
I read here that the iptables package is part of the Linux kernel and that all GUI firewall tools are in the end translated into some kind of iptables rules.

Now I am setting up a CentOS 8 server following this guide, which sets up the firewall using these lines:

sudo firewall-cmd --zone=public --permanent --add-service=http
sudo firewall-cmd --reload

Prior to this, I could not visit my index page /var/www/html/index.html using http://xxx.xxx.xxx.xxx/index.html in my browser. But after this I could visit the site.

I was surprised that there was nothing appended to any of the three chains inside the iptables table. In other words, the table was completely empty:

[ziga@localhost ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

[ziga@localhost ~]$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

It looks like firewall-cmd is doing something I don't understand, and I want to avoid this. Is there a way to achieve exactly the same result as firewall-cmd by using only iptables commands?

71GA
  • Isn't firewalld directly "talking" to netfilter, just like iptables? – Lenniey Jan 23 '20 at 15:24
  • @Lenniey You are right! So how would I achieve the same thing with `iptables`? – 71GA Jan 23 '20 at 16:30
  • And the iptables policy on the INPUT chain is ACCEPT so *all* traffic should go through it. Can you get the output from `iptables -S`? – sensadrome Jan 23 '20 at 17:05
  • If you want to switch to using iptables (I've been using it for years and I find it way easier than firewalld!) there's a pretty good tutorial here: https://www.digitalocean.com/community/tutorials/how-to-migrate-from-firewalld-to-iptables-on-centos-7 – sensadrome Jan 23 '20 at 17:11
  • @sensadrome I added the output of `iptables -S`. – 71GA Jan 23 '20 at 17:15
  • The reason for your empty rules is explained there: [firewalld is not working in CentOS 8: no rule at all is created in iptables](https://serverfault.com/questions/996664/firewalld-is-not-working-in-centos-8-no-rule-at-all-is-created-in-iptables/). So either use the generated nftables rules instead, or train in using iptables commands directly (but the focus is shifting slowly to nftables now, so this might be time not well spent). – A.B Jan 23 '20 at 22:35
