Monday, April 22, 2013

Fedora 18 : disable firewalld & install iptables


Changing back to IPTables in Fedora 18

How to enable iptables(instead of firewalld) services on Fedora 18?


systemctl disable firewalld.service
systemctl stop firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
systemctl start iptables.service
systemctl start ip6tables.service

yum -y install iptables-services iptables-utils



Firewall

Currently the developers of Fedora are trying to reinvent the wheel using some wrappers. I like what they are trying to do with systemd but I am not satisfied their firewall attempts. I like the good old tools so we have to fix some minor issues. Because I upgraded from Fedora 17 to Fedora 18 I have to remove some other tools.
I want to revert back to our good-old iptables stuff.


removing unwanted stuff

# removing UFW - Uncomplicated Firewall (from F17 LiveDVD Setup)
systemctl disable ufw.service
systemctl stop ufw.service
yum remove ufw

# removing firewalld (from F18 Upgrade)
systemctl disable firewalld.service
systemctl stop firewalld.service
yum remove firewalld firewall-config firewall-appled
                                               
# disabling ip6tables
systemctl disable ip6tables.service
systemctl stop ip6tables.service

# enabling iptables
systemctl enable iptables.service
systemctl start ip6tables.service


FYI: the firwall startup process

When I fixed this issue I found some good-to-know dependencies.
/bin/systemctl status  iptables.service

-- calls --> /usr/lib/systemd/system/iptables.service
--- calls --> /etc/sysconfig/iptables (iptables-rules like iptables-save)

-- calls --> /usr/libexec/iptables/iptables.init
--- calls --> /etc/sysconfig/iptables (iptables-rules like iptables-save)
--- calls --> /etc/sysconfig/iptables-config (default-behaviour)


Issues

WARNING: The state match is obsolete. Use conntrack instead
I am now trying to restart the good old firwall. It seems to work, but there were some issues.
systemctl status iptables
iptables.service - IPv4 firewall with iptables
          Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
          Active: active (exited) since Mo 2013-02-04 18:01:39 CET; 5min ago
         Process: 345 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)

Feb 04 18:01:37 vmama systemd[1]: Starting IPv4 firewall with iptables...
Feb 04 18:01:38 vmama iptables.init[345]: iptables: Applying firewall rules: WARNING: The state match is obsolete. Use conntrack instead.
Feb 04 18:01:38 vmama iptables.init[345]: WARNING: The state match is obsolete. Use conntrack instead.
Feb 04 18:01:39 vmama iptables.init[345]: [  OK  ]
Feb 04 18:01:39 vmama systemd[1]: Started IPv4 firewall with iptables.
There were some syntax-changes in iptables so we have to fix these rules wherever we find them. Typically in all your custom iptables-save rules and inside our default-location at /etc/sysconfig/iptables

Replace every occurrence of -m state --state -m conntrack --ctstate and reload your rules. I decided to use the default iptables config file instead of iptables -A
# backup the existing (default) configuration file (created by system-config-firewall)
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig
# backup the existing rules
iptables-save > /etc/sysconfig/iptables
Now modify the file /etc/sysconfig/iptables

# OLD
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# NEW
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# restore the settings
iptables-restore < /etc/sysconfig/iptables


Issue fixed
[root@vmama sysconfig]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
          Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
          Active: active (exited) since Mo 2013-02-04 18:34:36 CET; 53min ago
         Process: 1037 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
         Process: 1083 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)

Feb 04 18:34:36 vmama systemd[1]: Starting IPv4 firewall with iptables...
Feb 04 18:34:36 vmama iptables.init[1083]: iptables: Applying firewall rules: [  OK  ]
Feb 04 18:34:36 vmama systemd[1]: Started IPv4 firewall with iptables.



Internet Connection Sharing using iptables

iptables can be used to share an internet connection from a Linux system. Another method of doing this is using a proxy server like squid.

Enable IP forwarding

Run as root
sysctl -w net.ipv4.ip_forward=1
To enable it in system startup, edit the file /etc/sysctl.conf and set
net.ipv4.ip_forward = 1

iptables

Run command as root
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save 

Status


# iptables -t nat -L POSTROUTING 
cat /proc/sys/net/ipv4/ip_forward
1

# iptables -L

iptables-restore under f18
http://forums.fedoraforum.org/showthread.php?t=284675

Hello! I set up my iptables in fedora 18, saved them to "/etc/iptables.save" and wanted to add the "iptables-restore" command in /etc/rc.local... Well the file doesn't exist anymore under that path - where can I now put this restore-command so that my iptables are being loaded with every boot - preferable before network starts.
 

Auto running commands at boot

IF AT BOOT MUST RUN A SCRIPT : 
http://pantestmb.blogspot.ro/2013/09/fedora-systemctl-start-rc-local.html

No comments:

Post a Comment