Replace IPTables with Firewalld?

acidblue · 08-06-2015, 03:24 PM

I have an unusual situation that I have a VPS with CentOS 7 installed, but it has
iptables instead of firewalld.
I want to repalce iptabels with firewalld, but I dont think simply removing iptabels and installing firwalld is a good solution.
I should disable iptables and then install firewalld.
but not sure how to do that, could i get some advice

Ztcoracat · 08-06-2015, 05:54 PM

Hi:

Quote:

I dont think simply removing iptabels and installing firwalld is a good solution.

No, it's not.
I've learned at least that much from watching other threads here over the years in regard to ip tables.

-::-Yeah most likely you would disable the iptables and than install firewalld.-::-

I'm not your ip table expert but I found some documentation that could help you to understand things until a member with the experience can help you.

http://www.shellhacks.com/en/HowTo-D...in-CentOS-RHEL
http://www.certdepot.net/rhel7-disab...-use-iptables/
http://www.putorius.net/2015/01/disa...tables-on.html

Hope that helps.

unSpawn · 08-06-2015, 06:00 PM

Quote:

Originally Posted by acidblue

I have an unusual situation that I have a VPS with CentOS 7 installed, but it has iptables instead of firewalld.

Congratulations, that's one of the sane changes I apply to any new RHEL / CentOS-7...

Quote:

Originally Posted by acidblue

I want to repalce iptabels with firewalld

First of all please note that under the hood nothing has changed at all (yet) and any user land tool still interfaces with the in-kernel Netfilter framework. Secondly if you potentially misread this kind of deliberately crippled "information":

Quote:

With the iptables service, every single change means flushing all the old rules and reading all the new rules from /etc/sysconfig/iptables while with firewalld there is no re-creating of all the rules; only the differences are applied. Consequently, firewalld can change the settings during run time without existing connections being lost.

then you might argue "the iptables service" isn't any good. Well thats nice but its wrong as you can easily and dynamically change iptables rule sets from the command line without having to reload the complete rule set. Third: have you read any firewalld documentation or firewalld vs iptables comparisons? Are there any features you likely need on your server? Have you checked apps you regularly use (like for example fail2ban) if they already support firewalld?

Quote:

Originally Posted by acidblue

could i get some advice

If your current iptables setup doesn't require any features firewalld uniquely offers then why use it?..

acidblue · 08-06-2015, 06:56 PM

Quote:

If your current iptables setup doesn't require any features firewalld uniquely offers then why use it?..

Because I hate iptables, plus all the tutorials for CentOS 7 are for firewalld.

Doug G · 08-06-2015, 07:25 PM

Quote:

systemctl stop iptables.service
systemctl disable iptables.service
systemctl enable firewalld.service
systemctl start firewalld.service

Use firewall-cmd to configure firewalld. You should have recorded your iptables settings before switching firewalls.

Also, make sure your computer isn't exposed during the time you are firewall-less.

acidblue · 08-06-2015, 07:39 PM

Quote:

Originally Posted by Doug G

Use firewall-cmd to configure firewalld. You should have recorded your iptables settings before switching firewalls.

Also, make sure your computer isn't exposed during the time you are firewall-less.

Thanks Doug,
Kinda figured thats the way it should be done, just wanted to make sure.
Better to be sure than to hose my server.