IPTables not showing firewall rules

wolfrR1der
Posts: 18
Joined: 2020/04/13 17:42:58

IPTables not showing firewall rules

Post by wolfrR1der » 2020/04/13 17:52:15

CentOS Linux release 8.1.1911 (Core) - no GUI installed

Previous versions of CentOS used to show the firewall rules that FirewallD was set up to use; however, my current CentOS 8 install (first time I've installed 8) does not show anything in IPTables. In fact, it shows IPTables is wide open:

[root@Server user]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

However, clearly the server is not wide open. Is this by design, or is something broken on my CentOS 8 build? I can manipulate FirewallD and get what I need done. I am just curious as to why IPTables is showing what it is.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IPTables not showing firewall rules

Post by TrevorH » 2020/04/13 22:21:12

CentOS 8 uses nftables, not native iptables. Try `nft ruleset list` instead. However, the iptables commands are still present and are meant to be a translation layer between nftables and iptables, so something does sound a bit whacky. Are you using the CentOS supplied kernel?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: IPTables not showing firewall rules

Post by jlehtone » 2020/04/14 05:49:36

Netfilter (aka iptables) had (empty) built-in "chains in tables" in the kernel memory. For example, the INPUT, FORWARD, and OUTPUT chains in table filter.

Nftables has nothing by default. Nftables follows an "add only what you need" philosophy.

The nft wrapper "iptables" does actually add equivalents of those empty default chains, if you just look with "iptables -L" or "iptables -S". This is easy to verify by not starting firewalld and then running:


nft list ruleset ; iptables -S ; nft list ruleset
When firewalld does start, it adds both the equivalents of all the netfilter default chains (as rulesets) and firewalld's own rulesets. Firewalld inserts its own rules into its own rulesets. However, some concepts, like the direct rules, are still in iptables syntax and are put into the familiar "netfilter chains".

Firewalld does not follow the "add only what you need" philosophy.

wolfrR1der
Posts: 18
Joined: 2020/04/13 17:42:58

Re: IPTables not showing firewall rules

Post by wolfrR1der » 2020/04/15 12:08:19

Thanks for all the help!

Not sure if I should open a new post but FirewallD isn't showing any of the new services I've added to it. When I look at /etc/firewalld/zones/public.xml I see this:
<service name="ssh"/>
<service name="smtp.xml"/>
<service name="ftp.xml"/>
<service name="rsyncd.xml"/>
<service name="cockpit"/>

However when I run firewall-cmd --list-all I see this:
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Note that none of the other services are active yet and thus not listening. Is that why they aren't listed?

Edit: I was wrong, VSFTPD is on and enabled, but FTP isn't showing in the firewall-cmd list. Even after reboot.

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: IPTables not showing firewall rules

Post by jlehtone » 2020/04/15 12:23:18

How did you add them?
Why do you have ".xml" in names?

Firewalld has live and stored configuration. The latter is accessed with the "--permanent" option of firewall-cmd.
Live config is what the kernel has active in memory.
Stored config is in files and loaded to live during boot.
Both are modified with firewall-cmd.

Note that none of the other services are active yet and thus not listening. Is that why they aren't listed?
No. Firewall does not care what is (or isn't) running in the machine.
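Added example (not from the thread or from firewalld): a small POSIX sh check that reads a firewalld zone file and flags service references that will not resolve, such as the "smtp.xml"-style names above, or names for which no service definition file exists. It assumes the standard definition directories /usr/lib/firewalld/services and /etc/firewalld/services; the sample zone file and service directory are constructed inline so it runs without firewalld installed.

```sh
#!/bin/sh
# Print the service names referenced by a zone XML file, one per line.
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# Report each service reference that cannot be resolved.
# Args: zone file, then one or more service definition directories
# (normally /usr/lib/firewalld/services /etc/firewalld/services).
# Returns 1 if any reference is bad, 0 otherwise.
check_zone_services() {
    zone="$1"; shift
    bad=0
    for svc in $(zone_services "$zone"); do
        case "$svc" in
            *.xml)  # the file suffix is not part of the service name
                echo "BAD: '$svc' - drop the .xml suffix (use '${svc%.xml}')"
                bad=1
                continue ;;
        esac
        found=0
        for dir in "$@"; do
            [ -f "$dir/$svc.xml" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "BAD: '$svc' - no $svc.xml found in: $*"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: the zone file from the thread plus a fake service
# directory. Prints the number of bad references found (3 here).
demo_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/services"
    for s in ssh smtp ftp rsyncd cockpit; do : > "$tmp/services/$s.xml"; done
    cat > "$tmp/public.xml" <<'EOF'
<zone>
  <service name="ssh"/>
  <service name="smtp.xml"/>
  <service name="ftp.xml"/>
  <service name="rsyncd.xml"/>
  <service name="cockpit"/>
</zone>
EOF
    check_zone_services "$tmp/public.xml" "$tmp/services" | grep -c '^BAD'
    rm -rf "$tmp"
}
```

Because firewalld loads the stored zone file at boot, a reference that fails here is exactly one that will be missing from `firewall-cmd --list-all` afterwards.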

wolfrR1der
Posts: 18
Joined: 2020/04/13 17:42:58

Re: IPTables not showing firewall rules

Post by wolfrR1der » 2020/04/15 12:55:34

Oh, that .xml is my problem. Thanks.
