iptables, firewalld and Fedora 18

After setting up httpd on my Fedora 18, I was not able to access my own web server. I thought it was related to a firewall within the local network, like port 80 being blocked. However, thanks to Mingwei (Daniel), we found that the root cause is the default firewall within Fedora 18: iptables. Furthermore, it is not possible to tune iptables directly in Fedora 18 (there is not even a configuration file for iptables). Yes, Fedora 18 is using a new thing called firewalld to take control of everything that happens in iptables. This post provides hints about the old iptables and the new firewalld. May it help.

1. iptables

The reason why port 80 is blocked by default in Fedora 18 is the rules in iptables. Run 'iptables -L' and you should be able to see all the rules configured in your system. If you are using something other than Fedora 18, like CentOS 6.4, you should be able to find the configuration file '/etc/sysconfig/iptables', where you can add rules to unblock ports.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
# daveti: add nat table
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-port 8080
-A PREROUTING -p udp -m udp --dport 80 -j REDIRECT --to-port 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Open port for http
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
# Open port for VNC 1
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5801 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6001 -j ACCEPT
# Open port for VNC 2
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5802 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6002 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

The rules under '# Open port for http' open ports 80 and 8080. Generally, ports 80 and 8080 need to be opened within the *filter rules. Moreover, if HTTP request forwarding (like from 80 to 8080, needed by Tomcat) is needed, *nat rules need to be created. The rules under '# Open port for VNC 1' and '# Open port for VNC 2' open 2 sets of VNC ports, covering the Java client, vnc-server and the VNC client. Before and after the changes, 'service iptables stop' and 'service iptables start' are needed to make the newly added rules work.
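Rules in this file are evaluated top to bottom, so a line appended below the final '-j REJECT' never matches. The following added example (not part of the original post) checks a rules file for that ordering mistake; the names audit_rules and sample_rules and the sample file, which places a port 3306 rule below the REJECT, are constructed for illustration.

```shell
#!/bin/sh
# Added example: find rules in an iptables-save style file that sit below an
# unconditional REJECT/DROP in the same chain and therefore never match.

# audit_rules [FILE...] : prints "table/chain:line:rule" for each shadowed rule
audit_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }        # table header: *filter, *nat
        $1 == "-A" {
            chain = table "/" $2
            if (chain in closed) { print chain ":" NR ":" $0; next }
            # "-A CHAIN -j REJECT|DROP ..." carries no match condition,
            # so nothing appended after it in this chain is ever reached
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) closed[chain] = NR
        }
    ' "$@"
}

# Constructed sample: a shortened *filter table in the layout shown above,
# with one rule (port 3306) placed after the final REJECT.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Stand-alone run: report shadowed rules in the sample
sample_rules | audit_rules
```

On a real system the same function can be pointed at the rules file directly, for example 'audit_rules /etc/sysconfig/iptables'.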

The good thing about iptables is its power to express complicated rules for firewalling and security. However, the bad thing, as you can tell, is the awkward way these rules have to be written.

2. firewalld, firewall-cmd

In Fedora 18, iptables is replaced, or rather taken over, by firewalld, which aims to provide a friendly interface for tuning iptables. firewalld is the daemon process and firewall-cmd is the command-line interface used to talk to firewalld. Run 'firewall-cmd --list-all-zones' and you will find something like 'iptables -L', except that firewalld introduces the idea of a 'zone'. The way to open port 80 and enable VNC in firewalld is shown below:

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=vnc-server

It seems that not only the well-known ports (1-1024) are tied directly to a service name, but some other, not so 'famous', ports are bound to service names as well. Actually, the service definitions for firewalld are written in XML under '/usr/lib/firewalld/services':

[root@daveti services]# pwd
/usr/lib/firewalld/services
[root@daveti services]# ll
total 116
-rw-r-----. 1 root root 374 Apr  3 03:37 amanda-client.xml
-rw-r-----. 1 root root 320 Apr  3 03:37 bacula-client.xml
-rw-r-----. 1 root root 346 Apr  3 03:37 bacula.xml
-rw-r-----. 1 root root 455 Apr  3 03:37 cluster-suite.xml
-rw-r-----. 1 root root 338 Apr  3 03:37 dhcpv6-client.xml
-rw-r-----. 1 root root 346 Apr  3 03:37 dns.xml
-rw-r-----. 1 root root 374 Apr  3 03:37 ftp.xml
-rw-r-----. 1 root root 448 Apr  3 03:37 https.xml
-rw-r-----. 1 root root 353 Apr  3 03:37 http.xml
-rw-r-----. 1 root root 372 Apr  3 03:37 imaps.xml
-rw-r-----. 1 root root 454 Apr  3 03:37 ipp-client.xml
-rw-r-----. 1 root root 427 Apr  3 03:37 ipp.xml
-rw-r-----. 1 root root 517 Apr  3 03:37 ipsec.xml
-rw-r-----. 1 root root 385 Apr  3 03:37 libvirt-tls.xml
-rw-r-----. 1 root root 389 Apr  3 03:37 libvirt.xml
-rw-r-----. 1 root root 424 Apr  3 03:37 mdns.xml
-rw-r-----. 1 root root 324 Apr  3 03:37 nfs.xml
-rw-r-----. 1 root root 389 Apr  3 03:37 ntp.xml
-rw-r-----. 1 root root 335 Apr  3 03:37 openvpn.xml
-rw-r-----. 1 root root 357 Apr  3 03:37 pop3s.xml
-rw-r-----. 1 root root 446 Apr  3 03:37 radius.xml
-rw-r-----. 1 root root 384 Apr  3 03:37 samba-client.xml
-rw-r-----. 1 root root 461 Apr  3 03:37 samba.xml
-rw-r-----. 1 root root 550 Apr  3 03:37 smtp.xml
-rw-r-----. 1 root root 463 Apr  3 03:37 ssh.xml
-rw-r-----. 1 root root 393 Apr  3 03:37 telnet.xml
-rw-r-----. 1 root root 301 Apr  3 03:37 tftp-client.xml
-rw-r-----. 1 root root 437 Apr  3 03:37 tftp.xml
-rw-r-----. 1 root root 475 Apr  3 03:37 vnc-server.xml
[root@daveti services]# cat http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>
[root@daveti services]# cat vnc-server.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Virtual Network Computing Server (VNC)</short>
  <description>A VNC server provides an external accessible X session. Enable this option if you plan to provide a VNC server with direct access. The access will be possible for displays :0 to :3. If you plan to provide access with SSH, do not open this option and use the via option of the VNC viewer.</description>
  <port protocol="tcp" port="5900-5903"/>
</service>
</service>
[root@daveti services]#
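
A service name opens whatever its XML file lists, so it is worth checking the ports before adding the service to a zone. This added example (not part of the original post and not firewalld's own tooling) reads service definitions and reports what they open; the function names are hypothetical and the sample is the vnc-server.xml shown above with its description shortened.

```shell
#!/bin/sh
# Added example: report which ports a firewalld service definition opens.

# service_ports [FILE...] : prints "protocol port-or-range" per <port/> element
# (handles both attribute orders; reads stdin when no file is given)
service_ports() {
    sed -n \
        -e 's/.*<port[^>]*protocol="\([a-z]*\)"[^>]*port="\([0-9-]*\)".*/\1 \2/p' \
        -e 's/.*<port[^>]*port="\([0-9-]*\)"[^>]*protocol="\([a-z]*\)".*/\2 \1/p' \
        "$@"
}

# port_count : reads service_ports output, prints the total number of ports
port_count() {
    awk '{ n = split($2, r, "-"); total += (n == 2 ? r[2] - r[1] + 1 : 1) }
         END { print total + 0 }'
}

# opens_port PROTO PORT : reads service_ports output, succeeds if PORT is covered
opens_port() {
    awk -v proto="$1" -v port="$2" '
        $1 == proto {
            n = split($2, r, "-"); lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
            if (port + 0 >= lo && port + 0 <= hi) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Sample input: vnc-server.xml as listed above, description shortened
sample_vnc_xml() {
    cat <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Virtual Network Computing Server (VNC)</short>
  <description>A VNC server provides an external accessible X session.</description>
  <port protocol="tcp" port="5900-5903"/>
</service>
EOF
}

# Stand-alone run: list the ports, count them, and test two ports from the
# manual iptables rules earlier on this page (5901 and 5801)
sample_vnc_xml | service_ports
echo "ports opened: $(sample_vnc_xml | service_ports | port_count)"
for p in 5901 5801; do
    sample_vnc_xml | service_ports | opens_port tcp "$p" \
        && echo "tcp/$p: opened" || echo "tcp/$p: not opened"
done
```

Run against the real directory with 'service_ports /usr/lib/firewalld/services/vnc-server.xml'.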


About daveti

Interested in kernel hacking, compilers, machine learning and guitars.

2 Responses to iptables, firewalld and Fedora 18

  1. daveti says:

    Add port for mysqld in CentOS 6.4
    netstat -nlp | grep -i mysqld
    /etc/sysconfig/iptables
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
