Chapter 15 - firewalls
I've collected several questions. Pls help me to fins the answer.I'm usuing CentOS7
1.I've disabled the firewalld (systemctl disable firewalld systemctl stop firewalld). I've configured the iptables with the iptables CMD.It's Ok. What the different the iptables/netfilter and firewalld ? How to do it correctly ? Must firewalld be stopped not to use it together with iptables/nftables? Any compatibility between firewalld and iptables ?
2. Chapter - Distribution Default:
It's possible to find /etc/sysconfig/iptables-config and /etc/sysconfig/ip6 tables-config instead of /etc/sysconfig/iptables. Is it the same file ?
3. How to save all my settings for the iptables not to lost it after rebooting ?
There is no the "service iptable save" command! As backup It's possible to save as the iptables-save > /root/ iptables.backup and iptables-restore < /root/iptables.backup . I think it's better than nothing but how to save it correctly ?
4. What do you mean " service iptables stop" ? You mean SysV , don't you ? I think Systemd is everything. There is no iptables/iptablesd. I cannot find systemctl status iptablesd. this is no here --> "systemctl | grep iptables" Is it possible to check the status with systemctl (not iptables -L)?
5. Where can I find the logs about unsuccessful connection attempts for the iptables ? Can i find statistics/logs If the connections are established ? Must " -j LOG..." be added to all rules where I'd like to see established connections ?
6. Firewalld is compatible with nftables. When about the iptables ? Does iptables compatible with nftables ?
Pls let me know some example about the Mangle table ? When must the table be used ?0
There is no "must use" tables, only common or optional configurations.
The "mangle" table is generally used for changing the packet, like changing the MTU size or the RTT. Features of the less common tables "mangle","raw" and "security" are not covered in detail in this course.
Please see "man iptables" for additional information on the tables "mangle","raw" and "security" tables.0
iptables and firewall-cmd are both configuration programs that can configure netfilter firewalls, they use different configuration files. Firewalld package has a monitoring service called "firewalld" that implements the configuration created by "firewall-cmd" and friends.
As for the iptables vs iptqbles -config files in /etc/sysconfig, one file describes the iptables commands to netfilter and the other configures the environment for the iptables module. iptables-config is well documeted in the file.
Sorry, missed a "service" command, it will be purged.
You can use "iptables-save" and "iptables-restore".
Use the "LOG" target.
Yes, firewalld can configure iptables or nftables.
iptables is not intended to configure nftables.
nft configures nftables.
There are of course exceptions and compatibility modes to migrate configurations and commands. Migration & conversion features are out of scope for this chapter.
As far as I understand there are two ways how to configure the netfilter -- iptables and firewalld. Don't they interfere one with one ? What is the best way to configure netfiler - iptables ? firewalld ? it's better to add some labs about firewalld.
As for saving configurations of the netfilter which is configure with iptables, I can set iptables-save but the configuration is deleted as soon as OS is rebooted. any other way ?
As for the "LOG" target, it's additional CMD. If i got wrong and something didn't work Would it possible to find unsuccessful connection attempts ? E.g. would i found anything in my OS about attempts if "iptables -P INPUT DROP " and "iptables -P FORWARD DROP " were set ?
firewalld is covered in some detail in LFS201, and iptables etc in LFS211 so as to avoid repetition. YOu should have taken LFS201 before LFS211 as a pre-req (or the equivalent of course).
iptables-save saves the configuration. That is where its name comes from. Iptables-restore restores it. That is why it has restore in the name. It saves the configuration in /etc AFAIK.
It might be more productive if you put perhaps a little more effort into answering questions yourself before asking on the forum, just because this is not a real time chat and it is not unusual to wait 24 hours or more to get a response. iptables does have quite a bit of stuff in it, and while it is all conceptually not hard there is just a lot of things to absorb. (which is why we hold back on it in LFS201 and do it in LFS211) It will eventually be a diminishing legacy infrastructure, but not yet.0
Hope everything is Ok on your side.
Have you ever read you labs ? I mean theory and practice too. For example, It is really funny to see that the NFS is tested with loopback(127.0.0.1) instead of creating a simple topology with two OS. Why cannot I answer questions here. I've lost my money pls lose your time to answer for questions. Pls be informed it's impossible to perform the most of the labs step by step due to your mistakes I suggest asking Google to understand topics how to prepare the course.
I've read the LFS201. I've asked here the best practice how to do it. This course(LFS211) is theoretical which cannot be used at all in production setup.
As for the configurations , A script must be created to load the iptables-restore after rebooting an OS.
So be polite the next time before chatting here. Probably you don't know Linux is open source word
Thank you. I'm waiting for your thanks for me because i'm improving your course with my messages here!
sigh. You oscillate between nice and being abusive. You should read your posts before sending and think about what kind of response they are likely to inspire.
You should understand that thousands of students have taken these courses without the constant kinds of problems you are running into and asking for immediate help. Sure there are mistakes here and there and differences because there are many different Linux distributions and versions even with distributions (Centos 7 vs 8, Ubuntu 20.04 vs 18.04 vs 16.04, Debian, Fedora etc) so a little patience on your side would be appreciated. Statments like "cannot be used at all" are not likely to engender patient and friendly response. or "Pls be informed it's impossible to perform the most of the labs step by step due to your mistakes" when thousands of students have done precisely that -- successfully complete the labs and learn from them.
I am not going to engage on this further because I am not an expert much less the expert on this course. Remember the live instructor version of this course has a list price of about $3K; you cannot get that instant help in the e-learning course.0
Ha-ha. relax! Checking NFS with a loopback is funny. why not ))))
I wanted to pay $3K for LFS422 but...I lose my interest. If you cannot create a good lab for so easy topics how can...
- 10.1K All Categories
- 35 LFX Mentorship
- 88 LFX Mentorship: Linux Kernel
- 504 Linux Foundation Boot Camps
- 279 Cloud Engineer Boot Camp
- 103 Advanced Cloud Engineer Boot Camp
- 48 DevOps Engineer Boot Camp
- 41 Cloud Native Developer Boot Camp
- 2 Express Training Courses
- 2 Express Courses - Discussion Forum
- 1.8K Training Courses
- 17 LFC110 Class Forum
- 5 LFC131 Class Forum
- 19 LFD102 Class Forum
- 148 LFD103 Class Forum
- 13 LFD121 Class Forum
- 61 LFD201 Class Forum
- LFD210 Class Forum
- 1 LFD213 Class Forum - Discontinued
- 128 LFD232 Class Forum
- 23 LFD254 Class Forum
- 569 LFD259 Class Forum
- 100 LFD272 Class Forum
- 1 LFD272-JP クラス フォーラム
- 1 LFS145 Class Forum
- 23 LFS200 Class Forum
- 739 LFS201 Class Forum
- 1 LFS201-JP クラス フォーラム
- 1 LFS203 Class Forum
- 45 LFS207 Class Forum
- 298 LFS211 Class Forum
- 53 LFS216 Class Forum
- 46 LFS241 Class Forum
- 41 LFS242 Class Forum
- 37 LFS243 Class Forum
- 10 LFS244 Class Forum
- 27 LFS250 Class Forum
- 1 LFS250-JP クラス フォーラム
- 131 LFS253 Class Forum
- 997 LFS258 Class Forum
- 10 LFS258-JP クラス フォーラム
- 87 LFS260 Class Forum
- 126 LFS261 Class Forum
- 31 LFS262 Class Forum
- 79 LFS263 Class Forum
- 15 LFS264 Class Forum
- 10 LFS266 Class Forum
- 17 LFS267 Class Forum
- 17 LFS268 Class Forum
- 21 LFS269 Class Forum
- 200 LFS272 Class Forum
- 1 LFS272-JP クラス フォーラム
- 212 LFW211 Class Forum
- 154 LFW212 Class Forum
- 899 Hardware
- 217 Drivers
- 74 I/O Devices
- 44 Monitors
- 115 Multimedia
- 208 Networking
- 101 Printers & Scanners
- 85 Storage
- 749 Linux Distributions
- 88 Debian
- 64 Fedora
- 14 Linux Mint
- 13 Mageia
- 24 openSUSE
- 133 Red Hat Enterprise
- 33 Slackware
- 13 SUSE Enterprise
- 355 Ubuntu
- 473 Linux System Administration
- 38 Cloud Computing
- 69 Command Line/Scripting
- Github systems admin projects
- 94 Linux Security
- 77 Network Management
- 108 System Management
- 49 Web Management
- 63 Mobile Computing
- 22 Android
- 27 Development
- 1.2K New to Linux
- 1.1K Getting Started with Linux
- 528 Off Topic
- 127 Introductions
- 213 Small Talk
- 20 Study Material
- 794 Programming and Development
- 262 Kernel Development
- 498 Software Development
- 923 Software
- 258 Applications
- 182 Command Line
- 2 Compiling/Installing
- 76 Games
- 316 Installation
- 53 All In Program
- 53 All In Forum
August 20, 2018
Kubernetes Administration (LFS458)
August 20, 2018
Linux System Administration (LFS301)
August 27, 2018
Open Source Virtualization (LFS462)
August 27, 2018
Linux Kernel Debugging and Security (LFD440)