Reverting to IPTables from firewalld

Last Updated on 10/16/2018 by dboth

Beginning with Fedora 18, the new firewalld firewall daemon replaces the older IPTables firewall. It is more complex and introduces some interesting new concepts such as zones. Due to the current lack of decent documentation for firewalld, I find it necessary to revert to IPTables for certain hosts.

The good news is that the old IPTables firewall is still available until I can learn how to best create the firewall rules I need with firewalld. However, IPTables, too, has changed, and some of the old IPTables rules, especially those using state-related rule sets, have been altered.

First, to convert back to IPTables, stop and disable the firewalld service. Of course, you must do this safely, with your network disabled, until you can get your new (old) firewall back in place: between stopping firewalld and starting iptables the host has no packet filtering at all.

systemctl stop NetworkManager.service
systemctl stop firewalld.service
systemctl disable firewalld.service

If you have Fedora 19 or higher, it is also necessary to install the iptables-services RPM. This RPM contains the systemd startup configuration files which have been removed from the iptables RPM because IPTables is no longer the default.

yum install -y iptables-services

Copy your old iptables file to /etc/sysconfig/iptables. You did save a backup copy of your IPTables firewall rules, right?

Now start and enable the iptables service and restart the NetworkManager service.

systemctl start iptables.service
systemctl enable iptables.service
systemctl start NetworkManager.service

You can use the iptables-restore command to restore your old IPTables rules from the saved copy.

At this point, IPTables may give some errors indicating that you should use new connection tracking rules in lieu of the state-related rules. The best part is that IPTables is smart enough to give you the warning message and then translate the rules into connection tracking rules. You can simply use the iptables-save command to view the translated rules and redirect the output to /etc/sysconfig/iptables to save the translated rules.
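The translation that iptables performs on the old state rules can also be done ahead of time on the saved file, so the copy you place in /etc/sysconfig/iptables loads without warnings. The script below is an added example, not code from the original post: it rewrites "-m state --state" matches into the equivalent "-m conntrack --ctstate" form on a constructed sample rule set and then checks that the rule accepting ESTABLISHED/RELATED traffic survived the edit. The sample rules, the function names and the temporary-file handling are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original post: rewrite the legacy
# "-m state --state ..." matches in a saved IPTables rules file into the
# equivalent "-m conntrack --ctstate ..." form, which is the form iptables
# itself emits after translating the rules.  Assumes POSIX sh, sed and grep,
# and a rules file in iptables-save format such as /etc/sysconfig/iptables.

# Constructed sample in iptables-save format (not taken from a real host).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# convert_state_to_conntrack: read rules on stdin, write rewritten rules to
# stdout.  Only the match module and its option name change; the state list
# (NEW, ESTABLISHED, RELATED, INVALID) is accepted unchanged by --ctstate.
convert_state_to_conntrack() {
    sed -e 's/-m state --state /-m conntrack --ctstate /g'
}

# count_legacy_state_matches FILE: number of rules still using the old match
# (grep -c prints 0 but exits 1 when nothing matches, hence the || true).
count_legacy_state_matches() {
    grep -c -- '-m state --state ' "$1" || true
}

# has_established_accept FILE: succeed only if INPUT still accepts
# ESTABLISHED/RELATED traffic.  Losing that rule during a hand-edit leaves
# every reply packet blocked once the chain policy is DROP, so check it
# before copying the file into place.
has_established_accept() {
    grep -Eq -- '^-A INPUT .*(--state|--ctstate) [A-Z,]*ESTABLISHED.* -j ACCEPT' "$1"
}

# Stand-alone walk-through on the constructed sample.
demo_in=$(mktemp) ; demo_out=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$demo_in"
convert_state_to_conntrack < "$demo_in" > "$demo_out"
echo "legacy state matches before: $(count_legacy_state_matches "$demo_in")"
echo "legacy state matches after:  $(count_legacy_state_matches "$demo_out")"
if has_established_accept "$demo_out"; then
    echo "ESTABLISHED/RELATED accept rule present; ready for iptables-restore"
else
    echo "WARNING: no ESTABLISHED/RELATED accept rule on INPUT" >&2
fi
cat "$demo_out"
rm -f "$demo_in" "$demo_out"
```

To apply this to a real host, run convert_state_to_conntrack against a copy of your backed-up rules rather than the live file, read the output, and load it with iptables-restore --test first (that option parses and builds the rule set without committing it) before copying it to /etc/sysconfig/iptables and starting the iptables service.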