CentOS – How to combine firewall --enabled and --nobase in a CentOS kickstart


As part of system hardening, I'm trying to configure my firewall during a CentOS 6.6 kickstart with the following line. It does work under one circumstance, and otherwise it doesn't.

Kickstart firewall

firewall --enabled 
         --service=ssh --service=http --service=https

This tells it to enable the firewall, and open up a certain set of services. The line breaks are for readability and are not part of the config.

My packages section is below, note that:
If I add the --nobase option, iptables is in passthrough mode, with no trace of the configuration.

As soon as I remove --nobase, iptables is set up correctly, with only the defined set of open ports.

Kickstart packages:

#%packages --nobase --excludedocs
%packages --excludedocs

I made a lot of reinstalls to track this down, and searched via Google to find that there are quite a few people combining --nobase and firewall --enabled --port settings.

Also, fyi: Adding iptables to the packages list didn't make a diff; it is auto-added.

In case you wonder, the SW vendor for the final application does not allow SELinux to be enabled.

Firewall output 1

This is the output when base is added:

[host]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:tftp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:25150 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:25151 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

Firewall output 2

And this is when I used --nobase:

[host]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  


  • I don't know if other people just didn't check, or this is a bug specific to
    CentOS 6.6 or what the exact trigger parameters are.
  • Which packages from @base seem likely to relate to iptables configuration during setup?

Yeah, basically I'd just like to fulfill that missing dependency. If there's no way to find it, I'll instead put the iptables config under control of something outside of the OS install.
I'd like to avoid that, so that the firewall configuration is in place on first boot and generated by the default mechanism, not some addon.

Best Answer

You need to add the system-config-firewall-base package, which provides the lokkit command used to configure the firewall during kickstart.

Versions of RHEL/CentOS prior to 6.6 automatically included this package, see https://bugs.centos.org/view.php?id=7956 and https://bugzilla.redhat.com/show_bug.cgi?id=1161682 for discussion of the issue.
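A kickstart fragment that applies the answer to the question's setup, added here as an example and not taken from the question, the answer or CentOS itself. The firewall and packages lines are the question's; the %post block is an assumed way to verify on the installed system that lokkit was present and that the generated ruleset contains the expected ports.

```kickstart
# Firewall line from the question, written on one line because a kickstart
# command cannot span lines.
firewall --enabled --service=ssh --service=http --service=https

# --nobase skips @base, so on CentOS 6.6 system-config-firewall-base (which
# provides lokkit, the tool anaconda uses to write /etc/sysconfig/iptables)
# must be listed explicitly.
%packages --nobase --excludedocs
system-config-firewall-base
iptables
%end

# Assumed verification step: log whether lokkit exists and whether the
# generated ruleset opens tcp 22/80/443, so a broken install is visible
# in /root/ks-post-firewall.log after first boot.
%post --log=/root/ks-post-firewall.log
if ! command -v lokkit >/dev/null 2>&1; then
    echo "ERROR: lokkit missing, system-config-firewall-base not installed" >&2
fi
if [ ! -s /etc/sysconfig/iptables ]; then
    echo "ERROR: /etc/sysconfig/iptables missing or empty" >&2
fi
for port in 22 80 443; do
    grep -q -e "--dport ${port} " /etc/sysconfig/iptables \
        || echo "WARNING: no rule for tcp port ${port} in /etc/sysconfig/iptables" >&2
done
%end
```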