Many sysadmins and developers prefer iptables over firewalld for its direct control and legacy compatibility. While firewalld offers dynamic management with zones, iptables provides granular rule manipulation that's essential for complex networking setups.
# First, stop and disable firewalld
sudo systemctl stop firewalld
sudo systemctl disable firewalld
# Install iptables-services if missing (common on minimal installs)
sudo yum install iptables-services -y
# Enable and start iptables
sudo systemctl enable iptables
sudo systemctl start iptables
# Same for IPv6 if needed
sudo systemctl enable ip6tables
sudo systemctl start ip6tables
If you encounter "No such file or directory" errors, it typically means:
- The iptables-services package isn't installed (fixed with yum install)
- Your distro might not include legacy iptables support
After configuring rules, save them permanently:
# For IPv4
sudo /usr/libexec/iptables/iptables.init save
# For IPv6
sudo /usr/libexec/iptables/ip6tables.init save
Check service status with:
systemctl status iptables
iptables -L -n -v
If services fail to start, examine journal logs:
journalctl -xe -u iptables
To convert existing firewalld rules to iptables format:
# Dump current firewalld rules
sudo firewall-cmd --list-all-zones
# Then manually recreate them using iptables syntax:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Many system administrators still prefer the classic iptables over firewalld for its straightforward rule management and predictable behavior. The transition to firewalld in RHEL 7/Fedora 18 created compatibility issues for existing scripts and configurations.
First verify the iptables packages are installed:
rpm -q iptables iptables-services
If missing, install them:
yum install iptables iptables-services
The complete switch requires these steps:
# Stop and disable firewalld
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
# Install legacy services if needed
yum install iptables-services -y
# Enable and start iptables
systemctl enable iptables
systemctl enable ip6tables
systemctl start iptables
systemctl start ip6tables
The "No such file or directory" error typically occurs when either:
- The iptables-services package isn't installed
- The service unit files are missing
Verify the service files exist:
ls -l /usr/lib/systemd/system/iptables.service
ls -l /usr/lib/systemd/system/ip6tables.service
After migration, save your rules permanently:
service iptables save
service ip6tables save
This writes rules to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables respectively.
Confirm the services are running:
systemctl status iptables
systemctl status ip6tables
Check active rules:
iptables -L -n -v
Basic ruleset initialization:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
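As an added example (not code from either answer), a POSIX sh checker for a saved ruleset in the iptables-save format shown above: it verifies the file is well-formed, that loopback and ESTABLISHED,RELATED traffic are accepted, that the INPUT chain actually ends in a REJECT/DROP (or carries a DROP policy) instead of falling through to ACCEPT, and lists the TCP ports the ruleset exposes. Run it against /etc/sysconfig/iptables before starting the service; the file path and the embedded sample ruleset are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check a ruleset in iptables-save format (for instance
# /etc/sysconfig/iptables) before the iptables service loads it. POSIX sh + grep/awk.

# audit_ruleset FILE: return 0 if the ruleset looks loadable and closes INPUT;
# print the first problem to stderr and return 1 otherwise.
audit_ruleset() {
    f="$1"
    grep -q '^\*filter$' "$f" || { echo "missing *filter table" >&2; return 1; }
    grep -q '^COMMIT$' "$f"   || { echo "missing COMMIT" >&2; return 1; }
    # Loopback must be accepted, or local services (DNS cache, DB sockets) break.
    grep -q -- '^-A INPUT -i lo -j ACCEPT' "$f" \
        || { echo "loopback not accepted on INPUT" >&2; return 1; }
    # Replies to the host's own outbound connections must be allowed.
    grep -Eq -- '^-A INPUT .*--state (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT' "$f" \
        || { echo "no ESTABLISHED,RELATED accept rule" >&2; return 1; }
    # Without a DROP policy the last INPUT rule must be the catch-all REJECT/DROP,
    # otherwise unmatched packets hit the ACCEPT policy and the host is wide open.
    if ! grep -q '^:INPUT DROP' "$f"; then
        last=$(grep -- '^-A INPUT ' "$f" | tail -n 1)
        case "$last" in
            *" -j REJECT"*|*" -j DROP"*) ;;
            *) echo "INPUT does not end in REJECT/DROP: '$last'" >&2; return 1 ;;
        esac
    fi
    return 0
}

# open_tcp_ports FILE: print, one per line, every TCP dport ACCEPTed on INPUT.
open_tcp_ports() {
    awk '/^-A INPUT / && /-p tcp/ && /--dport / && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
         }' "$1"
}

# Stand-alone demo on a constructed copy of the default-style ruleset above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
audit_ruleset "$sample" && echo "ruleset OK; open TCP ports: $(open_tcp_ports "$sample" | tr '\n' ' ')"
rm -f "$sample"
```

This is a text-level check only; iptables-restore --test on the host still catches syntax errors it cannot.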