Firewalld – How to Prevent Firewalld from Killing Iptables

fail2banfirewalldiptables

I have centos7 with installed firewalld and fail2ban.
When i'm start firewalld(service firewalld start) it kills iptables (and starting iptables kills runing firewalld).
Can i remove iptables and use only firewalld?
Fail2ban action firewallcmd-ipset/allports/multiport use iptables to block.
Could someone explain right way to setup firewalld+fail2ban ?

Best Answer

You should not start the old iptables service if you intend to use firewalld. Start only firewalld and remove the other service.

The scripts comprising the old iptables service are in the RPM package named iptables-services, so you can remove this package from your system, and afterward use only firewalld.

yum remove iptables-services

(But do not remove the RPM package named iptables. You still need this as it contains the iptables command line tool.)

I recommend you set your fail2ban banaction to firewallcmd-ipset, as this gives the highest performance with very large lists of IP addresses.

Related Solutions

CentOS Iptables Fail2Ban – Fix ‘Set Does Not Exist’ Error in Fail2Ban

The ipset command requires IP SET support in the kernel. Specifically, you would be looking for the following settings:

CONFIG_IP_SET=m
CONFIG_IP_SET_HASH_IP=m

And it seems that your kernel is built without ipset support, or at the least, it cannot find these modules. Solve that issue and your error should go away.

Try running find /lib/modules/$(uname -r) -name ip_set.ko to see if you current kernel supports them, and also find /lib/modules -name ip_set.ko to see if any of the installed kernel supports them.

If you need more help, you would have to tell us:

What version of CentOS you are using
What kernel you are running
How you installed fail2ban (from the EPEL repository or manually?)

I should also note that the version of ipset reported in your question (6.19) is what CentOS 7 comes with, so if you are using the original kernel and fail2ban from the EPEL repo everything should just work.

CentOS 6.5 also has support for ip sets and fail2ban is available in EPEL for CentOS 6. These should also work fine.

However, if you are running CentOS 5, then you are likely out of luck. You may have some luck building the modules that ipset comes with, but I am not sure the CentOS 5 kernel is supported at all. If you actually managed to pull that off, and later upgraded the kernel, then it is just a matter of rebuilding the modules for the new kernel.

Fail2ban on centos 7 does not add rule to firewall. Firewall-cmd used on system

If you check the action.d directory, you will find all firewalld-related actions forgot to put on reload command after adding the rule to DROP or REJECT the source IPs by fail2ban, reload is important due to it makes the rules to be accepted by FirewallD. I suggest you to modify the actions to fit what you need, however, IMHO, FirewallD acts like a manger to control iptables and it's more suitable for workstation than server environment. Thus, the most efficient way to solve your problem is,

systemctl stop firewalld

systemctl mask firewalld

and enable your iptables.

Best Answer

Related Solutions

CentOS Iptables Fail2Ban – Fix ‘Set Does Not Exist’ Error in Fail2Ban

Fail2ban on centos 7 does not add rule to firewall. Firewall-cmd used on system

Related Topic