192.168.122.0/24 sounds like the subnet of that network.
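The point both TrevorH and jlehtone make (an INPUT chain whose policy is ACCEPT and whose only rules are ACCEPT lines is no firewall, whereas the non-firewalld default with policy DROP still admits ssh and established traffic) can be checked without touching a kernel. Below is an added example, not code from the thread or from CentOS: a toy evaluator for iptables-save syntax. DEFAULT_RULES is quoted from TrevorH's post; OPEN_RULES is a constructed rewrite of the original poster's "iptables -L" INPUT chain in save syntax; the packets, their addresses, and the interface name enp0s25 (taken from the firewall-cmd output) are constructed test inputs. It handles only the matches the posts use and ignores everything else.

```python
# Added example (not from the thread): a toy evaluator for iptables-save
# style rule sets.  It understands only -p, -i, -s, -d, --dport,
# -m state/conntrack --state/--ctstate and -j; it is a teaching model.
import ipaddress
import shlex

# Rule set quoted from TrevorH's post (CentOS installed without firewalld).
DEFAULT_RULES = """\
*filter
:INPUT DROP [1:48]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:1080]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed rewrite of the original poster's "iptables -L" INPUT chain:
# policy ACCEPT and nothing but ACCEPT rules (domain = 53, bootps = 67).
OPEN_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
COMMIT
"""

SIMPLE = {"-p": "proto", "-i": "iface", "-j": "target"}


def parse_rules(text):
    """Return ({chain: policy}, {chain: [rule dicts]}) for one filter table."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                      # ":INPUT DROP [1:48]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            chains.setdefault(chain, [])
        elif line.startswith("-A "):
            toks = shlex.split(line)
            chain, rule, i = toks[1], {"target": None}, 2
            while i < len(toks):
                opt, val = toks[i], toks[i + 1]
                if opt in SIMPLE:
                    rule[SIMPLE[opt]] = val
                elif opt in ("-s", "-d"):
                    rule[opt] = ipaddress.ip_network(val, strict=False)
                elif opt == "--dport":
                    rule["dport"] = int(val)
                elif opt in ("--state", "--ctstate"):
                    rule["states"] = set(val.split(","))
                elif opt not in ("-m", "--reject-with"):  # -m only loads a module
                    raise ValueError(f"unsupported option {opt!r} in: {line}")
                i += 2
            chains.setdefault(chain, []).append(rule)
    return policies, chains


def rule_matches(rule, pkt):
    """Every condition present on the rule must hold for the packet."""
    return (("proto" not in rule or rule["proto"] == pkt["proto"])
            and ("iface" not in rule or rule["iface"] == pkt["iface"])
            and ("-s" not in rule or ipaddress.ip_address(pkt["src"]) in rule["-s"])
            and ("-d" not in rule or ipaddress.ip_address(pkt["dst"]) in rule["-d"])
            and ("dport" not in rule or rule["dport"] == pkt["dport"])
            and ("states" not in rule or pkt["state"] in rule["states"]))


def verdict(ruleset, chain, pkt):
    """First matching rule wins; if nothing matches, the chain policy decides."""
    policies, chains = parse_rules(ruleset)
    for rule in chains.get(chain, []):
        if rule_matches(rule, pkt):
            return rule["target"]
    return policies[chain]


def packet(proto, dport=None, state="NEW", iface="enp0s25",
           src="203.0.113.7", dst="192.0.2.10"):
    """Constructed inbound packet (addresses are RFC 5737 documentation ranges)."""
    return {"proto": proto, "dport": dport, "state": state,
            "iface": iface, "src": src, "dst": dst}


def compare(probe=None):
    """Verdict for one unsolicited inbound packet under each rule set."""
    probe = probe or packet("tcp", 80)          # a fresh connection to port 80
    return {"default": verdict(DEFAULT_RULES, "INPUT", probe),
            "open": verdict(OPEN_RULES, "INPUT", probe)}


if __name__ == "__main__":
    print(compare())                              # {'default': 'DROP', 'open': 'ACCEPT'}
    print(verdict(DEFAULT_RULES, "INPUT", packet("tcp", 22)))  # ACCEPT: ssh still allowed
```

Running it shows why the chain policy is what matters: under OPEN_RULES every probe falls through to ACCEPT, so the explicit rules change nothing, while under DEFAULT_RULES only ssh, ICMP, loopback and replies to existing connections get through and everything else hits the DROP policy. On a real host the same check is "iptables -S" (or "nft list ruleset" on CentOS 8), where the policy shows up as the "-P INPUT ..." line.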
