Useful FirewallD Examples

Firewalld replaced the older iptables-service-based firewall mechanism starting with Fedora 18; RHEL/CentOS 7 and other recent distributions rely on it as well. One of the main motives for introducing it was that the old mechanism had to reload the whole ruleset after every change, dropping all active connections in the process. Firewalld applies changes dynamically and supports zones, which makes it easy to keep a different set of rules for your office or home network, configured either from the command line or from a GUI.

Initially the firewalld concept looks hard to configure, but services and zones make it easier by grouping rules together, as this article shows.

Before adding firewalld rules, first check that the firewalld service is enabled and running.

# systemctl status firewalld

If the output shows active (running), firewalld is up. Now list the zones that currently have interfaces or sources assigned to them, and the services firewalld knows about.

# firewall-cmd --get-active-zones
# firewall-cmd --get-services

Note that --get-services prints every predefined service, not only the ones enabled in a zone; the services enabled in a particular zone are shown by --list-services.

If you are not familiar with the command line, you can also manage firewalld from the GUI. For that you need the firewall-config package installed; if it is missing, install it with the following command.

# yum install firewalld firewall-config

As said above, this article is written for command-line users: all the examples that follow use firewall-cmd only, with no GUI steps.

Before moving further, confirm which zone you are going to configure (the examples use the public zone), and list all the services, ports and rich rules currently enabled in it with the following command.

# firewall-cmd --zone=public --list-all

In a fresh installation the public zone enables only a few services (typically ssh and dhcpv6-client) and no extra ports or rich rules. The rest of this article shows how to add, remove and modify rules.

1. Adding and Removing Ports in Firewalld

To open a port in the public zone, use --add-port. For example, the following command opens TCP port 80 in the public zone.

Note the --permanent option: with it the change is written to the zone's XML file under /etc/firewalld/zones/ and survives a reload or reboot, but it does not take effect in the running firewall until you run 'firewall-cmd --reload'. Without --permanent the change is applied immediately but is lost on the next reload or restart. For a change you want both now and after a reboot, run the command twice (once with and once without --permanent), or apply it at runtime and then save the running configuration with 'firewall-cmd --runtime-to-permanent'.

# firewall-cmd --permanent --zone=public --add-port=80/tcp

Similarly, to close the port again use --remove-port. The command below affects only the running configuration; add --permanent (and reload) to remove it from the saved configuration as well.

# firewall-cmd --zone=public --remove-port=80/tcp

After adding or removing ports, confirm the result with --list-ports. Add --permanent to inspect the saved configuration instead of the running one.

# firewall-cmd --zone=public --list-ports

2. Adding and Removing Services in Firewalld

firewalld ships with predefined services: XML files under /usr/lib/firewalld/services/, each listing the ports a service needs. If you need a service that is not predefined, create your own XML file for it under /etc/firewalld/services/ and reload firewalld; otherwise add or remove the existing services in a zone with the following commands.

For example, the following commands add and then remove the ftp service in the public zone, and list the services currently enabled there. As with ports, add --permanent to make the change survive a reload.

# firewall-cmd --zone=public --add-service=ftp
# firewall-cmd --zone=public --remove-service=ftp
# firewall-cmd --zone=public --list-services
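The custom service file mentioned above, as an added example that is not part of the original article: a POSIX shell function that writes a firewalld service definition into /etc/firewalld/services/ (overridable through the FIREWALLD_SERVICE_DIR variable, an assumption of this script). It validates the service name, protocols and port specs before writing anything, and escapes the description, so a bad call cannot leave behind a half-written file that firewalld would refuse to load. The service name "webapp" and its ports are made-up values.

```sh
#!/bin/sh
# Added example (not from the original article): generate a custom firewalld
# service definition. firewalld reads service XML from /etc/firewalld/services/
# (which overrides /usr/lib/firewalld/services/). FIREWALLD_SERVICE_DIR is an
# assumption of this script, used to redirect output for testing.
set -u

SERVICE_DIR="${FIREWALLD_SERVICE_DIR:-/etc/firewalld/services}"

# Escape the characters that are special in XML text content.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# write_service NAME DESCRIPTION PORT/PROTO [PORT/PROTO ...]
# Validates every argument before touching the filesystem, so a bad call
# never leaves a half-written (and therefore unloadable) service file behind.
# Prints the path of the written file on success.
write_service() {
    name=$1
    desc=$2
    shift 2

    case "$name" in
        ''|*[!A-Za-z0-9_-]*)
            echo "write_service: invalid service name '$name'" >&2
            return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "write_service: no ports given" >&2; return 1; }

    for spec in "$@"; do
        port=${spec%/*}
        proto=${spec#*/}
        case "$proto" in
            tcp|udp|sctp|dccp) ;;
            *) echo "write_service: bad protocol in '$spec'" >&2; return 1 ;;
        esac
        # A port is a number or a range such as 8000-8100.
        case "$port" in
            ''|*[!0-9-]*|-*|*-) echo "write_service: bad port in '$spec'" >&2; return 1 ;;
        esac
    done

    file="$SERVICE_DIR/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$name")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file" || return 1
    chmod 0644 "$file"
    echo "$file"
}

# Stand-alone usage (as root, then reload so firewalld picks the file up):
#   write_service webapp "Internal web app and API" 8080/tcp 8443/tcp
#   firewall-cmd --reload
#   firewall-cmd --info-service=webapp
#   firewall-cmd --permanent --zone=public --add-service=webapp && firewall-cmd --reload
```

A file under /etc/firewalld/services/ with the same name as a predefined service overrides it, which is the supported way to change the ports of, say, the ftp service without editing the copy under /usr/lib.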

3. Block Incoming and Outgoing Packets (Panic Mode)

If you need to cut the machine off from the network immediately, enable panic mode. It drops every incoming and outgoing packet, including packets belonging to established connections, so do not turn it on over SSH unless you have console access to turn it off again.

# firewall-cmd --panic-on

After enabling panic mode, try to ping a domain (say google.com) and check whether panic mode is on with --query-panic.

# ping google.com -c 1

# firewall-cmd --query-panic

The ping fails with "Unknown host google.com": the DNS query needed to resolve the name is dropped along with everything else, so the name cannot even be looked up. Now disable panic mode, then ping and check again.

# firewall-cmd --query-panic

# firewall-cmd --panic-off

# ping google.com -c 1

This time the ping gets a reply from google.com.

4. Masquerading IP Address

Masquerading is a form of Network Address Translation (NAT): packets leaving the machine have their source address rewritten to the machine's own address, which lets hosts behind it (for example, virtual machines on a private network) reach the internet through it.

Here, we will see how to forward a port to a host on the inside network. For example, to reach a home virtual machine over ssh from anywhere, forward connections arriving on port 22 of the gateway to port 2222 on the virtual machine.

Before configuring port forwarding, check whether masquerading is enabled for the external zone: we are going to reach the machine from the outside network, and forwarding to a different address (toaddr) only works with masquerading enabled in that zone.

# firewall-cmd --zone=external --query-masquerade

If it is not enabled, enable it with the following command (the external zone ships with it enabled).

# firewall-cmd --zone=external --add-masquerade

Now forward all connections arriving on TCP port 22 in the external zone to port 2222 on the host 192.168.0.132, and verify the result.

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2222:toaddr=192.168.0.132

# firewall-cmd --zone=external --list-all

Remember that the outward-facing interface has to be assigned to the external zone (--zone=external --change-interface=<iface>), otherwise the zone's rules never see the traffic, and use --permanent (or --runtime-to-permanent) once the forwarding is confirmed to work.
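The procedure above, as an added example that is not part of the original article: a POSIX shell function that ensures masquerading, adds the forward-port entry only if it is not already present, verifies it in the running configuration, and saves everything with --runtime-to-permanent only after that verification. The FIREWALL_CMD variable is an assumption of this script so the logic can be dry-run against a stub on a machine without firewalld; zone, ports and 192.168.0.132 are the article's example values.

```sh
#!/bin/sh
# Added example (not from the original article): apply the port-forwarding
# procedure idempotently, in the running configuration first, and save it
# only once it is verified. FIREWALL_CMD is an assumption of this script: it
# can be pointed at a stub function to exercise the logic without firewalld.
set -u
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

fw() { "$FIREWALL_CMD" "$@"; }

# fw_forward_port ZONE PORT PROTO TOPORT TOADDR
fw_forward_port() {
    zone=$1 port=$2 proto=$3 toport=$4 toaddr=$5
    spec="port=$port:proto=$proto:toport=$toport:toaddr=$toaddr"

    # Forwarding to another host needs masquerading in the zone, otherwise
    # the inside host's replies leave with a source address the client
    # never talked to and the connection never completes.
    if ! fw --zone="$zone" --query-masquerade >/dev/null 2>&1; then
        fw --zone="$zone" --add-masquerade >/dev/null || return 1
    fi

    if fw --zone="$zone" --query-forward-port="$spec" >/dev/null 2>&1; then
        echo "forward port already present in zone $zone: $spec"
        return 0
    fi
    fw --zone="$zone" --add-forward-port="$spec" >/dev/null || return 1

    # Verify before persisting: --runtime-to-permanent saves the whole
    # running configuration, so only do it once the rule is confirmed.
    if ! fw --zone="$zone" --query-forward-port="$spec" >/dev/null 2>&1; then
        echo "forward port did not appear in zone $zone" >&2
        return 1
    fi
    fw --runtime-to-permanent >/dev/null || return 1
    echo "forwarding $zone $proto/$port -> $toaddr:$toport (saved)"
}

# Stand-alone usage (requires root and a running firewalld):
#   fw_forward_port external 22 tcp 2222 192.168.0.132
```

Applying at runtime first and saving afterwards means a typo in the spec is rejected by firewalld before anything reaches the permanent configuration; the opposite order (--permanent, then --reload) would persist the mistake.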

5. How to Block and Enable ICMP

First, list the ICMP types firewalld knows about with the following command.

# firewall-cmd --get-icmptypes

To block an ICMP type in a zone, use --add-icmp-block. For example, here we block echo-reply in the public zone; before blocking, query the current state of the block.

# firewall-cmd --zone=public --query-icmp-block=echo-reply

If you get 'no', no ICMP block is applied yet, so let's enable (block) it.

# firewall-cmd --zone=public --add-icmp-block=echo-reply

Pay attention to which type you block: an ICMP block applies to packets of that type arriving in the zone. To stop other hosts from pinging this machine, block echo-request (the type a ping sends); echo-reply is what comes back to a ping the host itself sends, so blocking it, as above, does not keep anyone from pinging you. Use --remove-icmp-block=<type> to lift a block again.

6. Adding and Removing Rules using the Direct Interface

The direct interface (--direct) lets you insert raw iptables rules into the chains firewalld manages for each zone (for example IN_public_allow for the public zone, IN_work_allow for the work zone, and so on). Use it only when zones, services and rich rules cannot express what you need, because direct rules bypass firewalld's own rule handling. For example, here we add a rule to the public zone's allow chain.

Before adding any rule, list the current direct rules in that chain with --get-rules.

# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow

To add a rule, use --add-rule as shown below. The 0 is the rule's priority (0 puts it at the top of the chain; higher numbers are inserted further down). This rule accepts TCP connections to port 25 from any source in the public zone.

# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT

To remove the rule, replace --add-rule with --remove-rule and repeat the rest of the arguments exactly.

# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT

Direct rules are runtime only unless given with --permanent, in which case they are stored in /etc/firewalld/direct.xml.

7. Firewalld Lockdown Rules

Any local application or user with root privileges can change firewalld's rules through its D-Bus interface. To limit this, enable lockdown mode: with it, only the commands, users and SELinux contexts listed in /etc/firewalld/lockdown-whitelist.xml may change the configuration. This is mostly used to protect the firewall from unwanted rule changes by applications. Check the whitelist before enabling lockdown, so that the tool you manage the firewall with stays allowed. To make the setting persistent, set it in 'firewalld.conf'.

# vim /etc/firewalld/firewalld.conf

Change no to yes

Lockdown=yes

Reload firewalld so the running daemon picks up the change.

# firewall-cmd --reload

After making the above changes, verify that lockdown is in effect with --query-lockdown.

# firewall-cmd --query-lockdown

To turn lockdown on or off from the command line instead, use the following pair of commands; they take effect immediately, without a reload.

# firewall-cmd --lockdown-on

# firewall-cmd --lockdown-off

8. Enabling Fail2ban-firewalld Support

To have fail2ban ban addresses through firewalld rather than by calling iptables directly, install the 'fail2ban-firewalld' package from the EPEL repository on RHEL/CentOS. It pulls in fail2ban itself, which ships filters for SSH brute force and SSH DDoS, MariaDB, Apache and other services, and adds a drop-in under /etc/fail2ban/jail.d/ that makes firewalld the ban action.

After enabling EPEL, install the 'fail2ban-firewalld' package with the following command.

# yum install fail2ban-firewalld -y

After installing the package, start the 'fail2ban' service and enable it so that it starts at boot. Jails are then switched on per service in /etc/fail2ban/jail.local.

# systemctl start fail2ban

# systemctl enable fail2ban

9. Adding & Blocking IP Addresses

Rich rules let you match on the source address. To accept all traffic from a specific IP address (192.168.0.254) in the public zone, use the following command.

# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'

After adding the above rule, list the public zone to see it under its rich rules.

# firewall-cmd --zone=public --list-all

To remove the rule, replace --add-rich-rule with --remove-rich-rule and repeat the rule text exactly, as shown in the command below.

# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'

To reject or drop traffic from an IP address, replace 'accept' with 'reject' (which sends an error back to the sender) or 'drop' (which discards the packets silently), as shown below.

# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.250" reject'

# firewall-cmd --zone=public --list-all

As with every other change in this article, add --permanent (and reload) to keep the rule across restarts.
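Rich rules built from a list of addresses, as an added example that is not part of the original article. The rule text is handed to firewall-cmd verbatim, so an unchecked entry such as `10.0.0.1" accept` read from a file could turn a block into an allow; this POSIX shell script checks every address (IPv4 or IPv6, optionally with a prefix length) before splicing it into a rule, picks the matching family, and refuses the whole list on the first bad entry rather than loading a partial blocklist. The function names and the addresses in the comments are this example's own.

```sh
#!/bin/sh
# Added example (not from the original article): build firewalld rich rules
# from a list of addresses, validating each one before it becomes part of
# the rule string. The address checks are deliberately simple: they make
# sure the text is an address and nothing more; firewalld itself rejects
# addresses that are syntactically off.
set -u

# is_ipv4 ADDR[/PREFIX]: four decimal octets 0-255, optional /0-32 prefix.
is_ipv4() {
    ip=${1%/*}
    plen=${1#"$ip"}
    case "$plen" in
        '') ;;
        /[0-9]|/[12][0-9]|/3[0-2]) ;;
        *) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # empty, non-numeric, or more than three digits (no octal lookalikes)
        case "$octet" in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# is_ipv6 ADDR[/PREFIX]: hex digits and colons only, optional /0-128 prefix.
is_ipv6() {
    ip=${1%/*}
    plen=${1#"$ip"}
    case "$plen" in
        '') ;;
        /[0-9]|/[0-9][0-9]|/1[01][0-9]|/12[0-8]) ;;
        *) return 1 ;;
    esac
    case "$ip" in
        ''|*[!0-9A-Fa-f:]*) return 1 ;;
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

# rich_rule ADDR ACTION: print the rich rule text for firewall-cmd, or fail.
rich_rule() {
    addr=$1 action=$2
    case "$action" in
        accept|reject|drop) ;;
        *) echo "rich_rule: action must be accept, reject or drop, got '$action'" >&2; return 1 ;;
    esac
    if is_ipv4 "$addr"; then family=ipv4
    elif is_ipv6 "$addr"; then family=ipv6
    else
        echo "rich_rule: refusing invalid address '$addr'" >&2
        return 1
    fi
    printf 'rule family="%s" source address="%s" %s\n' "$family" "$addr" "$action"
}

# blocklist_rules FILE ACTION: one rule per address in FILE. '#' comments and
# blank lines are skipped; a bad entry aborts the run so that a partial list
# is never applied.
blocklist_rules() {
    file=$1 action=$2
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$line" ] || continue
        n=$((n + 1))
        rich_rule "$line" "$action" || { echo "blocklist_rules: entry $n rejected" >&2; return 1; }
    done < "$file"
}

# Stand-alone usage (as root): generate, then apply and reload.
#   blocklist_rules /etc/firewalld/blocklist.txt reject > /tmp/rules.txt || exit 1
#   while IFS= read -r r; do
#       firewall-cmd --permanent --zone=public --add-rich-rule="$r"
#   done < /tmp/rules.txt
#   firewall-cmd --reload
```

Generating the rules into a file first and applying them only when the whole list validated is what keeps a single malformed line from producing a half-applied blocklist.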
