How to load iptables rules to firewalld?

Question

I've got centos 6 running server. It uses iptables. I want to migrate to centos 7. Centos 7 uses firewalld.
My aim is to download iptables configuration(rules) and apply to firewalld. I can download iptables rules like this:

iptables-save

I don't know how to apply iptables-save's output to firewalld. I hope there is automated way. Question: How can I apply current iptables rules to firewalld? I don't like to configure manually because there might be many server with big iptables rules/configs.

Nathanael · Answer 1 · 2018-05-07T13:22:44.720

Inside SSH CentOS 6 execute these commands :

sudo iptables-save > iptables-export

cat iptables-export

scp iptables-export user@server_b_ip_address:/tmp

Firewalld stores its configuration in /etc/firewalld and within that directory you can find various configuration files:

firewalld.conf provides overall configuration.
Files in the zones directory provide your custom firewall rules for each zone.
Files in the services directory provide custom services you have defined.
Files in the icmptypes directory provide custom icmptypes you have defined.

There is a matching directory structure in /usr/lib/firewalld which provides the defaults for zones, services and icmptypes, in case you want to start customizing from a template, or simply see what the files look like.

The firewall configuration of the main services (ftp, httpd, etc) comes in the /usr/lib/firewalld/services directory. But it is still possible to add new ones in the /etc/firewalld/services directory. Also, if files exist at both locations for the same service, the file in the /etc/firewalld/services directory takes precedence.

Have great day future friend .! ;-)

If you're going to copy someone else's work word-for-word you should at least give credit https://serverfault.com/questions/655851/is-there-a-simple-way-to-export-import-firewalld-settings — parttimeturtle, Feb 10 '22 at 18:01

score 1 · Accepted Answer · answered May 07 '18 at 13:17

A good place to start is the RHEL 6 --> 7 migration planning guide but in short:

If you configured your RHEL/CentOS 6 firewall with system-config-firewall, you can use the firewall-offline-cmd tool to migrate the configuration from /etc/sysconfig/system-config-firewall into the default zone of firewalld.
If you used any other method to configure your current firewall there is, as far as I know, no practical migration to firewalld and your options are:
- either create a new configuration with firewall-cmd or firewall-config
- disable firewalld and continue to use the old iptables and ip6tables services. That allows you to keep the existing firewall rules. Copy the iptables-save export and load it with iptables-restore. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_iptables

The first link is broken. – MAChitgarha Mar 06 '21 at 17:58 — MAChitgarha, Mar 06 '21 at 17:58

How to load iptables rules to firewalld?

2 Answers2