Fedora's firewalld vs iptables

0

I am on Fedora 19. Is my understanding correct that as long as firewalld is up and running (and properly configured using firewall-config) the contents of /etc/sysconfig/iptables have no meaning?

I am asking because when I run 'iptables -L' I can see:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

I don't really like this one in particular:

"ACCEPT     all  --  anywhere" 

user2433984

Posted 2013-09-15T19:18:09.723

Reputation: 27

Please have a look at our formatting help and indent code or console output by 4 spaces (Ctrl-K). Thanks.

– slhck – 2013-09-15T19:21:22.080

Answers

0

This can be confusing because there is an iptables tool, an iptables service, and an /etc/sysconfig/iptables configuration file.

The iptables tool communicates directly with the kernel's packet filter, and this command works whether you are using service iptables or firewalld.

Based on the documentation here, firewalld does not use (and presumably ignores) /etc/sysconfig/iptables. This file normally does not exist on a system configured to use firewalld. Instead, firewalld uses "various XML files" to permanently save the firewall configuration.

The ACCEPT all -- anywhere report from iptables -L can be alarming without the -v option, which displays the full rule. In this case, the second rule is restricted to the lo loopback interface:

$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
38844   20M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
...

Fred Schleifer

Posted 2013-09-15T19:18:09.723

Reputation: 111

0

That particular line can be just for the loopback interface. It isn't visible in this output. Try looking into /etc/sysconfig/iptables or run iptables-save to get the complete configuration including interfaces.

Fiisch

Posted 2013-09-15T19:18:09.723

Reputation: 161

No, the only difference between the /etc/sysconfig/iptables contents and the iptables -L command is that the command shows you the settings for the filter table unless you explicitly specify that you want to see the nat, mangle, raw tables, etc. If that line were for the loopback, then it would also contain -i lo – user2433984 – 2013-09-19T12:05:34.577
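Both answers above make the same point: iptables -L without -v drops the interface column, so a rule restricted to -i lo looks identical to an unrestricted ACCEPT, and iptables-save shows the full rule. The following shell snippet is an added example (not code from either answer, and not from firewalld or the asker's system). It runs over a constructed ruleset in iptables-save format that mirrors the chain in the question, with an extra unrestricted ACCEPT added for illustration, and separates the harmless loopback rule from any INPUT rule that accepts everything without a single match criterion. To audit a live box you would feed it "$(sudo iptables-save)" instead of the sample.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (assumption: not captured from a real host).
# The "-A INPUT -j ACCEPT" line is deliberately included as the kind of rule to flag.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print INPUT rules that jump to ACCEPT with no restriction at all:
# no interface (-i), no source (-s), no protocol (-p) and no match module (-m).
# Such a rule is what "ACCEPT all -- anywhere anywhere" in iptables -L may or may
# not be; only the saved form tells you.
unrestricted_accepts() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" {
            accept = 0; restricted = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
                if ($i == "-i" || $i == "-s" || $i == "-p" || $i == "-m") restricted = 1
            }
            if (accept && !restricted) print
        }'
}

# Print INPUT ACCEPT rules bound to the loopback interface, the ones that
# iptables -L (without -v) renders as "ACCEPT all -- anywhere anywhere".
loopback_accepts() {
    printf '%s\n' "$1" | grep -E '^-A INPUT .*-i lo( |$).*-j ACCEPT'
}

# Stand-alone usage on the constructed sample; replace $SAMPLE_RULES with
# "$(sudo iptables-save)" to check a real host.
echo "Loopback-only ACCEPT rules (fine):"
loopback_accepts "$SAMPLE_RULES"
echo "ACCEPT rules with no match criteria (review these):"
unrestricted_accepts "$SAMPLE_RULES"
```

The awk check is intentionally conservative: any of -i, -s, -p or -m counts as a restriction, so the conntrack rule and the icmp rule are not reported, while a bare "-A INPUT -j ACCEPT" is. If the chain in the question came out clean here, the alarming line was the loopback rule the first answer describes.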