dynamic firewall rules in Linux that can be applied instantly, without
the need for a firewall restart. It also supports D-BUS and the zone
concept, which makes configuration easy.
Firewalld replaced the old firewall mechanism in Fedora (from Fedora 18
onwards); RHEL/CentOS 7 and other recent distributions rely on this new
mechanism. One of the biggest motives for introducing the new firewall
system was that the old firewall needed a restart after each change,
which broke all active connections.
As said above, the latest firewalld supports dynamic zones, which are
useful for configuring different sets of zones and rules for your
office or home network from the command line or through a GUI.
Initially, the firewalld concept looks difficult to configure, but
services and zones make it easier by keeping both together, as covered
in this article. In our earlier article we saw how to work with
firewalld and its zones; here we will look at some useful firewalld
rules to configure your current Linux systems from the command line.
All the examples covered in this article were practically tested on
the CentOS 7 distribution and also work on RHEL and Fedora. Before
implementing firewalld rules, first check whether the firewalld
service is enabled and running:
# systemctl status firewalld
The output shows that firewalld is active and running. Now check all
the active zones and services:
# firewall-cmd --get-active-zones
# firewall-cmd --get-services
If you are not familiar with the command line, you can also manage
firewalld from the GUI; for this you need the GUI package installed on
the system. If it is not, install it with the following command:
# yum install firewalld firewall-config
As said above, this article is specially written for command line
lovers, and all the examples we are going to cover are command line
only, no GUI way. Before moving further, confirm which zone (public
here) you are going to configure the Linux firewall on, and list all
active services, ports and rich rules for the public zone with the
following command:
# firewall-cmd --zone=public --list-all
The output shows that no rules have been added yet; let's see how to
add, remove and modify rules in the rest of this article.
1. Adding and Removing Ports in Firewalld
To open a port for the public zone, use the following command. For
example, the following command opens port 80 for the public zone:
# firewall-cmd --permanent --zone=public --add-port=80/tcp
Similarly, to remove the added port, use the --remove-port option with
firewall-cmd as shown below:
# firewall-cmd --zone=public --remove-port=80/tcp
After adding or removing a port, confirm whether it was added or
removed with the --list-ports option:
# firewall-cmd --zone=public --list-ports
2. Adding and Removing Services in Firewalld
By default firewalld comes with pre-defined services. If you want to
add a list of specific services, you need to create a new XML file with
all the services included, or you can define or remove each service
manually by running the following commands. For example, the following
commands add or remove a specific service, FTP in this example, and
then list the active services:
# firewall-cmd --zone=public --add-service=ftp
# firewall-cmd --zone=public --remove-service=ftp
# firewall-cmd --zone=public --list-services
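As an added example that is not part of the original article, the script below wraps the port and service commands of sections 1 and 2 in a small helper that applies every change to both the runtime configuration and the permanent one, and validates the port and protocol first. The article's own commands mix the two: a port added with --permanent is not active until firewall-cmd --reload, and a --remove-port run without --permanent clears only the runtime rule, so the port comes back on the next reload. The FW and ZONE variables, the function names and the FW_RULES_APPLY switch are assumptions of this example; the options passed to firewall-cmd are the ones the article uses plus --query-port for verification.

```shell
#!/bin/sh
# Added example (not from the original article): apply a port or service
# rule to a firewalld zone in BOTH the running firewall and the permanent
# configuration, with input validation and a verification step.
# FW names the firewall-cmd binary (assumption of this example); set
# FW="echo firewall-cmd" for a dry run on a machine without firewalld.
FW="${FW:-firewall-cmd}"
ZONE="${ZONE:-public}"

# Validate a port/protocol pair before it reaches firewall-cmd.
check_port() {
    case $1 in
        ''|*[!0-9]*) echo "bad port: $1" >&2; return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || { echo "port out of range: $1" >&2; return 1; }
    case $2 in
        tcp|udp) ;;
        *) echo "bad protocol: $2 (use tcp or udp)" >&2; return 1 ;;
    esac
}

# Run one operation against the runtime configuration and again with
# --permanent, so the rule is active now AND survives firewall-cmd --reload.
# $FW is intentionally unquoted so it may carry a prefix such as "echo".
fw_both() {
    $FW --zone="$ZONE" "$@" || return 1
    $FW --permanent --zone="$ZONE" "$@"
}

open_port()     { check_port "$1" "$2" && fw_both --add-port="$1/$2"; }
close_port()    { check_port "$1" "$2" && fw_both --remove-port="$1/$2"; }
allow_service() { fw_both --add-service="$1"; }
deny_service()  { fw_both --remove-service="$1"; }

# Verification: --query-port exits 0 when the port is open in the runtime set.
port_is_open() {
    check_port "$1" "$2" && $FW --zone="$ZONE" --query-port="$1/$2" >/dev/null 2>&1
}

# The article's own examples, applied only when run as root with
# FW_RULES_APPLY=1 (e.g. FW_RULES_APPLY=1 ZONE=public sh fw-rules.sh).
if [ "${FW_RULES_APPLY:-0}" = 1 ]; then
    open_port 80 tcp
    allow_service ftp
    port_is_open 80 tcp && echo "port 80/tcp is open in zone $ZONE"
fi
```

Because fw_both always issues the runtime and the permanent form together, a later --reload cannot silently undo or resurrect a rule; the validation in check_port keeps a typo such as 80/icmp from reaching the firewall at all.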
3. Block Incoming and Outgoing Packets
If you wish to block all incoming and outgoing connections, use panic
mode. For example, the following command drops every existing
established connection on the system:
# firewall-cmd --panic-on
After enabling panic mode, try to ping any domain (say google.com) and
check whether panic mode is on using the --query-panic option:
# ping google.com -c 1
# firewall-cmd --query-panic
In the output, the ping fails with “Unknown host google.com” (no
packets get through, not even the DNS lookup) and the panic query
confirms that panic mode is on. Now disable panic mode, then ping and
check again:
# firewall-cmd --query-panic
# firewall-cmd --panic-off
# ping google.com -c 1
This time the ping gets a reply from google.com.
4. Masquerading IP Address
Masquerading, also known as Network Address Translation (NAT), is
basically a simple method that allows a computer to connect to the
internet through a base machine acting as an intermediary. Here we
will see how to forward a port to the outside network. For example, if
I want to ssh into my home virtual machine from anywhere, I need to
forward my ssh port 22 to a different port (i.e. 2222). Before doing
port forwarding, first check whether masquerading is enabled for the
external zone, because we are going to access the machine from outside:
# firewall-cmd --zone=external --query-masquerade
If it’s not enabled, you can enable it by following command.
# firewall-cmd --zone=external --add-masquerade
Now let's forward all ssh port 22 connections to port 2222 on IP
address 192.168.0.132:
# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2222:toaddr=192.168.0.132
# firewall-cmd --zone=external --list-all
5. How to Block and Enable ICMP
First, check the ICMP types firewalld knows about with the command
below:
# firewall-cmd --get-icmptypes
To add an ICMP block on a zone, use the following command. For
example, here I am going to block ICMP echo replies (the commands below
use the public zone); before blocking, first query the current status
of the ICMP block:
# firewall-cmd --zone=public --query-icmp-block=echo-reply
If you get “no”, no ICMP block is applied yet; let's enable (block)
it:
# firewall-cmd --zone=public --add-icmp-block=echo-reply
6. Adding and Removing Chain using Direct Interface
To add a custom direct interface rule, use the --direct option in any
chain (Public, Work, Internal, External). For example, here we're going
to add a rule in the Public zone. Before adding any rule, first list
the current rules in the public zone using --get-rules:
# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
To add a rule, use --add-rule as shown below:
# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT
To remove the rule, replace --add-rule with --remove-rule:
# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT
7. Firewalld Lockdown Rules
Any local application running with root privileges can change the
firewalld rules. To prevent such changes, we have to turn on lockdown
in the firewalld.conf file. This is mostly used to protect firewalld
from unwanted rule changes by any application:
# vim /etc/firewalld/firewalld.conf
To make it permanent, reload the changes:
# firewall-cmd --reload
After making the above changes, verify whether firewalld is in
lockdown mode with the query:
# firewall-cmd --query-lockdown
To turn lockdown mode on or off, use the following commands:
# firewall-cmd --lockdown-on
# firewall-cmd --lockdown-off
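The article does not show what to change in firewalld.conf; the setting is the Lockdown= key, which firewalld ships as Lockdown=no. The script below is an added example, not the article's own, that flips that key idempotently in a file path you pass in and reads it back, so the weak setting and the corrected one can be compared. It runs here against a constructed copy of the config so nothing on the live system is touched; the function names, the demo file and its sample lines are assumptions of the example. On a real system the file is /etc/firewalld/firewalld.conf and the change needs firewall-cmd --reload, as the article shows.

```shell
#!/bin/sh
# Added example (not from the original article): switch the Lockdown=
# setting in a firewalld.conf-style file and read it back.

# set_lockdown FILE yes|no : rewrite the existing Lockdown= line, or append
# one when the key is absent. Only the two values firewalld accepts pass.
set_lockdown() {
    conf=$1; value=$2
    case $value in
        yes|no) ;;
        *) echo "Lockdown must be yes or no, got: $value" >&2; return 1 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    if grep -q '^Lockdown=' "$conf"; then
        tmp=$(mktemp) || return 1
        sed "s/^Lockdown=.*/Lockdown=$value/" "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
        cat "$tmp" > "$conf"   # cat, not mv: keeps the file's mode and owner
        rm -f "$tmp"
    else
        printf 'Lockdown=%s\n' "$value" >> "$conf"
    fi
}

# get_lockdown FILE : print the effective value (the last Lockdown= line),
# or "no" when the key is absent, which is firewalld's default.
get_lockdown() {
    value=$(sed -n 's/^Lockdown=//p' "$1" | tail -n 1)
    printf '%s\n' "${value:-no}"
}

# Demo on a constructed copy of the config (sample lines made up for this
# example), never on the live /etc/firewalld/firewalld.conf.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# firewalld config file (constructed sample for this example)
DefaultZone=public
Lockdown=no
EOF
echo "before: Lockdown=$(get_lockdown "$demo_file")"
set_lockdown "$demo_file" yes
echo "after:  Lockdown=$(get_lockdown "$demo_file")"
rm -f "$demo_file"
```

With Lockdown=yes in place (and a reload), only the commands, users and contexts listed in the lockdown whitelist, /etc/firewalld/lockdown-whitelist.xml, may still change the configuration; firewall-cmd --query-lockdown from the article is the check that the setting took effect.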
8. Enabling Fail2ban-firewalld
To enable support for fail2ban in firewalld, we need to install the
package called fail2ban-firewalld by enabling the EPEL repository under
RHEL/CentOS systems. The fail2ban support provides some additional
secure rules for SSH, SSH-DDOS, MariaDB, Apache etc. After enabling
EPEL, install the fail2ban-firewalld package using the following
command:
# yum install fail2ban-firewalld -y
After installing the package, start the fail2ban service and enable it
so that it persists across reboots:
# systemctl start fail2ban
# systemctl enable fail2ban
9. Adding & Blocking IP Addresses
To add a specific IP address (192.168.0.254) as trusted in the public
zone, use the following command:
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'
After adding the above rule, don't forget to list all the public zone
rules:
# firewall-cmd --zone=public --list-all
To remove the added rule, replace --add-rich-rule with
--remove-rich-rule as shown in the command below:
# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'
To reject or drop an IP address in the zone, replace accept with
reject (or drop) as shown in the command below:
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.250" reject'
# firewall-cmd --zone=public --list-all
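As an added example that is not part of the original article, the script below covers both the port forwarding with masquerading of section 4 and the source-address rich rules of this section. It validates every port and IPv4 address before handing it to firewall-cmd, queries the zone first so that running it twice neither fails nor duplicates work, and applies each change to the runtime and the permanent configuration. The FW variable, the function names and the FW_APPLY switch are assumptions of the example; the zones, addresses and ports are the ones from the article, and the firewall-cmd options used (--query-masquerade, --add-masquerade, --add-forward-port, --query-rich-rule, --add-rich-rule) are real.

```shell
#!/bin/sh
# Added example (not from the original article) for sections 4 and 9:
# validated, idempotent port forwarding and per-source rich rules.
# FW names the firewall-cmd binary (assumption of this example); set
# FW="echo firewall-cmd" for a dry run. It is left unquoted on purpose.
FW="${FW:-firewall-cmd}"

# Exit 0 only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# --- section 4: masquerade + forward-port ------------------------------

# forward_spec PORT PROTO TOPORT TOADDR -> the value firewall-cmd expects
# after --add-forward-port=, built only from validated parts.
forward_spec() {
    is_port "$1" && is_port "$3" || { echo "bad port" >&2; return 1; }
    case $2 in tcp|udp) ;; *) echo "bad proto: $2" >&2; return 1 ;; esac
    is_ipv4 "$4" || { echo "bad address: $4" >&2; return 1; }
    printf 'port=%s:proto=%s:toport=%s:toaddr=%s\n' "$1" "$2" "$3" "$4"
}

# Turn masquerading on in a zone only when --query-masquerade says it is
# off (exit status 1); apply to the runtime and the permanent configuration.
ensure_masquerade() {
    if $FW --zone="$1" --query-masquerade >/dev/null 2>&1; then return 0; fi
    $FW --zone="$1" --add-masquerade && $FW --permanent --zone="$1" --add-masquerade
}

# forward_port ZONE PORT PROTO TOPORT TOADDR
forward_port() {
    spec=$(forward_spec "$2" "$3" "$4" "$5") || return 1
    ensure_masquerade "$1" || return 1
    $FW --zone="$1" --add-forward-port="$spec" \
        && $FW --permanent --zone="$1" --add-forward-port="$spec"
}

# --- section 9: rich rules for one source address ----------------------

# source_rule ADDR accept|reject|drop -> the rich rule text, quoted the way
# firewalld wants it (the double quotes are part of the rule, not the shell).
source_rule() {
    is_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    case $2 in accept|reject|drop) ;; *) echo "bad action: $2" >&2; return 1 ;; esac
    printf 'rule family="ipv4" source address="%s" %s\n' "$1" "$2"
}

# add_source_rule ZONE ADDR ACTION: add only if --query-rich-rule says the
# rule is missing, then make it permanent as well.
add_source_rule() {
    rule=$(source_rule "$2" "$3") || return 1
    if $FW --zone="$1" --query-rich-rule="$rule" >/dev/null 2>&1; then return 0; fi
    $FW --zone="$1" --add-rich-rule="$rule" \
        && $FW --permanent --zone="$1" --add-rich-rule="$rule"
}

# The article's own examples, applied only when run as root with FW_APPLY=1.
if [ "${FW_APPLY:-0}" = 1 ]; then
    forward_port external 22 tcp 2222 192.168.0.132
    add_source_rule public 192.168.0.254 accept
    add_source_rule public 192.168.0.250 reject
    $FW --zone=public --list-all
fi
```

Passing the rule text through a single variable avoids the nested-quoting mistakes that are easy to make when typing rich rules by hand, and the --query-* checks mean the script can be re-run from configuration management without firewall-cmd reporting that the rule or masquerade is already enabled.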
Here we have seen how to configure some of the rules and default
services in firewalld. If you have any query regarding the above
firewalld rules, feel free to leave your valuable comments below.