
I recently converted to CentOS 7 and so far I am beginning to like the simplicity of zones in my firewall structure; however, I can't seem to find a configuration parameter for firewalld like the iptables "NOTRACK", which essentially ignores the status of the incoming connections. In other words, I need a stateless firewalld setup in order to keep up with the volume of queries coming into my DNS caching server.

This is the syntax I was using with iptables:

iptables -t raw -I OUTPUT -p udp --dport 53 -j NOTRACK
iptables -t raw -I OUTPUT -p udp --sport 53 -j NOTRACK
iptables -t raw -I PREROUTING -p udp --dport 53 -j NOTRACK
iptables -t raw -I PREROUTING -p udp --sport 53 -j NOTRACK
iptables -I INPUT -p udp --dport 53 -j ACCEPT
iptables -I INPUT -p udp --sport 53 -j ACCEPT
iptables -I OUTPUT -p udp --dport 53 -j ACCEPT

ip6tables -t raw -I OUTPUT -p udp --dport 53 -j NOTRACK
ip6tables -t raw -I OUTPUT -p udp --sport 53 -j NOTRACK
ip6tables -t raw -I PREROUTING -p udp --sport 53 -j NOTRACK
ip6tables -t raw -I PREROUTING -p udp --dport 53 -j NOTRACK
ip6tables -I INPUT -p udp --dport 53 -j ACCEPT
ip6tables -I INPUT -p udp --sport 53 -j ACCEPT
ip6tables -I OUTPUT -p udp --dport 53 -j ACCEPT
Colt

1 Answer

I don't remember the syntax for marking the traffic as NOTRACK, but doing it in the raw table is correct.

You'll need a rule like iptables -A INPUT -m state --state UNTRACKED -j ACCEPT to actually let the traffic through (and a corresponding rule for IPv6).

  • Henrik, does the iptables command still apply to firewalld? I read that the back end still uses iptables and netfilter. To clarify, I am using firewalld. Thanks. – Giancarlo D May 20 '16 at 01:47
  • Netfilter is the kernel part doing the actual filtering on any Linux (since kernel 2.2 or 2.4 - I don't remember anymore). iptables is a fairly low-level (and my preferred) tool for configuring netfilter; Firewalld (which I don't know anything about) is probably just another tool. – Henrik supports the community May 20 '16 at 05:48
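Added example, not part of the question or the answer above: the asker's raw-table NOTRACK rules and the explicit ACCEPT rules Henrik mentions, expressed through firewalld's "direct" interface so that the same netfilter entries are installed without bypassing firewalld. It assumes the firewalld shipped with CentOS 7 (0.4.x, iptables back end), where `firewall-cmd --direct --add-rule` exists; the direct interface is deprecated in later firewalld releases. The helper only prints the commands, so it can be inspected (or tested) without root; `apply_dns_notrack` runs them.

```shell
#!/bin/sh
# Added example (not from the original post): the asker's seven iptables rules
# per address family, rewritten as firewalld direct rules. Assumes firewalld
# 0.4.x with the iptables back end (CentOS 7). Priority 0 places each rule at
# the head of firewalld's <CHAIN>_direct chain, which is evaluated before the
# zone chains and before firewalld's own conntrack-based rules.

# Print (do not apply) the firewall-cmd invocations for one address family.
# $1 is "ipv4" or "ipv6"; $2 is "--permanent" (default) or "" for runtime-only.
dns_notrack_rules() {
    fam="$1"
    if [ $# -ge 2 ]; then mode="$2"; else mode="--permanent"; fi
    cmd="firewall-cmd${mode:+ $mode} --direct --add-rule $fam"

    # raw table: exempt DNS/UDP from connection tracking in both directions,
    # mirroring "iptables -t raw -I {OUTPUT,PREROUTING} -p udp --{dport,sport} 53 -j NOTRACK"
    for chain in OUTPUT PREROUTING; do
        for match in dport sport; do
            echo "$cmd raw $chain 0 -p udp --$match 53 -j NOTRACK"
        done
    done

    # filter table: untracked packets never match ESTABLISHED/RELATED, so they
    # must be accepted explicitly (the point made in the answer), mirroring the
    # asker's three "-j ACCEPT" rules
    echo "$cmd filter INPUT 0 -p udp --dport 53 -j ACCEPT"
    echo "$cmd filter INPUT 0 -p udp --sport 53 -j ACCEPT"
    echo "$cmd filter OUTPUT 0 -p udp --dport 53 -j ACCEPT"
}

# Install the permanent rules for both families and reload so they take effect.
# Run as root on the resolver host itself.
apply_dns_notrack() {
    command -v firewall-cmd >/dev/null 2>&1 || {
        echo "firewall-cmd not found; is firewalld installed?" >&2
        return 1
    }
    for fam in ipv4 ipv6; do
        dns_notrack_rules "$fam" | sh -e || return 1
    done
    firewall-cmd --reload
}
```

After `apply_dns_notrack`, `firewall-cmd --direct --get-all-rules` should list the fourteen rules, and `iptables -t raw -S PREROUTING_direct` shows the NOTRACK entries in netfilter. To confirm the tracking exemption works, `cat /proc/sys/net/netfilter/nf_conntrack_count` should stop growing with query load, and `conntrack -L -p udp --dport 53` (from conntrack-tools) should return no entries for port 53. Because the accepted packets are now untracked, the `--sport 53` INPUT rule is what lets upstream answers back in, exactly as in the asker's iptables set; it is no wider than that set, but it is worth knowing that this is the rule doing that job.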