Get alerted when assets are down, slow, or vulnerable to SSL attacks—all free for a month. Learn more

Question

How to properly create file for firewall network-interface in CentOS 7.1?

I read a very good publication regarding firewall. It says about files /etc/sysconfig/network-scripts/ifcfg-ethX , where X it is number network-interface.

The following command shows that I have two interfaces:

firewall-cmd --get-active-zones

output:

public
  interfaces: eth0 eth1

But I have no such file /etc/sysconfig/network-scripts/ifcfg-eth1 , only ifcfg-eth0

When I create a empty file /etc/sysconfig/network-scripts/ifcfg-eth1 and restart the network, I have error:

$ sudo systemctl restart network.service
Job for network.service failed. See 'systemctl status network.service' and 'journalctl
-xn' for details.

$ systemctl status network.service
network.service - LSB: Bring up/down networking
   Loaded: loaded (/etc/rc.d/init.d/network)
   Active: failed (Result: exit-code) since Thu 2015-11-12 08:22:39 EET; 23s ago
  Process: 5560 ExecStop=/etc/rc.d/init.d/network stop (code=exited, status=0/SUCCESS)
  Process: 5832 ExecStart=/etc/rc.d/init.d/network start (code=exited,status=1/FAILURE)

I assume that each interface has to be limited by own IP-address. But I have only one public IPv4. I can have more than one firewall-zone, in such a case?

My ip addr such

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 04:01:84:4d:d3:01 brd ff:ff:ff:ff:ff:ff
    inet 46.101.245.212/18 brd 46.101.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.19.0.5/16 brd 10.19.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::601:84ff:fe4d:d301/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 04:01:84:4d:d3:02 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::601:84ff:fe4d:d302/64 scope link
       valid_lft forever preferred_lft forever

So, how to properly create file /etc/sysconfig/network-scripts/ifcfg-eth1 ?

Show comments
Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

Jonathan TittleNovember 18, 2015

@ktretyak

Was your Droplet setup with or without Private Networking? I ask as eth1 would only be setup if you checked the Private Networking option when setting up your Droplet. This would be a non-public IP and would start with 10.x.x.x.

You can verify this by visiting: https://cloud.digitalocean.com/droplets/

Simply click on Settings on the navigation menu. Under the Navigation tab you’ll see Public Network, Private Network and Public IPv6 Network.

If you see:

To enable private networking please power off your Droplet from the command line.

… under the Private Network heading, then you won’t have an eth1 configuration file (nor will you need to configure it).

By creating a copy of your eth0 file, you’ll actually do more harm than good (in terms of network connectivity) as you’re essentially telling the startup script to source the same IP as two interfaces (which isn’t possible).

The standard ifcfg-eth0 file on a Droplet with Private Networking should look something like:

DEVICE='eth0'
TYPE=Ethernet
BOOTPROTO=none
ONBOOT='yes'
HWADDR=04:01:87:32:4b:01
IPADDR=104.236.77.29
NETMASK=255.255.192.0
GATEWAY=104.236.64.1
NM_CONTROLLED='yes'
IPADDR2=10.17.0.20
PREFIX2=16
DNS1=8.8.8.8
DNS2=8.8.4.4

This is from a freshly deployed CentOS 7.x Droplet.

The standard ifcfg-eth1 file on a Droplet with Private Networking should look something like:

DEVICE='eth1'
TYPE=Ethernet
BOOTPROTO=none
ONBOOT='yes'
HWADDR=04:01:87:32:4b:02
IPADDR=10.132.107.203
NETMASK=255.255.0.0
DEFROUTE='no'
NM_CONTROLLED='yes'

(which is from the same droplet)

The differences, of course, will be the HWADDR address, so don’t copy and paste this verbatim.

If private networking is not enabled for your Droplet, when you browse to:

/etc/sysconfig/network-scripts/

… what you should see when running ls -al is:

-rw-r--r--. 1 root root   221 Nov 18 04:09 ifcfg-eth0
-rw-r--r--  1 root root   254 Jan 15  2015 ifcfg-lo
...
...
...

If private networking is enabled, what you should see is:

-rw-r--r--. 1 root root   221 Nov 18 04:09 ifcfg-eth0
-rw-r--r--  1 root root   157 Nov 18 04:09 ifcfg-eth1
-rw-r--r--  1 root root   254 Jan 15  2015 ifcfg-lo
...
...
...

Keep in mind, since you just created the eth1 file, you’re going to see it listed. If you had to create it, private networking most likely is not enabled and you don’t need that file.

The tutorials are meant more so as a guide and following them verbatim to the point of creating files not specifically instructed to can present some issues :-) (this being one instance). If you don’t have a file that is shown in a tutorial, don’t sweat it and ask here in the community! I’m always happy to help if I can lend a hand and if I can keep you online while answering questions you may have, then I’ve done my good deed for the day :-).

If you can login by console from the DigitalOcean control panel, you should be able to run:

ifconfig eth1 down

… to shutdown the interface. You should then delete the eth1 file.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up