I have a CentOS 7 computer, which originally uses `iptables` as its firewall configuration tool.
The computer has a Docker container that listens on port 10079.
I want to use `firewalld` to replace `iptables`.
Both `firewalld` and `iptables` run outside of the Docker container. I don't run them inside the container.
So I run the following commands:

```
$ systemctl stop iptables
# disable iptables so that it doesn't start at next system reboot.
$ systemctl disable iptables
$ systemctl start firewalld
$ systemctl enable firewalld
$ firewall-cmd --list-services
dhcpv6-client ssh
```
As you can see from the output of the `firewall-cmd --list-services` command, I only have the `ssh` and `dhcpv6-client` services enabled.
However, one thing that I find strange is that I can still access the server through port 10079.
I thought that the rules in the `iptables` chains would become invalid after running the `systemctl stop iptables` command.
But I was wrong, because I can still access a service on the computer through port 10079.
Why can I still access port 10079 after running the `systemctl stop iptables` command?
Here's the status of `iptables` and `firewalld`:

```
$ systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead) since Fri 2021-06-18 16:56:38 CST; 47min ago
  Process: 18324 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
  Process: 18220 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 18220 (code=exited, status=0/SUCCESS)

Jun 18 16:56:22 foo.my-company.com systemd[1]: Starting IPv4 firewall with iptables...
Jun 18 16:56:22 foo.my-company.com iptables.init[18220]: iptables: Applying firewall rules: [  OK  ]
Jun 18 16:56:22 foo.my-company.com systemd[1]: Started IPv4 firewall with iptables.
Jun 18 16:56:38 foo.my-company.com systemd[1]: Stopping IPv4 firewall with iptables...
Jun 18 16:56:38 foo.my-company.com iptables.init[18324]: iptables: Setting chains to policy ACCEPT: nat mangle security raw fil...OK  ]
Jun 18 16:56:38 foo.my-company.com iptables.init[18324]: iptables: Flushing firewall rules: [  OK  ]
Jun 18 16:56:38 foo.my-company.com systemd[1]: Stopped IPv4 firewall with iptables.
Hint: Some lines were ellipsized, use -l to show in full.
```

```
$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2021-06-18 16:56:38 CST; 48min ago
     Docs: man:firewalld(1)
 Main PID: 18325 (firewalld)
    Tasks: 2
   Memory: 26.0M
   CGroup: /system.slice/firewalld.service
           └─18325 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Jun 18 16:56:38 foo.my-company.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Jun 18 16:56:38 foo.my-company.com systemd[1]: Started firewalld - dynamic firewall daemon.
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure con...t now.
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-e06022...ain?).
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-ee12e0...ain?).
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-37072d...ain?).
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -...ain?).
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-95db75...ain?).
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-d77a44...ain?).
Jun 18 16:56:40 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -...ain?).
Hint: Some lines were ellipsized, use -l to show in full.
```
It looks like `firewalld` is started correctly, and `iptables` has been disabled.
Here's the content of `/var/log/firewalld` when restarting my computer now:
```
2021-06-18 22:13:19 WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -F DOCKER' failed: iptables: No chain/target/match by that name.
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER' failed: iptables: No chain/target/match by that name.
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-ee12e0b3bd4b -o br-ee12e0b3bd4b -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-37072db2b0a2 -o br-37072db2b0a2 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2021-06-18 22:13:22 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-95db758dd575 -o br-95db758dd575 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2021-06-18 22:13:22 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2021-06-18 22:13:22 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-d77a4470f1ee -o br-d77a4470f1ee -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2021-06-18 22:13:22 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-e06022f15557 -o br-e06022f15557 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2021-06-18 22:13:22 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
```
The log content contains a lot of warnings about docker. Maybe this problem has something to do with docker.
Here's my current `iptables` setup:

```
$ iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER (6 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            192.168.208.2        tcp dpt:8005
ACCEPT     tcp  --  0.0.0.0/0            172.29.0.3           tcp dpt:8080
ACCEPT     tcp  --  0.0.0.0/0            172.20.0.3           tcp dpt:5432
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.3           tcp dpt:5432
ACCEPT     tcp  --  0.0.0.0/0            172.20.0.4           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.4           tcp dpt:9000
ACCEPT     tcp  --  0.0.0.0/0            172.20.0.4           tcp dpt:22

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (6 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_public (2 references)
target     prot opt source               destination
FWDI_public_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_public_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_public (2 references)
target     prot opt source               destination
FWDO_public_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_public_allow  all  --  0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_public (2 references)
target     prot opt source               destination
IN_public_log  all  --  0.0.0.0/0            0.0.0.0/0
IN_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
IN_public_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination
```
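The listing in the question is the filter table only, and the part that explains port 10079 is in the nat table. Docker publishes a container port by adding a DNAT rule to the nat table's `DOCKER` chain, which `PREROUTING` jumps to for locally addressed packets (that is the `-t nat ... -j DOCKER` rule firewalld is seen trying to delete in the log). A packet for host port 10079 is rewritten to the container's address before routing and then traverses `FORWARD`, never `INPUT`, so the `public` zone's allow list in `IN_public_allow` (only `tcp dpt:22`) is never consulted. In `FORWARD`, the posted listing shows the `DOCKER` chain jumps ahead of `FORWARD_IN_ZONES`, and the `DOCKER` chain accepts the traffic. The filter-table `DOCKER` chain lists container ports (443, 8005, 8080, ...), not host ports, which is why 10079 does not show up in `iptables -L -n`; `iptables -t nat -S DOCKER` shows the host-port mapping. The script below is an added example, not code from the original post: it parses a constructed `iptables-save` style rule set (the mapping of host port 10079 to 172.29.0.3:8080, the 9443 mapping and the `eth0` interface name are assumptions, chosen to match addresses and bridge names that appear in the post), reports whether a host port is decided in `FORWARD` or `INPUT`, and builds a rule for `DOCKER-USER`, the chain Docker leaves for administrator rules and evaluates before its own, that limits a published port to one source network. Because `DOCKER-USER` runs after DNAT has already rewritten the destination, the rule matches the original destination port through conntrack rather than with `--dport`.

```sh
#!/bin/sh
# Added example: not code from the original post. Shows why a Docker-published
# port is reachable although firewalld's public zone only allows ssh and
# dhcpv6-client: Docker DNATs the host port in the nat table, so the packet
# goes through FORWARD (where Docker's ACCEPT rules come first), never INPUT.

# Constructed iptables-save style rule set shaped like the poster's host.
# The 10079 -> 172.29.0.3:8080 and 9443 -> 172.21.0.2:443 mappings are
# assumptions; the bridge names and container addresses come from the post.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i br-37072db2b0a2 -p tcp -m tcp --dport 10079 -j DNAT --to-destination 172.29.0.3:8080
-A DOCKER ! -i br-e06022f15557 -p tcp -m tcp --dport 9443 -j DNAT --to-destination 172.21.0.2:443
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o br-37072db2b0a2 -j DOCKER
-A DOCKER -d 172.29.0.3/32 ! -i br-37072db2b0a2 -o br-37072db2b0a2 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# Read iptables-save text on stdin and print every Docker DNAT publication as
# "<host port> -> <container ip:port>". Only the nat table is inspected; the
# filter-table DOCKER chain carries container ports, not host ports.
published_ports() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /-j DNAT/ {
            hp = ""; to = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport")          hp = $(i + 1)
                if ($i == "--to-destination") to = $(i + 1)
            }
            if (hp != "" && to != "") print hp " -> " to
        }'
}

# Which chain decides a new connection to host port $1? Reads the rule set on
# stdin. A DNAT'ed port is decided in FORWARD, where firewalld services and
# ports (INPUT only) have no effect; anything else is decided in INPUT.
path_for_port() {
    if published_ports | grep -q "^$1 ->"; then
        echo forward
    else
        echo input
    fi
}

# Print the rule that limits a published port to one source network.
# DOCKER-USER is evaluated in FORWARD, after DNAT has rewritten the destination,
# so the original host port must be matched through conntrack, not --dport.
# $1 external interface, $2 published host port, $3 allowed source CIDR.
docker_user_rule() {
    printf 'iptables -I DOCKER-USER -i %s -p tcp -m conntrack --ctorigdstport %s --ctdir ORIGINAL ! -s %s -j DROP\n' "$1" "$2" "$3"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | published_ports
printf '%s\n' "$SAMPLE_RULES" | path_for_port 10079
docker_user_rule eth0 10079 10.0.0.0/8
```

On the real host, feed `iptables-save` instead of the sample (`iptables-save | published_ports` after sourcing the functions). Two caveats for this setup: Docker rebuilds its own chains whenever the daemon or a container restarts, but it does not rewrite what an administrator puts in `DOCKER-USER`, so restrictions belong there rather than directly in `FORWARD`; and a `firewall-cmd --reload` on CentOS 7 flushes the tables, Docker's DNAT and `DOCKER` rules included, so published ports stop working until `systemctl restart docker` recreates them.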