CentOS 7 firewall-cmd: open port

A firewall installed in the operating system prevents unauthorized traffic from passing between computer networks. The rules that control access are created manually or automatically. CentOS 7, an OS built on the Linux kernel, ships with a built-in firewall that is managed through the FirewallD utility. FirewallD is enabled by default, and setting it up is the subject of this article.

As mentioned above, the standard firewall in CentOS 7 is the FirewallD utility, so firewall configuration is described here using this tool as the example. Filtering rules can also be set directly with iptables, but that is done somewhat differently; the configuration of that utility is covered in a separate article at the following link, and here we turn to FirewallD.

Firewall Basics

FirewallD works with zones: sets of rules that govern traffic according to how much a network is trusted. Each zone has its own policies, and together they form the firewall configuration. One or more network interfaces are assigned to each zone, so the rules that apply depend on the interface in use. For example, on a public Wi-Fi network the firewall tightens control, while on a home network it grants additional access to the other participants. The firewall contains the following zones:

  • trusted - maximum trust in all network devices;
  • home - a local network group. The environment is trusted, but incoming connections are allowed only for specific machines;
  • work - a work area. Most devices are trusted and additional services are enabled;
  • dmz - a zone for isolated computers. Such devices are separated from the rest of the network and accept only specific incoming traffic;
  • internal - the zone for internal networks. All machines are trusted and additional services are opened;
  • external - the counterpart of the previous zone. On external networks NAT masquerading is active, hiding the internal network without blocking its ability to reach outside;
  • public - a zone for public networks in which no device is trusted and incoming traffic is accepted on a case-by-case basis;
  • block - all incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited error;
  • drop - the minimum trust level. Incoming connections are dropped without any notification.

Rules can be temporary or permanent. When a rule is added or edited, the firewall's behaviour changes immediately, without a restart. Temporary rules are lost when FirewallD is restarted. A rule added with the --permanent argument is called permanent and is kept across restarts.

Enabling FirewallD

First, start FirewallD or make sure it is already running: only a running daemon (a background service) applies the firewall rules. Activation takes a few steps:

  1. Open the "Terminal" in any convenient way, for example from the "Applications" menu.
  2. Enter the command sudo systemctl start firewalld.service and press Enter.
  3. The utility runs on behalf of the superuser, so you will have to confirm your identity by entering a password.
  4. To make sure the service is running, enter firewall-cmd --state.
  5. Authenticate again in the dialog that opens.
  6. A new line will be displayed; the value "running" means the firewall is working.

If you ever need to temporarily or permanently disable the firewall, we recommend using the instructions presented in our other article at the following link.

View default rules and available zones

Even a firewall operating normally has its own specific rules and accessible zones. Before you start editing policies, we recommend that you familiarize yourself with the current configuration. This is done using simple commands:

  1. The firewall-cmd --get-default-zone command shows the default zone.
  2. After running it you will see a new line with the value. In the screenshot below, for example, the default zone is "public".
  3. Several zones can be active at once, each bound to its own interface. This information is shown by firewall-cmd --get-active-zones.
  4. The firewall-cmd --list-all command lists the rules configured for the default zone. In the screenshot below the "public" zone has the target "default" (the default action), the interface "enp0s3", and two added services.
  5. To see all the zones available in the firewall, enter firewall-cmd --get-zones.
  6. The parameters of a specific zone are shown by firewall-cmd --zone=name --list-all, where name is the zone name.

After determining the necessary parameters, you can proceed to changing and adding them. Let's take a closer look at a few of the most popular configurations.

Setting up interface zones

As noted above, each interface has a default zone, and it stays there until the user or a program changes the setting. An interface can be moved to another zone for a single session with sudo firewall-cmd --zone=home --change-interface=eth0. The result "success" means the move worked. Remember that such a setting is reset as soon as the firewall is restarted.

When changing parameters in this way, bear in mind that services may be reset. Some do not work in every zone: SSH, for example, is available in "home", but in custom or special zones the service may refuse to work. Verify that the interface is bound to the new zone with firewall-cmd --get-active-zones.

If you want to discard the settings you have made, simply restart the firewall: sudo systemctl restart firewalld.service.

Changing an interface's zone for a single session is not always convenient. To make the setting permanent, edit the interface's configuration file. We recommend the nano text editor, installed from the official repository with sudo yum install nano. Then do the following:

  1. Open the configuration file in the editor with sudo nano /etc/sysconfig/network-scripts/ifcfg-eth0, where eth0 is the name of the required interface.
  2. Confirm the account password to continue.
  3. Find the "ZONE" parameter and change its value to the desired one, for example public or home.
  4. Press Ctrl+O to save the changes.
  5. Do not change the file name; just press Enter.
  6. Exit the editor with Ctrl+X.

The interface now stays in the specified zone until you edit the configuration file again. To apply the updated settings, run sudo systemctl restart network.service and sudo systemctl restart firewalld.service.

Setting the default zone

Above, we showed the command that reports the default zone. The default zone can also be changed to one of your choice: type sudo firewall-cmd --set-default-zone=name in the console, where name is the name of the required zone.

The success of the command will be indicated by the inscription "success" on a separate line. After this, all current interfaces will be bound to the specified zone, unless otherwise specified in the configuration files.

Creating rules for programs and utilities

At the beginning of the article we described what each zone does. Placing services, utilities and programs in these zones lets you apply individual parameters to each of them according to the user's needs. To begin, look at the full list of services currently available: firewall-cmd --get-services.

The result is printed directly in the console. Each service is separated by a space, so you can easily find the one you are interested in. If the required service is not present, it has to be installed separately; see the official documentation of the software for installation instructions.

The above command shows only service names. Details for each service are held in an individual file under /usr/lib/firewalld/services. These files are in XML format; the file for SSH, for example, is /usr/lib/firewalld/services/ssh.xml, and it carries the following short name and description:

SSH
Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
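To see what a service definition will actually open before enabling it, the following added example (not from the article) parses the <port> elements of a firewalld service file and resolves which copy of the file is in effect, since a file of the same name under /etc/firewalld/services overrides the packaged one under /usr/lib/firewalld/services. The ssh.xml content it writes is constructed for the example in the format of the real files (a packaged ssh.xml also carries a <port> element), and the 7022 override is likewise constructed; the directory variables and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: see what a firewalld service file
# really opens before enabling it with --add-service, and which copy of the
# file is in effect. The XML below is constructed for the example in the
# format used by the files under /usr/lib/firewalld/services/.
set -eu

LIB_DIR=${LIB_DIR:-/usr/lib/firewalld/services}   # package-provided definitions
ETC_DIR=${ETC_DIR:-/etc/firewalld/services}       # local overrides win

# Resolve which file defines a service (same precedence firewalld uses)
service_file() {
    if [ -f "$ETC_DIR/$1.xml" ]; then printf '%s\n' "$ETC_DIR/$1.xml"
    elif [ -f "$LIB_DIR/$1.xml" ]; then printf '%s\n' "$LIB_DIR/$1.xml"
    else return 1
    fi
}

# Print "protocol/port" for every <port .../> element in a service file
service_ports() {
    grep -o '<port [^>]*/>' "$1" | while IFS= read -r tag; do
        proto=$(printf '%s\n' "$tag" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        port=$(printf '%s\n' "$tag" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$proto" "$port"
    done
}

# Which ports does --add-service=NAME actually open on this host?
effective_ports() {
    f=$(service_file "$1") || { echo "no such service: $1" >&2; return 1; }
    service_ports "$f"
}

# Constructed sample tree standing in for the two real directories:
# the packaged ssh.xml opens 22/tcp; a local override moves SSH to 7022.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib" "$tmp/etc"
    cat > "$tmp/lib/ssh.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines.</description>
  <port protocol="tcp" port="22"/>
</service>
EOF
    cat > "$tmp/etc/ssh.xml" <<'EOF'
<service>
  <short>SSH</short>
  <port protocol="tcp" port="7022"/>
</service>
EOF
    printf '%s\n' "$tmp"
}

tree=$(make_sample_tree)
LIB_DIR=$tree/lib
ETC_DIR=$tree/etc
echo "packaged ssh:  $(service_ports "$LIB_DIR/ssh.xml")"   # tcp/22
echo "effective ssh: $(effective_ports ssh)"                # tcp/7022
rm -rf "$tree"
```

On a real host, drop the sample-tree lines and call effective_ports with the service name; the answer is what --add-service will open, which is the thing to check when a service has been locally redefined.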

Support for a service in a specific zone is enabled manually. In the terminal, issue sudo firewall-cmd --zone=public --add-service=http, where --zone=public is the zone to enable it in and --add-service=http is the service name. Note that this change applies only to the current session.

A permanent addition is made with sudo firewall-cmd --zone=public --permanent --add-service=http; the result "success" indicates that the operation completed.

You can view the full list of permanent services for a specific zone with sudo firewall-cmd --zone=public --permanent --list-services.

Solving the problem of lack of access to the service

By default, the firewall rules allow the most popular and secure services, but some standard or third-party applications are blocked. In that case the user has to change the settings manually to restore access. This can be done in two different ways.

Opening ports

As you know, every network service uses a specific port. The firewall identifies it easily and can block on it. To keep the firewall from doing so, open the required port with sudo firewall-cmd --zone=public --add-port=0000/tcp, where --zone=public is the zone and --add-port=0000/tcp is the port number and protocol. The firewall-cmd --list-ports option displays the list of open ports.

If you need to open a range of ports, use sudo firewall-cmd --zone=public --add-port=0000-9999/udp, where --add-port=0000-9999/udp is the port range and protocol.

The commands above only let you test these parameters. If the test succeeds, add the same ports to the permanent settings with sudo firewall-cmd --zone=public --permanent --add-port=0000/tcp or sudo firewall-cmd --zone=public --permanent --add-port=0000-9999/udp. The list of permanently open ports is shown by sudo firewall-cmd --zone=public --permanent --list-ports.

Service Definition

As you can see, adding ports is not difficult, but the procedure becomes harder when many applications are in use. It becomes difficult to keep track of all the ports, so defining a service is the better option:


All you have to do is choose the method that best solves your access problem and follow the instructions. As you can see, all the actions are straightforward and should cause no difficulty.

Creating custom zones

You already know that FirewallD comes with a large number of zones with predefined rules. Still, a system administrator sometimes needs to create a custom zone, such as "publicweb" for an installed web server or "privateDNS" for a DNS server. Using these two examples, we will look at adding zones:
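The "publicweb" case gathered into one script, as an added example (not the article's own code). It also applies what the earlier service and port sections say about runtime versus permanent rules: each allow is issued both ways, port specifications in the 0000/tcp or 0000-9999/udp form are validated before they reach firewall-cmd, and the new zone is reloaded before any runtime command refers to it, because a zone created with --permanent --new-zone is not visible to runtime commands until a reload. The interface name eth0, the extra port 8443/tcp and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own commands: create the custom zone
# "publicweb", allow services and ports in it, and bind an interface.
# A new zone exists only in the permanent configuration until --reload,
# and every allow is applied to both the runtime and the permanent set.
# The interface name and the extra 8443/tcp port are assumptions.
# Set FWCMD=echo (or run with "preview") to print the commands instead.
set -eu
FWCMD=${FWCMD:-firewall-cmd}

is_num() { case "$1" in ""|*[!0-9]*) return 1 ;; esac; }

# Accept only "PORT/tcp", "PORT/udp" or "LO-HI/proto" within 1..65535
valid_port_spec() {
    port=${1%/*}; proto=${1#*/}
    [ "$port/$proto" = "$1" ] || return 1        # exactly one slash
    [ "$proto" = tcp ] || [ "$proto" = udp ] || return 1
    lo=${port%-*}; hi=${port#*-}
    is_num "$lo" && is_num "$hi" &&
        [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Apply a change now (runtime) and persist it (--permanent)
fw_both() {
    $FWCMD "$@"
    $FWCMD --permanent "$@"
}

# Create a zone, then reload so runtime commands can address it
fw_new_zone() {
    case "$1" in ""|*[!A-Za-z0-9_-]*) echo "bad zone name: $1" >&2; return 1 ;; esac
    $FWCMD --permanent --new-zone="$1"
    $FWCMD --reload
}

fw_allow_service() { fw_both --zone="$1" --add-service="$2"; }

fw_allow_port() {
    valid_port_spec "$2" || { echo "bad port spec: $2" >&2; return 1; }
    fw_both --zone="$1" --add-port="$2"
}

fw_bind_interface() { fw_both --zone="$1" --change-interface="$2"; }

# The web-server zone from the article: HTTP/HTTPS plus one assumed extra port
setup_publicweb() {
    fw_new_zone publicweb
    fw_allow_service publicweb http
    fw_allow_service publicweb https
    fw_allow_port publicweb 8443/tcp
    fw_bind_interface publicweb "${WEB_IF:-eth0}"
    $FWCMD --zone=publicweb --list-all
}

case "${1:-}" in
    apply)   setup_publicweb ;;
    preview) FWCMD=echo; setup_publicweb ;;
    *)       echo "usage: $0 apply | preview" ;;
esac
```

Run it with preview first to read the exact firewall-cmd sequence, then with apply as root. The final --list-all is the check that the runtime zone really carries the services and the interface; a zone that is only in the permanent set shows nothing there.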


In this section you learned how to create custom zones and add services to them. Setting a zone as the default and assigning interfaces were covered above; just substitute the correct names. Remember to restart the firewall after making permanent changes.

As you can see, FirewallD is a fairly comprehensive tool that allows a very flexible firewall configuration. All that remains is to make sure the utility starts with the system so the rules take effect immediately. Do this with sudo systemctl enable firewalld.

The first step to protecting the server from external threats is a firewall, which filters incoming and outgoing traffic. In this article I want to discuss setting up iptables, a special case of a firewall on CentOS, and also talk about installing and disabling it. My guide will not be exhaustive; I will only consider those aspects that I consider the most important and that I myself use in my work.

This article is part of a single series of articles about the server.

Introduction

Iptables is currently the de facto standard among modern Linux distributions. I can’t even remember right off the bat what else is used as a firewall. So any Linux administrator has to deal with setting up this firewall in their work.

There are various front-ends to this firewall that are meant to make configuration more "convenient". Ubuntu has ufw, CentOS has firewalld; I don't know the others. Personally, I don't see any convenience in using these tools. I'm used to setting up a Linux firewall the old-fashioned way, as I learned at the very beginning of my work. I think this is the simplest and most convenient way, which I will share with you. Its essence boils down to a script containing the firewall rules. This script can easily be edited to suit your needs and transferred from server to server.

Disabling firewalld

I have already touched on the issue of disabling firewalld in the topic on . First of all, let's disable firewalld, which is present in centos 7 by default immediately after installation:

# systemctl stop firewalld

Now let’s remove it from startup so that it doesn’t turn on again after a restart:

# systemctl disable firewalld

After this, the firewall settings on the server become completely open. You can view iptables rules with the command:

Installing iptables

In fact, we already have a firewall on our server and it's working; there are simply no rules, so everything is open. We need to install additional management utilities, without which iptables cannot be configured. For example, it will not be possible to restart the firewall:

# systemctl restart iptables.service
Failed to issue method call: Unit iptables.service failed to load: No such file or directory.

Or you won’t be able to add it to autorun:

# systemctl enable iptables.service
Failed to issue method call: No such file or directory

To avoid such errors, install the necessary package with utilities:

# yum -y install iptables-services

Now you can add iptables to startup and run:

# systemctl enable iptables.service
# systemctl start iptables.service

Setting up a firewall

I use a script to manage firewall rules. Let's create it:

# mcedit /etc/iptables.sh

Next we will fill it with the necessary rules. I will go through all the significant parts of the script and give it in full as a text file at the end of the article. The rules are shown as pictures to prevent copying and pasting, which can lead to errors in the rules, as I found myself while preparing the article.

We will consider a situation where the server is a gateway to the Internet for a local network.

First of all, let's set all the variables that we will use in the script. This is not necessary, but is recommended because it is convenient to transfer settings from server to server. It will be enough to simply reassign the variables.

Before applying the new rules, we clear all chains:

We block all traffic that does not match any of the rules:

Allow all localhost and local traffic:

We allow ping:

If you don't need this, then don't add allowing rules for icmp.

We open Internet access to the server itself:

If you want to open all incoming server connections, then add the following rule:

Now let's add protection against the most common network attacks. First, let's discard all packets that have no status:

Blocking null packets:

Protecting yourself from syn-flood attacks:

If you do not set restrictions on access from the local network, then we allow everyone to access the Internet:

Next we prohibit access from the Internet to the local network:

In order for our local network to use the Internet, we enable nat:

In order not to lose access to the server, after applying the rules, we allow connections via ssh:

And at the end we write down the rules so that they apply after a reboot:

We have compiled a simple config that blocks all incoming connections except ssh and allows access from the local network to the Internet. At the same time, we protected ourselves from some network attacks.
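Since the article shows its rules as pictures, here is an added example (my construction from the description above, not the author's script) that implements the same policy as a sh script using the variables the text mentions ($IPT, $WAN, $LAN1). Interface names, the LAN range 10.1.3.0/24 and the log prefix format are assumptions. Running it with preview prints the rules instead of applying them, which is a safe way to review the set before it goes live on a box you only reach over SSH.

```shell
#!/bin/sh
# Added example, not the article's script (its rules are shown as pictures):
# an iptables policy built from the article's description for a gateway:
# flush, default DROP, loopback and LAN allowed, ping, server-to-Internet,
# invalid/null/SYN-flood protection, LAN -> Internet with NAT, Internet ->
# LAN refused, SSH kept open, optional per-direction logging chains.
# Interface names and the LAN range are assumptions; set them for your host.
set -eu

IPT=${IPT:-/sbin/iptables}        # IPT=echo prints the rules instead of applying
WAN=${WAN:-eth0}                  # external interface (assumed)
LAN1=${LAN1:-eth1}                # internal interface (assumed)
LAN1_NET=${LAN1_NET:-10.1.3.0/24} # internal network (assumed)
SSH_PORT=${SSH_PORT:-22}
LOG=${LOG:-no}                    # LOG=yes adds the block_in/out/fw log chains

# A chain that logs (rate-limited) and drops; the prefix names the direction
log_chain() {
    $IPT -N "block_$1"
    $IPT -A "block_$1" -m limit --limit 5/min -j LOG --log-prefix "-- $1 BLOCK -- " --log-level 4
    $IPT -A "block_$1" -j DROP
}

build_rules() {
    # Clear all chains in every table before applying the new rules
    $IPT -F; $IPT -t nat -F; $IPT -t mangle -F
    $IPT -X; $IPT -t nat -X; $IPT -t mangle -X

    # Block everything no rule matches
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # localhost and the local network
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -i "$LAN1" -s "$LAN1_NET" -j ACCEPT
    $IPT -A OUTPUT -o "$LAN1" -d "$LAN1_NET" -j ACCEPT

    # ping (leave these lines out if you do not want ICMP)
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

    # The server itself may reach the Internet; only replies come back in
    $IPT -A OUTPUT -o "$WAN" -j ACCEPT
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Stateless packets, null packets and non-SYN "new" connections
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    $IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

    # LAN -> Internet allowed (and its replies); Internet -> LAN refused.
    # A port forward needs its ACCEPT inserted before the REJECT line.
    $IPT -A FORWARD -i "$LAN1" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN1" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN1" -j REJECT

    # NAT so the LAN can use the Internet through the gateway
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN1_NET" -j MASQUERADE

    # SSH to the gateway, so we do not lock ourselves out
    $IPT -A INPUT -i "$WAN" -p tcp --dport "$SSH_PORT" -j ACCEPT

    if [ "$LOG" = yes ]; then
        log_chain in; log_chain out; log_chain fw
        $IPT -A INPUT -j block_in
        $IPT -A OUTPUT -j block_out
        $IPT -A FORWARD -j block_fw
    fi
}

# Persist so iptables.service restores the rules after a reboot
apply_rules() {
    build_rules
    /sbin/iptables-save > /etc/sysconfig/iptables
}

case "${1:-}" in
    apply)   apply_rules ;;
    preview) IPT=echo; build_rules ;;
    *)       echo "usage: $0 apply | preview" ;;
esac
```

For the FORWARD and NAT rules to carry traffic, IP forwarding must be enabled (net.ipv4.ip_forward = 1); the script does not touch sysctl settings. The logging chains drop what they log, so turn them on only while debugging, as the article advises, and keep a console session open when you first apply the set.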

Save the script, make it executable and run:

# chmod 0740 /etc/iptables.sh
# /etc/iptables.sh

Let's review the rules and check if all the rules are in place:

# iptables -L -v -n

Please note that you only need to apply the rules if you have access to the server console. If there is an error in the settings, you may lose access. Make sure that in an emergency you can disable the firewall and adjust the settings.

Opening ports

Now let’s expand our configuration a little and open ports in iptables for some services. Let's say we have a web server running and we need to open access to it from the Internet. Add rules for web traffic:

Permission has been added for incoming connections on ports 80 and 443, which the web server uses in its work.

If you have a mail server installed, you need to allow incoming connections to it on all the ports it uses:

For DNS servers to work correctly, open UDP port 53.

Port forwarding

Let's consider a situation when it is necessary to forward ports from an external interface to some computer on the local network. Let's say you need to get rdp access to computer 10.1.3.50 from the Internet. We forward TCP port 3389:

If you do not want to expose a known port from the outside, you can redirect from a non-standard port to the rdp port of the target computer:

If you forward a port from outside to the local network, be sure to comment out the rule that blocks access from the external network to the internal one. In my example this rule is: $IPT -A FORWARD -i $WAN -o $LAN1 -j REJECT

Or before this rule, create an allowing rule for external access to the internal service, for example like this:

$IPT -A FORWARD -i $WAN -d 10.1.3.50 -p tcp -m tcp --dport 3389 -j ACCEPT

Enabling logs

During setup it is useful to enable logging to watch blocked packets and find out why a service that seems to be open is still unreachable. I send all blocked packets to separate chains (block_in, block_out, block_fw) corresponding to the direction of traffic and mark each direction in the logs, which makes the analysis easier. Add the following rules to the very end of the script, before saving the settings:

All blocked packets can be tracked in the /var/log/messages file.

After you finish setting up, comment out these lines and disable logging. It’s definitely worth doing this, as the logs grow very quickly. I personally don’t see any practical sense in storing such information.
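An added example (not from the article) for reading those logs: a small awk report over /var/log/messages that groups blocked packets by direction, protocol and destination port and lists the distinct sources, so a single host probing one port stands out from background noise. The log-prefix format "-- <dir> BLOCK --" and the sample lines (RFC 5737 documentation addresses) are constructed for the example; adjust the prefix match to whatever your LOG rules use.

```shell
#!/bin/sh
# Added example, not from the article: summarise iptables LOG lines from
# /var/log/messages by direction, destination port and source, to see what
# the block_in/block_out/block_fw chains are dropping. The prefix format
# "-- <dir> BLOCK --" and the log lines below are constructed for the example.
set -eu

# Constructed sample of kernel LOG output (RFC 5737 documentation addresses)
SAMPLE_LOG='Oct 14 15:01:02 gw kernel: -- in BLOCK -- IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=3389 SYN
Oct 14 15:01:03 gw kernel: -- in BLOCK -- IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=54 ID=2 DF PROTO=TCP SPT=51235 DPT=3389 SYN
Oct 14 15:01:05 gw kernel: -- in BLOCK -- IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TTL=60 ID=3 PROTO=TCP SPT=40000 DPT=23 SYN
Oct 14 15:01:07 gw kernel: -- fw BLOCK -- IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.1.3.50 LEN=60 TTL=53 ID=4 DF PROTO=TCP SPT=51240 DPT=3389 SYN
Oct 14 15:01:09 gw kernel: -- in BLOCK -- IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.2 LEN=78 TTL=50 ID=5 PROTO=UDP SPT=5353 DPT=53 LEN=58
Oct 14 15:01:10 gw sshd[1234]: Accepted publickey for admin from 10.1.3.7 port 52000'

# Count blocked packets per (direction, protocol, destination port); the
# last column lists the distinct sources so a single scanner stands out.
# Reads the files given as arguments, or stdin when there are none.
summarize_blocks() {
    awk '
      / BLOCK -- / {
        dir = ""; proto = ""; dpt = ""; src = ""
        for (i = 1; i <= NF; i++) {
          if ($i == "--" && $(i+2) == "BLOCK") dir = $(i+1)
          if ($i ~ /^PROTO=/) proto = substr($i, 7)
          if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
          if ($i ~ /^SRC=/)   src   = substr($i, 5)
        }
        key = dir "\t" proto "\t" dpt
        count[key]++
        if (!((key, src) in seen)) {
          seen[key, src] = 1
          srcs[key] = srcs[key] (srcs[key] ? "," : "") src
        }
      }
      END { for (k in count) print count[k] "\t" k "\t" srcs[k] }
    ' "$@" | sort -rn
}

# Columns: count, direction, protocol, destination port, sources
printf '%s\n' "$SAMPLE_LOG" | summarize_blocks
```

On a live gateway, run summarize_blocks /var/log/messages (or pipe journalctl -k into it); the top lines are the ports you either forgot to open or are being probed on.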

How to disable iptables

If you suddenly decide that you no longer need the firewall, you can disable it as follows:

# systemctl stop iptables.service

This command stops the firewall. And the following removes it from startup:

# systemctl disable iptables.service

By disabling the firewall, we allowed all connections.

Conclusion

As promised, I am posting the finished script with the basic set of rules that we have considered.

I would like to point out once again that when setting up iptables you need to be extremely careful. Do not start this business if you do not have access to the server console. Even while writing this article, I lost access to the server due to a ridiculous error in the rules. This error arose due to copying and the loss of a double dash - it was replaced by a single one.

Online course "Linux Administrator" at OTUS. The course is not for beginners: admission requires basic knowledge of networks and of installing Linux in a virtual machine. The training lasts 5 months, after which successful graduates can interview with partner companies. What this course will give you:

  • Knowledge of Linux architecture.
  • Mastery of modern data analysis and processing methods and tools.
  • The ability to choose a configuration for the required tasks, manage processes and ensure system security.
  • Proficiency with the basic working tools of a system administrator.
  • Understanding of the specifics of deploying, configuring and maintaining Linux-based networks.
  • The ability to quickly solve emerging problems and ensure stable, uninterrupted operation of the system.
Test yourself on the entrance test and see the program for more details.

FirewallD is a firewall management tool available by default on CentOS 7 servers. It is basically a wrapper around iptables and comes with a graphical configuration tool, firewall-config, and a command-line tool, firewall-cmd. With the iptables service, every change requires deleting the old rules and creating new ones in the file /etc/sysconfig/iptables, whereas with firewalld only the differences are applied.

FirewallD zones

FirewallD uses services and zones instead of rules and chains in Iptables. By default, the following zones are available:

  • drop – drop all incoming network packets without a response; only outgoing network connections are available.
  • block – reject all incoming network packets with an icmp-host-prohibited message; only outgoing network connections are allowed.
  • public – only selected incoming connections are accepted; for use in public areas.
  • external – for external networks with masquerading; only selected incoming connections are accepted.
  • dmz – demilitarized zone (DMZ): publicly accessible with limited access to the internal network; only selected incoming connections are accepted.
  • work
  • home – for computers in the home zone; only selected incoming connections are accepted.
  • internal – for computers on your internal network; only selected incoming connections are accepted.
  • trusted – all network connections are accepted.

To get a list of all available zones:

# firewall-cmd --get-zones
work drop internal external trusted home dmz public block

To view the default zone:

# firewall-cmd --get-default-zone
public

To change the default zone:

Firewall Services

FirewallD services are XML configuration files containing service entry information for firewalld. To get a list of all available services:

# firewall-cmd --get-services
amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

The XML configuration files are stored in the directories /usr/lib/firewalld/services/ and /etc/firewalld/services/.

Setting up a firewall with FirewallD

As an example, here's how you can configure a firewall with FirewallD if you're running a web server, SSH on port 7022, and a mail server.

First we set the default zone to dmz:

# firewall-cmd --set-default-zone=dmz
# firewall-cmd --get-default-zone
dmz

To add permanent service rules for HTTP and HTTPS in the dmz zone, run the following commands:

# firewall-cmd --zone=dmz --add-service=http --permanent
# firewall-cmd --zone=dmz --add-service=https --permanent

Open port 25 (SMTP) and port 465 (SMTPS):

# firewall-cmd --zone=dmz --add-service=smtp --permanent
# firewall-cmd --zone=dmz --add-service=smtps --permanent

Open the IMAP, IMAPS, POP3 and POP3S ports:

# firewall-cmd --zone=dmz --add-service=imap --permanent
# firewall-cmd --zone=dmz --add-service=imaps --permanent
# firewall-cmd --zone=dmz --add-service=pop3 --permanent
# firewall-cmd --zone=dmz --add-service=pop3s --permanent

Since the SSH port has been changed to 7022, we remove the SSH service (port 22) and open port 7022:

# firewall-cmd --remove-service=ssh --permanent
# firewall-cmd --add-port=7022/tcp --permanent

To apply the permanent changes, reload the firewall:

# firewall-cmd --reload

Finally, you can list the rules.

Starting with CentOS 7, a new tool for configuring traffic filtering rules has appeared: firewalld. It is the recommended way to manage iptables rules. In CentOS 8 the nftables framework replaces the standard iptables filtering package, so when you configure firewall rules through firewalld you are actually configuring nftables. In this article we look at installing firewalld, its basic concepts, and configuring it on a server running CentOS 8 (CentOS 7 is the same).


FirewallD is a firewall that protects the server from unwanted traffic, supports dynamic rule management (without restarting) as well as permanent firewall rules, and works as a front-end to iptables and nftables. FirewallD can be used on almost all Linux distributions.

Basic firewalld concepts, zones and rules

Before installing and configuring firewalld, we introduce the concept of zones, which define the level of trust in different connections. Different filtering rules can be applied to each firewalld zone, and the active firewall options are specified as predefined services, protocols and ports, port forwarding and rich rules.

Firewalld filters incoming traffic by zone according to the rules applied to the zone. If the source IP address of a request matches the rules of a particular zone, the packet is handled by that zone. If the address matches none of the zones configured on the server, the packet is processed by the default zone. After installation the default zone is public.

Firewalld ships with zones preconfigured with permissions for various services. You can use these or create your own. The default zones created when firewalld is installed (stored in /usr/lib/firewalld/zones/) are:

  • drop – the minimum level of trust. All incoming connections are dropped without a response; only outgoing connections are allowed;
  • block – similar to the previous zone, but rejected incoming requests are answered with icmp-host-prohibited for IPv4 or icmp6-adm-prohibited for IPv6;
  • public – represents public, untrusted networks. Selected incoming connections can be allowed individually;
  • external – external networks when the firewall acts as a gateway. Configured for NAT masquerading so the internal network stays private but reachable;
  • internal – the counterpart of the external zone. Hosts have a sufficient level of trust and a number of additional services are available;
  • dmz – for computers in a DMZ (isolated machines without access to the rest of the network). Only specific incoming connections are allowed;
  • work – a zone for work machines (most computers on the network are trusted);
  • home – the home network zone. Most PCs can be trusted, but only specific incoming connections are accepted;
  • trusted – all machines on the network are trusted. The most open of all the options; use it deliberately.

firewalld uses two sets of rules: permanent and temporary (runtime). Runtime rules last until the server is rebooted. By default, rules added to firewalld are runtime rules. To add a rule permanently, use the --permanent flag; such rules are applied again after the server is rebooted.

Installing and enabling firewalld on CentOS

In CentOS 7/8, firewalld is installed by default with the OS. If you have removed it and want to install firewalld again, use the standard yum/dnf package manager:

# yum install firewalld -y - for CentOS 7
# dnf install firewalld -y - for CentOS 8

To have the firewalld daemon start automatically at boot, enable it in systemd:

# systemctl enable firewalld

And run:

# systemctl start firewalld

Check service status:

# systemctl status firewalld

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-10-14 14:54:40 +06; 22s ago
     Docs: man:firewalld(1)
 Main PID: 13646 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─13646 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Oct 14 14:54:40 server.vpn.ru systemd: Starting firewalld - dynamic firewall daemon...
Oct 14 14:54:40 server.vpn.ru systemd: Started firewalld - dynamic firewall daemon.

Or with the command:

# firewall-cmd --state

The firewall-cmd command is a firewalld frontend to nftables/iptables.

Working with firewalld rules

Default rules:

Before setting up firewalld rules, you need to check which zone is used by default:

# firewall-cmd --get-default-zone

Since we have just installed firewalld and have not configured it yet, the default zone is public.

Let's check the active zones. There is also just one, public:

# firewall-cmd --get-active-zones

public
  interfaces: eth0

As you can see, the eth0 network interface is controlled by the zone public.

To view the basic rules of the zone, enter:

# firewall-cmd --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

The listing shows that the standard services for the DHCPv6 client and SSH are allowed in this zone.

Available zones

To view a list of all zones, you need to run the command:

# firewall-cmd --get-zones

I got the following list:

block dmz drop external home internal public trusted work

To check the rules of a specific zone, add the --zone flag:

# firewall-cmd --zone=home --list-all

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

The rules of all zones can be viewed with the command:

# firewall-cmd --list-all-zones

The listing will be quite large, since there can be many zones.

Changing the default zone

By default all network interfaces belong to the public zone, but an interface can be moved to any other zone with the command:

# firewall-cmd --zone=home --change-interface=eth0

After the --zone= parameter, specify the desired zone.

To change the default zone, you need to use the command:

# firewall-cmd --set-default-zone=home

Adding application rules

To open a port for an application, you can add a service to the exceptions. Display the list of available services:

The output contains a large number of services. Detailed information about each service is kept in its XML file; these files are located in the /usr/lib/firewalld/services directory.

For example:

# cd /usr/lib/firewalld/services

Mail (SMTP) This option allows incoming SMTP mail delivery. If you need to allow remote hosts to connect directly to your machine to deliver mail, enable this option. You do not need to enable this if you collect your mail from your ISP's server by POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.

The XML file contains a description of the service, protocol and port number that will be opened in firewalld.

When adding rules, you can use the parameter --add-service to open access to a specific service:

# firewall-cmd --zone=public --add-service=http

# firewall-cmd --zone=public --add-service=https

After adding rules, you can check whether services have been added to the specified zone:

# firewall-cmd --zone=public --list-services

dhcpv6-client http https ssh

If you want to make these rules permanent, add the --permanent parameter when adding them.

To remove a service from a zone:

# firewall-cmd --permanent --zone=public --remove-service=http

dhcpv6-client https ssh test

If you want to add your own service to the exceptions, you can create the XML file yourself. You can copy the file of any existing service and change the name, description and port number.

Let's copy the file smtp.xml to the directory for working with user services:

# cp /usr/lib/firewalld/services/smtp.xml /etc/firewalld/services

Change the service description in the file.

The XML file itself also needs to be renamed after your service. After that, reload firewalld and check that the service appears in the list:

I called the service test and it appeared in the list:

syslog-tls telnet test tftp

Now you can add the created service to any zone:

# firewall-cmd --zone=public --add-service=test --permanent

# firewall-cmd --zone=public --permanent --list-services

Dhcpv6-client http https ssh test
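The custom-service procedure above, as an added shell example that is not from the original article: a function that writes a firewalld service definition in the same XML layout as the copied smtp.xml, checking the name, protocol and port before writing. The target directory, the service name test and port 77/tcp are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): write a firewalld service definition
# in the same XML layout as the copied smtp.xml, with input checks.
# make_fw_service NAME SHORT DESCRIPTION PORT PROTO [DIR]
# DIR defaults to the user service directory used in the article.
make_fw_service() {
    name=$1; short=$2; desc=$3; port=$4; proto=$5
    dir=${6:-/etc/firewalld/services}
    # the name becomes a file name and a firewall-cmd argument: keep it simple
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;;
    esac
    # protocols firewalld accepts in a <port> element
    case $proto in
        tcp|udp|sctp|dccp) ;;
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    # a single port (77) or a range (77-88): digits only, at most one dash
    case $port in
        ''|*[!0-9-]*|-*|*-|*-*-*) echo "bad port spec: $port" >&2; return 1 ;;
    esac
    lo=${port%-*}; hi=${port#*-}
    for p in "$lo" "$hi"; do
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done
    [ "$lo" -le "$hi" ] || { echo "inverted range: $port" >&2; return 1; }
    # never overwrite an existing definition
    if [ -e "$dir/$name.xml" ]; then
        echo "refusing to overwrite $dir/$name.xml" >&2; return 1
    fi
    # escape XML metacharacters so a description cannot corrupt the file
    short=$(printf '%s' "$short" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    desc=$(printf '%s' "$desc" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$short</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# Demo into a temporary directory (assumed values). On a real host you would
# write to /etc/firewalld/services and then run: firewall-cmd --reload
tmp=$(mktemp -d)
make_fw_service test "Test app" "Constructed example service on 77/tcp" 77 tcp "$tmp"
cat "$tmp/test.xml"
```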

If you haven't found the service you need in the list, you can open the required port on firewalld with the command:

# firewall-cmd --zone=public --add-port=77/tcp - open port 77 tcp
# firewall-cmd --zone=public --add-port=77/udp - open port 77 udp
# firewall-cmd --zone=public --add-port=77-88/udp - open port range 77-88 udp
# firewall-cmd --zone=public --list-ports - check the list of allowed ports

Block/allow ICMP replies:

# firewall-cmd --zone=public --add-icmp-block=echo-reply
# firewall-cmd --zone=public --remove-icmp-block=echo-reply

Remove added port:

# firewall-cmd --zone=public --remove-port=77/udp - remove temporary rule 77 udp

# firewall-cmd --permanent --zone=public --remove-port=77/udp - remove permanent rule

Adding your own zones

You can create your own zone (I'll call it our):

# firewall-cmd --permanent --new-zone=our

After creating a new zone, just as after creating a service, firewalld must be reloaded:

# firewall-cmd --reload

# firewall-cmd --get-zones

block dmz drop external home internal our public trusted work

The zone our is now available. You can add services to it or open specific ports.

Firewalld: blocking IP addresses, creating exceptions

You can add trusted IP addresses to firewalld exceptions or block unwanted ones.

To add a specific IP address (for example 8.8.8.8) to the exceptions on your server via firewalld, use the command:

# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="8.8.8.8" accept'

Check the zone and make sure the IP address is listed in its rich rules:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http https ssh test
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="8.8.8.8" accept

To block an IP address, replace accept with reject:

# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="8.8.4.4" reject'

# firewall-cmd --zone=public --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http https ssh test
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="8.8.8.8" accept
        rule family="ipv4" source address="8.8.4.4" reject

You can allow a specific service only for requests from a specific IP address:

# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.10.1.0/24" service name="https" accept'
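As an added example that is not part of the original article, a shell function that audits a saved firewall-cmd --list-all-zones listing and reports, per active zone, its interfaces, services, ports, forwards and the rich rules that accept a source without naming a service or port, since such a rule admits all traffic from that address. The listing below is constructed from the public zone state shown above plus the 77/tcp and 77-88/udp ports and the 443 forward from this article.

```shell
#!/bin/sh
# Added example (not from the article): audit a saved listing produced by
#   firewall-cmd --list-all-zones > zones.txt
# and report what each active zone exposes. LISTING is constructed from the
# article's public zone plus its opened ports and the 443 -> 9090 forward.
LISTING='public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client http https ssh test
  ports: 77/tcp 77-88/udp
  masquerade: no
  forward-ports: port=443:proto=tcp:toport=9090
  source-ports:
  rich rules:
        rule family="ipv4" source address="8.8.8.8" accept
        rule family="ipv4" source address="8.8.4.4" reject
        rule family="ipv4" source address="10.10.1.0/24" service name="https" accept
home
  interfaces:
  services: dhcpv6-client mdns samba-client ssh
  rich rules:'

# fw_exposure LISTING: one line per active zone with interfaces, services,
# ports, forwards and "blanket" sources, i.e. rich rules that accept a source
# without naming a service or port and therefore admit all of its traffic.
fw_exposure() {
    printf '%s\n' "$1" | awk '
    function val(   v) { v = $0; sub(/^[^:]*: */, "", v); gsub(/ /, ",", v); return v == "" ? "-" : v }
    function flush() { if (zone != "" && active) print zone, "ifaces=" ifs, "services=" svcs, "ports=" ports, "fwd=" fwd, "blanket_accept=" blanket }
    # a line starting in column 1 is a zone header; "(active)" marks active zones
    /^[^ \t]/ { flush(); zone = $1; active = ($0 ~ /\(active\)/); ifs = svcs = ports = fwd = blanket = "-"; next }
    /^  interfaces:/    { ifs = val() }
    /^  services:/      { svcs = val() }
    /^  ports:/         { ports = val() }
    /^  forward-ports:/ { fwd = val() }
    # accept rule with a source but no service/port element: everything from it is let in
    /^[ \t]+rule / && /accept$/ && !/service name=/ && !/port port=/ {
        match($0, /address="[^"]*"/); a = substr($0, RSTART + 9, RLENGTH - 10)
        blanket = (blanket == "-") ? a : blanket "," a
    }
    END { flush() }'
}

fw_exposure "$LISTING"
```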

If you urgently need to block all connections to the server, enable panic mode:

# firewall-cmd --panic-on

You can disable panic mode either with the command:

# firewall-cmd --panic-off

Or by rebooting the server.

You can lock the firewalld configuration so that local applications running as root cannot change the firewall rules you created:

# firewall-cmd --lockdown-on

Disable lockdown mode:

# firewall-cmd --lockdown-off

Port forwarding in firewalld

You can create a port forwarding rule in firewalld. To forward port 443 to 9090:

# firewall-cmd --zone=public --add-forward-port=port=443:proto=tcp:toport=9090 --permanent

To remove a port forwarding rule:

# firewall-cmd --zone=public --remove-forward-port=port=443:proto=tcp:toport=9090



