RHEL 7 and CentOS 7 | skybert.net

RHEL 7 and CentOS 7


My notes on using RHEL 7 and CentOS 7

firewalld

iptables may not be in your PATH (after a plain su rather than su -, for instance, the sbin directories aren't added), but you can run it by its full path /sbin/iptables. However, RHEL/CentOS wants you to use firewalld instead, together with its user friendly firewall-cmd frontend, so you may want to start using this to earn some hipster points 😉. Interestingly enough, firewalld on RHEL 7 still uses iptables behind the scenes to manipulate netfilter in the Linux kernel; newer firewalld releases can be switched to an nftables backend (FirewallBackend in /etc/firewalld/firewalld.conf). Don't mix the two on one box: rules you add directly with iptables are invisible to firewalld and get flushed on the next firewall-cmd --reload or service restart. If you really need raw iptables syntax, feed it through firewall-cmd --direct so firewalld owns it.

List all firewall rules

--list-all shows the default zone only (services, ports, rich rules, masquerading, interfaces). For the whole picture, list every zone:

# firewall-cmd --list-all
# firewall-cmd --list-all-zones

Open up port 80 (http)

First make sure public is the right zone by running --get-active-zones, then add port 80:

# firewall-cmd --get-active-zones
public
  interfaces: enp0s3
# firewall-cmd --permanent --zone=public --add-port=80/tcp
# firewall-cmd --reload

--permanent only writes the rule to /etc/firewalld/zones/public.xml and doesn't touch the running firewall, hence the --reload. The other way round also works and is safer when you're experimenting: run the same command without --permanent so it takes effect immediately, test, then save the running configuration with firewall-cmd --runtime-to-permanent. Using the predefined service instead of the raw port (--add-service=http) documents the intent better. Either way, verify:

# firewall-cmd --zone=public --list-ports
# firewall-cmd --zone=public --list-services

Add a network interface to an existing zone

An interface that isn't explicitly assigned to a zone isn't blocked outright: firewalld handles it with the default zone (firewall-cmd --get-default-zone, normally public), so it gets that zone's rules whether you wanted them or not. To put it in a specific zone:

# firewall-cmd --permanent --zone=public --add-interface=enp0s8
# firewall-cmd --reload

On RHEL 7 interfaces are usually managed by NetworkManager, and the zone also ends up in the connection profile (ZONE= in /etc/sysconfig/network-scripts/ifcfg-enp0s8). Check where the interface landed with:

# firewall-cmd --get-zone-of-interface=enp0s8

Further reading on firewalld, iptables and netfilter

SELinux

Get SELinux status

# sestatus

Create a SELinux policy module for a service that's currently blocked

SELinux denials are logged as AVC messages in /var/log/audit/audit.log: each denied action is a line of the form type=AVC ... avc: denied { permissions } ... comm="..." scontext=... tcontext=... tclass=.... If a process doesn't work properly and sestatus says enforcing, look there first. audit2allow (from policycoreutils-python) turns those denials into a policy module, a .pp file that you install with semodule -i.

Here, I'm using mybinary as an example. ausearch -c matches the comm= field of the records, which is more precise than grepping the whole line for the name:

# ausearch -c mybinary --raw | audit2allow -M mybinary

This writes mybinary.te (human readable source) and mybinary.pp. Read the .te before going further: audit2allow allows exactly what was denied, so a mislabelled file will happily turn into an allow rule for the wrong type, where the right fix is restorecon or a semanage fcontext rule, and the .te may instead point at an existing boolean you can flip with setsebool. If the rules look sane, install the module:

# semodule -i mybinary.pp

If nothing shows up in the log even though the service misbehaves, the denial may be hidden by a dontaudit rule; semodule -DB rebuilds the policy with those disabled (semodule -B puts them back).
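Before handing a log to audit2allow it pays to know what's in it. The script below is an added example, not part of the original notes: it summarises AVC denials into "who was denied what on which type", the same triples audit2allow turns into allow rules, and flags denials recorded in permissive mode (permissive=1), which were logged but not actually blocked. The audit.log lines are constructed for the example; mybinary is a placeholder and the types are illustrative.

```sh
#!/bin/sh
# Summarise SELinux AVC denials from audit.log-style input.
# Added example; the sample lines below are constructed, not a real capture.

AVC_SAMPLE='type=AVC msg=audit(1500000000.101:201): avc:  denied  { name_connect } for  pid=1234 comm="mybinary" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1500000000.101:201): arch=c000003e syscall=42 success=no exit=-13 comm="mybinary" exe="/usr/sbin/mybinary" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1500000000.202:202): avc:  denied  { read } for  pid=1234 comm="mybinary" name="data.json" dev="dm-0" ino=67890 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.303:203): avc:  denied  { search } for  pid=1234 comm="mybinary" name="alice" dev="dm-0" ino=67891 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1'

# summarize_avc: read audit records on stdin, print one line per AVC denial as
#   comm source_type -> target_type:class { permissions } [(permissive)]
# Non-AVC records (SYSCALL, PATH, ...) are skipped. "(permissive)" means the
# action was logged but allowed, i.e. SELinux was in permissive mode at the time.
summarize_avc() {
  awk '
    /^type=AVC / && / denied / {
      perms = $0
      sub(/.*denied +[{] /, "", perms)   # drop everything up to "denied  { "
      sub(/ [}].*/, "", perms)           # ... and from the closing brace on
      comm = ""; scontext = ""; tcontext = ""; tclass = ""; permissive = ""
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue
        if (kv[1] == "comm")            { comm = kv[2]; gsub(/"/, "", comm) }
        else if (kv[1] == "scontext")   scontext = kv[2]
        else if (kv[1] == "tcontext")   tcontext = kv[2]
        else if (kv[1] == "tclass")     tclass = kv[2]
        else if (kv[1] == "permissive") permissive = kv[2]
      }
      # a context is user:role:type:level; policy rules are written against the type
      split(scontext, s, ":"); split(tcontext, t, ":")
      flag = (permissive == "1") ? " (permissive)" : ""
      printf "%s %s -> %s:%s { %s }%s\n", comm, s[3], t[3], tclass, perms, flag
    }'
}

# count_denials: how many AVC denials are on stdin, i.e. how many allow rules
# audit2allow would generate from this input if you fed it in blindly.
count_denials() {
  summarize_avc | wc -l | tr -d ' '
}

printf '%s\n' "$AVC_SAMPLE" | summarize_avc
```

Run it against the real log with `ausearch -c mybinary --raw | sh -c '. ./avc-summary.sh; summarize_avc'` or just paste the function into your shell. In the sample, the second and third lines show httpd_t touching user_home_t and user_home_dir_t: that is a content-in-the-wrong-place problem (move the data or relabel it with a proper type), not something to solve by allowing httpd_t to read home directories.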

Turn off SELinux

Think twice before going all the way. Permissive mode (setenforce 0) keeps files labelled and keeps logging denials to audit.log, which is everything you need for troubleshooting, and setenforce 1 undoes it. Disabling SELinux completely needs a reboot and stops labelling new files, so turning it back on later means a full relabel (touch /.autorelabel, then reboot). To disable anyway, both at runtime and across reboots:

# setenforce 0
# sed -i 's#SELINUX=enforcing#SELINUX=disabled#' /etc/selinux/config

Write SELINUX=permissive instead of SELINUX=disabled if you only want to stop enforcing persistently.

Good articles on SELinux

Digital Ocean

Networking

View routing table

net-tools (route, ifconfig, netstat) isn't installed by default, so use the iproute2 equivalents:

$ ip route list

View interfaces and IP addresses

Likewise there's no ifconfig out of the box, so:

$ ip addr

View network interfaces

$ ip link

View which ports are open/listening

There's no netstat either, but ss is there and takes similar parameters: -n for numeric addresses and ports, -u UDP, -t TCP, -l listening sockets only, -p the owning process (run it as root, otherwise you only see your own processes). So to list everything listening on a port, I do:

$ ss -nutlp

Licensed under CC BY Creative Commons License ~ gmail torstein.k.johansen @ gmail ~ twitter @torsteinkrause ~