Question
How to properly create file for firewall network-interface in CentOS 7.1?
- Posted November 12, 2015
- FirewallNetworking
I read a very good publication regarding firewall. It says about files /etc/sysconfig/network-scripts/ifcfg-ethX , where X it is number network-interface.
The following command shows that I have two interfaces:
firewall-cmd --get-active-zones
output:
public
interfaces: eth0 eth1
But I have no such file /etc/sysconfig/network-scripts/ifcfg-eth1 , only ifcfg-eth0
When I create a empty file /etc/sysconfig/network-scripts/ifcfg-eth1 and restart the network, I have error:
$ sudo systemctl restart network.service
Job for network.service failed. See 'systemctl status network.service' and 'journalctl
-xn' for details.
$ systemctl status network.service
network.service - LSB: Bring up/down networking
Loaded: loaded (/etc/rc.d/init.d/network)
Active: failed (Result: exit-code) since Thu 2015-11-12 08:22:39 EET; 23s ago
Process: 5560 ExecStop=/etc/rc.d/init.d/network stop (code=exited, status=0/SUCCESS)
Process: 5832 ExecStart=/etc/rc.d/init.d/network start (code=exited,status=1/FAILURE)
I assume that each interface has to be limited by own IP-address. But I have only one public IPv4. I can have more than one firewall-zone, in such a case?
My ip addr such
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 04:01:84:4d:d3:01 brd ff:ff:ff:ff:ff:ff
inet 46.101.245.212/18 brd 46.101.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet 10.19.0.5/16 brd 10.19.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::601:84ff:fe4d:d301/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 04:01:84:4d:d3:02 brd ff:ff:ff:ff:ff:ff
inet6 fe80::601:84ff:fe4d:d302/64 scope link
valid_lft forever preferred_lft forever
So, how to properly create file /etc/sysconfig/network-scripts/ifcfg-eth1 ?
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Was your Droplet setup with or without Private Networking? I ask as eth1 would only be setup if you checked the Private Networking option when setting up your Droplet. This would be a non-public IP and would start with 10.x.x.x.
You can verify this by visiting: https://cloud.digitalocean.com/droplets/
Simply click on Settings on the navigation menu. Under the Navigation tab you’ll see Public Network, Private Network and Public IPv6 Network.
If you see:
To enable private networking please power off your Droplet from the command line.
… under the Private Network heading, then you won’t have an eth1 configuration file (nor will you need to configure it).
By creating a copy of your eth0 file, you’ll actually do more harm than good (in terms of network connectivity) as you’re essentially telling the startup script to source the same IP as two interfaces (which isn’t possible).
–
The standard ifcfg-eth0 file on a Droplet with Private Networking should look something like:
DEVICE='eth0'
TYPE=Ethernet
BOOTPROTO=none
ONBOOT='yes'
HWADDR=04:01:87:32:4b:01
IPADDR=104.236.77.29
NETMASK=255.255.192.0
GATEWAY=104.236.64.1
NM_CONTROLLED='yes'
IPADDR2=10.17.0.20
PREFIX2=16
DNS1=8.8.8.8
DNS2=8.8.4.4
This is from a freshly deployed CentOS 7.x Droplet.
The standard ifcfg-eth1 file on a Droplet with Private Networking should look something like:
DEVICE='eth1'
TYPE=Ethernet
BOOTPROTO=none
ONBOOT='yes'
HWADDR=04:01:87:32:4b:02
IPADDR=10.132.107.203
NETMASK=255.255.0.0
DEFROUTE='no'
NM_CONTROLLED='yes'
(which is from the same droplet)
The differences, of course, will be the HWADDR address, so don’t copy and paste this verbatim.
–
If private networking is not enabled for your Droplet, when you browse to:
/etc/sysconfig/network-scripts/
… what you should see when running ls -al is:
-rw-r--r--. 1 root root 221 Nov 18 04:09 ifcfg-eth0
-rw-r--r-- 1 root root 254 Jan 15 2015 ifcfg-lo
...
...
...
If private networking is enabled, what you should see is:
-rw-r--r--. 1 root root 221 Nov 18 04:09 ifcfg-eth0
-rw-r--r-- 1 root root 157 Nov 18 04:09 ifcfg-eth1
-rw-r--r-- 1 root root 254 Jan 15 2015 ifcfg-lo
...
...
...
Keep in mind, since you just created the eth1 file, you’re going to see it listed. If you had to create it, private networking most likely is not enabled and you don’t need that file.
The tutorials are meant more so as a guide and following them verbatim to the point of creating files not specifically instructed to can present some issues :-) (this being one instance). If you don’t have a file that is shown in a tutorial, don’t sweat it and ask here in the community! I’m always happy to help if I can lend a hand and if I can keep you online while answering questions you may have, then I’ve done my good deed for the day :-).
–
If you can login by console from the DigitalOcean control panel, you should be able to run:
ifconfig eth1 down
… to shutdown the interface. You should then delete the eth1 file.
My VPS down! ssh: connect to host hub.org.ua port 22: Bad file number
Hi,
Instead of a blank file, can you try creating an eth1 file that contains the same fields as your eth0 file?
DEVICE=‘eth1’ TYPE=Ethernet BOOTPROTO=none ONBOOT=‘yes’ HWADDR=replace with correct info IPADDR=127.0.0.1 NETMASK=255.255.255.0 GATEWAY=127.0.0.1 NM_CONTROLLED=‘yes’ IPADDR2=127.0.0.1 PREFIX2=16
This comment has been deleted