
I've recently upgraded a clean install of CentOS 7 to CentOS 8 using this tutorial:

https://www.tecmint.com/upgrade-centos-7-to-centos-8/

I had no extra software installed, only the base install. After upgrading, the first thing I tried to do was to open doors only to SSH and HTTP, so I enabled and started firewalld:

systemctl enable firewalld
systemctl start firewalld
systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-12-24 11:05:50 -02; 10min ago
     Docs: man:firewalld(1)
 Main PID: 7620 (firewalld)
    Tasks: 2 (limit: 17886)
   Memory: 22.1M
   CGroup: /system.slice/firewalld.service
           └─7620 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

dez 24 11:05:49 renie.cc systemd[1]: Stopped firewalld - dynamic firewall daemon.
dez 24 11:05:49 renie.cc systemd[1]: Starting firewalld - dynamic firewall daemon...
dez 24 11:05:50 renie.cc systemd[1]: Started firewalld - dynamic firewall daemon.

Then added ssh and http services:

firewall-cmd --add-service http
firewall-cmd --add-service http --permanent
firewall-cmd --add-service ssh
firewall-cmd --add-service ssh --permanent
firewall-cmd --add-service ssh
firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: http ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

But I see no rule at all in IPTables:

iptables -nvL
Chain INPUT (policy ACCEPT 143 packets, 13998 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 114 packets, 13295 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Even after rebooting the server, no rules are created. Could this be caused by the CentOS 7 → CentOS 8 upgrade?

I had not tested or used firewalld before upgrading this server, but I have other CentOS 7 servers which have working firewalld.

Is there any log I can analyse in order to debug the problem?

Thanks in advance.

Rodrigo Renie
  • firewalld is not using iptables; check firewall-cmd --list-ports ; add specific port instead of service if something is wrong – Overmind Dec 24 '19 at 13:58

1 Answer


Just because you don't see any iptables rule doesn't mean firewalld is not working. Actually, firewalld switched to using nftables as its backend. So you can find your rules with, for example:

nft list ruleset

The rules you added for ssh and http would likely be in the chain filter_IN_public_allow:

        chain filter_IN_public_allow {
                tcp dport ssh ct state new,untracked accept
                tcp dport http ct state new,untracked accept
        }

You will probably also find empty iptables rules (but shown as nftables rules) in the output of nft list ruleset, because iptables is using the nftables compatibility kernel API:

# iptables -V
iptables v1.8.2 (nf_tables)

Useful link: Redhat - Firewalld: The Future is nftables

A.B
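An added check, not part of A.B's answer, that looks for the zone's allow rules in an nft list ruleset dump instead of in iptables output, and recognises the nf_tables build of iptables from iptables -V. The ruleset text embedded below is a constructed sample modelled on the chain quoted in the answer; for real use, nft is assumed to be installed and the dump is read from it.

```shell
#!/bin/sh
# Added example: check firewalld's rules where they actually live (nftables).

# chain_rules <ruleset-file> <chain-name>: print the rule lines inside one chain,
# with leading indentation stripped. Nested braces of other chains are ignored.
chain_rules() {
    awk -v chain="$2" '
        $1 == "chain" && $2 == chain { inside = 1; next }
        inside && $1 == "}"          { inside = 0 }
        inside                       { sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# service_allowed <ruleset-file> <zone> <service>: succeed when the zone's
# *_allow chain accepts new TCP connections to that service (e.g. ssh, http).
service_allowed() {
    chain_rules "$1" "filter_IN_${2}_allow" \
        | grep -q "^tcp dport $3 ct state new,untracked accept\$"
}

# iptables_uses_nftables <output of iptables -V>: succeed for the nf_tables
# compatibility build, which explains an empty "iptables -nvL" under firewalld.
iptables_uses_nftables() {
    case "$1" in
        *"(nf_tables)"*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Constructed sample dump; on a live box replace with: nft list ruleset > "$RULESET"
RULESET=$(mktemp)
cat > "$RULESET" <<'EOF'
table inet firewalld {
        chain filter_IN_public_allow {
                tcp dport ssh ct state new,untracked accept
                tcp dport http ct state new,untracked accept
        }
        chain filter_IN_public_deny {
        }
}
EOF

for svc in ssh http https; do
    if service_allowed "$RULESET" public "$svc"; then
        echo "$svc: allowed in zone public"
    else
        echo "$svc: NOT allowed in zone public"
    fi
done
```

Run it as root after replacing the sample with the real dump; a service missing from the *_allow chain is what to look for, not an empty iptables listing.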