FirewallD to iptables on centos7 and fail2ban setup

June 13, 2017 - Guides, Linux, Security


On CentOS 7 the firewall is managed by firewalld, a front end that configures the firewall with iptables underneath.



Although firewalld drives iptables, it does not give you the free hand you may want to set up the firewall exactly the way you like.
To get that back, you can remove firewalld from the picture and use iptables directly, the way you would on previous versions of CentOS.
Let’s start by backing up the iptables configuration, in case you have already some rules applied by firewalld:
iptables -S | tee ~/firewalld_iptables_rules

This writes the current rules to the file firewalld_iptables_rules in your home directory. Note that iptables -S only lists the filter table; use iptables-save if you also want the nat and mangle tables in the backup.
Now let’s install iptables services:
yum install iptables-services
Now create your iptables rules by editing /etc/sysconfig/iptables, the file the iptables service loads on start.

Stop the FirewallD Service and Start the Iptables Service

systemctl stop firewalld && systemctl start iptables
To make sure firewalld is no longer running, run the following command; it should report that firewalld is not running:
firewall-cmd --state

Disable the FirewallD Service and Enable the Iptables Services
systemctl disable firewalld
systemctl mask firewalld
systemctl enable iptables

And you’re done, you can now use iptables like you would on previous versions of centos.

What about fail2ban?
By default the fail2ban package on CentOS 7 is configured to apply its bans through firewalld, so it has to be pointed at iptables as well.

Here’s what you can do to reverse this:

mv /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.OLD

Then go to /etc/fail2ban/jail.d/, rename the default file there as well, and write a new one containing only the jails you want.

Restart fail2ban:
systemctl restart fail2ban

You're now using fail2ban correctly on the server.
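As an added example (not part of the original post), here is a small shell script that renders the two files the post leaves to you, a starting /etc/sysconfig/iptables ruleset and a jail.d file that makes fail2ban ban through iptables, and checks the jail file before restarting the services. It assumes fail2ban from EPEL (whose jail.d/00-firewalld.conf sets the firewalld ban action and which ships the iptables-multiport action), SSH on port 22, and that you review the rules before applying them with --apply as root.

```shell
# Added example (not from the post): render the two files the post leaves
# to the reader: a starting /etc/sysconfig/iptables ruleset and a fail2ban
# jail.d file that bans via iptables. Assumes fail2ban from EPEL (which
# ships the iptables-multiport action) and SSH on port 22. Run as root.

# Minimal host firewall in iptables-save format: default DROP on INPUT,
# allow loopback, established traffic, ICMP and SSH. Edit before applying.
render_iptables_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Jail file with only the sshd jail; banaction overrides the
# firewallcmd-ipset default from jail.d/00-firewalld.conf.
render_fail2ban_jail() {
    cat <<'EOF'
[DEFAULT]
banaction = iptables-multiport
bantime = 3600

[sshd]
enabled = true
port = ssh
logpath = /var/log/secure
EOF
}

# Returns 0 if the given jail file bans with iptables and never mentions
# firewallcmd, so a leftover firewalld action cannot slip back in.
jail_uses_iptables() {
    grep -q '^banaction *= *iptables' "$1" && ! grep -q firewallcmd "$1"
}

# Write both files and restart the services; only when called with --apply.
if [ "${1:-}" = "--apply" ]; then
    render_iptables_rules > /etc/sysconfig/iptables
    render_fail2ban_jail > /etc/fail2ban/jail.d/sshd.local
    jail_uses_iptables /etc/fail2ban/jail.d/sshd.local || exit 1
    systemctl restart iptables fail2ban
fi
```

Without --apply the script only defines the functions, so you can source it and inspect the output of render_iptables_rules before touching the live firewall.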
