Keywords: CentOS 7 | iptables | firewall configuration | firewalld | system services
Abstract: This article provides a guide to configuring and using the iptables firewall on CentOS 7 systems. While CentOS 7 defaults to firewalld as the firewall management tool, users can switch back to traditional iptables. Starting from problem diagnosis, the article explains how to stop the firewalld service, install the iptables-services package, and configure firewall rules, and it offers complete operational examples and best-practice recommendations. Through step-by-step instructions and code examples, it helps users understand how iptables works on CentOS 7 and how to configure it.
Problem Background and Diagnosis
In a minimal CentOS 7 installation environment, users encounter iptables service-related issues when trying to open port 80 for the httpd service. Error messages indicate that iptables.service is not found because CentOS 7 uses firewalld as the default firewall management tool.
The user's command sequence shows:
# /sbin/service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
# sudo service iptables status
Redirecting to /bin/systemctl status iptables.service
iptables.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)
These errors indicate that the iptables service is not installed or enabled, requiring a switch to traditional iptables configuration.
Switching from firewalld to iptables
CentOS 7 introduces firewalld as the default firewall management tool, but users familiar with traditional iptables can switch using the following steps:
Stop and Disable firewalld
First, stop and mask the firewalld service:
systemctl stop firewalld
systemctl mask firewalld
The systemctl mask command ensures the firewalld service cannot be started, even accidentally or as a dependency of another unit, which is particularly important on servers: firewalld and iptables-services both manage the same kernel netfilter rules, so running both at once produces conflicting rule sets.
Install iptables-services Package
Install the package that provides traditional iptables services:
yum install iptables-services
This package contains system service files and related management scripts for iptables.
Enable iptables Service
Configure the iptables service to start automatically at system boot:
systemctl enable iptables
systemctl enable ip6tables
Enable both IPv4 and IPv6 iptables services to ensure complete network protection.
Configuring Firewall Rules
After installation, iptables rules can be configured in either of two ways: directly from the command line, or by editing the rules file.
Command Line Configuration
Use iptables commands to add rules directly:
# Allow established and related connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Open port 80 for HTTP service
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Open port 22 for SSH connections
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow local loopback interface
iptables -A INPUT -i lo -j ACCEPT
# Reject all other incoming connections
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
Configuration File Method
Alternatively, edit the configuration file /etc/sysconfig/iptables directly:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [214:43782]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
The corresponding IPv6 configuration file /etc/sysconfig/ip6tables should be similarly configured.
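The following script is added here as an example and is not code from the article. It renders a rules file in the same shape as the one above for a list of TCP ports and lints the INPUT chain before writing it to a target file, so that a ruleset whose catch-all reject precedes the port rules, or which omits the administrative port, is never installed. The function names, the ADMIN_PORT variable and the lint checks are this script's own conventions; it assumes the iptables-services layout described above, where the written file is loaded by systemctl restart iptables.

```shell
#!/bin/sh
# Render and lint an /etc/sysconfig/iptables ruleset before installing it.
# Added example, not code from the article; function names, ADMIN_PORT and
# the lint checks are this script's own conventions.
set -e

# Port that must stay accepted so the session applying the rules is not cut off.
ADMIN_PORT=${ADMIN_PORT:-22}

# render_ruleset PORT... : print a ruleset in the article's order: stateful
# and loopback accepts first, one accept per TCP port, catch-all reject last.
render_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-port-unreachable' 'COMMIT'
}

# lint_ruleset RULESET_TEXT : print one line per problem in the INPUT chain;
# return 0 only when the chain is safe to load.
lint_ruleset() {
    printf '%s\n' "$1" | awk -v admin="$ADMIN_PORT" '
        /^-A INPUT / {
            n++
            if (/--state RELATED,ESTABLISHED/ && !first_port) state_first = 1
            if (/ -i lo /) lo = 1
            if (/ --dport / && / -j ACCEPT$/) {
                if (!first_port) first_port = n
                for (i = 1; i < NF; i++)
                    if ($i == "--dport" && $(i + 1) == admin && !catch_all) admin_ok = 1
            }
            # A rule with no match at all that rejects or drops is the catch-all.
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) { catch_all = n; last_is_catch = 1 } else last_is_catch = 0
        }
        END {
            if (!state_first) print "RELATED,ESTABLISHED accept missing or placed after port rules"
            if (!lo) print "loopback interface (-i lo) is not accepted"
            if (!catch_all) print "no catch-all REJECT/DROP terminates the INPUT chain"
            else if (!last_is_catch) print "rules after the catch-all are unreachable"
            if (!admin_ok) print "admin port " admin " is not accepted before the catch-all"
            if (state_first && lo && catch_all && last_is_catch && admin_ok) exit 0
            exit 1
        }'
}

# install_ruleset TARGET PORT... : render, lint, and write the ruleset to
# TARGET (normally /etc/sysconfig/iptables); refuses to write a ruleset that
# fails the lint. Apply it afterwards with: systemctl restart iptables
install_ruleset() {
    target=$1; shift
    rules=$(render_ruleset "$@")
    if ! lint_ruleset "$rules"; then
        echo "refusing to write $target: lint failed" >&2
        return 1
    fi
    printf '%s\n' "$rules" > "$target"
}

# Demo with constructed ports: print the SSH+HTTP ruleset and lint it.
render_ruleset 22 80
lint_ruleset "$(render_ruleset 22 80)" && echo "lint: OK"
```

On a host, call install_ruleset /etc/sysconfig/iptables 22 80 and then restart the service; the lint runs before the file is touched, so a mistake in the port list leaves the previous rules in place.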
Service Management and Rule Persistence
Starting and Stopping Services
Use systemctl to manage iptables services:
systemctl start iptables # Start service
systemctl stop iptables # Stop service
systemctl restart iptables # Restart service
systemctl status iptables # Check service status
Saving Firewall Rules
In CentOS 7, multiple methods exist for saving iptables rules:
service iptables save
Or use the full path:
/usr/libexec/iptables/iptables.init save
If rules are modified by editing configuration files, restart the service to apply changes:
systemctl restart iptables
systemctl restart ip6tables
Verification and Troubleshooting
Checking Service Status
Verify that iptables services are running properly:
systemctl status iptables
systemctl status ip6tables
Viewing Current Rules
Check the currently loaded firewall rules:
iptables -L -n # View IPv4 rules
ip6tables -L -n # View IPv6 rules
Verifying Port Listening
Confirm that services are listening on the expected ports. netstat comes from the net-tools package, which a minimal installation may not include; ss is part of iproute and is always available:
netstat -tulpn | grep :80
ss -tulpn | grep :80
Checking System Logs
Monitor iptables service activity (rule loading at start and restart, and any errors in the rules file) through the systemd journal. Note that these are service events, not packet-level logs; logging individual packets requires a LOG rule in the chain:
journalctl -f -u iptables.service
journalctl -f -u ip6tables.service
Best Practice Recommendations
When configuring iptables, follow these best practices:
Rule Order Optimization: Place most frequently used rules at the beginning to improve matching efficiency. For example, position rules allowing established connections early in the chain.
Principle of Least Privilege: Only open necessary ports and services, defaulting to deny all other connections. This significantly enhances system security.
Rule Persistence: Always run the service iptables save command after modifying rules from the command line, so that they remain in effect after a system reboot.
Testing and Validation: Test new rules in a testing environment before applying them to avoid service unavailability due to configuration errors. Particularly in production environments, maintain an active SSH session to prevent remote access loss from rule errors.
Regular Auditing: Periodically review firewall rules, removing unnecessary ones to maintain configuration simplicity and efficiency.
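As an added example that is not part of the article, the script below cross-checks the TCP ports that have a listening socket against the ports the INPUT chain accepts, which ties together the verification commands above and the auditing recommendation: a listener with no accept rule is unreachable from the network, and an accept rule with no listener behind it is a candidate for removal. The function names are this script's own, and the ss and iptables -S output embedded in it is constructed sample data; on a real host the two commands feed the report instead.

```shell
#!/bin/sh
# Cross-check listening TCP sockets against the INPUT chain. Added example,
# not from the article. Inputs are the text of `ss -tlnp` and
# `iptables -S INPUT`; the two sample strings below are constructed.
set -e

SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN  0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1024,fd=3))
LISTEN  0      128    0.0.0.0:80         0.0.0.0:*         users:(("httpd",pid=2048,fd=4))
LISTEN  0      128    0.0.0.0:443        0.0.0.0:*         users:(("httpd",pid=2048,fd=6))
LISTEN  0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=3072,fd=20))'

SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# listening_ports SS_TEXT : TCP ports with a listener bound to a non-loopback
# address, one per line, sorted. Loopback-only services need no firewall rule.
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" && $4 !~ /^127\./ && substr($4, 1, 5) != "[::1]" {
            n = split($4, a, ":"); print a[n]
        }' | sort -u
}

# accepted_ports RULES_TEXT : destination TCP ports the INPUT chain accepts.
accepted_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && / -p tcp / && / -j ACCEPT$/ {
            for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
        }' | sort -u
}

# set_minus A B : lines of A that are not in B (both newline-separated).
set_minus() {
    if [ -z "$2" ]; then printf '%s\n' "$1"; return 0; fi
    printf '%s\n' "$1" | grep -vxF -e "$2" || true
}

# Listeners without an accept rule: unreachable until the firewall is changed.
blocked_listeners() {
    set_minus "$(listening_ports "$1")" "$(accepted_ports "$2")"
}

# Accept rules with nothing listening: candidates for removal in an audit.
stale_accepts() {
    set_minus "$(accepted_ports "$2")" "$(listening_ports "$1")"
}

report() {
    echo "Listening but not accepted (blocked): $(echo $(blocked_listeners "$1" "$2"))"
    echo "Accepted but nothing listening (stale): $(echo $(stale_accepts "$1" "$2"))"
}

# Stand-alone run on the constructed samples; on a CentOS 7 host run instead:
#   report "$(ss -tlnp)" "$(iptables -S INPUT)"
report "$SAMPLE_SS" "$SAMPLE_RULES"
```

With the sample data the report flags port 443 as blocked (httpd listens but no rule accepts it) and port 8080 as stale (accepted but nothing listens), which is exactly the pair of findings a periodic audit is looking for. Run it once more for IPv6 with ip6tables -S INPUT, since the two rule sets are independent.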
Comparison with firewalld
While this article focuses on traditional iptables usage, understanding differences with firewalld is important. firewalld offers dynamic rule management and zone concepts, making it more suitable for scenarios requiring frequent firewall rule changes. Traditional iptables remains more stable and predictable in server environments, especially for applications with specific security requirements.
The choice between iptables and firewalld should be based on specific needs. For administrators requiring fine-grained control and familiarity with traditional iptables syntax, iptables may be preferable. For users needing dynamic rule management and simpler configuration, firewalld might be more appropriate.
Conclusion
Using iptables on CentOS 7 requires disabling the default firewalld service, installing the iptables-services package, and then configuring firewall rules in the traditional manner. Through proper service management and rule persistence, firewall configuration reliability and durability can be ensured. The complete workflow and best practices provided in this article help users successfully deploy and use iptables firewall in CentOS 7 environments.