CentOS 7 - Converting your firewall from Firewalld to Iptables including fail2ban - HostAfrica

On CentOS 7 the default firewall is firewalld. Even though it is only a front end that configures iptables underneath, it has its limits when it comes to applying advanced rules and customising your firewall. You can get around this by setting firewalld aside and managing iptables rules directly. Do not uninstall firewalld, as the fail2ban package on CentOS has a built-in dependency on it. That dependency can be bypassed, but in this case we will simply disable firewalld.

Converting to IPTABLES

The following steps need to be followed:

  • Save your existing firewall rules with “iptables -S | tee ~/fwd_oldiptables.rules”
  • Install the iptables services with “yum install iptables-services”
  • Create a new ruleset from your old one with “cat ~/fwd_oldiptables.rules > /etc/sysconfig/iptables” (and edit it if needed)
  • Stop and disable firewalld with “systemctl stop firewalld”, “systemctl disable firewalld” and “systemctl mask firewalld”
  • Enable and start iptables with “systemctl enable iptables” and “systemctl start iptables”
  • Check the firewalld status with “firewall-cmd --state”

IPTABLES Rules

Remember the basic principle of all good firewalls – DENY ALL, ALLOW SOME.

First, make a list of the service ports you need open. SSH (port 22) and ICMP (the protocol used by ping and traceroute) are a good starting point. While we are at it, let's rate-limit ICMP echo requests so that we are less susceptible to a ping flood. We must also allow traffic that our server itself requested back in, with an ACCEPT for RELATED or ESTABLISHED connections. All OUTBOUND traffic is OK, and all FORWARD traffic will be dropped, as we are not a router or a switch.

We must put the following in our “/etc/sysconfig/iptables” file.

## Table header (required by iptables-restore, which loads this file; "iptables -S" does not print it) ##
*filter
### Set Policies ###
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
### Set Rules ###
## ICMP ##
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
## type 8 is echo-request (ping); accept at most one per second, the rest fall through to the DROP below ##
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
## SSH ##
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
## Local Loop ##
-A INPUT -i lo -j ACCEPT
## Returning Traffic ##
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
## Deny all else (this catch-all is what gives us DENY ALL) ##
-A INPUT -j DROP
## COMMIT ends the table and is also required by iptables-restore ##
COMMIT
##############################################################################

Now run “systemctl restart iptables”. You can check your rules with “iptables -nvL”. As a test, you can run “ping -f -c 100 x.x.x.x”, where x.x.x.x is your server's IP. Be sure to do this from a different server and run the ping command as root. What you should see is a high rate of packet loss. Then try a normal ping and you should see no loss. You can raise the accepted ping rate if you feel you need to. Ping rates between 1 and 5 per second are OK, although most legitimate tests should never need more than 1 ping per second.
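A mistake in “/etc/sysconfig/iptables” (a missing table header, or the SSH rule landing below the catch-all DROP) only shows up once the service restarts, which can mean losing your own session. The following script is an added sanity check, not part of the original post: it verifies the invariants above against a constructed copy of the ruleset (the chain header lines are assumed) before you restart iptables.

```sh
#!/bin/sh
# Added sanity check for an /etc/sysconfig/iptables file before "systemctl restart iptables".
# Not part of the original post. The sample below is a constructed copy of the post's
# ruleset with the chain headers that iptables-restore expects.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT'

# first_line PATTERN FILE: line number of the first matching line, or empty if none
first_line() { grep -n -- "$1" "$2" | head -n 1 | cut -d: -f1; }

# check_ruleset FILE: prints every failed invariant; returns 0 only if all of them hold
check_ruleset() {
  f="$1"; rc=0
  # "iptables -S" output lacks these two lines, and iptables-restore refuses the file without them
  grep -q '^\*filter$' "$f" || { echo "missing *filter table header"; rc=1; }
  grep -q '^COMMIT$' "$f" || { echo "missing COMMIT"; rc=1; }
  grep -q -- '^-A INPUT -i lo -j ACCEPT$' "$f" || { echo "loopback not accepted"; rc=1; }
  grep -qE -- '^-A INPUT -m (state --state|conntrack --ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$' "$f" \
    || { echo "returning (RELATED,ESTABLISHED) traffic not accepted"; rc=1; }
  # the catch-all DROP must be the last INPUT rule, and SSH must be accepted above it
  drop=$(first_line '^-A INPUT -j DROP$' "$f")
  ssh=$(first_line '^-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT$' "$f")
  last=$(grep -n -- '^-A INPUT' "$f" | tail -n 1 | cut -d: -f1)
  [ -n "$drop" ] && [ "$drop" = "$last" ] || { echo "last INPUT rule is not the catch-all DROP"; rc=1; }
  [ -n "$ssh" ] && [ -n "$drop" ] && [ "$ssh" -lt "$drop" ] || { echo "SSH (port 22) is not accepted before the DROP"; rc=1; }
  return $rc
}

# Demo: write the constructed sample to a temporary file and check it
demo() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_RULES" > "$tmp"
  check_ruleset "$tmp" && echo "ruleset OK: safe to restart iptables"
  rm -f "$tmp"
}

demo
```

To check the real file instead of the sample, call “check_ruleset /etc/sysconfig/iptables” and only restart the service when it prints nothing.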

Fixing fail2ban

Fail2ban on CentOS is set up to use firewalld. To change this, we have to change the default “action” in our “jail” definitions. First, copy the file “/etc/fail2ban/jail.conf” to “/etc/fail2ban/jail.local”:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now use your favourite editor (vi,vim,pico,nano or joe) to edit the jail.local file. Find the lines that read:

banaction = firewallcmd-multiport
banaction_allports = firewallcmd-allports

The lines may be slightly different, but the important part is “banaction = firewallcmd-…”. Now change those two lines to read as follows:

banaction = iptables-multiport
banaction_allports = iptables-allports

Next, we must activate the sshd jail. We can do this in one of two ways:

  • Move down in jail.local until you locate the [sshd] block marker and insert “enabled = true” below it (not below the example at the beginning of the file), OR
  • Cut the [sshd] block, with its attendant lines, out of jail.local, create a new file /etc/fail2ban/jail.d/sshd.conf and paste the block in there. Remember to add “enabled = true” below the [sshd] block marker. The sshd.conf file should contain the following:

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

You may now restart the fail2ban service with “systemctl restart fail2ban”. Check that it works by running the following:

iptables -nvL |grep f2b

You should see a few rules appear.
