Iptables-Firewalld Conversion

merveyil
Posts: 4
Joined: 2023/09/11 12:57:57

Iptables-Firewalld Conversion

Post by merveyil » 2023/09/11 13:09:32

Hello, we are using CentOS 7.9. Since CentOS 7 will reach end of life we are moving to CentOS 8. So we decided to convert our iptables rules to firewalld rules.
I am new to firewalld. I think I get the concepts, but since we have complex rules in our system I am struggling to convert them to firewalld rules. For example, I have a bunch of rules like the ones below:


iptables -A INPUT -i eth1 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 8080,10077 -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m udp --dport 161:162 -j ACCEPT
As you can see, we have source and destination ports here. So I decided to create a service for each one. For the first one I created a service like this:


<?xml version="1.0" encoding="utf-8"?>
<service>
  <description>description</description>
  <!-- "port" is the destination port; an iptables range such as 161:162 is written 161-162 here -->
  <port protocol="tcp" port="8080"/>
  <port protocol="tcp" port="10077"/>
  <!-- A <protocol value="tcp"/> element was removed here: it matches every TCP packet
       regardless of port, so it would have accepted all TCP traffic into the zone. -->
  <!-- firewalld installs this source-port match as its own accept rule; it is not
       combined with the port elements above. Check "nft list ruleset" after loading. -->
  <source-port protocol="tcp" port="1024-65535"/>
</service>
But I am not sure this is right, because as you can see we have destination ports in our iptables rules but I cannot find "a destination port configuration" for a firewalld service. By the way, my default zone is public right now, so the eth1 interface zone is public. I am not even sure it needs to be public. As you can see, I'm quite confused. I need some help converting these rules. Thank you for your help.
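
A worked conversion of the two rules quoted above, added here as an example; it is not the poster's code and not part of firewalld. It parses `iptables -A INPUT ... -j ACCEPT` lines of exactly the shape shown, writes a firewalld service file that carries only the destination ports, and reports everything it deliberately leaves out. Two things are left out on purpose: firewalld turns each `<port>` and each `<source-port>` element of a service into a separate accept rule (it does not AND them together the way `--sport ... --dports` are ANDed inside one iptables rule), so a `<source-port>` of 1024-65535 on its own would accept almost any TCP connection to any port; and a `<protocol value="tcp"/>` element accepts the whole protocol. The service name `custom-app` and the interface-to-zone binding are assumptions for the illustration.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed input: the two rules quoted in the post above.
IPTABLES_RULES = """
iptables -A INPUT -i eth1 -p tcp -m tcp --sport 1024:65535 -m multiport --dports 8080,10077 -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m udp --dport 161:162 -j ACCEPT
"""

# Options that take a value. Anything else is recorded as unhandled so the
# converter never silently drops a match it does not understand.
TWO_ARG = {"-A", "-m", "-p", "-i", "-o", "-j", "-s", "-d",
           "--dport", "--dports", "--sport", "--sports"}


def parse_rule(line):
    """Extract chain, protocol, interface, target and port matches from one
    `iptables -A ...` line. Only the options used in the post are mapped."""
    argv = shlex.split(line)
    rule = {"chain": None, "proto": None, "iface": None, "target": None,
            "dports": [], "sports": [], "unhandled": []}
    i = 1 if argv and argv[0] == "iptables" else 0
    while i < len(argv):
        opt = argv[i]
        if opt in TWO_ARG:
            val = argv[i + 1]
            i += 2
        else:
            rule["unhandled"].append(opt)
            i += 1
            continue
        if opt == "-A":
            rule["chain"] = val
        elif opt == "-p":
            rule["proto"] = val
        elif opt == "-i":
            rule["iface"] = val
        elif opt == "-j":
            rule["target"] = val
        elif opt in ("--dport", "--dports"):
            rule["dports"] += val.split(",")
        elif opt in ("--sport", "--sports"):
            rule["sports"] += val.split(",")
        # "-m tcp", "-m udp", "-m multiport" only load a match module: nothing to map.
    return rule


def fw_port(spec):
    """iptables writes ranges as 161:162, firewalld as 161-162."""
    return spec.replace(":", "-")


def build_service(name, rules):
    """Return (xml_text, dropped) for a firewalld service allowing the
    destination ports of the given INPUT/ACCEPT rules.

    Only <port> elements are emitted: a <source-port> element becomes a
    separate accept rule in firewalld (not AND-ed with <port>), and a
    <protocol> element accepts the whole protocol. Everything the service
    cannot express is returned in `dropped` for review instead of being lost."""
    svc = ET.Element("service")
    ET.SubElement(svc, "short").text = name
    ET.SubElement(svc, "description").text = "Generated from iptables INPUT rules"
    dropped = []
    for r in rules:
        if r["chain"] != "INPUT" or r["target"] != "ACCEPT":
            dropped.append(f"chain {r['chain']} / target {r['target']}: not an INPUT ACCEPT rule")
            continue
        for p in r["dports"]:
            ET.SubElement(svc, "port", protocol=r["proto"], port=fw_port(p))
        for p in r["sports"]:
            dropped.append(f"--sport {p} ({r['proto']}): a service cannot AND a source port with a destination port")
        note = f"-i {r['iface']}: bind the interface to the zone instead (firewall-cmd --zone=ZONE --change-interface={r['iface']})"
        if r["iface"] and note not in dropped:
            dropped.append(note)
        for opt in r["unhandled"]:
            dropped.append(f"unhandled option {opt}")
    if hasattr(ET, "indent"):          # Python 3.9+: pretty-print like the stock service files
        ET.indent(svc, space="  ")
    xml = '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(svc, encoding="unicode")
    return xml, dropped


def install_commands(name, zone="public"):
    """Commands to activate the service once the XML is saved under /etc/firewalld/services/."""
    return [
        f"# save the XML as /etc/firewalld/services/{name}.xml, then:",
        "firewall-cmd --reload",
        f"firewall-cmd --permanent --zone={zone} --add-service={name}",
        "firewall-cmd --reload",
        "nft list ruleset   # confirm that only dport matches were added",
    ]


if __name__ == "__main__":
    rules = [parse_rule(l) for l in IPTABLES_RULES.strip().splitlines()]
    xml, dropped = build_service("custom-app", rules)   # "custom-app" is a hypothetical name
    print(xml)
    for d in dropped:
        print("NOT CONVERTED:", d)
    print("\n".join(install_commands("custom-app")))
```

Whatever the converter drops is printed, not hidden: the source-port restriction to the ephemeral range (which on its own adds no real protection) and the `-i eth1` interface match, which in firewalld belongs to the zone, not the service.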

TrevorH
Site Admin
Posts: 32963
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Iptables-Firewalld Conversion

Post by TrevorH » 2023/09/11 14:13:29

Do not convert to CentOS Linux 8 as it is ALREADY dead. There is no CentOS 8 or 9, only the beta known as Stream. There are other rebuilds of RHEL 8 and 9 by Alma, Rocky and Oracle, use one of those.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4406
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Iptables-Firewalld Conversion

Post by jlehtone » 2023/09/11 16:18:15

First, the kernel in RHEL 8 has nf-tables. (Actually, RHEL 7 kernel has it too, since ~7.4.)
Therefore, the tool 'iptables' is not the legacy iptables that talks to netfilter in the kernel, but a
wrapper/translator that accompanies tool 'nft' that talks to nf-tables. The translation does not cover 100%.

You can see all the rules that are in the kernel with: nft list ruleset

RHEL 8 and 9 have two mutually exclusive services: firewalld.service and nftables.service,
just like RHEL 7 had firewalld.service and iptables.service (and now also nftables.service).
merveyil wrote:
2023/09/11 13:09:32
we have complex rules in our system
You are new to FirewallD and nf-tables, so you could choose either one. The nftables.service
is like iptables.service; it loads the ruleset at boot; there is no daemon that runs in the background.

There should be a translator script that takes your iptables ruleset and attempts to write
equivalent nftables rules. See https://access.redhat.com/documentation ... networking


Summary:
  1. Do as Trevor recommends and pick one of the rebuilds
  2. Check whether the nftables is less confusing than the FirewallD
(I do assume that you know why you have what you have in iptables, so picking equivalent bits with nftables
should be doable -- starting to think the "FirewallD way" and getting it to do all the things you need is what it is.)

jlehtone
Posts: 4406
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Iptables-Firewalld Conversion

Post by jlehtone » 2023/09/11 16:36:35

For completeness:
merveyil wrote:
2023/09/11 13:09:32
But i am not sure this is right because as you can see we have destionation ports in our iptables rules but i cannot find "a destination port configuration" for a firewalld service. By the way my default zone is public right now. So eth1 interface zone is public. I am not even sure it needs to be public. As you can see, I'm quite confused. I need some help converting these rules. Thank you for your help
https://firewalld.org/documentation/how ... rvice.html says that "port" is destination port, and "source-port" is source port, so that part looks ok?

FirewallD is built around the concept of a "zone". A zone is a set of remote machines, clients. Each zone has its own set of rules.
If the same rules apply to all machines that connect to this host, then they are all in the same zone. One just has to give the right rules for that zone.

The https://access.redhat.com/documentation ... _on_source also shows that a "source port" can be part of the definition of a zone, rather than of a rule.

merveyil
Posts: 4
Joined: 2023/09/11 12:57:57

Re: Iptables-Firewalld Conversion

Post by merveyil » 2023/09/12 09:32:00

TrevorH wrote:
2023/09/11 14:13:29
Do not convert to CentOS Linux 8 as it is ALREADY dead. There is no CentOS 8 or 9, only the beta known as Stream. There are other rebuilds of RHEL 8 and 9 by Alma, Rocky and Oracle, use one of those.
Sorry, I made a mistake; actually we are moving to RHEL 8, not CentOS 8.

merveyil
Posts: 4
Joined: 2023/09/11 12:57:57

Re: Iptables-Firewalld Conversion

Post by merveyil » 2023/09/12 09:33:45

jlehtone wrote:
2023/09/11 16:36:35
For completeness:
merveyil wrote:
2023/09/11 13:09:32
But I am not sure this is right, because as you can see we have destination ports in our iptables rules but I cannot find "a destination port configuration" for a firewalld service. By the way, my default zone is public right now, so the eth1 interface zone is public. I am not even sure it needs to be public. As you can see, I'm quite confused. I need some help converting these rules. Thank you for your help.
https://firewalld.org/documentation/how ... rvice.html says that "port" is destination port, and "source-port" is source port, so that part looks ok?

FirewallD is built around the concept of a "zone". A zone is a set of remote machines, clients. Each zone has its own set of rules.
If the same rules apply to all machines that connect to this host, then they are all in the same zone. One just has to give the right rules for that zone.

The https://access.redhat.com/documentation ... _on_source also shows that a "source port" can be part of the definition of a zone, rather than of a rule.
Which part of the documentation says it is the destination port? I am sorry, I couldn't find it.

merveyil
Posts: 4
Joined: 2023/09/11 12:57:57

Re: Iptables-Firewalld Conversion

Post by merveyil » 2023/09/12 09:35:45

jlehtone wrote:
2023/09/11 16:18:15
First, the kernel in RHEL 8 has nf-tables. (Actually, RHEL 7 kernel has it too, since ~7.4.)
Therefore, the tool 'iptables' is not the legacy iptables that talks to netfilter in the kernel, but a
wrapper/translator that accompanies tool 'nft' that talks to nf-tables. The translation does not cover 100%.

You can see all the rules that are in the kernel with: nft list ruleset

RHEL 8 and 9 have two mutually exclusive services: firewalld.service and nftables.service,
just like RHEL 7 had firewalld.service and iptables.service (and now also nftables.service).
merveyil wrote:
2023/09/11 13:09:32
we have complex rules in our system
You are new to FirewallD and nf-tables, so you could choose either one. The nftables.service
is like iptables.service; it loads the ruleset at boot; there is no daemon that runs in the background.

There should be a translator script that takes your iptables ruleset and attempts to write
equivalent nftables rules. See https://access.redhat.com/documentation ... networking


Summary:
  1. Do as Trevor recommends and pick one of the rebuilds
  2. Check whether the nftables is less confusing than the FirewallD
(I do assume that you know why you have what you have in iptables, so picking equivalent bits with nftables
should be doable -- starting to think the "FirewallD way" and getting it to do all the things you need is what it is.)
I had to convert the rules to firewalld. It was already chosen, not by me. Thank you for your answer.

jlehtone
Posts: 4406
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Iptables-Firewalld Conversion

Post by jlehtone » 2023/09/12 12:14:15

merveyil wrote:
2023/09/12 09:33:45
Which part of documentation says it is destination port? I am sorry i couldnt find it.
My bad, that is not written explicitly.

We do know that the (xml) definition can have attributes "port" and "source-port".
Can we be confident that the "source-port" is a source port? I think so.
That leaves the "port". What is it, if not destination port?


We can also look at the pre-defined services, like ssh (with firewall-cmd or the files in
/usr/lib/firewalld/services/); then we see that it has (only) the "port" attribute.
(Note: All customizations belong to /etc/firewalld/.)

The ssh service is in the zone public by default. If you have not changed that yet
and look at the rules with nft list ruleset, then you will see the rule for 22/tcp and that is
a destination port match. (Assuming you learn to read the nf-tables rules.)

Your own custom service has two types of ports, and once it is in use you would see what type of matches
it generates.
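
The check described above, as an added example that is not part of the original post: read the zone's allow chain out of `nft list ruleset` and classify each accept rule by what it actually matches. The sample ruleset is constructed to approximate what firewalld on RHEL 8/9 prints for the public zone (its stock ssh and dhcpv6-client rules, followed by what a custom service with `<port>`, `<source-port>` and `<protocol>` elements would add); it was not captured from a real host. Rules that match only a source port, or a bare `meta l4proto`, accept far more than a destination-port rule does and are reported as overly broad.

```python
import re
import sys

# Constructed sample, shaped like firewalld's `nft list ruleset` output
# (firewalld 0.9/1.x). Not copied from a real host.
NFT_SAMPLE = """\
table inet firewalld {
    chain filter_IN_public_allow {
        tcp dport 22 ct state { new, untracked } accept
        ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
        tcp dport 8080 ct state { new, untracked } accept
        tcp dport 10077 ct state { new, untracked } accept
        udp dport 161-162 ct state { new, untracked } accept
        tcp sport 1024-65535 ct state { new, untracked } accept
        meta l4proto tcp ct state { new, untracked } accept
    }
}
"""

PORT_RE = re.compile(r"\b(tcp|udp|sctp|dccp)\s+(dport|sport)\s+(\S+)")
L4PROTO_RE = re.compile(r"\bmeta l4proto\s+(\S+)")


def audit_allow_chain(ruleset, chain="filter_IN_public_allow"):
    """Classify every accept rule in one chain of `nft list ruleset` output.

    Returns a list of (rule_text, kind) where kind is:
      'dport'          matches a destination port (what a <port> element gives)
      'sport-only'     matches only a source port: any destination port is accepted
      'whole-protocol' bare `meta l4proto`: the entire protocol is accepted
      'other'          something else; read it by hand
    """
    findings = []
    in_chain = False
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith("chain "):
            in_chain = line.split()[1] == chain
            continue
        if line == "}":
            in_chain = False
            continue
        if not in_chain or not line.endswith(" accept"):
            continue
        ports = PORT_RE.findall(line)
        if any(field == "dport" for _, field, _ in ports):
            kind = "dport"
        elif ports:
            kind = "sport-only"
        elif L4PROTO_RE.search(line):
            kind = "whole-protocol"
        else:
            kind = "other"
        findings.append((line, kind))
    return findings


def overly_broad(findings):
    """The rules a reviewer should question before trusting the zone."""
    return [rule for rule, kind in findings if kind in ("sport-only", "whole-protocol")]


if __name__ == "__main__":
    # On a real host:  nft list ruleset | python3 audit_firewalld.py
    ruleset = sys.stdin.read() if not sys.stdin.isatty() else NFT_SAMPLE
    findings = audit_allow_chain(ruleset)
    for rule, kind in findings:
        print(f"{kind:15} {rule}")
    sys.exit(1 if overly_broad(findings) else 0)
```

Run with the sample, the five destination-port rules are reported as `dport`, while the `tcp sport 1024-65535` rule and the `meta l4proto tcp` rule come out as overly broad: those are exactly what a `<source-port>` and a `<protocol>` element in the custom service would install, and neither is a translation of the original iptables rule.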

jlehtone
Posts: 4406
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Iptables-Firewalld Conversion

Post by jlehtone » 2023/09/12 12:29:54

merveyil wrote:
2023/09/12 09:35:45
I had to convert the rules to firewalld. It is already chosen not by me. Thank you for your answer.
Although you have to use FirewallD, that does not dictate how to configure it.
Rather than talking directly to firewalld, one can use an Ansible playbook.
See https://www.redhat.com/en/blog/automati ... stem-roles
and https://access.redhat.com/documentation ... stem-roles

That is obviously yet another layer of abstraction (and a thing to learn) on top of the abstraction that is FirewallD.
On the bright side, if you can express your setup as Ansible inventory, then you don't need to learn how to configure
FirewallD directly. Furthermore, the play and inventory (with version control) is easy to backup and reapply,
which is awesome automation.


The only question that remains: can you reproduce your "complex rules"? The "System Roles" may not support all of
FirewallD's features, and FirewallD has not supported all of the kernel's possibilities. On the other hand,
if your rules are "too" complex, are they actually unnecessarily complex?

---

Red Hat documentation for RHEL 9 https://access.redhat.com/documentation ... o-nftables still writes:
2.1.1. When to use firewalld, nftables

The following is a brief overview in which scenario you should use one of the following utilities:
  • firewalld: Use the firewalld utility for simple firewall use cases. The utility is easy to use and covers the typical use cases for these scenarios.
  • nftables: Use the nftables utility to set up complex and performance-critical firewalls, such as for a whole network.
In other words, the ones that made the choice -- were they aware of that?
