Changing back to IPTables in Fedora 18
How to enable the iptables services (instead of firewalld) on Fedora 18?
yum -y install iptables-services iptables-utils
systemctl disable firewalld.service
systemctl stop firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
systemctl start iptables.service
systemctl start ip6tables.service
Firewall
Currently the Fedora developers are trying to reinvent the wheel with some wrappers. I like what they are doing with systemd, but I am not satisfied with their firewall attempts. I prefer the good old tools, so a few minor issues have to be fixed. Because I upgraded from Fedora 17 to Fedora 18, I also have to remove some other tools. I want to revert to the good old iptables setup.
removing unwanted stuff
# removing UFW - Uncomplicated Firewall (from F17 LiveDVD Setup)
systemctl disable ufw.service
systemctl stop ufw.service
yum remove ufw
# removing firewalld (from F18 Upgrade)
systemctl disable firewalld.service
systemctl stop firewalld.service
yum remove firewalld firewall-config firewall-applet
# disabling ip6tables (only do this if you really do not need an IPv6 firewall)
systemctl disable ip6tables.service
systemctl stop ip6tables.service
# enabling iptables
systemctl enable iptables.service
systemctl start iptables.service
FYI: the firewall startup process
While fixing this I found some good-to-know dependencies.
/bin/systemctl status iptables.service
-- calls --> /usr/lib/systemd/system/iptables.service
--- calls --> /etc/sysconfig/iptables (iptables-rules like iptables-save)
-- calls --> /usr/libexec/iptables/iptables.init
--- calls --> /etc/sysconfig/iptables (iptables-rules like iptables-save)
--- calls --> /etc/sysconfig/iptables-config (default-behaviour)
Issues
WARNING: The state match is obsolete. Use conntrack instead
I am now trying to restart the good old firewall. It seems to work, but there was a warning:
systemctl status iptables
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
Active: active (exited) since Mo 2013-02-04 18:01:39 CET; 5min ago
Process: 345 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Feb 04 18:01:37 vmama systemd[1]: Starting IPv4 firewall with iptables...
Feb 04 18:01:38 vmama iptables.init[345]: iptables: Applying firewall rules: WARNING: The state match is obsolete. Use conntrack instead.
Feb 04 18:01:38 vmama iptables.init[345]: WARNING: The state match is obsolete. Use conntrack instead.
Feb 04 18:01:39 vmama iptables.init[345]: [ OK ]
Feb 04 18:01:39 vmama systemd[1]: Started IPv4 firewall with iptables.
Replace every occurrence of "-m state --state" with "-m conntrack --ctstate" and reload your rules. I decided to edit the default iptables config file (/etc/sysconfig/iptables) instead of issuing "iptables -A" commands.
# back up the existing (default) configuration file (created by system-config-firewall)
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig
# write the currently loaded rules into the configuration file (the .orig copy above is the backup)
iptables-save > /etc/sysconfig/iptables
# edit /etc/sysconfig/iptables and change every state match, e.g.
# OLD
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# NEW
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# restore the settings
iptables-restore < /etc/sysconfig/iptables
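The replacement above can be done mechanically. The following POSIX shell script is an added example and not code from the original post: it rewrites a saved ruleset from the obsolete state match to conntrack (including the negated form "-m state ! --state"), keeps a backup, counts what is left, and, when run as root with iptables-restore available, parse-checks the result with "iptables-restore --test" before trusting it. The sample ruleset inside it is constructed for the demonstration; the file path /etc/sysconfig/iptables is the one the page's iptables.service reads.

```shell
#!/bin/sh
# Added example (not from the original post): migrate a saved iptables ruleset
# from "-m state --state" to "-m conntrack --ctstate".
# Assumption: the file is in iptables-save format, where the match and its
# --state option are always adjacent on the line.

# Rewrite the negated form first, then the plain one; everything else on the
# line (chain, interfaces, ports, targets) is left untouched.
migrate_state_to_conntrack() {
    sed -e 's/-m state ! --state /-m conntrack ! --ctstate /g' \
        -e 's/-m state --state /-m conntrack --ctstate /g'
}

# Number of rules on stdin that still use the state match (0 = warning gone).
count_state_matches() {
    grep -c -- '-m state' || true
}

# Migrate a file in place: back it up, rewrite, then (root only) parse-check
# the new file without committing it; roll back if it does not parse.
migrate_file() {
    rules="$1"
    backup="${rules}.orig"
    [ -f "$rules" ] || { echo "no such file: $rules" >&2; return 1; }
    cp -p "$rules" "$backup"
    migrate_state_to_conntrack < "$backup" > "$rules"
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        # --test builds the ruleset in memory but does not load it
        iptables-restore --test < "$rules" || {
            echo "migrated ruleset failed to parse; restoring backup" >&2
            cp -p "$backup" "$rules"
            return 1
        }
    fi
    echo "migrated $rules (backup in $backup), remaining state matches: $(count_state_matches < "$rules")"
}

# Constructed sample in iptables-save format (not a real system's rules).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state ! --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Dry run over the sample: prints the migrated ruleset.
migrated_sample() {
    printf '%s\n' "$SAMPLE_RULES" | migrate_state_to_conntrack
}

# Usage: ./migrate.sh                          -> dry run on the sample
#        ./migrate.sh /etc/sysconfig/iptables  -> migrate the real file (root)
if [ $# -gt 0 ]; then
    migrate_file "$1"
else
    migrated_sample
fi
```

After migrating the real file, "iptables-restore < /etc/sysconfig/iptables" (or a restart of iptables.service) loads it, and "systemctl status iptables" should no longer show the warning.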
Issue fixed
[root@vmama sysconfig]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
Active: active (exited) since Mo 2013-02-04 18:34:36 CET; 53min ago
Process: 1037 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
Process: 1083 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Feb 04 18:34:36 vmama systemd[1]: Starting IPv4 firewall with iptables...
Feb 04 18:34:36 vmama iptables.init[1083]: iptables: Applying firewall rules: [ OK ]
Feb 04 18:34:36 vmama systemd[1]: Started IPv4 firewall with iptables.
Internet Connection Sharing using iptables
iptables can be used to share an internet connection from a Linux system. Another method of doing this is using a proxy server like squid.
Enable IP forwarding
Run as root:
sysctl -w net.ipv4.ip_forward=1
To enable it at system startup, edit the file
/etc/sysctl.conf
and set
net.ipv4.ip_forward = 1
iptables
Run as root (eth0 is the interface facing the internet):
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
The save action writes the running rules to /etc/sysconfig/iptables, so they survive a reboot; "iptables-save > /etc/sysconfig/iptables" does the same.
Status
# iptables -t nat -L POSTROUTING
# cat /proc/sys/net/ipv4/ip_forward
1
# iptables -L
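The single MASQUERADE rule above, together with the default FORWARD policy of ACCEPT, turns the machine into a relay for anything it can route. The following POSIX shell script is an added example, not code from the original post: it generates a complete ruleset in iptables-save format that closes the FORWARD chain and only lets the LAN prefix out through the WAN interface, using the conntrack match instead of the obsolete state match, so the result can be written straight into /etc/sysconfig/iptables and loaded by iptables.service. Interface names and the LAN prefix are parameters; eth0 as the WAN side is taken from the page, eth1 and 192.168.1.0/24 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): Internet connection sharing with
# a closed FORWARD chain. Assumptions: WAN interface eth0 (as on the page), a
# second NIC eth1 facing the LAN, LAN prefix 192.168.1.0/24.

# Minimal sanity check for an IPv4 prefix such as 192.168.1.0/24.
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# ics_ruleset LAN_IF WAN_IF LAN_NET  -> ruleset in iptables-save format on stdout
ics_ruleset() {
    lan_if="$1"; wan_if="$2"; lan_net="$3"
    valid_cidr "$lan_net" || { echo "bad LAN prefix: $lan_net" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# only traffic that really comes from the LAN prefix is masqueraded
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to LAN-initiated connections (conntrack, not the obsolete state match)
-A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new connections only from the LAN prefix, on the LAN interface, towards the WAN
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# anything else that would be forwarded is logged (rate limited) and hits the DROP policy
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ICS-FORWARD-DROP: "
COMMIT
EOF
}

# Apply: enable forwarding now and at boot, then load the ruleset through the
# same file iptables.service reads. Requires root; not run by default.
ics_apply() {
    ruleset="$(ics_ruleset "$@")" || return 1
    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf || \
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    printf '%s\n' "$ruleset" > /etc/sysconfig/iptables
    systemctl restart iptables.service
}

# Check that forwarding is really on. Reads /proc by default; an explicit path
# argument makes the check usable on a copy of the file.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Usage: ./ics.sh           -> print the ruleset for eth1 (LAN) / eth0 (WAN)
#        ./ics.sh --apply   -> apply it (root)
if [ "${1:-}" = "--apply" ]; then
    ics_apply eth1 eth0 192.168.1.0/24
else
    ics_ruleset eth1 eth0 192.168.1.0/24
fi
```

With this ruleset, "iptables -t nat -L POSTROUTING" and "iptables -L FORWARD" show the source-restricted MASQUERADE and the DROP policy, and hosts on the eth0 side cannot bounce traffic through the box because nothing matches them in FORWARD.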
iptables-restore under f18
http://forums.fedoraforum.org/showthread.php?t=284675
Hello! I set up my iptables in fedora 18, saved them to "/etc/iptables.save" and wanted to add the "iptables-restore" command in /etc/rc.local... Well, the file doesn't exist anymore under that path - where can I now put this restore command so that my iptables are loaded with every boot - preferably before the network starts?
Auto running commands at boot
If a script must be run at boot, see: http://pantestmb.blogspot.ro/2013/09/fedora-systemctl-start-rc-local.html