
I have CentOS 7 with firewalld and fail2ban installed. When I start firewalld (`service firewalld start`) it kills iptables (and starting iptables kills the running firewalld). Can I remove iptables and use only firewalld? The fail2ban actions firewallcmd-ipset/allports/multiport use iptables to block. Could someone explain the right way to set up firewalld + fail2ban?

Kandrat
  • You can remove the service for `iptables`. Since `firewalld` is a higher level configuration tool for `iptables`, those services will conflict with each other. You might also want to look at [Fail2ban with FirewallD](https://fedoraproject.org/wiki/Fail2ban_with_FirewallD). – Thomas Feb 02 '19 at 10:17
  • And how do I block an IP with firewalld? `firewall-cmd --add-rich-rule='rule family="ipv4" source address="ip" reject'` is not working :( – Kandrat Feb 02 '19 at 10:30
  • `firewalld` relies on zones. You have to apply the rules to zones. The default zone should be public. You also might want to start reading the [documentation](https://firewalld.org/documentation/man-pages/firewalld.zones.html). – Thomas Feb 02 '19 at 10:46

1 Answer


You should not start the old iptables service if you intend to use firewalld. Start only firewalld and remove the other service.

The scripts comprising the old iptables service are in the RPM package named iptables-services, so you can remove this package from your system, and afterward use only firewalld.

`yum remove iptables-services`

(But do not remove the RPM package named iptables. You still need this as it contains the iptables command line tool.)

I recommend you set your fail2ban banaction to firewallcmd-ipset, as this gives the highest performance with very large lists of IP addresses.

Michael Hampton
  • Thanks for the answer. Sorry for the dumb question, but firewallcmd-ipset is not banning. In fail2ban.log there is `fail2ban.actions [15485]: NOTICE [name] Ban myip`, `fail2ban.filter [15485]: INFO [name] Found myip`, `fail2ban.filter [15485]: INFO [name] Found myip`, and it is still not banning. What am I doing wrong? – Kandrat Feb 02 '19 at 14:26
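The procedure from the answer, plus a check for the situation in the comment above (a "Ban" line in fail2ban.log that does not show up in the firewall), as an added example script that is not part of the original answer. The jail values, the `sshd` jail, and the `--apply`/`--verify` flags are assumptions; the ipset name prefix differs between fail2ban releases (`fail2ban-` in 0.9, `f2b-` in 0.10+), so the check accepts both.

```shell
#!/bin/sh
# Added example (not from the answer): move a CentOS 7 host from the
# iptables-services scripts to firewalld, make fail2ban ban through
# firewallcmd-ipset, and verify that a logged ban really reached an ipset.
# Run as root: sh setup.sh --apply   (or: sh setup.sh --verify sshd)

# Emit a jail.local that makes every jail ban via firewalld + ipset.
render_jail_local() {
    cat <<'EOF'
[DEFAULT]
# One ipset per jail and a single firewalld direct rule referencing it,
# so bans stay cheap even with very large lists of addresses.
banaction = firewallcmd-ipset
bantime   = 3600
findtime  = 600
maxretry  = 5
ignoreip  = 127.0.0.1/8

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
EOF
}

apply_setup() {
    set -e
    # The old iptables service and firewalld fight over the same ruleset.
    systemctl stop iptables ip6tables 2>/dev/null || true
    systemctl disable iptables ip6tables 2>/dev/null || true
    yum -y remove iptables-services         # keep the 'iptables' package itself
    yum -y install ipset firewalld fail2ban # the action shells out to 'ipset'
    render_jail_local > /etc/fail2ban/jail.local
    systemctl enable firewalld && systemctl start firewalld
    systemctl restart fail2ban
}

# A "Ban" line in fail2ban.log only means fail2ban ran the action; confirm
# the jail's ipset exists and firewalld's direct rules reference it.
verify_ban_state() {
    jail=${1:-sshd}
    fail2ban-client status "$jail" \
        && ipset list | grep -Eq "^Name: (fail2ban|f2b)-$jail" \
        && firewall-cmd --direct --get-all-rules | grep -Eq "(fail2ban|f2b)-$jail"
}

case "${1:-}" in
    --apply)  apply_setup && verify_ban_state sshd ;;
    --verify) verify_ban_state "${2:-sshd}" ;;
esac
```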