How to convert your CentOS 7 firewall from FirewallD to iptables, and fix fail2ban

On Centos 7, the default firewall is firewalld. Even though this is just a shell interface to configure iptables, it has its limits when it comes to applying advanced rules and customizing your firewall. You can fix this by getting rid of firewalld and only using iptables rules. Do not uninstall firewalld as fail2ban has a built-in dependency on firewalld. We can bypass this, but in this case, we will just disable firewalld.

Convert to iptables

The following steps need to be followed by running the commands below.

Step 1. Save your existing firewall rules

iptables -S |tee ~/fwd_oldiptables.rules

Step 2. Install iptables services

yum install iptables-services

Step 3. Create a new ruleset with your old

cat ~/fwd_oldiptables.rules > /etc/sysconfig/iptables

And edit it if needed

Step 4. Stop and disable your firewalld

systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld

Step 5. Enable and start iptables

systemctl enable iptables
systemctl start iptables

Step 6. Check firewalld status

firewall-cmd --state

iptables Rules

Remember the basic principle of all good firewalls – DENY ALL, ALLOW SOME.

First, make a list of service ports you need open. SSH (port 22) and the ping/traceroute protocol (ICMP) are a good starting point. While we are at it, lets rate limit ICMP so that we are less susceptible to a ping flood. We must also allow any traffic that has been requested by our server, back in with an ACCEPT for RELATED or ESTABLISHED traffic. All OUTBOUND traffic is ok and all FORWARD will get dropped as we are not a router or a switch.

 

We must put the following in our /etc/sysconfig/iptables file.

### Set Policies ###
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
### Set Rules ###
## ICMP ##
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT 
## SSH ##
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
## Local Loop ##
-A INPUT -i lo -j ACCEPT 
## Returning Traffic ##
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
## Deny all else ##
-A INPUT -j DROP 
##############################################################################

Now run

systemctl restart iptables

You can check your rules with

iptables -nvL

As a test, you can run

ping -f -c 100 x.x.x.x

where x.x.x.x represents your server IP. Be sure to do this from a different server and run the ping command as root. What you should see is a high rate of packet loss. Then try a normal ping and you should see no loss. You can increase the acceptable ping rate if you feel you need to. Ping rates between 1 and 5 per second are ok, although most legitimate tests should never need more than 1 ping per second.

Fixing fail2ban

Fail2ban on CentOS is installed to use firewalld. To change this, we have to change the default “action” in our “jail” definitions.

First, copy the file /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local with the command below

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now use your favourite editor (vi, vim, pico, nano or joe) to edit the jail.local file. Find the lines that read:

banaction = firewallcmd-multiport
banaction_allports =firewallcmd-allports

The line may be slightly different, but the important parts are banaction = firewallcmd. Now change those two lines to read as follows:

banaction = iptables-multiport
banaction_allports = iptables-allports

Next, we must activate the ssh jail. We can do this in one of two ways.

1. Move down in our jail.local file until we locate the [ssh] block marker and insert

enabled = true

below the [ssh] block marker (not the example which is at the beginning of the file).

OR

2. Cut the [ssh] block out of the jail.local file, with it’s attending lines and create a new file under /etc/fail2ban/jail.d/sshd.conf and paste the block in there. Remember to add the enabled = true below the [ssh] block marker. The sshd.conf file should contain the following:

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

You may now restart the fail2ban service by running

systemctl restart fail2ban

Check that it works by running the following

iptables -nvL |grep f2b

You should see a few rules appear.

 

Host Africa

Happy Hosting!

we're happy to help!

Talk to a hosting specialist today and discover which options will work best for you.


Call us on +27 21 554 3096
Copyright © 2020 HOSTAFRICA - All rights reserved.

By visiting this website, you agree to its terms of use, which can be accessed by clicking on the following link: Website Terms of use
We Accept: EFT, Debit Cards, Credit Cards and Mobile Payments
Accepted payment methods