Using iptables instead of firewalld in CentOS 7

kiti
Member, Sep 16, 2015, France
cPanel Access Level: Root Administrator
Hi,

I would like to know if there are other people like me who deactivate firewalld to use iptables instead in CentOS 7. Also, do you think it would be a problem for cPanel?

(with systemctl stop firewalld, systemctl disable firewalld, systemctl mask firewalld, yum install iptables-services, systemctl enable iptables, systemctl start iptables)
Then I put my rules in iptables & ip6tables, ending with COMMIT.


Still today, I have found that firewalld was unable to replace iptables for the following rules:
  • Create a rule to drop invalid packets
  • Create a rule that responds to the SYN flag against SYN attacks
  • Limit the rate per IP client to let legitimate clients connect.
  • Create a portscan trap
  • Log offenders per rule.
Plus, the public zone of firewalld isn't accurate for a web server. It has been created for a workstation.

Still, iptables is stronger than CSF (I know it is hard to believe for CSF lovers).

kiti
Member, Sep 16, 2015, France
cPanel Access Level: Root Administrator
Yes, I took a look at the firewalld documentation here: 4.5. Using Firewalls

Firewalld can't protect from denial of service and distributed denial of service attacks:
I have found that firewalld is unable to protect a web server with cPanel against DoS and DDoS attacks because there are no commands to rate limit incoming ports per IP. So, with firewalld in front of cPanel, someone can send many packets to a server with cPanel and take it down. On the other hand, CSF and iptables can block by the number of connections per IP.

Firewalld doesn't have the recent feature of iptables and can't fight port scanners:
Iptables has the ability to store "bad guys'" IP addresses in a table and use it when the bad guy's IP address comes back; it is an on-the-fly blacklist. It can be set up. For instance, I have set up a trap, thanks to iptables, for robots who try to find out my SSH password on port 20.

Firewalld does not take the connection state into account:
In iptables, it is possible to do things with connections that have different states: NEW, ESTABLISHED, INVALID. That's how we can carefully protect pure-ftp without opening all ports above 1023 for passive mode.

Firewalld can't fight SYN attacks:
Firewalld has no command to take a look at TCP flags. Consequently, it can't fight SYN attacks on a web server. A SYN attack is when an attacker sends many packets with SYN to a service until the TCP cache is full. Apache 2.4 has a special embedded feature to prevent SYN attacks, BUT there are many other services that use TCP and I am sure it is possible to attack them.

Why iptables is better than CSF:
In CSF, I don't think it is possible to rate limit incoming ports per IP. In iptables it is possible to do it, and it is the best way to protect from a denial of service attack.

Firewalld is a dummy firewall that has been made for workstations (read the doc and you will see) and it is really not suitable for servers.

CONCLUSION:
I just hope cPanel will let us choose our firewall module (csf, iptables, firewalld) in the future :)
Hoping also that iptables will always be here.

cPanelMichael
Administrator, Staff member, Apr 11, 2011
Feel free to switch to "iptables" and let us know the results. You can search for a term such as "iptables on CentOS 7" on a search engine such as Google and see several results where other users have done this.

Thank you.
 

DriveSafe
Registered, Apr 11, 2016, Newmarket, Ontario
cPanel Access Level: Root Administrator
Hi,

> Still today, I have found that firewalld was unable to replace iptables for the following rules:
>   • Create a rule to drop invalid packets
>   • Create a rule that responds to the SYN flag against SYN attacks
>   • Limit the rate per IP client to let legitimate clients connect.
>   • Create a portscan trap
>   • Log offenders per rule.
> Plus, the public zone of firewalld isn't accurate for a web server. It has been created for a workstation.
>
> Still, iptables is stronger than CSF (I know it is hard to believe for CSF lovers).

I, too, prefer to use iptables. If you are okay doing so, would you mind posting the rules you use for these:
  • Create a rule that responds to the SYN flag against SYN attacks
  • Limit the rate per IP client to let legitimate clients connect.
  • Create a portscan trap
Thank you,

steve
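For readers following this thread, here is an added example ruleset (not posted by kiti or anyone in the thread) that covers the five items in the quoted list: dropping INVALID packets, checking TCP flags on new connections, a recent-module portscan trap, a per-IP rate limit on SSH plus a per-IP connection cap on the web ports, and a rate-limited LOG in front of each DROP. It assumes SSH on 22, HTTP/HTTPS on 80/443, TCP 20 unused and used as the trap port, and iptables-services already enabled as in the first post; run it without arguments to print the rules, or with `apply` as root to load them.

```shell
#!/bin/sh
# Added example, not from the posts: one INPUT chain covering the five items in
# kiti's list. Assumptions: SSH on 22, HTTP/HTTPS on 80/443, TCP 20 unused and
# used as the trap port, iptables-services already enabled as in the first post.
SSH_PORT=22; WEB_PORTS=80,443; TRAP_PORT=20

build_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # Packets of known connections pass; everything below deals with the rest.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 1. Drop what conntrack cannot classify, logging at a bounded rate first.
    $IPT -A INPUT -m conntrack --ctstate INVALID -m limit --limit 3/min -j LOG --log-prefix "IPT INVALID: "
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # 2. A NEW TCP connection must open with exactly SYN; other flag mixes are scans or forgeries.
    $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    # 3. Portscan trap: a hit on the trap port records the source in the "portscan"
    #    list for a day, and listed sources are dropped up front on every port.
    $IPT -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
    $IPT -A INPUT -p tcp --dport "$TRAP_PORT" -m recent --name portscan --set -j LOG --log-prefix "IPT PORTSCAN: "
    $IPT -A INPUT -p tcp --dport "$TRAP_PORT" -j DROP
    # 4. Per-IP rate limit on SSH: once an address has opened five new connections inside 60 s, further attempts are logged and dropped.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --name ssh --rcheck --seconds 60 --hitcount 5 -m limit --limit 3/min -j LOG --log-prefix "IPT SSH-LIMIT: "
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --name ssh --set -j ACCEPT
    # 5. Web: cap concurrent connections per source address rather than per packet.
    $IPT -A INPUT -p tcp -m multiport --dports "$WEB_PORTS" -m connlimit --connlimit-above 50 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -p tcp --syn -m multiport --dports "$WEB_PORTS" -j ACCEPT
    # Whatever remains hits the DROP policy; log it so offenders show up per rule.
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "IPT DROP: "
}

# Usage: sh rules.sh        prints the rules (dry run, IPT=echo)
#        sh rules.sh apply  applies them with iptables (run as root)
if [ "${1:-}" = "apply" ]; then IPT=iptables; else IPT=echo; fi
build_rules
```

Rule order matters: the portscan and per-IP checks sit before the ACCEPT rules so a listed address is refused even on ports it would normally be allowed to reach, and every LOG is rate limited so logging itself cannot fill the disk.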