How I reverted from firewalld to iptables — and why


First, let’s get something straight. Linux has only one firewall. One.

Netfilter is part of the Linux kernel. It implements the logic contained in a series of rules that describe how each network packet is to be handled: it inspects every packet and decides its disposition based on those rules. Every firewall front-end has relied on Netfilter since about 1998, when Rusty Russell began the project.

IPTables

The IPTables front-end, the user interface, was developed by Russell at the same time. IPTables is used to create the rules that Netfilter uses to process each packet. Later user-space tools such as nftables and firewalld also manage rule sets and rely on Netfilter for the actual packet handling.

I’ve used IPTables for a long time. Its rule structure is easy to understand, and the default rule sets are simple. They can be created and modified with iptables commands or, the way I prefer, by editing /etc/sysconfig/iptables with your favorite editor and then running the simple command iptables-restore /etc/sysconfig/iptables.

A typical default rule set looks like the one in Figure 1. It blocks everything except inbound SSH on TCP port 22.

# cat iptables.orig 
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

For most of the hosts in my home lab, this simple set of default rules is perfect. Only my firewall and server need some additional rules.

And this is the perfect point to mention that every host on my network, physical and virtual, has an active firewall. One of my Linux hosts acts as the firewall and router for the entire network, so it requires a more complex set of rules, ones that are easier to create with IPTables. Another host is a server that provides services to my network such as NTP, DHCP, DNS, and more; it also acts as my web server and email server. It, too, requires a set of rules that are best created and implemented with IPTables.

There’s something about firewalld

Firewalld is yet another front-end that creates rule sets used by Netfilter. It replaces IPTables and has been in use on Fedora since Fedora 18 — about 11 years. firewalld provides less experienced SysAdmins with an interface that isolates them from the details of the actual rules. It provides a preconfigured set of zones that can be used to assign a specific rule-set to a network interface. SysAdmins can create their own zones and modify the existing ones to meet their unique use cases.

FOSS Linux has a good article, iptables vs. firewalld: Choosing your Linux firewall solution, which makes a comparison between both firewall front-ends.

After using firewalld on most of my hosts for several years, I determined that its command syntax is overly complex for my needs. I never did manage to use firewalld successfully on my Linux firewall host. Its use of many defined zones, and of permanent rules versus temporary rules, makes its implementation more complex than it needs to be for most use cases. I decided to revert to IPTables on all my hosts.

Reverting to IPTables

The procedure to revert to IPTables is fairly simple and requires only a few commands.

Install the iptables-services package.

# dnf install -y iptables-services

Disconnect the host from the network by turning down the network interface or stopping NetworkManager. We do this so the host is not exposed during the window in which firewalld is disabled and IPTables has not yet started. The nmcli commands below don’t require root privilege; any locally logged-in user can run them. Of course, they can also be run as root.

First list the network connections, then turn down “Wired connection 1”, or whatever the connection is named on your host. You can also use the connection UUID in the nmcli commands. The backslashes ( \ ) are required so that the connection name is passed as a single argument rather than three. Quoting the entire name, “Wired connection 1”, does the same thing.

$ nmcli connection show
NAME                UUID                                  TYPE      DEVICE 
Wired connection 1  cc156e1d-296d-327d-8328-c415b19f45f0  ethernet  enp0s3 
lo                  9c6f3dbb-d86a-47f7-bc6d-cc987995f2cf  loopback  lo 
$ nmcli connection down Wired\ connection\ 1 
Connection 'Wired connection 1' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)

Stop and disable firewalld.

# systemctl disable --now firewalld
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".

Enable and start IPTables.

# systemctl enable --now iptables
Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.

Verify that the IPTables service is active and that the rule set has been loaded. These commands must be run as root.

# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
     Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (exited) since Fri 2024-10-18 09:21:11 EDT; 39min ago
    Process: 1821 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
   Main PID: 1821 (code=exited, status=0/SUCCESS)
        CPU: 29ms

Oct 18 09:21:11 testvm1.both.org systemd[1]: Starting iptables.service - IPv4 firewall with iptables...
Oct 18 09:21:11 testvm1.both.org iptables.init[1821]: iptables: Applying firewall rules: [  OK  ]
Oct 18 09:21:11 testvm1.both.org systemd[1]: Finished iptables.service - IPv4 firewall with iptables.

# iptables-save
# Generated by iptables-save v1.8.10 (nf_tables) on Fri Oct 18 09:59:44 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1111:105170]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Oct 18 09:59:44 2024

Turn up the network interface.

$ nmcli connection up Wired\ connection\ 1 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3

You’ve successfully completed the reversion to IPTables.
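Before running iptables-restore on an edited /etc/sysconfig/iptables, while the interface is still down, it is worth linting the file for the two mistakes that bite at this step: a rule set that leaves INPUT wide open, and one that rejects your own SSH session. The check below is an added example, not code from the original post; it assumes the iptables-save file format used by the iptables service and writes two constructed sample files to a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post: a pre-flight lint for an
# iptables-save style rule file such as /etc/sysconfig/iptables, meant to run
# before iptables-restore while the interface is still down. It checks that:
#   loopback and RELATED,ESTABLISHED are accepted, the SSH port is allowed on
#   INPUT (no lock-out), and INPUT ends in REJECT/DROP or has a DROP policy.
# Usage: check_ruleset FILE [SSHPORT]; returns 0 when every check passes.
check_ruleset() {
  file=$1; port=${2:-22}; ok=0
  # Keep only the *filter table, dropping comment lines and other tables.
  rules=$(awk '/^\*filter/{f=1;next} /^COMMIT/{f=0} f && !/^#/' "$file")
  input=$(printf '%s\n' "$rules" | grep -- '^-A INPUT ' || true)
  printf '%s\n' "$rules" | grep -q '^:INPUT ' \
    || { echo "FAIL: no INPUT chain in filter table"; ok=1; }
  printf '%s\n' "$input" | grep -q -- '-i lo -j ACCEPT' \
    || { echo "FAIL: loopback not accepted"; ok=1; }
  printf '%s\n' "$input" | grep -q -- 'RELATED,ESTABLISHED -j ACCEPT' \
    || { echo "FAIL: RELATED,ESTABLISHED not accepted"; ok=1; }
  printf '%s\n' "$input" | grep -q -- "--dport $port -j ACCEPT" \
    || { echo "FAIL: SSH port $port not allowed, you would be locked out"; ok=1; }
  policy=$(printf '%s\n' "$rules" | awk '/^:INPUT /{print $2}')
  last=$(printf '%s\n' "$input" | tail -n 1)
  case "$last" in
    "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*) ;;
    *) [ "$policy" = DROP ] \
         || { echo "FAIL: INPUT has no final REJECT/DROP and policy is not DROP"; ok=1; } ;;
  esac
  return $ok
}

# Constructed samples: the post's default rule set, and a copy with the SSH
# rule and the catch-all REJECT stripped out (both open and lock-out-prone).
tmp=$(mktemp -d)
cat > "$tmp/good.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
grep -v -e '--dport 22' -e '^-A INPUT -j REJECT' "$tmp/good.rules" > "$tmp/open.rules"
check_ruleset "$tmp/good.rules" && echo "good.rules: safe to iptables-restore"
check_ruleset "$tmp/open.rules" || echo "open.rules: do NOT load this"
```

Run it against your real file with check_ruleset /etc/sysconfig/iptables before step 4, and only bring the interface back up once it passes.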

Summary

Although firewalld provides a powerful and usable front-end for the Netfilter kernel firewall, it’s far more complicated than most of us need, both in terms of the complexity of its rules, and the complexity of the commands needed to change those rules. However, if you only have a small number of hosts in a simple network, and everything is working fine, meaning that you don’t ever need to modify the firewall rules, I do recommend using firewalld. No point in changing something that’s working.

If you have some reasons to change the firewall because your needs are more complex, by all means consider reverting to IPTables. IPTables provides the SysAdmin with much better and direct control over the firewall rules and the rule sets can be more finely tuned to specific use cases than those of firewalld.

And if your needs are very complex with many hosts and servers, the complex rule sets with many different zones provided by firewalld might be the best option. The firewalld command set offers the flexibility to create things like DMZ, server, and internal trusted zones.

Finally, you might find a combination of firewalld and IPTables on different hosts to be your best solution.
