I apologize if this has been asked and answered, but I googled and attempted things for several hours today without success.

I have a freshly installed CentOS 7 system on which I'd like to disable the firewall and all iptables rules, basically the equivalent of doing

iptables -F

In a nutshell I've tried the following commands, in many different ways and orders, but when the system restarts it still seems to end up with some form of default rules. It even has a couple of rules specifying 192.168.122.0 and I can't figure out where they're coming from.

#Disable Firewall
systemctl stop firewalld
systemctl disable firewalld
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
systemctl disable firewalld
systemctl stop firewalld
iptables --flush
iptables --list
iptables -L
yum install iptables-services
service iptables save
systemctl enable iptables
service iptables save

Any help is appreciated.

Thanks
James
Jonathan Billings
2017-Mar-23 00:54 UTC
[CentOS] Disabling Firewall/iptables on CentOS 7??
On Mar 22, 2017, at 7:56 PM, James Pifer <jep at obrien-pifer.com> wrote:
> In a nutshell I've tried the following commands, in many different ways and orders, but when the system restarts it still seems to end up with some form of default rules. It even has a couple rules specifying 192.168.122.0 and I can't figure out where it's coming from.

libvirtd? That network is the range it tends to use for routing private networking.

Also, you should look into using 'systemctl mask unitname' to make it not run, rather than just deleting a symlink.

-- 
Jonathan Billings <billings at negate.org>
Łukasz Posadowski
2017-Mar-24 07:16 UTC
[CentOS] Disabling Firewall/iptables on CentOS 7??
Date Wed, 22 Mar 2017 19:56:03 -0400
James Pifer <jep at obrien-pifer.com> wrote:
> I apologize if this has been asked and answered, but I googled and
> attempted things for several hours today without success.

Iptables isn't used by default, at least not directly. The easiest way to disable the firewall is:

# systemctl mask firewalld

and restart the machine.

The 192.168.122. subnet is something for libvirt and KVM. I have it completely disabled on my locals and VPSes without any problem.

If you write specific rules in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, with

-F
-X
-P INPUT DROP

at the beginning, any trace of 192.168.122 will be gone. Here are my ipv4 rules for my local machines:
------------------------
*filter
-F
-X
-P INPUT DROP
-A INPUT -s 0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# localhost
-A INPUT -i lo -j ACCEPT

# ping
-A INPUT -p icmp -j ACCEPT

# ssh
-A INPUT -s 192.168.234.0/24 -p tcp --dport 22 -j ACCEPT

COMMIT
------------------------
-- 
Łukasz Posadowski
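The procedure Jonathan and Łukasz describe (mask firewalld instead of deleting symlinks, load a ruleset from /etc/sysconfig/iptables that opens with -F/-X/-P INPUT DROP, and account for libvirt's 192.168.122.0/24 rules), pulled together as a POSIX shell script. This is an added example, not code posted in the thread. Assumptions: the script name disable-firewalld.sh, the admin subnet passed as an argument (192.168.234.0/24 is reused from Łukasz's rules), a constructed iptables-save dump shaped like what libvirt's default network installs (not a capture from the thread), explicit FORWARD/OUTPUT policies and an empty *nat section that go beyond Łukasz's ruleset, and the virsh commands used to stop libvirt's default network, which is the step James ended up taking. The apply_ruleset step needs root on a real CentOS 7 host and only runs when invoked with "apply"; the two helpers run anywhere.

```shell
#!/bin/sh
# Added example, not from the thread. Usage on a CentOS 7 host (as root):
#   sh disable-firewalld.sh apply 192.168.234.0/24
# Without "apply" only the helper functions are defined.

# Emit an iptables-restore ruleset for /etc/sysconfig/iptables.
# $1 = CIDR allowed to reach sshd. The leading -F/-X/-P lines follow
# Łukasz's ruleset. Two additions beyond it: explicit FORWARD/OUTPUT
# policies (libvirt's rules live mostly in FORWARD), and an empty *nat
# section, because iptables-restore only flushes the tables named in
# the file and libvirt's MASQUERADE rule sits in nat.
render_ruleset() {
    admin_net="$1"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
-F
-X
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s $admin_net -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save dump on stdin. Exit 0 and print the offending
# lines if rules for libvirt's default NAT network are still present,
# exit 1 if the dump is clean.
has_libvirt_rules() {
    grep -E -- '192\.168\.122\.|virbr0'
}

# Constructed sample dump (the shape of libvirt's default-network rules,
# not a capture from the thread) for checking has_libvirt_rules.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT'

# The actual change; needs root on CentOS 7. Masking (rather than
# disabling or deleting symlinks) stops any other unit from pulling
# firewalld back in. Stopping libvirt's default network keeps it from
# re-adding its 192.168.122.0/24 rules on the next boot.
apply_ruleset() {
    admin_net="$1"
    systemctl stop firewalld
    systemctl mask firewalld
    yum -y install iptables-services
    render_ruleset "$admin_net" > /etc/sysconfig/iptables
    systemctl enable iptables
    systemctl restart iptables
    if command -v virsh >/dev/null 2>&1; then
        virsh net-destroy default 2>/dev/null
        virsh net-autostart --disable default 2>/dev/null
    fi
    if iptables-save | has_libvirt_rules; then
        echo "libvirt rules still present; check libvirtd and virbr0" >&2
        return 1
    fi
    echo "firewalld masked; ruleset loaded from /etc/sysconfig/iptables"
}

case "${1:-}" in
    apply) apply_ruleset "${2:?usage: $0 apply ADMIN_CIDR}" ;;
esac
```

Two caveats a practitioner would want: iptables-restore only resets the tables that appear in the file, so a file containing only *filter leaves libvirt's nat MASQUERADE rule in place, which is why the generated ruleset carries an empty *nat section; and `service iptables save` overwrites /etc/sysconfig/iptables with whatever is currently loaded, so running it while libvirt's rules are active writes the 192.168.122.0/24 entries into the file that is restored at boot.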
On 3/24/2017 3:16 AM, Łukasz Posadowski wrote:
> Date Wed, 22 Mar 2017 19:56:03 -0400
> James Pifer <jep at obrien-pifer.com> wrote:
>
>> I apologize if this has been asked and answered, but I googled and
>> attempted things for several hours today without success.
> Iptables isn't used by default, at least not directly. Easiest way to
> disable firewall is:
> # systemctl mask firewalld
> and restart the machine.
>
> 192.168.122. subnet is something for libvirt and KVM. I have it
> completely disabled on my locals and VPSes without any problem.
>
> If You write specific rules in /etc/sysconfig/iptables
> and /etc/sysconfig/ip6tables, with
> -F
> -X
> -P INPUT DROP
> at the beginning, any trace of 192.168.122 will be gone. Here's mine
> ipv4 rules for my local machines:
> ------------------------
> *filter
> -F
> -X
> -P INPUT DROP
> -A INPUT -s 0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # localhost
> -A INPUT -i lo -j ACCEPT
>
> # ping
> -A INPUT -p icmp -j ACCEPT
>
> # ssh
> -A INPUT -s 192.168.234.0/24 -p tcp --dport 22 -j ACCEPT
>
> COMMIT
> ------------------------

Thanks for the help. Basically I was making it more complex than it needed to be. Disabling firewalld and removing the libvirt NIC did the job.

Thanks
James