How to set up a firewall with firewalld on RHEL/CentOS 7

Firewalld

firewalld is the default firewall management tool in RHEL 7 and CentOS 7. It runs as the firewalld.service system service and manages the Linux kernel netfilter subsystem by generating the low-level iptables rules for you. It is recommended to switch to firewalld, since the old iptables service may be discontinued in the future. The iptables service is still supported and can be installed with yum (package iptables-services), but firewalld.service and iptables.service conflict with each other, so use only one of them on a system. In this tutorial, I will show you how to set up a firewall for your server.

Zones

firewalld separates incoming traffic into zones, and each zone has its own set of rules. Any network interface that is not explicitly assigned to a zone lands in the default zone, which is public unless you change it. The predefined zones are:

  • trusted: All incoming traffic is allowed.
  • home: For home environments. Incoming traffic is rejected unless it is related to outgoing traffic or matches a small set of predefined services (ssh, mdns, samba-client, dhcpv6-client).
  • internal: Same as home, intended for internal networks; a few additional services may be allowed.
  • work: For work machines. Incoming traffic is rejected unless it is related to outgoing traffic or matches the ssh or dhcpv6-client predefined services (older releases also list ipp-client).
  • public: The default zone for newly added network interfaces. Only selected incoming connections (ssh and dhcpv6-client by default) are accepted; everything else is rejected.
  • external: For use on a router with masquerading enabled. IPv4 traffic forwarded through this zone is masqueraded so that it appears to originate from the IPv4 address of the outgoing interface. Only ssh is accepted from outside by default.
  • dmz: For machines in a demilitarized zone with limited access to the internal network. Only selected incoming connections (ssh by default) are accepted.
  • block: Like drop, but denied incoming connections are rejected with an icmp-host-prohibited (IPv4) or icmp6-adm-prohibited (IPv6) message instead of being silently dropped.
  • drop: All incoming traffic is dropped without any reply unless it is related to outgoing traffic. This is the lowest level of trust.

Firewalld Management

We can manage firewalld in three ways:

  • By using the command line tool named “firewall-cmd”
  • By using the graphical tool named “firewall-config”
  • By using the configuration files located in /etc/firewalld

Note: the configuration files are useful when copying a configuration from one system to another; editing them directly is not recommended. Use firewall-cmd, which writes them for you.

Installing Firewalld Package

It is installed on Red Hat Enterprise Linux/CentOS 7 by default. If not, you can install it with the yum command:

yum install firewalld -y

After installing firewalld, check whether the iptables service is running:

systemctl status iptables

If it is running, stop it with:

systemctl stop iptables

It is also good practice to mask the iptables, ip6tables and ebtables services, so that they cannot be started by accident alongside firewalld:

# for SERVICE in iptables ip6tables ebtables; do
> systemctl mask ${SERVICE}.service
> done

Useful commands

Some useful systemctl commands to manage the firewalld service.

To start the firewalld service:

systemctl start firewalld.service

To stop the service

systemctl stop firewalld.service

To check the firewalld service status:

systemctl status firewalld.service

To enable the firewalld service:

systemctl enable firewalld.service

Enabling the service starts the firewall automatically at boot. To disable the service:

systemctl disable firewalld.service

Disabling the service means the firewall is no longer started at boot; it does not stop the running firewall, use systemctl stop for that.

Check Default Zone

# firewall-cmd --get-default-zone

This command displays the current default zone.

Set Default Zone

# firewall-cmd --set-default-zone=work

This command sets the default zone to work; interfaces that are not explicitly assigned to a zone move with it. You can use any available zone according to your requirements.

Check Available Zones

# firewall-cmd --get-zones

This lists all the available zones.

List the zones currently in use:

# firewall-cmd --get-active-zones

It will list all zones currently in use along with their interface information.

Create a new zone

# firewall-cmd --permanent --new-zone=myclassroom

A new zone is written to the permanent configuration only; run a reload before you can use it with runtime commands.
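The zone commands above as one complete procedure: create a custom zone, give it a sane target and a service, bind an interface to it and verify the binding. This is an added example, not code from the original post. It assumes a RHEL/CentOS 7 box with firewalld running and root privileges; the zone name myclassroom is taken from the post, the interface name eth1 is an assumption. The firewall is only touched when firewall-cmd is present and the script runs as root; the two helper functions are pure shell so they can be checked without firewalld.

```bash
#!/bin/bash
# Added example: create a firewalld zone, bind an interface to it, verify.
# Assumes RHEL/CentOS 7, firewalld running, run as root.
# "myclassroom" comes from the post; "eth1" is an assumed interface name.
set -eu

ZONE="myclassroom"
IFACE="eth1"

# firewalld embeds the zone name in iptables chain names, so it rejects names
# longer than 17 characters; only letters, digits, '_' and '-' are safe.
valid_zone_name() {
    name="$1"
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 17 ] || return 1
    case "$name" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print the zone an interface is bound to, or "none".
# Input is the text printed by `firewall-cmd --get-active-zones`, e.g.
#   public
#     interfaces: eth0
#   myclassroom
#     interfaces: eth1
zone_for_interface() {
    iface="$1"; input="$2"
    printf '%s\n' "$input" | awk -v want="$iface" '
        /^[^ \t]/ { zone = $1; next }                      # unindented line = zone name
        /interfaces:/ { for (i = 2; i <= NF; i++)
                            if ($i == want) { print zone; found = 1; exit } }
        END { if (!found) print "none" }'
}

setup_zone() {
    valid_zone_name "$ZONE" || { echo "invalid zone name: $ZONE" >&2; return 1; }
    # A new zone exists only in the permanent config until the next reload.
    firewall-cmd --permanent --new-zone="$ZONE"
    # target=default: reject anything not explicitly allowed in this zone.
    firewall-cmd --permanent --zone="$ZONE" --set-target=default
    firewall-cmd --permanent --zone="$ZONE" --add-service=ssh
    firewall-cmd --reload
    # Binding an interface moves it out of its previous zone (public by default).
    firewall-cmd --permanent --zone="$ZONE" --change-interface="$IFACE"
    firewall-cmd --reload
    bound=$(zone_for_interface "$IFACE" "$(firewall-cmd --get-active-zones)")
    [ "$bound" = "$ZONE" ] || { echo "$IFACE is in zone $bound, expected $ZONE" >&2; return 1; }
    firewall-cmd --zone="$ZONE" --list-all
}

# Only touch the live firewall when firewalld is available and we are root.
if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    setup_zone
fi
```

Check the result with firewall-cmd --get-active-zones afterwards: the interface must appear under the new zone and no longer under public, otherwise its traffic is still evaluated against the public rules.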

How to Add Services to the Zones

Add the MySQL service to the default zone temporarily (runtime only; the change is lost at the next reload or reboot):

# firewall-cmd --add-service=mysql

Add the mysql service to the default zone permanently (the change is written to /etc/firewalld but is not active until the next reload):

# firewall-cmd --permanent --add-service=mysql

Specify the zone while adding the mysql service permanently:

# firewall-cmd --permanent --zone=work --add-service=mysql

How to Remove Services from the Zones

# firewall-cmd --zone=work --remove-service=mysql

This command removes the MySQL service from the work zone at runtime; add --permanent to remove it from the saved configuration as well.

Port Management

Allow port 22/tcp temporarily in the myclassroom zone created above:

# firewall-cmd --zone=myclassroom --add-port=22/tcp

Allow port 22/tcp permanently in the myclassroom zone:

# firewall-cmd --permanent --zone=myclassroom --add-port=22/tcp

Reload

Rules added with --permanent are not active until you reload. A reload also discards runtime-only changes, so save any runtime rule you want to keep with --runtime-to-permanent first, then run:

# firewall-cmd --reload
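The runtime/permanent split above is where most firewalld mistakes happen: a port opened at runtime disappears at the next reboot, and a --permanent rule is not protecting (or exposing) anything until a reload. The following added example (not from the original post) makes one change of each kind in the work zone and then reports the drift between the live and the saved configuration before reconciling them. It assumes RHEL/CentOS 7 with firewalld running, root privileges, and that the work zone exists (it does by default); the mysql service and port 8443/tcp are assumptions for illustration. --runtime-to-permanent needs firewalld 0.3.10 or later, i.e. a reasonably current 7.x.

```bash
#!/bin/bash
# Added example: runtime vs permanent configuration and drift between them.
# Assumes RHEL/CentOS 7, firewalld running, run as root; zone "work" exists.
# The mysql service and 8443/tcp are assumed values for illustration.
set -eu
ZONE="work"

# Print the words of list A that do not appear in list B, one per line.
# Lists are whitespace-separated, as printed by `firewall-cmd --list-services`
# and `--list-ports`. Pure shell, so it can be tested without firewalld.
only_in_first() {
    a="$1"; b="$2"
    for item in $a; do
        case " $b " in
            *" $item "*) ;;          # present in both lists
            *) echo "$item" ;;
        esac
    done
}

# Compare what is live now with what will be live after --reload or a reboot.
report_drift() {
    what="$1"; runtime="$2"; permanent="$3"
    for x in $(only_in_first "$runtime" "$permanent"); do
        echo "runtime-only $what '$x' in zone $ZONE: lost on --reload/reboot"
    done
    for x in $(only_in_first "$permanent" "$runtime"); do
        echo "permanent-only $what '$x' in zone $ZONE: not active until --reload"
    done
}

demo() {
    # Runtime change: effective immediately, gone after --reload or a reboot.
    firewall-cmd --zone="$ZONE" --add-service=mysql
    # Permanent change: written to /etc/firewalld, not effective until --reload.
    firewall-cmd --permanent --zone="$ZONE" --add-port=8443/tcp

    report_drift service "$(firewall-cmd --zone="$ZONE" --list-services)" \
                         "$(firewall-cmd --permanent --zone="$ZONE" --list-services)"
    report_drift port    "$(firewall-cmd --zone="$ZONE" --list-ports)" \
                         "$(firewall-cmd --permanent --zone="$ZONE" --list-ports)"

    # Persist the runtime state (mysql) so a reload does not silently drop it ...
    firewall-cmd --runtime-to-permanent
    # ... then reload so the permanent state (8443/tcp) becomes active as well.
    firewall-cmd --reload
    firewall-cmd --zone="$ZONE" --list-all
}

# Only touch the live firewall when firewalld is available and we are root.
if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    demo
fi
```

Running the drift report before a planned reload (or from a cron job) is a cheap way to catch both problems: someone "temporarily" opening a port that quietly became permanent-by-neglect, and a saved rule nobody activated.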

Rich rules

Apart from zones and services, you have two other options for adding firewall rules: direct rules and rich rules. Direct rules let you insert hand-coded iptables rules into the chains firewalld manages, while rich rules give you an expressive language for custom firewall rules without dropping down to iptables syntax.

Rich rule syntax

rule [family=ipv4|ipv6]
[source]
[destination]
service|port|protocol|icmp-block|masquerade|forward-port
[log]
[audit]
[accept|reject|drop]

Examples

1.) Reject all traffic from the IP address 192.168.1.15 in the internal zone

firewall-cmd --permanent --zone=internal --add-rich-rule='rule family=ipv4 source address=192.168.1.15/32 reject'

Note: whenever a source or destination with an address option is used, family= must be set to either ipv4 or ipv6.

2.) Allow traffic from the IP address 192.168.1.15 to the http service

# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.15/32" service name="http" accept'

Watch the prefix length: a source of 192.168.1.15/24 would match the entire 192.168.1.0/24 network, not the single host. After adding rich rules with --permanent, reload the firewall for them to take effect.

Port Forwarding

With port forwarding, you can forward traffic arriving on a port to either a different port on the same system or to a port on a different system. Example:

# firewall-cmd --permanent --zone=work --add-forward-port=port=518:proto=tcp:toport=134:toaddr=192.168.1.22

This command forwards incoming connections on 518/TCP to port 134/TCP on the system with the IP address 192.168.1.22 for clients in the work zone. Forwarding to another system requires masquerading to be enabled on the zone (--add-masquerade); without it the forward is configured but does not work. Reload afterwards for the permanent rule to take effect.
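The forward above as a complete, checked procedure, added here as an example that is not part of the original post: it enables masquerading on the zone, adds the forward, reloads, and then parses the zone listing to catch the common failure of a forward to another host on a zone without masquerade. It assumes RHEL/CentOS 7 with firewalld running and root privileges; the ports 518 to 134, the host 192.168.1.22 and the work zone are the values used in the post. The checker is pure text processing over the output format of firewall-cmd --list-all and can be tested on constructed input.

```bash
#!/bin/bash
# Added example: port forward to another host plus a masquerade sanity check.
# Assumes RHEL/CentOS 7, firewalld running, run as root. Values (518 -> 134,
# 192.168.1.22, zone work) are the ones from the post.
set -eu
ZONE="work"

# Parse `firewall-cmd --zone=ZONE --list-all` text and print one line for every
# forward-port whose toaddr points at another host while masquerade is off.
# Handles both the old one-line "forward-ports: port=..." layout and the newer
# layout with one indented entry per line. Exit status = number of problems.
check_forwards() {
    listing="$1"
    printf '%s\n' "$listing" | awk '
        /^[ \t]*masquerade:/ { masq = $2 }
        { for (i = 1; i <= NF; i++) if ($i ~ /^port=.*:toaddr=./) fw[++n] = $i }
        END {
            bad = 0
            for (j = 1; j <= n; j++) {
                to = fw[j]; sub(/.*:toaddr=/, "", to)
                if (masq != "yes") {
                    printf "forward to %s needs masquerade on zone: %s\n", to, fw[j]
                    bad++
                }
            }
            exit bad
        }'
}

add_forward() {
    spec="port=518:proto=tcp:toport=134:toaddr=192.168.1.22"
    # Forwarding to another host requires masquerading on the zone; this also
    # means the box must be routing, so check the kernel is forwarding.
    firewall-cmd --permanent --zone="$ZONE" --add-masquerade
    firewall-cmd --permanent --zone="$ZONE" --add-forward-port="$spec"
    firewall-cmd --reload
    firewall-cmd --zone="$ZONE" --query-forward-port="$spec"
    check_forwards "$(firewall-cmd --zone="$ZONE" --list-all)"
    sysctl net.ipv4.ip_forward
}

# Only touch the live firewall when firewalld is available and we are root.
if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    add_forward
fi
```

Keep in mind what masquerading does to the forwarded traffic: the backend at 192.168.1.22 sees the firewall's address as the client, so any per-client logging or access control on the backend has to use the firewall's logs instead.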

Conclusion

You should now have a good understanding of how to use the firewalld service on your system or server. If you find this post helpful, please share it on your social networks. If you have any questions, leave a comment below or contact me using the contact us page.

Resources

Guide by Sander van Vugt
