The Community Forums


Using Iptables instead of Firewalld in Centos 7

Discussion in 'Security' started by kiti, Feb 14, 2016.

  1. kiti

    kiti Member

    Joined:
    Sep 16, 2015
    Location:
    france
    cPanel Access Level:
    Root Administrator
    Hi,

    I would like to know if there are other people like me who deactivate firewalld to use iptables instead on CentOS 7. Also, do you think it would be a problem for cPanel?

    (with systemctl stop firewalld, systemctl disable firewalld, systemctl mask firewalld, yum install iptables-services, systemctl enable iptables, systemctl start iptables)
    Then I put my rules in iptables & ip6tables, ending with COMMIT.


    Still today, I have found that firewalld was unable to replace iptables for the following rules:
    • Create a rule to drop invalid packets
    • Create a rule that responds to the SYN flag against SYN attacks
    • Limit the rate per IP client to let legitimate clients connect.
    • Create a portscan trap
    • Log offenders per rule.
    Plus, the public zone of firewalld isn't accurate for a web server. It was created for a workstation.

    Still, iptables is stronger than CSF (I know it is hard to believe for CSF lovers).
     
  2. Valetia

    Valetia Well-Known Member

    Joined:
    Jun 20, 2002
    cPanel Access Level:
    Root Administrator
    Pretty sure CSF uses iptables on all versions of CentOS, including 7.

    It’s pretty much a frontend GUI for iptables + some additional features.
     
  3. kiti

    kiti Member

    Joined:
    Sep 16, 2015
    Location:
    france
    cPanel Access Level:
    Root Administrator
    Yes, I took a look at the firewalld documentation here:
    4.5. Using Firewalls

    Firewalld can't protect from denial of service and distributed denial of service attacks:
    I have found that firewalld is unable to protect a web server with cPanel against DoS and DDoS attacks because there are no commands to rate limit incoming ports per IP. So, with firewalld in front of cPanel, someone can send many packets to a server with cPanel and take it down. On the other hand, CSF and iptables can block the number of connections per IP.

    Firewalld doesn't have the recent feature of iptables and can't fight port scanners:
    Iptables has the ability to store "bad guys'" IP addresses in a table and use it when the bad guy's IP address comes back; it is an on-the-fly blacklist. It can be set up. For instance, I have set up a trap for robots who try to find out my SSH password on port 20 thanks to iptables.

    Firewalld does not take the state of the connection into account:
    In iptables, it is possible to do things with connections that have different states: NEW, ESTABLISHED, INVALID. That's how we can carefully protect pure-ftp without opening all ports above 1023 for passive mode.

    Firewalld can't fight SYN attacks:
    Firewalld has no command to take a look at TCP flags. Consequently, it can't fight SYN attacks on a web server. A SYN attack is when an attacker sends many packets with SYN to a service until the TCP cache is full. Apache 2.4 has a special embedded feature to prevent SYN attacks, BUT there are many other services that use TCP and I am sure it is possible to attack them.

    Why iptables is better than CSF:
    In CSF, I don't think it is possible to rate limit incoming ports per IP. In iptables it is possible to do it, and it is the best way to protect from a denial of service attack.

    Firewalld is a dummy firewall that was made for workstations (read the doc and you will see) and it is really not suitable for servers.

    CONCLUSION:
    I just hope cPanel will let us choose our firewall module (csf, iptables, firewalld) in the future :)
    Hoping also that iptables will always be here.
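As an added example that is not part of the thread (these are not kiti's rules), here is a POSIX shell function that emits an iptables-restore ruleset covering the five rule types listed in the first post and explained above: drop INVALID packets, TCP flag checks against SYN floods, a per-source rate limit with hashlimit, a recent-module port-scan trap, and rate-limited logging of offenders. Assumptions: SSH listens on port 22 (overridable by the first argument), HTTP/HTTPS on 80/443, TCP port 23 is unused and so serves as the trap port, and the recent list is named "portscan".

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset that
# implements the five rule types listed above. Assumptions: SSH port is $1
# (default 22), HTTP/HTTPS on 80/443, TCP port 23 is unused so it serves as the
# trap port, and the recent-module list is named "portscan".
# Review the output, then apply as root with:  gen_rules | iptables-restore

gen_rules() {
  ssh_port="${1:-22}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PORTSCAN - [0:0]
# loopback and replies to connections conntrack already tracks
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 1. drop packets conntrack cannot classify (invalid packets)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 2. TCP flag checks: a NEW connection must begin with a bare SYN
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# 4. port-scan trap: a source seen on the trap port is remembered for an hour
-A INPUT -m recent --name portscan --rcheck --seconds 3600 -j PORTSCAN
-A INPUT -p tcp --dport 23 -m recent --name portscan --set -j PORTSCAN
# 3. per-source rate limit on NEW SSH connections (4 per minute, burst 4)
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 4/min --hashlimit-burst 4 -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "SSH-RATELIMIT "
-A INPUT -p tcp --dport $ssh_port -j DROP
# web traffic is accepted without a per-IP cap
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# 5. log the offender (rate-limited so the log cannot be flooded), then drop
-A PORTSCAN -m limit --limit 5/min -j LOG --log-prefix "PORTSCAN "
-A PORTSCAN -j DROP
COMMIT
EOF
}
```

The ruleset is only generated, not applied, so it can be inspected with `gen_rules 2222` before being loaded on a host; the same function can be reused for ip6tables-restore once the addresses and ports are checked.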
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    cPanel Access Level:
    Root Administrator
    Feel free to switch to "iptables" and let us know the results. You can search for a term such as "iptables on CentOS 7" on a search engine such as Google and see several results where other users have done this.

    Thank you.
     
  5. DriveSafe

    DriveSafe Registered

    Joined:
    Apr 11, 2016
    Location:
    Newmarket, Ontario
    cPanel Access Level:
    Root Administrator
    I, too, prefer to use iptables. If you are okay doing so, would you mind posting the rules you use for these:
    • Create a rule that responds to the SYN flag against SYN attacks
    • Limit the rate per IP client to let legitimate clients connect.
    • Create a portscan trap
    Thank you,

    steve
     