Firewall setup using Firewalld in CentOS8

Firewalld Introduction

A firewall is a way to protect machines from unwanted traffic from outside. It gives users the power to control incoming network traffic on host machines by defining a set of firewall rules, and it is used to allow or deny a specific service or port to a specific host or network.

Firewalld

Firewalld is a firewall service daemon that provides a dynamic, customizable host-based firewall with a D-Bus interface. It is dynamic in the sense that rules can be created, changed, and deleted at runtime without restarting the firewall daemon each time the rules change.

firewalld with the nftables backend does not support passing custom nftables rules to firewalld using the --direct option.

Basic things to know first:

package and service name : firewalld

Command Line Tool: firewall-cmd

GUI tool: firewall-config

Steps to work with Firewalld

First, check whether the package is installed on the server. It is installed by default.

[root@localhost ~]# rpm -qa firewalld
firewalld-0.6.3-7.el8.noarch

If the package is not installed by default, install it:

# yum install firewalld -y

After installation, start the service:

# systemctl start firewalld

To keep the firewall service active after a system reboot, enable it:

# systemctl enable firewalld

To check the running status of the firewalld service:

# systemctl status firewalld

Or check it with the command-line tool:

# firewall-cmd --state

To stop the firewalld service, use the command below:

# systemctl stop firewalld

To prevent firewalld from starting automatically at system start:

# systemctl disable firewalld

Zones

firewalld separates all incoming traffic into zones, with each zone having its own set of rules. To decide which zone to use for an incoming connection, firewalld applies the following logic, where the first rule that matches wins:

  1. If the source address of an incoming packet matches a source rule set up for a zone, that
     packet is routed through that zone.
  2. If the incoming interface for a packet matches a filter set up for a zone, that zone is
     used.
  3. Otherwise, the default zone is used. The default zone is not a separate zone; instead, it
     points to one of the other zones defined on the system. Unless overwritten by an administrator or a NetworkManager configuration, the default zone for any new network interface is the public zone.

A number of predefined zones are shipped with firewalld, each with its own intended usage:
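The three-step decision above can be modelled in a few lines, which makes it easy to check which zone a given packet would land in before touching a live host. The following Python script is an added example written for this article, not part of firewalld or of the original post. The zone bindings it uses (SOURCE_BINDINGS, INTERFACE_BINDINGS, DEFAULT_ZONE) are constructed for illustration, and it assumes, as firewalld itself enforces, that a given source or interface is bound to at most one zone.

```python
import ipaddress

# Constructed zone bindings for this example (not taken from any real host).
# firewalld refuses to bind one source or one interface to two zones, so a
# plain dictionary per binding type is enough to model its configuration.
SOURCE_BINDINGS = {
    "10.0.0.0/8": "internal",     # corporate range: trusted more than public
    "203.0.113.5/32": "block",    # one host whose traffic is always rejected
}
INTERFACE_BINDINGS = {
    "eth0": "public",
    "eth1": "internal",
}
DEFAULT_ZONE = "public"


def select_zone(src_ip, iface, sources=SOURCE_BINDINGS,
                interfaces=INTERFACE_BINDINGS, default=DEFAULT_ZONE):
    """Return (zone, reason) for an incoming packet, first matching rule wins.

    Order mirrors the three rules in the text: a source binding beats an
    interface binding, and the default zone is used only when neither matches.
    """
    addr = ipaddress.ip_address(src_ip)
    # Rule 1: the source address falls inside a source bound to a zone.
    for cidr, zone in sources.items():
        if addr in ipaddress.ip_network(cidr, strict=False):
            return zone, f"source {cidr}"
    # Rule 2: the incoming interface is bound to a zone.
    if iface in interfaces:
        return interfaces[iface], f"interface {iface}"
    # Rule 3: nothing matched, so the default zone applies.
    return default, "default zone"


if __name__ == "__main__":
    # Constructed packets: note that the 10.x host on eth0 ends up in
    # "internal" even though eth0 itself is bound to "public".
    for ip, dev in [("10.1.2.3", "eth0"), ("203.0.113.5", "eth1"),
                    ("192.0.2.7", "eth1"), ("192.0.2.7", "wlan0")]:
        zone, why = select_zone(ip, dev)
        print(f"{ip:>14} via {dev:<5} -> {zone:<9} ({why})")
```

The point worth noticing is the first line of output: binding an interface to the public zone does not protect the host from a source binding that routes some of that interface's traffic into a more permissive zone, so both binding types must be reviewed together.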

Default Configuration of firewalld Zones

Zone name     Default configuration

trusted       Allow all incoming traffic.
home          Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client predefined services.
internal      Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client predefined services (same as the home zone to start with).
work          Reject incoming traffic unless related to outgoing traffic or matching the ssh, ipp-client, or dhcpv6-client predefined services.
public        Reject incoming traffic unless related to outgoing traffic or matching the ssh or dhcpv6-client predefined services. The default zone for newly added network interfaces.
external      Reject incoming traffic unless related to outgoing traffic or matching the ssh predefined service. Outgoing IPv4 traffic forwarded through this zone is masqueraded to look like it originated from the IPv4 address of the outgoing network interface.
dmz           Reject incoming traffic unless related to outgoing traffic or matching the ssh predefined service.
block         Reject all incoming traffic unless related to outgoing traffic.
drop          Drop all incoming traffic unless related to outgoing traffic (do not even respond with ICMP errors).

To make a zone active, at least one of the following attributes must be set on it:

interfaces:
or
sources:

To fetch all available zones:
[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal libvirt public trusted work

Command to set the default zone:

[root@localhost ~]# firewall-cmd --set-default-zone=work
success
[root@localhost ~]#

Command to check the current default zone:

[root@localhost ~]# firewall-cmd --get-default-zone
work
[root@localhost ~]#

To add a service:

firewall-cmd --add-service=<service name>

The above command allows traffic to <service name>. If no --zone= option is provided, the default zone will be used.

To remove a service from the allowed list for the zone (again, if no --zone= option is provided, the default zone will be used):

firewall-cmd --remove-service=<service name>

Modify Firewall settings in runtime and permanent configuration

To test settings before applying them to the permanent configuration, first make the changes in the runtime configuration, verify them, and then make them permanent:

# firewall-cmd <options>
# firewall-cmd --runtime-to-permanent

Changes made with the --permanent option are written to the permanent configuration but do not take effect until the firewall is reloaded:

# firewall-cmd --permanent <options>
# firewall-cmd --reload

Here is a set of commands that are frequently used with firewall-cmd.

firewall-cmd command
    Explanation

--get-services
    List all predefined services.
--get-active-zones
    List all zones currently in use (those that have an interface or source tied to them), along with their interface and source information.
--add-source=<CIDR> [--zone=<zone>]
    Route all traffic coming from the IP address or network/netmask to the specified zone. If no --zone= option is provided, the default zone will be used.
--remove-source=<CIDR> [--zone=<zone>]
    Remove the rule routing all traffic coming from the IP address or network/netmask from the specified zone. If no --zone= option is provided, the default zone will be used.
--add-interface=<interface> [--zone=<zone>]
    Route all traffic coming from <interface> to the specified zone. If no --zone= option is provided, the default zone will be used.
--change-interface=<interface> [--zone=<zone>]
    Associate the interface with <zone> instead of its current zone. If no --zone= option is provided, the default zone will be used.
--list-all [--zone=<zone>]
    List all configured interfaces, sources, services, and ports for <zone>. If no --zone= option is provided, the default zone will be used.
--list-all-zones
    Retrieve all information for all zones (interfaces, sources, ports, services, etc.).
--remove-service=<service>
    Remove <service> from the allowed list for the zone. If no --zone= option is provided, the default zone will be used.
--add-port=<port/protocol>
    Allow traffic to the <port/protocol> port(s). If no --zone= option is provided, the default zone will be used.
--remove-port=<port/protocol>
    Remove the <port/protocol> port(s) from the allowed list for the zone. If no --zone= option is provided, the default zone will be used.

For example:

Suppose you need to add the http service to the firewall.

[screenshot: adding the http service with the --permanent option, then reloading the firewall]

In the above example you can see that we have added the http service. We did not provide any zone, so the service was added to the default active zone (work).

We used the --permanent option to make this setting permanent, and then reloaded the firewall.

Port Forwarding

Forwarding the traffic of one port to another port is known as port forwarding. Suppose you want to forward all ssh traffic from port 22 to port 2222. First set the new port number in /etc/ssh/sshd_config, then forward the port with the command below. Forwarding to a port on the same host, as here, needs nothing more; forwarding to another host with an additional toaddr= value also requires masquerading to be enabled on the zone.

# firewall-cmd --permanent --add-forward-port=port=22:proto=tcp:toport=2222

# firewall-cmd --reload


To remove port forwarding.

# firewall-cmd --permanent --remove-forward-port=port=22:proto=tcp:toport=2222

# firewall-cmd --reload

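The commands table, the runtime-versus-permanent section, and the port-forwarding example above all come down to one question a defender has to answer regularly: what does each active zone currently accept, and which of those settings survive a reload? The following Python script is an added example written for this article, not part of firewalld or of the original post. It parses the text layout of `firewall-cmd --list-all-zones` (both the single-line forward-ports style of firewalld 0.6 and the one-entry-per-line style of newer releases), reports services, ports and forward-ports accepted by active zones, and diffs the runtime dump against the permanent one to catch settings that would disappear on `firewall-cmd --reload`. The two dumps and the EXPECTED_SERVICES allowlist are constructed for the example, not captured from a real host.

```python
import re

# Constructed sample in the layout of `firewall-cmd --list-all-zones` (runtime
# configuration); not captured from a real host.
RUNTIME_DUMP = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports: port=22:proto=tcp:toport=2222:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:

work
  target: default
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  forward-ports:
"""

# Constructed sample of `firewall-cmd --permanent --list-all-zones`. The
# 8080/tcp port exists only in runtime, so a reload would silently close it.
# forward-ports is written in the one-entry-per-line style of newer releases.
PERMANENT_DUMP = """\
public
  target: default
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http ssh
  ports:
  masquerade: no
  forward-ports:
\tport=22:proto=tcp:toport=2222:toaddr=

work
  target: default
  services: cockpit dhcpv6-client ssh
"""

# Services we expect an active zone to accept; anything else is reported for
# review (constructed policy for this example).
EXPECTED_SERVICES = {"ssh", "dhcpv6-client", "cockpit"}

# Indented "key: values" field line; keys may contain hyphens or spaces.
FIELD = re.compile(r"^\s+([A-Za-z][\w -]*):\s?(.*)$")


def parse_zones(dump):
    """Parse a --list-all-zones dump into {zone: {"active": bool, field: [values]}}.

    Zone headers are unindented ("public (active)"). Indented lines that are
    not "key: value" (per-line forward-ports or rich rules) are attached to
    the preceding field.
    """
    zones, current, last_key = {}, None, None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                      # zone header
            name, _, rest = line.partition(" ")
            current = zones.setdefault(name, {"active": "(active)" in rest})
            last_key = None
            continue
        if current is None:
            continue                                   # stray line before any header
        m = FIELD.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).split()
        elif last_key is not None:
            current[last_key].append(line.strip())     # continuation line
    return zones


def exposures(zones, expected=EXPECTED_SERVICES):
    """(zone, kind, item) for what active zones accept beyond the expected services.

    Inactive zones filter no traffic, so they are skipped.
    """
    findings = []
    for name, z in zones.items():
        if not z["active"]:
            continue
        findings += [(name, "service", s) for s in z.get("services", []) if s not in expected]
        findings += [(name, "port", p) for p in z.get("ports", [])]
        findings += [(name, "forward-port", f) for f in z.get("forward-ports", [])]
    return findings


def drift(runtime, permanent, keys=("services", "ports", "forward-ports", "masquerade")):
    """(zone, field, runtime_values, permanent_values) for active-zone settings lost on reload."""
    diffs = []
    for name, z in runtime.items():
        if not z["active"]:
            continue
        saved = permanent.get(name, {})
        for key in keys:
            if sorted(z.get(key, [])) != sorted(saved.get(key, [])):
                diffs.append((name, key, z.get(key, []), saved.get(key, [])))
    return diffs


if __name__ == "__main__":
    rt, pm = parse_zones(RUNTIME_DUMP), parse_zones(PERMANENT_DUMP)
    for zone, kind, item in exposures(rt):
        print(f"review: zone {zone} accepts {kind} {item}")
    for zone, key, live, saved in drift(rt, pm):
        print(f"drift: zone {zone} {key}: runtime={live} permanent={saved}")
```

On a real host the two dumps would come from `firewall-cmd --list-all-zones` and `firewall-cmd --permanent --list-all-zones`; feeding their output to parse_zones turns the "test in runtime, then --runtime-to-permanent" workflow into something that can be checked rather than remembered, and the forward-port entry in the findings is the place to confirm that every forward is still intended.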

In this article we have discussed firewalld, zones, and port forwarding. The most flexible way to forward traffic is with rich rules; in the next article we will discuss rich rules in firewalld.

Please give your comment and suggestions below. Thank you.
