How to migrate from iptables to firewalld

jody
Posts: 53
Joined: 2015/05/12 12:58:08

How to migrate from iptables to firewalld

Post by jody » 2019/07/01 09:20:27

I am migrating a CentOS 6 server to CentOS 7, and one of the issues is getting the iptables rules from CentOS 6 into firewalld on CentOS 7.
My problem is that with IPTables you could specify in much more detail what ports to open, and for whom to open them etc.

Is there some tool I can use to convert a dump of my iptables rules to firewalld?

If not, how would I have to call firewall-cmd to achieve the effect of these rules:

Code:

-A INPUT -s xxx.xxx.xxx.0/25 -p tcp -m state --state NEW -m multiport --dports 22222,22223 -j ACCEPT
-A INPUT -s yyy.yyy.yyy.0/18 -p tcp -m state --state NEW -m multiport --dports 22222,22223 -j ACCEPT
-A INPUT -s yyy.yyy.yyy.0/18 -p udp -m state --state NEW -m multiport --dports 22222,22223 -j ACCEPT

or something like this:

Code:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Thanks
Jody

stevemowbray
Posts: 519
Joined: 2012/06/26 14:20:47

Re: How to migrate from iptables to firewalld

Post by stevemowbray » 2019/07/01 11:35:48

One option is just to disable firewalld and enable iptables, so you don't have to change anything.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: How to migrate from iptables to firewalld

Post by jlehtone » 2019/07/01 13:04:55

However, one has to migrate at some point, because 8, like 7, has firewalld but no iptables backend. Therefore, one eventually must adopt the firewalld or the new backend, or whatever is available in 2024 when CentOS 7 expires.


The firewall emphasizes "zones" that decouple "who" and "what" somewhat.

Who:
"Packet arrived from xxx.xxx.xxx.0/25" -> Let zone X handle it
"Packet arrived from yyy.yyy.yyy.0/18" -> Let zone Y handle it
"Packet arrived from interface p1p1" -> Let zone Y handle it
"Packet arrived from interface em2" -> Let zone Z handle it

What:
Zone X: Allow (new) ssh and https connections
Zone Z: Allow all connections


The default in CentOS-7 firewalld is:

Code:

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited

By default, there is nothing in INPUT_direct and INPUT_ZONES_SOURCE.
The default zone is public. It adds just two rules.

The default input filter is thus:

Code:

-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-i lo -j ACCEPT
-p icmp -j ACCEPT
-p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-m conntrack --ctstate INVALID -j DROP
-j REJECT --reject-with icmp-host-prohibited

That is quite close to Jody's second ruleset. The zone public has service ssh (and dhcpv6-client in the IPv6 rules).
One could keep using public and just remove the service from that zone, or change to a different zone.
Zone block is probably what one wants.


For the specific ports to allow:
Define services:

Code:

firewall-cmd --permanent --new-service=myt
firewall-cmd --permanent --service=myt --add-port=22222/tcp
firewall-cmd --permanent --service=myt --add-port=22223/tcp

firewall-cmd --permanent --new-service=myu
firewall-cmd --permanent --service=myu --add-port=22222/udp
firewall-cmd --permanent --service=myu --add-port=22223/udp

Define zones:

Code:

firewall-cmd --permanent --new-zone=mono
firewall-cmd --permanent --zone=mono --add-service=myt
firewall-cmd --permanent --zone=mono --add-source=xxx.xxx.xxx.0/25

firewall-cmd --permanent --new-zone=dual
firewall-cmd --permanent --zone=dual --add-service=myt
firewall-cmd --permanent --zone=dual --add-service=myu
firewall-cmd --permanent --zone=dual --add-source=yyy.yyy.yyy.0/18

One most likely has to reload service/zone definitions from permanent (files) into active (memory) in order to complete all steps:

Code:

firewall-cmd --reload

If one has to change the zone of an interface, then use nmcli:

Code:

nmcli con mod "System em1" connection.zone block

Disclaimer: I have used bits and pieces of firewall-cmd, but never the specific combination above.
Check man firewall-cmd and Red Hat's documentation about firewalld.



EDIT: typo fix
Last edited by jlehtone on 2019/07/02 10:38:17, edited 1 time in total.
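Jody asked at the top of the thread for a tool that converts an iptables dump. The script below is an added example, not something posted in this thread and not part of firewalld itself. It reads iptables-save output, accepts only the simple INPUT rule shape used above (-s source, -p tcp/udp, --dports or --dport, optionally -m state/conntrack NEW, -j ACCEPT) and prints the same permanent service + zone layout of firewall-cmd commands jlehtone described, one zone per source network and one service per port set; every other line is reported as unconverted so it can be checked by hand (rich rules, or simply the firewalld defaults, which already cover RELATED,ESTABLISHED, lo and the final REJECT). The sample dump, the mig- names and the 192.0.2.0/25 and 198.51.100.0/24 documentation prefixes are constructed for the example, standing in for the masked xxx/yyy networks.

```python
"""Emit firewall-cmd commands for simple iptables INPUT ACCEPT rules (added example)."""
import shlex

# Constructed sample dump: the thread's first ruleset with RFC 5737 documentation
# prefixes in place of the masked networks, plus the rules from the second ruleset.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.0/25 -p tcp -m state --state NEW -m multiport --dports 22222,22223 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m state --state NEW -m multiport --dports 22222,22223 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p udp -m state --state NEW -m multiport --dports 22222,22223 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Match extensions whose "-m name" token carries no information we need.
_SKIP_MATCHES = {"state", "conntrack", "multiport", "tcp", "udp"}


def parse_input_accept(line):
    """Parse one '-A INPUT ... -j ACCEPT' rule of the supported shape.

    Returns {"source", "proto", "ports"} or None when the rule needs manual work
    (negations, interface matches, tcp-flags, non-NEW states, other targets).
    """
    toks = shlex.split(line)
    if toks[:2] != ["-A", "INPUT"]:
        return None
    source = proto = target = None
    ports = []
    i = 2
    while i < len(toks):
        tok = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-s":
            source = arg
        elif tok == "-p":
            proto = arg
        elif tok == "-m" and arg in _SKIP_MATCHES:
            pass
        elif tok in ("--state", "--ctstate"):
            if arg != "NEW":          # only NEW-connection filters map onto a zone service
                return None
        elif tok in ("--dports", "--dport"):
            ports.extend(p.replace(":", "-") for p in arg.split(","))  # iptables a:b -> firewalld a-b
        elif tok == "-j":
            target = arg
        else:
            return None               # anything else (-i, !, --tcp-flags, --reject-with, ...)
        i += 2
    if target != "ACCEPT" or not source or proto not in ("tcp", "udp") or not ports:
        return None
    return {"source": source, "proto": proto, "ports": ports}


def convert(dump, prefix="mig"):
    """Return (commands, skipped): firewall-cmd commands recreating the convertible
    rules as permanent services and per-source zones, and the lines left alone."""
    services = {}        # service name -> ["port/proto", ...]
    service_by_key = {}  # (proto, ports) -> service name, so equal port sets share a service
    zones = {}           # source CIDR -> [service names]
    skipped = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line[0] in "*:#" or line == "COMMIT":
            continue                  # table header, chain policy, comment, commit marker
        rule = parse_input_accept(line)
        if rule is None:
            skipped.append(line)
            continue
        key = (rule["proto"], tuple(rule["ports"]))
        if key not in service_by_key:
            name = "%s-%s-%d" % (prefix, rule["proto"], len(service_by_key) + 1)
            service_by_key[key] = name
            services[name] = ["%s/%s" % (p, rule["proto"]) for p in rule["ports"]]
        members = zones.setdefault(rule["source"], [])
        if service_by_key[key] not in members:
            members.append(service_by_key[key])

    cmds = []
    for name, ports in services.items():   # services first: --add-service needs them to exist
        cmds.append("firewall-cmd --permanent --new-service=%s" % name)
        cmds += ["firewall-cmd --permanent --service=%s --add-port=%s" % (name, p) for p in ports]
    for n, (source, names) in enumerate(zones.items(), 1):
        zone = "%s-z%d" % (prefix, n)      # keep zone names short (firewalld limits their length)
        cmds.append("firewall-cmd --permanent --new-zone=%s" % zone)
        cmds.append("firewall-cmd --permanent --zone=%s --add-source=%s" % (zone, source))
        cmds += ["firewall-cmd --permanent --zone=%s --add-service=%s" % (zone, s) for s in names]
    cmds.append("firewall-cmd --reload")  # activate the permanent configuration
    return cmds, skipped


if __name__ == "__main__":
    commands, leftover = convert(SAMPLE_DUMP)
    print("\n".join(commands))
    for line in leftover:
        print("# not converted, check by hand:", line)
```

Run it against `iptables-save` output piped into SAMPLE_DUMP's place and review the "not converted" lines before executing the printed commands; the new zones use firewalld's default target, so anything not listed as a service is rejected for those sources exactly as the final REJECT did on CentOS 6.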

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How to migrate from iptables to firewalld

Post by TrevorH » 2019/07/01 14:59:35

However, one has to migrate at some point, because 8, like 7, has firewalld but no iptables backend.
At one point during the beta this was thought likely, but I think Red Hat must've had significant pushback on that plan because RHEL 8 does contain iptables packages, including iptables-services:

Code:

iptables-1.8.2-9.el8.i686.rpm             2019-05-11 14:22   594K
iptables-1.8.2-9.el8.x86_64.rpm           2019-05-11 14:22   581K
iptables-arptables-1.8.2-9.el8.x86_64.rpm 2019-05-11 14:22    58K
iptables-devel-1.8.2-9.el8.i686.rpm       2019-05-11 14:22    62K
iptables-devel-1.8.2-9.el8.x86_64.rpm     2019-05-11 14:22    62K
iptables-ebtables-1.8.2-9.el8.x86_64.rpm  2019-05-11 14:22    66K
iptables-libs-1.8.2-9.el8.i686.rpm        2019-05-11 14:22   100K
iptables-libs-1.8.2-9.el8.x86_64.rpm      2019-05-11 14:22    96K
iptables-services-1.8.2-9.el8.x86_64.rpm  2019-05-11 14:22    57K
iptables-utils-1.8.2-9.el8.x86_64.rpm     2019-05-11 14:22    69K

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: How to migrate from iptables to firewalld

Post by jlehtone » 2019/07/01 15:37:41

When it rains, it pours. :o

Just noticed yesterday that RHEL 8 has python2. Considering that upstream python2 EoL is 2020, yet RHEL could support to 2029 ...

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How to migrate from iptables to firewalld

Post by TrevorH » 2019/07/01 15:44:18

Well, that's the interesting thing about RHEL8 and its appstream stuff. I gather the plan is that packages in BaseOS will be supported for the entire duration of RHEL8 but appstream packages, those are not. Since I've yet to install it at all, I don't know what things are BaseOS and what are not. But probably off topic in this thread...

jody
Posts: 53
Joined: 2015/05/12 12:58:08

Re: How to migrate from iptables to firewalld

Post by jody » 2019/07/02 07:26:48

I think I'll give jlehtone's suggestion a try.
A question, though:
In your code to define zones you use
firewall-cmd --permanent --new-service=mono.
Shouldn't that be
firewall-cmd --permanent --new-zone=mono?

I know it is possible to write xml files to define the new zones and their services.
Is there a way to write the entirety of zones, services and other settings to a file and read it from there?
(similar to iptables-save and iptables-restore)

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: How to migrate from iptables to firewalld

Post by jlehtone » 2019/07/02 10:37:40

jody wrote:
2019/07/02 07:26:48
I think I'll give jlehtone's suggestion a try.
A question, though:
In your code to define zones you use
firewall-cmd --permanent --new-service=mono.
Shouldn't that be
firewall-cmd --permanent --new-zone=mono?

I know it is possible to write xml files to define the new zones and their services.
Is there a way to write the entirety of zones, services and other settings to a file and read it from there?
(similar to iptables-save and iptables-restore)
You are right. My typo / copy-paste.

man firewall-cmd wrote:

--permanent --new-zone=zone
Add a new permanent and empty zone.

--permanent --new-zone-from-file=filename [--name=zone]
Add a new permanent zone from a prepared zone file with an optional name override.

--permanent --new-service=service
Add a new permanent and empty service.

--permanent --new-service-from-file=filename [--name=service]
Add a new permanent service from a prepared service file with an optional name override.
iptables-save and iptables-restore dump and load (atomically) the entire current ruleset from/to the kernel. One monolithic file. firewalld attempts to provide/maintain modularity. In order to do so it keeps its configuration in multiple files.

One could store all the commands / input files they use when configuring a custom ruleset into a (script) file and then recreate the config on another machine by running that script.

Ansible is "a script" that I recently noticed: https://docs.ansible.com/ansible/latest ... odule.html

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: How to migrate from iptables to firewalld

Post by hunter86_bg » 2019/07/12 03:37:37

I didn't see anyone mention firewalld's rich rules.
There is a very good man page about it.

J-B
Posts: 2
Joined: 2019/10/31 16:52:35

Re: How to migrate from iptables to firewalld

Post by J-B » 2019/10/31 17:35:14

As I see it, you can at least still use your common iptables ruleset (e.g. rules.ipv4) with FirewallD.

On my CentOS 7.7 (stock with FirewallD) I am able to e.g.

Code:

iptables-save > rules.ipv4
And if I see this right, I should then be able to customize this text file to my needs? So as I see it, I should at least be able to migrate any rules from any "older" iptables (in my case Debian 10 Buster) configuration to at least my actual CentOS 7 with FirewallD. Am I overseeing (missing) something?

For reference and as an example:
I e.g. replaced the "-m state" module loading with the newer "-m conntrack" module, as it SHALL be improved as I have read (!), and CentOS 7 is using these CTSTATEs instead of STATEs by default anyway (Debian 10 Buster does not and just provides the opportunity to do so).
So e.g. a Debian 10 Buster iptables rule like

Code:

-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
looks on my CentOS 7 FirewallD now as this

Code:

-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
I am just struggling with the, at least to me, immensely complex CHAIN and REFERENCE complexity of CentOS...
On a Debian 10 there are exactly 3 CHAINs by default and no reference, if I remember right.

So for me it is quite hard to get a real understanding what does what in the NETFILTER on CentOS 7... What by the way was the reason for me to register here.

Anyway, I hope I may have been able to show you a way to at least use your "old" IPTABLES commands with FirewallD, so a migration might become possible or hopefully easier. If I completely misunderstood your point, I apologize for that.
