Excluding Iptables Services
When working with firewalld, you should no longer use iptables and related services. These services are incompatible with one another: changes made to the iptables configuration affect firewalld as well, so they must be avoided. On a server where multiple administrators are working, there is a risk that a less-knowledgeable administrator who wants to create a firewall configuration notices that the iptables service is not running and starts it anyway. This might mess up your firewalld-based firewall configuration.
Systemd provides a nice solution to make sure that unwanted services are not started by accident: You can use systemctl mask to exclude them from ever being started.
To exclude all iptables-based services from ever being started, type for i in iptables ip6tables ebtables; do systemctl mask $i; done. This command creates a symbolic link to /dev/null for the related service files in /etc/systemd/system. The following example shows what happens. By using the systemctl mask command, the symbolic links are created. (You do not have to use the ln commands yourself.)
[root@localhost ~]# for i in iptables ip6tables ebtables; do
systemctl mask $i; done
ln -s '/dev/null' '/etc/systemd/system/iptables.service'
ln -s '/dev/null' '/etc/systemd/system/ip6tables.service'
Notice that this is an elegant way to disable services. Service files in /etc/systemd/system always take precedence over the configuration files in /usr/lib/systemd/system. By linking the iptables-related service scripts in /etc/systemd/system to /dev/null, they will never start, but it is easy to enable them again by just removing these symbolic links or by using the command for i in iptables ip6tables ebtables; do systemctl unmask $i; done.
NOTE The ebtables service is used to manage firewalling on Linux software bridges.
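The following script is an added example, not part of the book's text: it masks the iptables-related units and, more usefully for a multi-administrator server, verifies afterwards that each unit file really is a symbolic link to /dev/null, which is exactly what systemctl mask creates. The unit directory is passed as a parameter (an assumption made here so the check can also be run against a test directory) and defaults to /etc/systemd/system on a real system.

```shell
#!/bin/sh
# Verify that iptables-related units are masked: a unit is masked when
# UNIT_DIR/<unit>.service is a symbolic link pointing at /dev/null.

# is_masked UNIT_DIR UNIT -> exit status 0 if the unit is masked, 1 otherwise
is_masked() {
    unit_dir=$1
    unit=$2
    f="$unit_dir/$unit.service"
    # -L: it is a symlink; readlink: the link target must be /dev/null
    [ -L "$f" ] && [ "$(readlink "$f")" = "/dev/null" ]
}

# check_masked UNIT_DIR UNIT... -> prints the state of every unit and
# returns 1 if at least one of them is not masked (someone could start it)
check_masked() {
    unit_dir=$1
    shift
    rc=0
    for unit in "$@"; do
        if is_masked "$unit_dir" "$unit"; then
            echo "masked:   $unit"
        else
            echo "UNMASKED: $unit"
            rc=1
        fi
    done
    return $rc
}

# mask_all UNIT... -> mask the units with systemctl (requires root; this is
# the loop from the text, wrapped in a function so it can be reused)
mask_all() {
    for unit in "$@"; do
        systemctl mask "$unit" || return 1
    done
}

# Typical use on a firewalld host, run as root:
#   mask_all iptables ip6tables ebtables
#   check_masked /etc/systemd/system iptables ip6tables ebtables \
#       || echo "warning: an iptables-related service can still be started"
```

Running check_masked from a periodic job is a cheap way to notice when a colleague has unmasked one of these services again.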