Upgrading from CentOS 6.2 to RHEL 7.3

Upgrading from CentOS 6.2 to RHEL 7.3:

CentOS 6.2 uses iptables for firewall.

1) If iptables-services are NOT installed on RHEL 7.3, will the firewall still work if firewalld is disabled after you have imported the old iptables from CentOS 6.2?

2) Would /etc/hosts.allow and /etc/hosts.deny be able to act as a firewall if neither firewall (firewalld or iptables) is running?

Responses

Hello, please note that upgrading from CentOS to RHEL is not supported. See Red Hat Knowledgebase solution Can I upgrade or convert a CentOS system into a RHEL system.

The Using Firewalls section of the Red Hat Enterprise Linux 7 Security Guide might be of interest. It explains how iptables and firewalld fit together.

Randall,

Are you referring to an in-place upgrade? Even if both OSes were Red Hat, upgrading between major versions is very limited and is only really supported for limited cases of 6 -> 7 upgrades; details here:

https://access.redhat.com/solutions/21964

1) This seems like a strange constraint. If you have iptables in EL6, why wouldn't you migrate that iptables configuration to your RHEL 7 instance and use iptables that ships with RHEL 7 to implement these rules? You can disable firewalld and just run the standard iptables configuration in RHEL 7 (with your existing ruleset).

2) TCP wrappers (hosts.allow / hosts.deny) is not a full firewall implementation. You need to be sure that the services that you are 'protecting' support TCP wrappers, or are configured to use TCP wrappers (there are steps to confirm this).

Thank you for your responses.

I was not the person who performed the in-place upgrade. (They are on vacation in Europe.) I'm the one tasked with making some changes to the system's firewall to meet new requirements, with a deadline that is before they return. I have discovered that all of the iptables rules from the CentOS configuration (along with the hosts.allow and hosts.deny files) are in place and appear to be working. But iptables-services has not been installed, and firewalld is not running (inactive/disabled):

firewall-cmd --state

not running

systemctl status firewalld.service

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

I'm attempting to determine how they accomplished this feat so that I can make the required firewall rule changes to the system. Plus, I am unable to mount a USB drive on the system, though I can see the USB drive with fdisk -l.

fdisk -l

Disk /dev/sdb: 8150 MB, 8150581248 bytes, 15919104 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x6f20736b

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *        2048    15919103     7958528    b  W95 FAT32

ll /media/

drwxr-xr-x   2 root root 4096 Jun 22 12:23 usb
dr-xr-xr-x. 21 root root 4096 Jul  7 15:48 ..
drwxr-xr-x   3 root root 4096 Jul 11 12:22 .

mount /dev/sdb1 /media/usb/

mount: unknown filesystem type 'vfat'

ll /sbin/mkfs*

-rwxr-xr-x 1 root root 28624 Mar  4  2014 /sbin/mkfs.fat
lrwxrwxrwx 1 root root     8 Jun 22 12:13 /sbin/mkfs.vfat -> mkfs.fat
lrwxrwxrwx 1 root root     8 Jun 22 12:13 /sbin/mkfs.msdos -> mkfs.fat

Any and all help is appreciated.

1.) The "iptables-services" package is just a collection of scripts and systemd service files that will use the "iptables-restore" command to read the previously saved iptables firewall settings from the /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files and feed them into the iptables/netfilter subsystem of the Linux kernel.

It is entirely possible to set up the firewall by using an arbitrary script that runs either the "iptables-restore" command or a set of plain "iptables" commands to load the firewall rules.

If the original firewall rules have just been imported with a manual iptables-restore command, then the firewall rules are currently in effect, but they will be gone after the system is rebooted.

Before making your changes, you might want to run something like this:

# iptables-save >/root/iptables.backup
# ip6tables-save >/root/ip6tables.backup

Then you can make the necessary changes using the "iptables" command, and then make another set of backups to different files, e.g. /root/iptables.new and /root/ip6tables.new.

Then start solving the mystery of "does this system load the firewall rules at all at boot time, and if so, where from?" at your leisure. Until you figure that out, if the system gets rebooted, you can definitely reload the original rules with:

# iptables-restore </root/iptables.backup
# ip6tables-restore </root/ip6tables.backup

or your modified rules with:

# iptables-restore </root/iptables.new
# ip6tables-restore </root/ip6tables.new

2.) /etc/hosts.allow and /etc/hosts.deny only work with services that use tcpwrapper (tcpd) or are compiled to use the libwrap library, or are started through a mechanism (like xinetd) that fulfills the same conditions. Specifically, web servers and most Java-based server applications will normally completely ignore /etc/hosts.* files.

Yes, /etc/hosts.allow and /etc/hosts.deny can sort of do the basic job of a firewall. But at least to me, a true firewall means a network access control system that is separate from the software asset it is expected to protect. A firewall can protect a J2EE server or a web server even if you completely mess up the configuration of that server - for /etc/hosts.allow and /etc/hosts.deny, there is no such certainty.
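As an added example (not the responder's code and not from the thread), the two checks above as a small POSIX shell script: it snapshots the live rules as suggested, looks for whatever might be reloading them at boot, and tests whether a daemon is linked against libwrap so that /etc/hosts.allow can apply to it at all. The list of files searched, the daemon paths and the prefix argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: snapshot the live ruleset before editing,
# find out what (if anything) reloads rules at boot, and check whether a daemon
# is linked against libwrap, i.e. whether /etc/hosts.allow applies to it at all.

# Save live IPv4/IPv6 rules to timestamped files under /root (needs root).
snapshot_rules() {
    stamp=$(date +%Y%m%d-%H%M%S)
    iptables-save  > "/root/iptables.$stamp"  || return 1
    ip6tables-save > "/root/ip6tables.$stamp" || return 1
    echo "/root/iptables.$stamp /root/ip6tables.$stamp"
}

# List files under prefix $1 that could feed rules into netfilter at boot; return
# 1 if none exists, i.e. the live rules were loaded by hand and will not survive
# a reboot. The prefix is an assumed knob so a constructed tree can be checked.
find_rule_loaders() {
    root="$1"; found=1
    if [ -f "$root/etc/sysconfig/iptables" ]; then
        echo "iptables-services ruleset: $root/etc/sysconfig/iptables"; found=0
    fi
    for f in "$root/etc/rc.d/rc.local" "$root/etc/rc.local" "$root/sbin/ifup-local" \
             "$root"/etc/systemd/system/*.service "$root"/etc/NetworkManager/dispatcher.d/*; do
        [ -f "$f" ] || continue
        if grep -q 'iptables' "$f"; then echo "ad-hoc loader: $f"; found=0; fi
    done
    return $found
}

# Return 0 if the binary at $1 is dynamically linked against libwrap, so it can
# honour /etc/hosts.allow and /etc/hosts.deny on its own.
uses_libwrap() { ldd "$1" 2>/dev/null | grep -q libwrap; }

audit_host() {
    root="${1:-}"
    if find_rule_loaders "$root"; then echo "rules are reloaded at boot by the loader(s) above"
    else echo "no boot-time loader found: the live rules will not survive a reboot"; fi
    for d in "$root/usr/sbin/sshd" "$root/usr/sbin/httpd"; do
        [ -x "$d" ] || continue
        if uses_libwrap "$d"; then echo "$d honours /etc/hosts.allow"
        else echo "$d ignores /etc/hosts.allow (not linked with libwrap)"; fi
    done
}

# Usage: sh audit-firewall.sh --audit [prefix]   (empty prefix = the real system)
case "${1:-}" in --audit) snapshot_rules; audit_host "${2:-}" ;; esac
```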

Randall,

If you want the same iptables functionality as in EL6, disable firewalld completely (which may well have been done by the previous admin), either by uninstalling the package or by masking the service:

systemctl mask firewalld
systemctl stop firewalld

Then enable and start the iptables service (and ip6tables if you're using it):

yum install -y iptables-services
systemctl enable iptables
systemctl start iptables

Copy your rules over to /etc/sysconfig/iptables and restart the service (or reboot to confirm). I haven't had issues with this process, please let me know if you encounter any.
