Convert CentOS 7 FirewallD to iptables
On Centos 7, the default firewall is firewalld. Even though this is just a shell interface to configure iptables, it has its limits when it comes to applying advanced rules and customizing your firewall.
You can fix this by getting rid of firewalld and only using iptables rules.
Do not uninstall firewalld as fail2ban has a built-in dependency on firewalld.
We can bypass this, but in this case, we will just disable firewalld.
Convert to iptables
Run the commands below, in the order given, to make the switch.
- Save your existing firewall rules (iptables-save writes the format that /etc/sysconfig/iptables expects)
iptables-save | tee ~/fwd_oldiptables.rules
- Install iptables services
yum install iptables-services
- Create a new ruleset from your old one and edit it as needed
cat ~/fwd_oldiptables.rules > /etc/sysconfig/iptables
- Stop and disable your firewalld
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
- Enable and start iptables
systemctl enable iptables
systemctl start iptables
- Check firewalld status (it should report "not running")
firewall-cmd --state
iptables Rules
Remember the basic principle of all good firewalls – DENY ALL, ALLOW SOME.
First, make a list of service ports you need open. SSH (port 22) and the ping/traceroute protocol (ICMP) are good starting points.
While we are at it, let’s rate limit ICMP so that we are less susceptible to a ping flood.
We must also allow any traffic that has been requested by our server back in, with an ACCEPT for RELATED or ESTABLISHED traffic. All OUTBOUND traffic is ok and all FORWARD traffic will get dropped, as we are not a router or a switch.
We must put the following in our /etc/sysconfig/iptables file.
# The *filter header and the closing COMMIT are required by iptables-restore,
# which is what the iptables service uses to load this file.
*filter
### Set Policies ###
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
### Set Rules ###
## ICMP ##
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
## SSH ##
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
## Local Loop ##
-A INPUT -i lo -j ACCEPT
## Returning Traffic ##
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
## Deny all else ##
-A INPUT -j DROP
COMMIT
Now run
systemctl restart iptables
You can check your rules with
iptables -nvL
As a test, you can run the command below, where x.x.x.x represents your server IP.
ping -f -c 100 x.x.x.x
Be sure to do this from a different server and run the ping command as root. What you should see is a high rate of packet loss.
Then try a normal ping and you should see no loss. You can increase the acceptable ping rate if you feel you need to.
Ping rates between 1 and 5 per second are ok, although most legitimate tests should never need more than 1 ping per second.
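Before restarting iptables with a hand-edited file, it is worth checking it for the two mistakes that cost you your SSH session: a file iptables-restore refuses to load, or an SSH accept that sits after the catch-all DROP and therefore never fires. The POSIX shell script below is an added example, not part of the original page or of the iptables project; check_ruleset, write_good_ruleset and write_lockout_ruleset are hypothetical helper names, and the two rulesets it writes are constructed from the rules above (with the *filter and COMMIT framing that iptables-restore requires).

```shell
#!/bin/sh
# check_ruleset.sh - pre-flight lint for an iptables-restore file such as
# /etc/sysconfig/iptables.  Added example, not from the original page; the
# sample rulesets written below are constructed for the demonstration.

# check_ruleset FILE [SSH_PORT]
# Returns 0 when FILE has the framing iptables-restore needs and keeps the
# SSH port reachable ahead of the catch-all DROP; otherwise lists each
# problem on stderr and returns 1.
check_ruleset() {
    file="$1"
    ssh_port="${2:-22}"
    rc=0

    grep -q '^\*filter' "$file" || { echo "$file: missing *filter table header" >&2; rc=1; }
    grep -q '^COMMIT' "$file"   || { echo "$file: missing COMMIT line" >&2; rc=1; }

    # The catch-all must exist and must be the last INPUT rule; anything
    # appended after it is unreachable.
    last_input=$(grep '^-A INPUT' "$file" | tail -n 1)
    [ "$last_input" = "-A INPUT -j DROP" ] \
        || { echo "$file: last INPUT rule is not '-A INPUT -j DROP'" >&2; rc=1; }

    # An ACCEPT for tcp/SSH_PORT must come before that DROP, because rules
    # are evaluated top to bottom.
    awk -v port="$ssh_port" '
        /^-A INPUT -j DROP$/ { seen_drop = 1 }
        /^-A INPUT / && /-p tcp/ && $0 ~ ("--dport " port "( |$)") && /-j ACCEPT/ && !seen_drop { ok = 1 }
        END { exit ok ? 0 : 1 }' "$file" \
        || { echo "$file: no ACCEPT for tcp/$ssh_port before the catch-all DROP" >&2; rc=1; }

    # Without this, replies to the server's own outbound connections are dropped.
    grep -q -- '--state RELATED,ESTABLISHED -j ACCEPT' "$file" \
        || { echo "$file: no RELATED,ESTABLISHED accept" >&2; rc=1; }

    return "$rc"
}

# write_good_ruleset FILE: the page's ruleset with the framing lines (constructed).
write_good_ruleset() {
    cat > "$1" <<'EOF'
*filter
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# write_lockout_ruleset FILE: same rules, but SSH is accepted only after the
# DROP and the COMMIT is missing (constructed to show what the check catches).
write_lockout_ruleset() {
    cat > "$1" <<'EOF'
*filter
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

# Usage: sh check_ruleset.sh /etc/sysconfig/iptables [ssh_port]
if [ -n "${1:-}" ]; then
    check_ruleset "$1" "${2:-22}" && echo "$1: ok"
fi
```

Run it against /etc/sysconfig/iptables before systemctl restart iptables; a non-zero exit means the file needs fixing first. It is a textual check only, so iptables-restore --test < /etc/sysconfig/iptables remains the authoritative syntax check, and keeping a second SSH session open while you restart is still the safest habit.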
Fixing fail2ban
Fail2ban on CentOS is configured to use firewalld by default. To change this, we have to change the default “action” in our “jail” definitions.
First, copy the file /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local with the command below:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now use your favourite editor (vi, vim, pico, nano or joe) to edit the jail.local file. Find the lines that read:
banaction = firewallcmd-multiport
banaction_allports = firewallcmd-allports
The lines may be slightly different, but the important part is banaction = firewallcmd. Now change those two lines to read as follows:
banaction = iptables-multiport
banaction_allports = iptables-allports
Next, we must activate the ssh jail. We can do this in one of two ways.
- Move down in our jail.local file until we locate the [sshd] block marker and insert enabled = true below the [sshd] block marker (not the example which is at the beginning of the file), or
- Cut the [sshd] block out of the jail.local file, with its attending lines, and create a new file under /etc/fail2ban/jail.d/sshd.conf and paste the block in there. Remember to add enabled = true below the [sshd] block marker.
The sshd.conf file should contain the following:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
You may now restart the fail2ban service by running
systemctl restart fail2ban
Check that it works by running the following
iptables -nvL | grep f2b
You should see a few rules appear.
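The two edits above (swapping the banaction lines, then enabling the [sshd] jail) are easy to get wrong in a file that already has an example enabled = false near the top, so here is a scripted version that tracks INI sections instead of matching the first line it finds. It is an added example, not from the original page or from the fail2ban project; switch_banaction, jail_setting, enable_jail and write_sample_jail_local are hypothetical helper names, and the jail.local it writes is a constructed stand-in for the real file.

```shell
#!/bin/sh
# fail2ban_iptables.sh - switch a jail.local from firewallcmd to iptables
# ban actions and make sure the [sshd] jail itself is enabled.  Added
# example, not from the original page; the sample jail.local written below
# is a constructed stand-in for the real file.

# switch_banaction FILE: rewrite the two banaction lines (a no-op if already done).
switch_banaction() {
    sed -e 's/^banaction *= *firewallcmd-multiport/banaction = iptables-multiport/' \
        -e 's/^banaction_allports *= *firewallcmd-allports/banaction_allports = iptables-allports/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# jail_setting FILE SECTION KEY: print KEY's value from [SECTION] only.
# Section tracking is what keeps the [DEFAULT] example block from being
# mistaken for the jail; returns 1 if KEY is not set in that section.
jail_setting() {
    awk -v sect="$2" -v key="$3" '
        /^\[/ { in_sect = ($0 == ("[" sect "]")); next }
        in_sect && /^[^#=]+=/ {
            k = $0; sub(/ *=.*/, "", k)
            v = $0; sub(/^[^=]*= */, "", v)
            if (k == key) { print v; found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# enable_jail FILE SECTION: put "enabled = true" directly under the section
# header, replacing any enabled= line already inside that section.
enable_jail() {
    awk -v sect="$2" '
        /^\[/ { in_sect = ($0 == ("[" sect "]")); print; if (in_sect) print "enabled = true"; next }
        in_sect && /^enabled *=/ { next }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# write_sample_jail_local FILE: a constructed cut-down jail.local with the
# example defaults at the top and an [sshd] block that is not yet enabled.
write_sample_jail_local() {
    cat > "$1" <<'EOF'
[DEFAULT]
# example settings at the top of the file; every jail inherits these
enabled = false
banaction = firewallcmd-multiport
banaction_allports = firewallcmd-allports

[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
EOF
}

# Usage: sh fail2ban_iptables.sh /etc/fail2ban/jail.local
if [ -n "${1:-}" ]; then
    switch_banaction "$1"
    enable_jail "$1" sshd
    echo "sshd jail enabled = $(jail_setting "$1" sshd enabled), banaction = $(jail_setting "$1" DEFAULT banaction)"
fi
```

Point it at your jail.local, then run systemctl restart fail2ban and the iptables -nvL | grep f2b check from above. The section-aware lookup is the part worth keeping: it is also a quick way to confirm, after an edit, that the value fail2ban will actually use came from [sshd] rather than from the defaults.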
Happy Hosting!