
Problem: iptables resets to default settings after server reboot.

I'm trying to set a rule like this:

iptables -I INPUT -p tcp --dport 3000 -j ACCEPT

after that I do:

service iptables save

and it writes back something like this:

iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

and after this I just ran (this was done once):

chkconfig iptables on (I have read that this has to be done in order to restore settings after reboot)

After that I reboot and run this command:

systemctl list-unit-files | grep iptables

and I see that iptables.service is enabled, however, the rule (to open port 3000) does not work anymore.

How do I persist these settings?

dotancohen
user1463822

6 Answers

Disable firewalld by the following command:

systemctl disable firewalld

Then install iptables-services with the following command:

yum install iptables-services

Then enable iptables as a service:

systemctl enable iptables

Now you can save your iptables rules with the following command:

service iptables save
peterh
HosseinGBI


CentOS 7 is using FirewallD now! Use the --permanent flag to save settings.

Example:

firewall-cmd --zone=public --add-port=3000/tcp --permanent

Then reload rules:

firewall-cmd --reload
sgohl
  • any idea why centos7 image from AWS AMI does not have firewallD. – Saad Masood Sep 07 '15 at 08:32
  • OR you can disable firewalld and install "iptables-services" package to achieve near-native iptables compatibility :) – vagarwal Jun 22 '16 at 15:12
  • I tried configuring port forwarding 80 -> 8180 for lo (`--zone=trusted`) with firewalld-cmd but it does not work (it works in `--zone=public`). Doing so with iptables `sudo /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8180 ; sudo /sbin/iptables -t nat -I OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8180` works (but each `firewalld --reload` undoes this). – djb Apr 25 '17 at 13:37
  • @saad: because aws already provides a firewall service, hence the ami can be kept small – sgohl Mar 27 '18 at 14:57
  • It is not! I have ordered a CentOS 7 VPS and it has iptables by default! The OS version: 7.5.1804 (Core) – Mehdi Haghgoo Sep 28 '18 at 19:30

On CentOS 7 Minimal you may need to install the iptables-services package (thanks to @RichieACC for the suggestion):

sudo yum install -y iptables-services

And then enable the service using systemd:

sudo systemctl enable iptables.service

And run the initscript to save your firewall rules:

sudo /usr/libexec/iptables/iptables.init save
qris

iptables-save > /etc/sysconfig/iptables

will save the current configuration without the need to install any other libraries or services.

stormdrain


You can modify the /etc/sysconfig/iptables file directly. Reload the iptables service to reload the rules from that file.

Yet, as you were told already, firewalld is the new default firewall system for CentOS, and this is a good chance to learn how to use it, don't you think?

StackzOfZtuff
stoned
  • in CentOS 7 there is no longer a /etc/sysconfig/iptables file – sgohl Sep 06 '14 at 09:07
  • Sorry @roothahn, but it definitely exists... unless you miss some packages of course. From /usr/lib/systemd/system/iptables.service you can see that what's actually launched is "/usr/libexec/iptables/iptables.init start", which is the usual old and dear script looking for the usual old configuration file in /etc/sysconfig – stoned Sep 06 '14 at 15:52
  • Yeah, `/etc/sysconfig/iptables` doesn't exist for me either. However, `/etc/sysconfig/iptables-config` does exist. But it does not have firewall rules inside it as the `iptables` file had before. – Kentgrav Sep 30 '14 at 19:03
  • Pretty strange, have you got a default install? The iptables solution is still officially supported, as even stated in the RHEL7 manual. Do you have the iptables package installed? What about the systemd service? By the way, iptables-config should contain only parameters relevant to the service, such as the iptables modules to load, or options like saving the rules upon service restart. – stoned Oct 01 '14 at 08:39
  • I found that the file was not there on a default, minimal install either. CentOS 7 does not install iptables.service by default, it seems. "yum install -y iptables.service" installed the service and created a default /etc/sysconfig/iptables for me. – Richard C Dec 04 '14 at 08:33
  • That should be "yum install iptables-services" – qris Jan 04 '15 at 17:15


Maybe a script like this would be helpful to anyone?

Beware that you will lose anything currently configured, because it removes firewalld and flushes any current rules in the INPUT table:

yum remove firewalld && yum install iptables-services

iptables --flush INPUT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT              # Any packets related to an existing connection are OK
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT     # ssh is OK
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT   # Port 3000 for IPv4 is OK
iptables -A INPUT -j REJECT                                                    # any other traffic is not welcome - this should be the last line
service iptables save                                                          # Save IPv4 iptables rules from memory to disk
systemctl enable iptables                                                      # To make sure the IPv4 rules are reloaded at system startup

I guess you want the same in case your system might be reached (now or anytime later) by IPv6 traffic:

ip6tables --flush INPUT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT              # Any packets related to an existing connection are OK
ip6tables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT     # ssh is OK
ip6tables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT   # Port 3000 for IPv6 is OK
ip6tables -A INPUT -j REJECT                                                    # any other traffic is not welcome - this should be the last line
service ip6tables save                                                          # Save IPv6 ip6tables rules from memory to disk
systemctl enable ip6tables                                                      # To make sure the IPv6 rules are reloaded at system startup
JohannesB
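After saving with `service iptables save` (or `iptables-save > /etc/sysconfig/iptables`), the thing to verify is the file that iptables.service will restore at boot, not the live rule set. The script below is an added example, not from any answer in this thread: it parses a rule file in iptables-save format and confirms that TCP port 3000 is accepted in the filter table's INPUT chain above any catch-all REJECT/DROP (a rule appended with -A underneath CentOS's default `-A INPUT -j REJECT --reject-with icmp-host-prohibited` is saved but never matches). The sample rule set is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): check the saved rule set that iptables.service
# reloads at boot, so a missing or shadowed ACCEPT is caught before the next reboot.

# rules_accept_port PORT < rules-file
# Exit 0 if the filter table's INPUT chain accepts TCP PORT before any catch-all
# terminating rule; exit 1 otherwise.
rules_accept_port() {
    awk -v port="$1" '
        /^\*/             { table = substr($0, 2); next }  # "*filter", "*nat", ...
        table != "filter" { next }                         # INPUT lives in the filter table
        /^-A INPUT -j (REJECT|DROP)/ { blocked = 1 }       # catch-all: later INPUT rules are dead
        /^-A INPUT / && !blocked &&
            $0 ~ /-p tcp/ && $0 ~ ("--dport " port "( |$)") && $0 ~ / -j ACCEPT/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample in the format the init script writes to /etc/sysconfig/iptables:
# port 3000 was inserted correctly, port 8080 was appended below the catch-all REJECT.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT'

# On a real host: sh check_saved_rules.sh 3000  (reads the file the answers above save to)
if [ -n "${1:-}" ] && [ -r /etc/sysconfig/iptables ]; then
    if rules_accept_port "$1" < /etc/sysconfig/iptables; then
        echo "saved rules accept tcp/$1 on INPUT; iptables.service will restore them at boot"
    else
        echo "tcp/$1 is missing from the saved rules or sits below a catch-all REJECT/DROP" >&2
        exit 1
    fi
fi
```

Run it against `$SAMPLE_RULES` with `printf '%s\n' "$SAMPLE_RULES" | rules_accept_port 3000` to see the ordering check in action; port 8080 fails because it was appended after the catch-all.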