By: ktretyak

How to properly create file for firewall network-interface in CentOS 7.1?

November 12, 2015
Firewall Networking

I read a very good publication regarding the firewall. It talks about the files /etc/sysconfig/network-scripts/ifcfg-ethX, where X is the number of the network interface.

The following command shows that I have two interfaces:

firewall-cmd --get-active-zones

output:

public
  interfaces: eth0 eth1

But I have no such file /etc/sysconfig/network-scripts/ifcfg-eth1, only ifcfg-eth0.

When I create an empty file /etc/sysconfig/network-scripts/ifcfg-eth1 and restart the network, I get this error:

$ sudo systemctl restart network.service
Job for network.service failed. See 'systemctl status network.service' and 'journalctl -xn' for details.

$ systemctl status network.service
network.service - LSB: Bring up/down networking
   Loaded: loaded (/etc/rc.d/init.d/network)
   Active: failed (Result: exit-code) since Thu 2015-11-12 08:22:39 EET; 23s ago
  Process: 5560 ExecStop=/etc/rc.d/init.d/network stop (code=exited, status=0/SUCCESS)
  Process: 5832 ExecStart=/etc/rc.d/init.d/network start (code=exited,status=1/FAILURE)

I assume that each interface has to be limited to its own IP address. But I have only one public IPv4. Can I have more than one firewall zone in such a case?

My ip addr output is:

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 04:01:84:4d:d3:01 brd ff:ff:ff:ff:ff:ff
    inet 46.101.245.212/18 brd 46.101.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.19.0.5/16 brd 10.19.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::601:84ff:fe4d:d301/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 04:01:84:4d:d3:02 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::601:84ff:fe4d:d302/64 scope link
       valid_lft forever preferred_lft forever

So, how do I properly create the file /etc/sysconfig/network-scripts/ifcfg-eth1?

2 comments
  • Hi,

    Instead of a blank file, can you try creating an eth1 file that contains the same fields as your eth0 file?

    DEVICE='eth1'
    TYPE=Ethernet
    BOOTPROTO=none
    ONBOOT='yes'
    HWADDR=replace with correct info
    IPADDR=127.0.0.1
    NETMASK=255.255.255.0
    GATEWAY=127.0.0.1
    NM_CONTROLLED='yes'
    IPADDR2=127.0.0.1
    PREFIX2=16

  • My VPS is down!
    ssh: connect to host hub.org.ua port 22: Bad file number

1 Answer

@ktretyak

Was your Droplet set up with or without Private Networking? I ask as eth1 would only be set up if you checked the Private Networking option when setting up your Droplet. This would be a non-public IP and would start with 10.x.x.x.

You can verify this by visiting: https://cloud.digitalocean.com/droplets/

Simply click on Settings on the navigation menu. Under the Navigation tab you'll see Public Network, Private Network and Public IPv6 Network.

If you see:

To enable private networking please power off your Droplet from the command line.

.... under the Private Network heading, then you won't have an eth1 configuration file (nor will you need to configure it).

By creating a copy of your eth0 file, you'll actually do more harm than good (in terms of network connectivity) as you're essentially telling the startup script to source the same IP as two interfaces (which isn't possible).

--

The standard ifcfg-eth0 file on a Droplet with Private Networking should look something like:

DEVICE='eth0'
TYPE=Ethernet
BOOTPROTO=none
ONBOOT='yes'
HWADDR=04:01:87:32:4b:01
IPADDR=104.236.77.29
NETMASK=255.255.192.0
GATEWAY=104.236.64.1
NM_CONTROLLED='yes'
IPADDR2=10.17.0.20
PREFIX2=16
DNS1=8.8.8.8
DNS2=8.8.4.4

This is from a freshly deployed CentOS 7.x Droplet.

The standard ifcfg-eth1 file on a Droplet with Private Networking should look something like:

DEVICE='eth1'
TYPE=Ethernet
BOOTPROTO=none
ONBOOT='yes'
HWADDR=04:01:87:32:4b:02
IPADDR=10.132.107.203
NETMASK=255.255.0.0
DEFROUTE='no'
NM_CONTROLLED='yes'

(which is from the same droplet)

The differences, of course, will be the HWADDR address, so don't copy and paste this verbatim.

--

If private networking is not enabled for your Droplet, when you browse to:

/etc/sysconfig/network-scripts/

.... what you should see when running ls -al is:

-rw-r--r--. 1 root root   221 Nov 18 04:09 ifcfg-eth0
-rw-r--r--  1 root root   254 Jan 15  2015 ifcfg-lo
...
...
...

If private networking is enabled, what you should see is:

-rw-r--r--. 1 root root   221 Nov 18 04:09 ifcfg-eth0
-rw-r--r--  1 root root   157 Nov 18 04:09 ifcfg-eth1
-rw-r--r--  1 root root   254 Jan 15  2015 ifcfg-lo
...
...
...

Keep in mind, since you just created the eth1 file, you're going to see it listed. If you had to create it, private networking most likely is not enabled and you don't need that file.

The tutorials are meant more so as a guide and following them verbatim to the point of creating files not specifically instructed to can present some issues :-) (this being one instance). If you don't have a file that is shown in a tutorial, don't sweat it and ask here in the community! I'm always happy to help if I can lend a hand and if I can keep you online while answering questions you may have, then I've done my good deed for the day :-).

--

If you can login by console from the DigitalOcean control panel, you should be able to run:

ifconfig eth1 down

... to shutdown the interface. You should then delete the eth1 file.
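The mistakes the answer describes (an ifcfg file for an interface the host does not have, a copied file that claims the same IP address and MAC on two interfaces, and two files that both supply a default route) can be caught before network.service is restarted, which is when they cost you the SSH session. The script below is an added example written for this thread, not code from the original poster, the answerer or DigitalOcean. It assumes the ifcfg-rh key names shown in the answer (DEVICE, IPADDR, IPADDRn, HWADDR, GATEWAY, DEFROUTE); the directory path and the list of present interfaces are parameters, and make_sample builds a constructed sample tree with documentation-range addresses and MACs so the check can be run offline.

```sh
#!/bin/sh
# Added example, not code from the original thread.
# Pre-flight check for /etc/sysconfig/network-scripts/ifcfg-* files before
# running "systemctl restart network.service". It reports a file whose DEVICE
# has no matching interface, an IPADDR/IPADDRn or HWADDR claimed by two files
# (what copying ifcfg-eth0 to ifcfg-eth1 produces), and more than one file
# supplying a default route. DIR and the interface list are parameters so the
# check runs offline against the constructed sample built by make_sample.

# Print "KEY VALUE" for each assignment in an ifcfg file (quotes, comments stripped).
ifcfg_kv() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e "s/['\"]//g" "$1" |
        awk -F= '{ gsub(/^[ \t]+|[ \t]+$/, "", $1); print $1, $2 }'
}

# ifcfg_check DIR "lo eth0 eth1" -> prints one line per problem, returns 1 if any
ifcfg_check() {
    dir=$1
    present=" $2 "
    rc=0
    # 1) every ifcfg file must name an interface that actually exists
    for f in "$dir"/ifcfg-*; do
        dev=$(ifcfg_kv "$f" | awk '$1 == "DEVICE" { print $2 }')
        case "$present" in
            *" $dev "*) ;;
            *) echo "$(basename "$f"): DEVICE=$dev has no matching interface"; rc=1 ;;
        esac
    done
    # 2) an address or MAC may belong to only one file
    for f in "$dir"/ifcfg-*; do
        ifcfg_kv "$f" | awk -v f="$(basename "$f")" \
            '$1 ~ /^(IPADDR[0-9]*|HWADDR)$/ { print $2, $1, f }'
    done | sort | awk '
        $1 == prev { printf "%s: %s=%s already used by %s\n", $3, $2, $1, pf; bad = 1 }
        { prev = $1; pf = $3 }
        END { exit bad ? 1 : 0 }' || rc=1
    # 3) only one file may supply the default route (hence DEFROUTE=no on eth1)
    n=$(for f in "$dir"/ifcfg-*; do
            ifcfg_kv "$f" | awk '$1 == "GATEWAY" { g = 1 }
                                 $1 == "DEFROUTE" && $2 == "no" { g = 0 }
                                 END { if (g) print "default" }'
        done | awk 'END { print NR }')
    if [ "$n" -gt 1 ]; then
        echo "$n files supply a default route; set DEFROUTE=no on all but one"
        rc=1
    fi
    return $rc
}

# Build a constructed sample tree in $1 (documentation-range addresses and MACs).
# $2 = copied : ifcfg-eth1 is ifcfg-eth0 with only the name changed (the mistake)
# $2 = proper : ifcfg-eth1 in the shape the answer shows (own MAC/IP, DEFROUTE=no)
make_sample() {
    mkdir -p "$1"
    printf 'DEVICE=lo\nIPADDR=127.0.0.1\nNETMASK=255.0.0.0\nONBOOT=yes\n' > "$1/ifcfg-lo"
    cat > "$1/ifcfg-eth0" <<'EOF'
DEVICE='eth0'
TYPE=Ethernet
BOOTPROTO=none
ONBOOT='yes'
HWADDR=00:00:5e:00:53:01
IPADDR=203.0.113.10
NETMASK=255.255.255.0
GATEWAY=203.0.113.1
IPADDR2=10.0.0.5
PREFIX2=16
EOF
    if [ "$2" = copied ]; then
        sed 's/eth0/eth1/' "$1/ifcfg-eth0" > "$1/ifcfg-eth1"
    else
        cat > "$1/ifcfg-eth1" <<'EOF'
DEVICE='eth1'
TYPE=Ethernet
BOOTPROTO=none
ONBOOT='yes'
HWADDR=00:00:5e:00:53:02
IPADDR=10.0.1.20
NETMASK=255.255.0.0
DEFROUTE='no'
EOF
    fi
}

# Stand-alone run: build both samples under a temp dir, check them, clean up.
tmp=$(mktemp -d)
for kind in copied proper; do
    make_sample "$tmp/$kind" "$kind"
    echo "== $kind =="
    ifcfg_check "$tmp/$kind" "lo eth0 eth1" && echo "ok"
done
rm -rf "$tmp"
```

On a live host you would call it as ifcfg_check /etc/sysconfig/network-scripts "$(ls /sys/class/net | tr '\n' ' ')" before the restart; a non-zero exit means fix or delete the offending file first, exactly as the answer recommends for a hand-made ifcfg-eth1.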
