Why does my Firewalld configuration on CentOS 7 fail to start and show iptables errors?

editor asked:

I’d like to:

  1. Drop all incoming connections from the external Web except 80 and 443
  2. Allow internal machines on 192.168.0.0/16 to connect to :9000 :8080

Here’s what I did to set up my drop zone via firewall-cmd:

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
systemctl start firewalld.service
systemctl enable firewalld
firewall-cmd --set-default-zone=drop
firewall-cmd --permanent --zone=drop --add-service=ssh
firewall-cmd --permanent --zone=drop --add-port=80/tcp
firewall-cmd --permanent --zone=drop --add-port=443/tcp
firewall-cmd --zone=drop --permanent --add-rich-rule='rule source address="192.168.0.0/16" port port="9000" protocol="tcp" accept'
firewall-cmd --zone=drop --permanent --add-rich-rule='rule source address="192.168.0.0/16" port port="8080" protocol="tcp" accept'
firewall-cmd --reload

Here’s what the active drop zone looks like:

[root@machine ~]# firewall-cmd --zone=drop --list-all
drop (default, active)
  interfaces: eth0 vethadc7c41 vethaef84e2 vethd53fa38
  sources: 
  services: ssh
  ports: 443/tcp 80/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
  rule family="ipv4" source address="192.168.0.0/16" port port="9000" protocol="tcp" accept
  rule family="ipv4" source address="192.168.0.0/16" port port="8080" protocol="tcp" accept

This appears OK; however, I run into issues after reload:

[root@machine ~]# systemctl status firewalld -l
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sun 2014-12-21 19:48:53 UTC; 2s ago
 Main PID: 21689 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─21689 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Dec 21 19:48:53 machine.hostname systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 21 19:48:56 machine.hostname firewalld[21689]: 2014-12-21 19:48:56 ERROR: '/sbin/iptables -t filter -A DROP_allow -s 192.168.0.0/16 -m tcp -p tcp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT' failed: iptables: No chain/target/match by that name.
Dec 21 19:48:56 machine.hostname firewalld[21689]: 2014-12-21 19:48:56 ERROR: '/sbin/iptables -t filter -A DROP_allow -s 192.168.0.0/16 -m tcp -p tcp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT' failed: iptables: No chain/target/match by that name.
Dec 21 19:48:56 machine.hostname firewalld[21689]: 2014-12-21 19:48:56 ERROR: COMMAND_FAILED: '/sbin/iptables -t filter -A DROP_allow -s 192.168.0.0/16 -m tcp -p tcp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT' failed: iptables: No chain/target/match by that name.
Dec 21 19:48:56 machine.hostname firewalld[21689]: 2014-12-21 19:48:56 ERROR: '/sbin/iptables -t filter -A DROP_allow -s 192.168.0.0/16 -m tcp -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT' failed: iptables: No chain/target/match by that name.
Dec 21 19:48:56 machine.hostname firewalld[21689]: 2014-12-21 19:48:56 ERROR: '/sbin/iptables -t filter -A DROP_allow -s 192.168.0.0/16 -m tcp -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT' failed: iptables: No chain/target/match by that name.
Dec 21 19:48:56 machine.hostname firewalld[21689]: 2014-12-21 19:48:56 ERROR: COMMAND_FAILED: '/sbin/iptables -t filter -A DROP_allow -s 192.168.0.0/16 -m tcp -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT' failed: iptables: No chain/target/match by that name.

I’m a bit confused as I believed firewall-cmd to be an abstraction and sort of mutually exclusive with iptables, the latter being something I shouldn’t mess with.

Here are my version vitals:

[machine@douglasii ~]# firewall-cmd -V
0.3.9
[machine@douglasii ~]# cat /proc/version
Linux version 3.16.7-x86_64-linode49 (maker@build) (gcc version 4.7.2 (Debian 4.7.2-5) ) #3 SMP Fri Nov 14 16:55:37 EST 2014
[machine@douglasii ~]# cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core) 
[machine@douglasii ~]# iptables -v
iptables v1.4.21: no command specified
Try `iptables -h' or 'iptables --help' for more information.

My answer:
The Linode kernel you are using doesn’t have the modules your firewall wants. This is why you get the error “No chain/target/match by that name.”

(And firewalld is a front-end to iptables.)

To resolve the problem, you need to run the kernel provided by the virtual machine, rather than the Linode kernel. Do this by setting the Linode to boot pv-grub-x86_64 and then installing a kernel with yum install kernel if one isn’t already installed.
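As an added diagnostic (not part of the question or the answer, and not firewalld’s own code), the script below pulls the failing iptables commands out of firewalld’s journal lines, works out which match (-m) and target (-j) extensions each one needs, and compares them against what the running kernel exposes in /proc/net/ip_tables_matches and /proc/net/ip_tables_targets. The sample journal line is taken from the question; the /proc contents are constructed to mimic a kernel without xt_conntrack.

```python
import re

# Constructed sample: one journal line from the question (COMMAND_FAILED lines match too).
SAMPLE_LOG = (
    "Dec 21 19:48:56 machine.hostname firewalld[21689]: 2014-12-21 19:48:56 ERROR: "
    "'/sbin/iptables -t filter -A DROP_allow -s 192.168.0.0/16 -m tcp -p tcp "
    "--dport 9000 -m conntrack --ctstate NEW -j ACCEPT' failed: iptables: "
    "No chain/target/match by that name.\n"
)
# Constructed /proc/net/ip_tables_{matches,targets} stand-ins for a kernel lacking xt_conntrack.
SAMPLE_MATCHES = "tcp\nudp\nicmp\nstate\n"
SAMPLE_TARGETS = "REJECT\nLOG\nMASQUERADE\n"

FAILED_CMD = re.compile(r"'(?P<cmd>/sbin/iptables [^']*)' failed: iptables: No chain/target/match")
# Standard verdicts are handled by x_tables itself and never listed as targets.
BUILTIN_VERDICTS = {"ACCEPT", "DROP", "RETURN", "QUEUE"}


def extensions_used(cmd):
    """Match (-m) and target (-j) extensions one iptables command needs."""
    tokens = cmd.split()
    need = {"match": [], "target": []}
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-m":
            need["match"].append(tokens[i + 1])
        elif tok == "-j":
            need["target"].append(tokens[i + 1])
    # "-p tcp" / "-p udp" implicitly loads the protocol match of the same name.
    if "-p" in tokens:
        proto = tokens[tokens.index("-p") + 1]
        if proto in ("tcp", "udp") and proto not in need["match"]:
            need["match"].append(proto)
    return need


def missing_extensions(log_text, matches_text, targets_text):
    """Extensions the failed commands need that the kernel does not expose."""
    available = {"match": set(matches_text.split()),
                 "target": set(targets_text.split()) | BUILTIN_VERDICTS}
    missing = {"match": set(), "target": set()}
    for m in FAILED_CMD.finditer(log_text):
        need = extensions_used(m.group("cmd"))
        for kind in ("match", "target"):
            missing[kind] |= set(need[kind]) - available[kind]
    return {kind: sorted(names) for kind, names in missing.items()}


def live_missing(log_text):
    """Same check against the running kernel's own /proc tables."""
    with open("/proc/net/ip_tables_matches") as m, open("/proc/net/ip_tables_targets") as t:
        return missing_extensions(log_text, m.read(), t.read())
```

On the affected host, feed the output of `journalctl -u firewalld` to live_missing(); a name can be absent from /proc simply because its module has not been loaded yet, so confirm with `modinfo xt_conntrack` before concluding that the kernel lacks it.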
View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.