iptables question - should it be enabled?

Discussion in 'Installation/Configuration' started by jnewman67, Nov 2, 2022.

  1. jnewman67

    jnewman67 Member HowtoForge Supporter

    While following the Perfect CentOS 8 server installation instructions, one of the first things done is to disable iptables, then later fail2ban is installed (which I believe uses iptables). So my questions:
    1. Should iptables be enabled to allow the fail2ban rules to be applied?
    2. If I want to add additional iptables rules manually for my own purposes, wouldn't it have to be enabled for those to take effect as well?
    3. I vaguely remember reading that iptables might have been superseded by another program, and that iptables is now just a backwards-compatible interface to that mechanism. Is that true as well, or not?
    In my case, I have about 22,000 rules I've added to iptables to block email password testers (fail2ban isn't catching them: SASL authentication failures from all over the globe, lots of repeat-offending IPs per minute if you let them persist). I have a script that finds the offenders, and another that inserts them into iptables. What I noticed after the 3.8.2p2 update and a reboot is that iptables was masked and disabled, and my script that tried to insert offenders ran REALLY fast, but wasn't actually adding the offenders. When I finally realized iptables wasn't running, I unmasked, enabled, and started it, and tried adding them again, and it ran at normal speed. So that tells me (I think) it should've been unmasked and enabled.
    Can someone verify this is the case for this scenario, related to ISPConfig? Could someone also verify that the "reconfig" done during the 3.2.8p2 update actually masks and disables iptables?
    Thanks.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The perfect server guide does not disable iptables, it disables firewalld and firewalld is not the same as iptables. Firewalld is disabled for the sole reason to be able to use iptables for manual rules, for the ISPConfig firewall, and also for fail2ban as all this requires iptables and does not work with firewalld. If iptables is not enabled on your system, then enable it. Firewalld though must be disabled as shown in the tutorial.
     
  3. jnewman67

    jnewman67 Member HowtoForge Supporter

    Okay, so maybe this is worded wrong, or I'm just misreading it?

    Under the Prepare the Server section
    I see where the instructions reference firewalld above that, but I guess maybe it's not clear that the output from iptables -L indicates it's still on.
     
  4. jnewman67

    jnewman67 Member HowtoForge Supporter

    Okay, I'm going to let this go. I think there's something confusing in the instructions, like what the iptables -L output indicates (it's referenced as a way to tell that firewalld is off; how does it indicate that when the output isn't related to firewalld?), and there are no instructions for making sure it's actually unmasked, enabled, and running, so it's confusing. If it's on by default, maybe that should be mentioned, and checked as well.
    Thanks for the help in understanding it, Till.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The wording is perfectly fine, it nowhere mentions that this disables iptables. The Firewall on CentOS 8 is Firewalld and that's what gets disabled. The tutorial asks you to confirm that by comparing the output from iptables -L in the guide with what you get by running the same command on your server. So it's really not that complicated, copy & paste commands and finally, compare the output of one command with the output on your system.

    Your confusion arises because you don't seem to be aware that recent CentOS versions do not use a native iptables firewall anymore; they use Firewalld instead. You must disable Firewalld by running the commands as shown in the tutorial to ensure it does not cause conflicts and lock you out of your server.

    In regards to enabling iptables, it was not needed on my systems, but I'll check that again and add the commands to enable it if needed.
     
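The check till describes above (firewalld off, iptables usable, fail2ban and manual rules landing in iptables) and the silent failure jnewman67 saw in the first post (the insert script "ran REALLY fast" but blocked nothing) can both be covered by one script. The following is an added example written for this thread; it is not code from the thread, the Perfect Server guide or the ISPConfig project. It assumes CentOS 8 with the iptables-services package, so the unit is named iptables.service and its saved rule file is /etc/sysconfig/iptables, and that the block rules are plain "-s <ip> -j DROP" entries in the INPUT chain, which is the form `iptables -S INPUT` prints with a /32 mask. On CentOS 8 the `iptables` command is the nftables-backed build, which is the "backwards-compatible interface" asked about in question 3; the parsing helpers below work on its `-S` output either way. The sample rule listing in the comments is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from ISPConfig): verify the firewall
# state the Perfect Server guide expects, then insert block rules the way the
# poster's script does, but confirm each rule is really present afterwards
# instead of trusting the exit status of `iptables -I`.
#
# Assumptions: CentOS 8 + iptables-services (unit: iptables.service, rule
# file: /etc/sysconfig/iptables); block rules are "-A INPUT -s <ip>/32 -j DROP".

# --- pure helpers: take the text of `iptables -S INPUT` as an argument so they
# --- can be run against saved output, e.g. this constructed sample:
#   -P INPUT ACCEPT
#   -N f2b-postfix-sasl
#   -A INPUT -p tcp -m multiport --dports 25,465,587 -j f2b-postfix-sasl
#   -A INPUT -s 203.0.113.5/32 -j DROP

# Succeed only when INPUT holds a DROP rule for exactly this host (-x matches
# the whole line, so 203.0.113.5 does not match 203.0.113.50).
rule_blocks_ip() {
  local rules_text=$1 ip=$2
  printf '%s\n' "$rules_text" | grep -Fqx -- "-A INPUT -s $ip/32 -j DROP"
}

# Number of per-host DROP rules in INPUT; compare before/after a bulk insert
# to see whether the inserts actually reached the kernel.
count_drop_rules() {
  printf '%s\n' "$1" | grep -c -- '^-A INPUT -s [0-9./]* -j DROP$' || true
}

# --- live checks: need root and a real host, run only with --live

# firewalld must be stopped (and masked per the guide); iptables.service must
# be enabled so rules in /etc/sysconfig/iptables are restored after a reboot.
firewall_services_ok() {
  local rc=0
  if [ "$(systemctl is-active firewalld 2>/dev/null)" = "active" ]; then
    echo "firewalld is active: systemctl disable --now firewalld && systemctl mask firewalld" >&2
    rc=1
  fi
  if [ "$(systemctl is-enabled iptables 2>/dev/null)" != "enabled" ]; then
    echo "iptables.service not enabled: systemctl unmask iptables && systemctl enable --now iptables" >&2
    rc=1
  fi
  return $rc
}

# Insert a DROP for one host and verify it is visible in the kernel's INPUT
# chain afterwards; a fast but ineffective insert fails here instead of silently.
block_ip_verified() {
  local ip=$1 rules
  rules=$(iptables -S INPUT) || return 1
  if rule_blocks_ip "$rules" "$ip"; then
    return 0                                  # already blocked, nothing to do
  fi
  iptables -I INPUT -s "$ip" -j DROP || return 1
  rules=$(iptables -S INPUT) || return 1
  if ! rule_blocks_ip "$rules" "$ip"; then
    echo "ERROR: $ip not in INPUT after insert; rules are not reaching the kernel" >&2
    return 1
  fi
}

# Write the running rule set to the file iptables.service loads at boot.
persist_rules() {
  iptables-save > /etc/sysconfig/iptables
}

if [ "${1:-}" = "--live" ]; then
  shift
  firewall_services_ok || exit 1
  for ip in "$@"; do
    block_ip_verified "$ip" || exit 1
  done
  persist_rules
fi
```

Usage on the server: `sudo ./fwcheck.sh --live 203.0.113.5 198.51.100.77`. Without `--live` the script only defines the functions, so the parsing helpers can be sourced and tried against a saved `iptables -S INPUT` listing.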
