
I'm starting to use RHEL7 and learning a little about the changes that come with systemd.

Is there a way to perform /sbin/service iptables save in firewalld?

$ /sbin/service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.

The closest parallel I can find from the Documentation is --reload:

Reload the firewall without losing state information:
$ firewall-cmd --reload

But it doesn't explicitly say if it's saving or not.

Peter Souter

2 Answers


The version of firewalld in RHEL 7.0 has no "save" script and no way to copy the running firewall configuration to the permanent configuration. You save a firewall change with firewalld by adding --permanent to the command line making the change. Without it, any change you make is temporary and will be lost when the system restarts.

For example:

firewall-cmd --add-service=http                 # Running config
firewall-cmd --add-service=http --permanent     # Startup config

Later (post-RHEL 7) versions of firewalld do include a way to save the running configuration, and this is available now in Fedora and in RHEL 7.1. In this case the command is simply:

firewall-cmd --runtime-to-permanent
Michael Hampton

To continue on Michael Hampton's comment, I found that I had to restart the firewalld service ("systemctl restart firewalld") after running "firewall-cmd --runtime-to-permanent" in order for the firewall rules to be saved correctly, especially after having to remove some rules manually via iptables. It appears firewalld caches some rules, so a "firewall-cmd --reload" may re-institute rules from firewalld that should have been removed via the "--runtime-to-permanent" command. – Antony Nguyen Nov 04 '15 at 02:03

Note that the --runtime-to-permanent command does not show up in tab completion, but it is, in fact, there (tested on a CentOS 7.5 system). – dodexahedron Sep 26 '18 at 03:59

@AntonyNguyen you shouldn't use iptables commands when firewalld is managing the rules. Firewalld has no way of knowing of the change (it would need to poll periodically and that would kill the performance of the firewall because of its design, which btw. is fixed by nftables); use 'firewall-cmd --direct --passthrough ipv4 -A FORWARD ... -j DROP'. – AdamKalisz Nov 14 '18 at 17:12
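The answer above turns on the difference between the running and the permanent configuration: anything added without --permanent disappears at the next reload or reboot. A practical check before rebooting is to compare the two lists and see which services exist only at runtime. The script below is an added example written for this page, not code from the answer or from the firewalld project. Its unsaved_services function works on two space-separated service lists in the format printed by `firewall-cmd --list-services` and `firewall-cmd --permanent --list-services`; the sample lists near the bottom are constructed, and the script only queries the live firewall when firewall-cmd is installed and reports a running daemon.

```shell
#!/bin/sh
# Added example (not part of the original answer): report firewalld services that are
# enabled in the runtime configuration but absent from the permanent configuration,
# i.e. changes that will be lost on `firewall-cmd --reload` or a reboot.

# unsaved_services RUNTIME PERMANENT
#   RUNTIME   - output of: firewall-cmd --list-services
#   PERMANENT - output of: firewall-cmd --permanent --list-services
# Prints, one per line, every service in RUNTIME that is not in PERMANENT.
unsaved_services() {
    runtime="$1"
    permanent="$2"
    for svc in $runtime; do
        found=0
        for p in $permanent; do
            [ "$svc" = "$p" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$svc"
    done
    return 0
}

# Constructed sample data (not captured from a real host): "https" and "sip" were
# added at runtime only, so they would not survive a restart.
SAMPLE_RUNTIME="dhcpv6-client http https ssh sip"
SAMPLE_PERMANENT="dhcpv6-client http ssh"

# Use the live configuration only when firewall-cmd exists and firewalld is running;
# otherwise fall back to the constructed sample so the script runs anywhere.
if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    runtime_list=$(firewall-cmd --list-services)
    permanent_list=$(firewall-cmd --permanent --list-services)
else
    runtime_list="$SAMPLE_RUNTIME"
    permanent_list="$SAMPLE_PERMANENT"
fi

unsaved=$(unsaved_services "$runtime_list" "$permanent_list")
if [ -n "$unsaved" ]; then
    echo "Services enabled at runtime but not saved permanently:"
    echo "$unsaved"
    echo "Save them with 'firewall-cmd --runtime-to-permanent' (RHEL 7.1+ / Fedora),"
    echo "or on RHEL 7.0 repeat each change with --permanent."
else
    echo "Runtime and permanent service lists match."
fi
```

The comparison covers services in the default zone only; ports, rich rules and other zones have their own --list-* options and would need the same runtime-versus-permanent comparison.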

I needed to add a SIP service and some IPs.

In the directory /usr/lib/firewalld/services/ I added sip.xml, based on the other XML service files.

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SIP</short>
  <description>This is SIP, Yo! </description>
  <port protocol="udp" port="5060"/>
</service>

Then I added the sip service to firewalld:

# firewall-cmd --add-service=sip --permanent 

Then I added IPs to the service in /etc/firewalld/zones/public.xml:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description></description>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="ssh"/>
  <service name="https"/>

  <rule family="ipv4">
    <source address="x.x.x.x/32"/>
    <service name="sip"/>
    <accept/>
  </rule>

</zone>

You can also add a LOG rule if you add a level of logging:

  <rule family="ipv4">
    <source address="x.x.x.x/32"/>
    <service name="sip"/>
    <log prefix="sip" level="info"/>
    <accept/>
  </rule>

After you have added the rules to your zone, execute:

# firewall-cmd --reload

Check your iptables; you should be all set.

Alex N