FirewallD Rules to Configure and Manage Firewall in Linux/CentOS 7

Today we'll show you how to set up and configure a firewall with FirewallD on CentOS 7. FirewallD is the firewall management service installed and enabled by default on CentOS 7. It is a front end for the kernel's netfilter framework: on CentOS 7 it programs the same iptables rules you would otherwise write by hand, but organises them into zones and services. Its main advantage over the old iptables service is that the old service had to reload its entire rule set on every change, whereas firewalld applies only the difference to the running rules and leaves established connections intact. Setting it up on CentOS 7 is a quick process.

Before applying any firewalld rules, first make sure the firewalld service is enabled and running:

# systemctl status firewalld

Instead of writing iptables rules and chains by hand, you work with zones (trust levels that interfaces and source addresses are assigned to) and services (named sets of ports and protocols). To list the zones that currently have an interface or source bound to them, and the services firewalld knows about:

# firewall-cmd --get-active-zones
# firewall-cmd --get-services

To show the default zone, the one that unassigned interfaces fall into:

# firewall-cmd --get-default-zone

To change the default zone we can run:

# firewall-cmd --set-default-zone=dmz
# firewall-cmd --get-default-zone
dmz

FirewallD ships with a command line tool, firewall-cmd, and a graphical one, firewall-config. If you would rather not use the command line, install the GUI package and manage firewalld from there:

# yum install firewalld firewall-config

1. Add and Remove Ports in Firewalld

To open a port in the public zone, use --add-port. The --permanent flag writes the change to the saved configuration under /etc/firewalld/ without touching the running firewall; a permanent change only takes effect after firewall-cmd --reload, and a change made without --permanent is lost at the next reload or restart. For example, to open TCP port 80 permanently:

# firewall-cmd --permanent --zone=public --add-port=80/tcp

To close the port again, use --remove-port. Note that the command below only removes the runtime rule; run it with --permanent as well (or use --runtime-to-permanent to save the whole runtime state), otherwise the port reappears at the next reload.

# firewall-cmd --zone=public --remove-port=80/tcp

After adding or removing ports, confirm the result with --list-ports (add --permanent to inspect the saved configuration instead of the running one).

# firewall-cmd --zone=public --list-ports
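Because --permanent and runtime changes are kept separately, it is easy to end up with a saved configuration that no longer matches what the firewall is actually enforcing. The following POSIX shell script is an added example, not code from the original article: zone_field and zone_rich_rules parse the text that --list-all prints, zone_drift compares the runtime and permanent views of a zone and reports the fields that differ, and the two sample --list-all outputs are constructed for the example. The live check at the end only runs when firewall-cmd is present and firewalld is running.

```shell
#!/bin/sh
# Added example (not from the article): report drift between the runtime and
# the permanent configuration of a firewalld zone. Input is the text printed by
#   firewall-cmd --zone=ZONE --list-all
#   firewall-cmd --permanent --zone=ZONE --list-all
# Function names and the two sample outputs are constructed for this example.

# zone_field LIST_ALL FIELD: value of the "FIELD: value" line, trimmed.
zone_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | sed 's/[[:space:]]*$//'
}

# zone_rich_rules LIST_ALL: rich rules are printed one per line below the
# "rich rules:" header, so collect those lines (sorted for comparison).
zone_rich_rules() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\(rule .*[^[:space:]]\)[[:space:]]*$/\1/p' | sort
}

# zone_drift RUNTIME PERMANENT: print "field|runtime|permanent" for each field
# that differs and return 1; return 0 when both views agree. Interfaces are
# skipped on purpose: at runtime they are usually bound by NetworkManager and
# need not appear in the saved zone file.
zone_drift() {
  drift=0
  for f in target services ports protocols masquerade forward-ports \
           sourceports icmp-blocks; do
    r=$(zone_field "$1" "$f")
    p=$(zone_field "$2" "$f")
    if [ "$r" != "$p" ]; then
      printf '%s|%s|%s\n' "$f" "$r" "$p"
      drift=1
    fi
  done
  r=$(zone_rich_rules "$1")
  p=$(zone_rich_rules "$2")
  if [ "$r" != "$p" ]; then
    printf 'rich rules|%s|%s\n' "$r" "$p"
    drift=1
  fi
  return $drift
}

# Constructed samples: port 80 was opened with --permanent but never reloaded,
# and a rich rule was added at runtime only.
RUNTIME_PUBLIC='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.254" accept
'
PERMANENT_PUBLIC='public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports: 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
'

zone_drift "$RUNTIME_PUBLIC" "$PERMANENT_PUBLIC" || echo "sample: drift detected"

# Live check against the public zone, skipped when firewall-cmd is missing or
# firewalld is not running, so the script also runs where firewalld is absent.
if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
  zone_drift "$(firewall-cmd --zone=public --list-all)" \
             "$(firewall-cmd --permanent --zone=public --list-all)" \
    || echo "public: runtime and permanent configuration differ"
fi
```

Run it after a maintenance session: an empty result means a reload or reboot will not change what the firewall enforces; any line it prints names a field you still have to reconcile with --permanent plus --reload, or with --runtime-to-permanent.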

2. Add and Remove Services in Firewalld

firewalld ships with predefined service definitions (XML files under /usr/lib/firewalld/services/; firewall-cmd --get-services lists them). A service that is not predefined can be added as your own XML file under /etc/firewalld/services/, which firewalld picks up after a --reload. Adding a service to a zone opens the ports that service defines. The commands below add the ftp service to the public zone, remove it again and list the services the zone allows; as with ports, they are runtime changes unless you add --permanent and reload.
For example:

# firewall-cmd --zone=public --add-service=ftp
# firewall-cmd --zone=public --remove-service=ftp
# firewall-cmd --zone=public --list-services
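Custom services use the same XML format as the predefined ones. The following POSIX shell function is an added example and not code from the article: write_service_xml validates a list of PORT/PROTO arguments and writes a service file into a directory you name, so it can be exercised without root before being pointed at /etc/firewalld/services/. The function names and the sample service (myapp on 8080/tcp, 9100-9105/tcp and 514/udp) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): generate a custom firewalld service
# definition. Built-in services live in /usr/lib/firewalld/services/*.xml and
# should not be edited; site-local ones go in /etc/firewalld/services/*.xml
# and are read after `firewall-cmd --reload`. The target directory is a
# parameter so the function can be exercised without root. Function names and
# the sample service below are constructed for this example.

# xml_escape TEXT: escape the five XML special characters in TEXT.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# valid_port SPEC: accept N or N-M with 1 <= N <= M <= 65535.
valid_port() {
  case $1 in ''|-*|*-|*-*-*) return 1 ;; esac
  lo=${1%-*}; hi=${1#*-}
  case "$lo$hi" in *[!0-9]*) return 1 ;; esac
  if [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]; then
    return 0
  fi
  return 1
}

# write_service_xml DIR NAME SHORT DESCRIPTION PORT/PROTO [PORT/PROTO...]
# Validates every argument first, then writes DIR/NAME.xml and prints its path.
write_service_xml() {
  if [ $# -lt 5 ]; then
    echo "usage: write_service_xml DIR NAME SHORT DESCRIPTION PORT/PROTO..." >&2
    return 1
  fi
  dir=$1; name=$2; short=$3; desc=$4
  shift 4
  case $name in
    ''|*[!A-Za-z0-9_-]*) echo "bad service name: '$name'" >&2; return 1 ;;
  esac
  for spec in "$@"; do
    case $spec in */*) ;; *) echo "want PORT/PROTO, got: $spec" >&2; return 1 ;; esac
    case ${spec#*/} in tcp|udp|sctp|dccp) ;; *) echo "bad protocol: $spec" >&2; return 1 ;; esac
    if ! valid_port "${spec%/*}"; then
      echo "bad port: $spec" >&2; return 1
    fi
  done
  {
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$(xml_escape "$short")"
    printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
    for spec in "$@"; do
      printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
    done
    printf '</service>\n'
  } > "$dir/$name.xml"
  printf '%s\n' "$dir/$name.xml"
}

# Sample run into a temporary directory (constructed data):
tmpdir=$(mktemp -d)
write_service_xml "$tmpdir" myapp "My App" "Internal API & metrics exporter" \
  8080/tcp 9100-9105/tcp 514/udp && cat "$tmpdir/myapp.xml"
rm -rf "$tmpdir"

# For real use, as root, write into the site-local directory, reload so the
# new service becomes known, then add it to a zone:
#   write_service_xml /etc/firewalld/services myapp "My App" "..." 8080/tcp
#   firewall-cmd --reload
#   firewall-cmd --permanent --zone=public --add-service=myapp
#   firewall-cmd --reload
```

Validating before writing matters because firewalld parses every file in the services directory at reload time; a half-written or malformed file shows up as an error there rather than at the point where you made the mistake.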

3. How to Block Incoming and Outgoing Packets (Panic Mode)

Panic mode drops every incoming and outgoing packet on all interfaces. That includes existing connections, so enabling it over SSH cuts off the very session you are typing in; use it only from the console or when you have out-of-band access to the machine.

# firewall-cmd --panic-on

While panic mode is on, all network access fails. Try to ping a host (say google.com) and confirm the mode with --query-panic:

# ping google.com -c 1
# firewall-cmd --query-panic

The ping fails (typically with "unknown host google.com", because even the DNS lookup is blocked) and the query answers "yes". Now disable panic mode and ping again:

# firewall-cmd --query-panic
# firewall-cmd --panic-off
# ping google.com -c 1

This time the ping gets a reply from google.com.

4. How to Block and Enable ICMP

First, list the ICMP types that firewalld knows about:

# firewall-cmd --get-icmptypes

To block one ICMP type in a zone, first query whether a block for that type is already in place:

# firewall-cmd --zone=public --query-icmp-block=echo-reply

If the answer is "no", the type is not blocked yet. Add the block:

# firewall-cmd --zone=public --add-icmp-block=echo-reply

An ICMP block applies to packets arriving in the zone. Blocking echo-reply, as above, stops this host from receiving answers to its own pings; to stop the host from answering pings from outside, block echo-request instead. As with ports, add --permanent and run --reload to keep the block across a restart.

5. Adding and Removing Chain using Direct Interface

The direct interface passes raw iptables arguments to firewalld and is the escape hatch for rules the zone model cannot express; simple port and source rules should stay with zones or rich rules. For every zone firewalld maintains its own chains, among them an allow chain named IN_<zone>_allow (IN_public_allow, IN_work_allow, IN_internal_allow, IN_external_allow and so on), and a direct rule is inserted into one of these with a table name, a chain name and a priority. Here we add a rule to the public zone's allow chain.
Before adding anything, list the direct rules already in that chain with --get-rules:

# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow

To add a rule, use --add-rule followed by the IP family, table, chain and priority, then the iptables match and target arguments. This one accepts inbound TCP connections to port 25:

# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT

To remove it, pass exactly the same arguments to --remove-rule:

# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT

Direct rules added this way are runtime only; add --permanent to save them to /etc/firewalld/direct.xml.

6. Firewalld Lockdown Rules

Any local application running as root (or otherwise allowed to talk to firewalld over D-Bus) can change the firewall rules. Lockdown mode restricts such changes to the commands, users and SELinux contexts listed in /etc/firewalld/lockdown-whitelist.xml, protecting the rules from unwanted modification by other software. Check that whitelist before enabling lockdown so that your own management tooling keeps its access. To enable lockdown persistently, edit firewalld.conf:

# nano /etc/firewalld/firewalld.conf

Change no to yes

Lockdown=yes

Reload so that the saved setting takes effect:

# firewall-cmd --reload

Then verify that lockdown is active:

# firewall-cmd --query-lockdown

Lockdown can also be switched on and off from the command line. Be careful: if firewall-cmd itself (the user or SELinux context it runs as) is not on the whitelist when you turn lockdown on, you will not be able to turn it off again with firewall-cmd.

# firewall-cmd --lockdown-on
# firewall-cmd --lockdown-off

7. Enable Fail2ban-firewalld Support

To integrate fail2ban with firewalld, install the fail2ban-firewalld package from the EPEL repository (enable EPEL first on RHEL/CentOS). It configures fail2ban to ban addresses through firewall-cmd instead of calling iptables directly, so bans do not fight with firewalld's own rules. fail2ban ships ready-made jails and filters for SSH, SSH connection floods (sshd-ddos), MariaDB, Apache and others; note that they are all disabled by default and have to be switched on in a jail.local file.

After enabling EPEL, install the fail2ban-firewalld package:

# yum install fail2ban-firewalld -y

After installing the package, start the fail2ban service and enable it so that it starts at boot:

# systemctl start fail2ban
# systemctl enable fail2ban

8. Add & Block IP Addresses

To trust a specific source address in the public zone, add a rich rule. The rule below accepts all traffic from that address regardless of port, so use it only for hosts you actually trust:

# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'

After adding the rule, list the whole zone and check the "rich rules" section:

# firewall-cmd --zone=public --list-all

To remove the rule, replace --add-rich-rule with --remove-rich-rule and pass the identical rule text:

# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'

To block a source instead, replace accept with reject (the client receives an explicit refusal) or drop (its packets are discarded silently). For a temporary block while you investigate an address, add --timeout=SECONDS and the runtime rule removes itself when the time is up.

# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.250" reject'
# firewall-cmd --zone=public --list-all
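Rich rules are easy to mistype, and the exact same text has to be passed again to remove one, so it pays to build them from validated input and to check whether the zone already has a rule before adding it a second time. The following POSIX shell functions are an added example, not code from the article: rich_rule builds the rule string (optionally limited to one port), has_rich_rule looks for it in the output of --list-all, ensure_rich_rule prints the runtime and permanent commands still needed, and the sample --list-all text is constructed. The rule built for 192.168.0.254 is the same one used above.

```shell
#!/bin/sh
# Added example (not from the article): build firewalld rich rules from
# validated input and check whether a zone already carries a rule before
# adding it again. Function names and the sample --list-all output are
# constructed for this example.

# valid_ipv4_cidr ADDR[/LEN]: four octets 0-255 and an optional prefix 0-32.
valid_ipv4_cidr() {
  addr=${1%/*}
  plen=32
  case $1 in */*) plen=${1#*/} ;; esac
  case $plen in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  case $addr in ''|*[!0-9.]*) return 1 ;; esac   # also keeps glob characters out of set --
  old_ifs=$IFS; IFS=.
  set -- $addr
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# rich_rule ACTION SOURCE [PORT PROTO]: print a rich rule that accepts,
# rejects or drops traffic from SOURCE, optionally for one port/protocol only.
rich_rule() {
  action=$1; source=$2; port=$3; proto=$4
  case $action in accept|reject|drop) ;;
    *) echo "action must be accept, reject or drop: '$action'" >&2; return 1 ;;
  esac
  if ! valid_ipv4_cidr "$source"; then
    echo "bad IPv4 source: '$source'" >&2; return 1
  fi
  rule="rule family=\"ipv4\" source address=\"$source\""
  if [ -n "$port" ]; then
    case $port in *[!0-9-]*|-*|*-) echo "bad port: '$port'" >&2; return 1 ;; esac
    case $proto in tcp|udp) ;;
      *) echo "protocol must be tcp or udp when a port is given" >&2; return 1 ;;
    esac
    rule="$rule port port=\"$port\" protocol=\"$proto\""
  fi
  printf '%s %s\n' "$rule" "$action"
}

# has_rich_rule LIST_ALL RULE: true when RULE appears as a whole line in the
# output of `firewall-cmd --zone=ZONE --list-all` (firewalld prints rules with
# the same quoting this builder uses, so a plain line match works).
has_rich_rule() {
  [ -n "$2" ] || return 1
  printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF -- "$2"
}

# ensure_rich_rule ZONE LIST_ALL RULE: print the runtime and permanent
# commands that would add RULE, or a note if the zone already has it. The
# output can be reviewed and piped to sh; nothing is applied here.
ensure_rich_rule() {
  if has_rich_rule "$2" "$3"; then
    echo "# $1: already present: $3"
    return 0
  fi
  printf "firewall-cmd --zone=%s --add-rich-rule='%s'\n" "$1" "$3"
  printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$1" "$3"
}

# Constructed sample of `firewall-cmd --zone=public --list-all` with the
# article's accept rule already in place:
PUBLIC_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.254" accept
'

ensure_rich_rule public "$PUBLIC_LIST_ALL" "$(rich_rule accept 192.168.0.254)"
ensure_rich_rule public "$PUBLIC_LIST_ALL" "$(rich_rule drop 203.0.113.0/24 22 tcp)"
```

The port-limited form is usually the better block: dropping 203.0.113.0/24 on 22/tcp only stops the brute-forcing you are seeing without silently cutting that network off from a web service the same host may serve. Feed ensure_rich_rule the live output of firewall-cmd --zone=public --list-all to get an idempotent plan you can review before running.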

9. Masquerading IP Address

IP masquerading is a form of network address translation (NAT) in which the firewall rewrites the source address of packets coming from machines on its internal network to its own address. Hosts with no address that is known outside their network can reach the outside this way, and one machine acts on behalf of the others.

Here we combine it with port forwarding so that a host behind this machine can be reached from outside. For example, to reach a home virtual machine over SSH from anywhere, connections arriving on this host's external interface on TCP port 22 are forwarded to port 2222 on the VM's private address. Keep in mind that this takes over port 22 on the external interface: the translation happens before the firewall host's own sshd sees the packet, so the firewall host itself is no longer reachable on port 22 from outside.

firewalld only forwards to another host when masquerading is enabled on the zone, and the external zone (which turns masquerading on by default) is the zone the Internet-facing interface should be assigned to. So first check that masquerading is enabled there:

# firewall-cmd --zone=external --query-masquerade

If it’s not enabled, you can enable it by the following command.

# firewall-cmd --zone=external --add-masquerade

Now forward TCP port 22 arriving in the external zone to port 2222 on 192.168.xx.xx (the VM's address), then list the zone to confirm that it shows masquerade: yes and the forward-ports entry. Add --permanent and run --reload to make both settings survive a restart.

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2222:toaddr=192.168.xx.xx
# firewall-cmd --zone=external --list-all
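A small preflight for the forwarding set-up above, added here as an example rather than taken from the article: forward_port_spec builds the port=...:proto=...:toport=...:toaddr=... argument with basic validation, and forwarding_ready reads --list-all output to confirm that the forward rule is present and, when it points at another host, that masquerading is on in the zone. The function names and the constructed --list-all text are assumptions of this example, and 192.168.1.10 stands in for the article's 192.168.xx.xx.

```shell
#!/bin/sh
# Added example (not from the article): build the argument for
# --add-forward-port and verify from --list-all output that the zone is
# ready to forward. Function names and the sample output are constructed;
# 192.168.1.10 stands in for the article's 192.168.xx.xx.

# valid_port N: a single port number 1-65535 (ranges are out of scope here).
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
  return 1
}

# forward_port_spec PORT PROTO TOPORT [TOADDR]: print the spec, for example
# port=22:proto=tcp:toport=2222:toaddr=192.168.1.10. Without TOADDR the spec
# redirects to a port on this host; with TOADDR it is DNAT to another host,
# which firewalld only performs when masquerading is enabled on the zone.
forward_port_spec() {
  port=$1; proto=$2; toport=$3; toaddr=$4
  if ! valid_port "$port" || ! valid_port "$toport"; then
    echo "ports must be 1-65535: '$port' -> '$toport'" >&2; return 1
  fi
  case $proto in tcp|udp|sctp|dccp) ;; *) echo "bad protocol: '$proto'" >&2; return 1 ;; esac
  spec="port=$port:proto=$proto:toport=$toport"
  if [ -n "$toaddr" ]; then
    # Shape check only (dotted quad of digits); a full IPv4 validator is not repeated here.
    case $toaddr in *[!0-9.]*|*..*|.*|*.) echo "bad toaddr: '$toaddr'" >&2; return 1 ;; esac
    spec="$spec:toaddr=$toaddr"
  fi
  printf '%s\n' "$spec"
}

# forwarding_ready LIST_ALL SPEC: 0 when the zone lists SPEC under
# forward-ports (older firewalld prints them space-separated on one line,
# newer one per line; both are handled) and, if SPEC has a toaddr, also shows
# "masquerade: yes". Otherwise prints what is missing and returns 1.
forwarding_ready() {
  ok=0
  case $2 in *:toaddr=*)
    masq=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*masquerade:[[:space:]]*\([a-z]*\).*/\1/p')
    if [ "$masq" != "yes" ]; then
      echo "masquerade is '$masq', expected yes (firewall-cmd --zone=external --add-masquerade)"
      ok=1
    fi ;;
  esac
  if ! printf '%s\n' "$1" | tr ' \t' '\n' | grep -qxF -- "$2"; then
    echo "forward rule not present: $2"
    ok=1
  fi
  return $ok
}

# Constructed sample of `firewall-cmd --zone=external --list-all` after the
# masquerade and forward-port commands above have been run:
EXTERNAL_LIST_ALL='external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=2222:toaddr=192.168.1.10
  sourceports:
  icmp-blocks:
  rich rules:
'

spec=$(forward_port_spec 22 tcp 2222 192.168.1.10)
forwarding_ready "$EXTERNAL_LIST_ALL" "$spec" && echo "external zone is ready: $spec"
```

Run forwarding_ready against the live output of firewall-cmd --zone=external --list-all and again against firewall-cmd --permanent --zone=external --list-all; if the first passes and the second does not, the forwarding works now but will vanish at the next reload.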

10. How to Start/Stop or Enable/Disable firewalld on CentOS 7

To disable firewalld so that it no longer starts at boot (this does not stop a running instance), execute the following command as root or using sudo:

systemctl disable firewalld

To stop (or deactivate) the running firewalld, execute the following command as root or using sudo. The host is then unfiltered until firewalld is started again, and it still starts at the next boot unless it has also been disabled:

systemctl stop firewalld

To start (or activate) firewalld, execute the following command as root or using sudo:

systemctl start firewalld

To check the status of firewalld, execute the following command as root or using sudo:

systemctl status firewalld