Convert CentOS 7 FirewallD to iptables
How to convert your CentOS 7 firewall from FirewallD to iptables, and fix fail2ban
On CentOS 7, the default firewall is firewalld. Even though this is just a front end that configures iptables for you, it has its limits when it comes to applying advanced rules and customizing your firewall. You can fix this by getting rid of firewalld and using iptables rules only. Do not uninstall firewalld, as the fail2ban package depends on it. We can bypass this, but in this case we will just disable firewalld.
Convert to iptables
Follow the steps below in order, running the commands shown as root.
Step 1. Save your existing firewall rules
iptables -S | tee ~/fwd_oldiptables.rules
Step 2. Install iptables services
yum install iptables-services
Step 3. Create a new ruleset with your old
cat ~/fwd_oldiptables.rules > /etc/sysconfig/iptables
And edit it if needed. Note that /etc/sysconfig/iptables is read by iptables-restore, so the file must start with a *filter table header and end with a COMMIT line; iptables -S does not print these, so add them by hand.
Step 4. Stop and disable your firewalld
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
Step 5. Enable and start iptables
systemctl enable iptables
systemctl start iptables
Step 6. Check firewalld status
firewall-cmd --state
iptables Rules
Remember the basic principle of all good firewalls – DENY ALL, ALLOW SOME.
First, make a list of the service ports you need open. SSH (port 22) and the ping/traceroute protocol (ICMP) are a good starting point. While we are at it, let's rate-limit ICMP so that we are less susceptible to a ping flood. We must also let traffic that our server requested back in, with an ACCEPT for RELATED or ESTABLISHED connections. All OUTBOUND traffic is OK, and all FORWARD traffic gets dropped, as we are not a router or a switch.
We must put the following in our /etc/sysconfig/iptables file.
# iptables-restore format: the table header comes first and COMMIT last
*filter
### Set Policies ###
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
### Set Rules ###
## ICMP ##
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
## SSH ##
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
## Local Loop ##
-A INPUT -i lo -j ACCEPT
## Returning Traffic ##
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
## Deny all else ##
-A INPUT -j DROP
COMMIT
Now run
systemctl restart iptables
You can check your rules with
iptables -nvL
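Before restarting iptables it is worth checking the rules file for the mistakes that lock you out of a remote box. The following POSIX shell function is an added example, not part of the original article: it verifies that the file has the *filter header and COMMIT that iptables-restore needs, that loopback and returning traffic are accepted, and that the SSH ACCEPT sits above the catch-all DROP. The two sample rule files it runs against are constructed inline.

```shell
#!/bin/sh
# Pre-flight check for an /etc/sysconfig/iptables file (added example, not from the article).
# Usage: check_rules FILE  -> exit status 0 if the file looks safe, 1 otherwise.
check_rules() {
    f="$1"; rc=0
    # iptables-restore refuses the file without a table header and a COMMIT
    grep -q '^\*filter' "$f" || { echo "missing *filter header"; rc=1; }
    grep -q '^COMMIT' "$f"   || { echo "missing COMMIT"; rc=1; }
    # loopback and returning traffic must be accepted, or local services and replies break
    grep -q -- '^-A INPUT -i lo -j ACCEPT' "$f" \
        || { echo "loopback not accepted"; rc=1; }
    grep -q -- '^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' "$f" \
        || { echo "RELATED,ESTABLISHED not accepted"; rc=1; }
    # the SSH ACCEPT must come before the catch-all DROP, or you lock yourself out
    ssh_line=$(grep -n -- '^-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' "$f" | head -n1 | cut -d: -f1)
    drop_line=$(grep -n -- '^-A INPUT -j DROP' "$f" | head -n1 | cut -d: -f1)
    if [ -z "$ssh_line" ]; then echo "no SSH ACCEPT rule"; rc=1
    elif [ -z "$drop_line" ]; then echo "no final INPUT DROP"; rc=1
    elif [ "$ssh_line" -gt "$drop_line" ]; then echo "SSH ACCEPT comes after the catch-all DROP"; rc=1
    fi
    return $rc
}

# Constructed sample files so the check runs stand-alone.
GOOD_RULES=$(mktemp); BAD_RULES=$(mktemp)
cat > "$GOOD_RULES" <<'EOF'
*filter
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
# Same idea, but the DROP was pasted above the SSH rule and COMMIT was forgotten.
cat > "$BAD_RULES" <<'EOF'
*filter
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
check_rules "$GOOD_RULES" && echo "good file: OK"
check_rules "$BAD_RULES" || echo "bad file: rejected"
```

Run it as check_rules /etc/sysconfig/iptables on the real file; a non-zero exit means fix the file before systemctl restart iptables.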
As a test, you can run
ping -f -c 100 x.x.x.x
where x.x.x.x represents your server IP. Be sure to do this from a different server and run the ping command as root. What you should see is a high rate of packet loss. Then try a normal ping and you should see no loss. You can increase the acceptable ping rate if you feel you need to. Ping rates between 1 and 5 per second are ok, although most legitimate tests should never need more than 1 ping per second.
Fixing fail2ban
Fail2ban on CentOS is installed to use firewalld. To change this, we have to change the default “action” in our “jail” definitions.
First, copy the file /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local with the command below
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now use your favourite editor (vi, vim, pico, nano or joe) to edit the jail.local file. Find the lines that read:
banaction = firewallcmd-multiport
banaction_allports = firewallcmd-allports
The lines may differ slightly, but the important part is that banaction is set to a firewallcmd action. Now change those two lines to read as follows:
banaction = iptables-multiport
banaction_allports = iptables-allports
Next, we must activate the ssh jail. We can do this in one of two ways.
1. Move down in our jail.local file until we locate the [sshd] block marker and insert
enabled = true
below the [sshd] block marker (not the example block at the beginning of the file).
OR
2. Cut the [sshd] block, with its accompanying lines, out of the jail.local file, create a new file under /etc/fail2ban/jail.d/sshd.conf and paste the block in there. Remember to add enabled = true below the [sshd] block marker. The sshd.conf file should contain the following:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
You may now restart the fail2ban service by running
systemctl restart fail2ban
Check that it works by running the following
iptables -nvL | grep f2b
You should see a few rules appear.
Happy Hosting!