Today we’ll show you how to set up and configure a firewall with FirewallD on CentOS 7. FirewallD is the firewall management system available by default on CentOS 7 servers; it is essentially a wrapper around iptables. One of the biggest benefits of the new firewall system is that the old firewall needed a full restart after every change, whereas with firewalld only the differences are applied. Setting up and configuring FirewallD on CentOS 7 is an easy process and should not take much time.
Before applying any firewalld rules, first make sure the firewalld service is enabled and running.
systemctl status firewalld
# firewall-cmd --get-active-zones
# firewall-cmd --get-services
To show the default zone:
# firewall-cmd --get-default-zone
To change the default zone we can run:
# firewall-cmd --set-default-zone=dmz
# firewall-cmd --get-default-zone
dmz
FirewallD comes with a graphical configuration tool, firewall-config, and a command line tool, firewall-cmd. If you’re not familiar with the command line, you can also manage firewalld from the GUI; for that you need to install the GUI package on the system with the following command.
# yum install firewalld firewall-config
1. Add and Remove Ports in Firewalld
To open any port for the public zone, use the following command. For example:
# firewall-cmd --permanent --zone=public --add-port=80/tcp
Similarly, to remove an added port, use the ‘--remove-port‘ option with firewall-cmd as shown below.
# firewall-cmd --zone=public --remove-port=80/tcp
After adding or removing specific ports, confirm whether the port is added or removed using the ‘--list-ports‘ option.
# firewall-cmd --zone=public --list-ports
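Note that the add command above uses ‘--permanent‘ while the remove and list commands act on the runtime configuration only; rules added without ‘--permanent‘ disappear on the next ‘--reload‘ or reboot. The following script is an added example (not part of the original article) that detects such drift: it compares the ‘services‘, ‘ports‘ and ‘icmp-blocks‘ fields of a runtime and a permanent ‘--list-all‘ listing. Both listings are constructed samples here so the script runs offline; on a real host you would capture them with ‘firewall-cmd --zone=public --list-all‘ and ‘firewall-cmd --permanent --zone=public --list-all‘.

```shell
#!/bin/bash
# Report zone entries present in the runtime config but missing from the
# permanent config (they will be lost on `firewall-cmd --reload`).

# Constructed sample: output of `firewall-cmd --zone=public --list-all`
RUNTIME_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh ftp
  ports: 80/tcp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  icmp-blocks: echo-reply
  rich rules:'

# Constructed sample: output of `firewall-cmd --permanent --zone=public --list-all`
PERMANENT_LISTING='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# zone_field FIELD LISTING: print the space-separated values of FIELD
zone_field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# runtime_only FIELD: print each FIELD value found in the runtime listing
# but not in the permanent one, one per line
runtime_only() {
    local field=$1 item p found
    for item in $(zone_field "$field" "$RUNTIME_LISTING"); do
        found=0
        for p in $(zone_field "$field" "$PERMANENT_LISTING"); do
            [ "$item" = "$p" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$item"
    done
    return 0
}

for f in services ports icmp-blocks; do
    for item in $(runtime_only "$f"); do
        echo "runtime-only $f entry: $item (lost on reload)"
    done
done
```

Any line the script prints is a rule that should either be re-added with ‘--permanent‘ or removed deliberately.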
2. Add and Remove Services in Firewalld
By default firewalld comes with pre-defined services. If you want to add a custom service, create a new XML service file that describes it; you can also add or remove each service in a zone manually with the following commands.
# firewall-cmd --zone=public --add-service=ftp
# firewall-cmd --zone=public --remove-service=ftp
# firewall-cmd --zone=public --list-services
3. How to Block Incoming and Outgoing Packets (Panic Mode)
If you want to block all incoming and outgoing connections, use ‘panic‘ mode. For example, the following command will drop all packets, including those of existing established connections.
# firewall-cmd --panic-on
After enabling panic mode, try to ping any domain (say google.com) and check whether panic mode is on using the ‘--query-panic‘ option as shown below.
# ping google.com -c 1
# firewall-cmd --query-panic
If the ping fails with “Unknown host google.com“ while the panic query answers yes, panic mode is active. Then disable panic mode, and ping and check once again.
# firewall-cmd --query-panic
# firewall-cmd --panic-off
# ping google.com -c 1
This time there will be a ping reply from google.com.
4. How to Block and Enable ICMP
First, list the ICMP types firewalld knows about with the command below.
# firewall-cmd --get-icmptypes
To add an ICMP block to a zone, use the following commands. Before blocking, first query the current status of the block to confirm it is not already applied.
# firewall-cmd --zone=public --query-icmp-block=echo-reply
If you get ‘no‘, no ICMP block is applied yet; let’s enable the block.
# firewall-cmd --zone=public --add-icmp-block=echo-reply
5. Adding and Removing Chain using Direct Interface
To add a custom direct interface rule, use the ‘--direct‘ option on the chain of any zone (public, work, internal, external). For example, here we’re going to add a rule to the public zone.
Before adding any rule, first list all the current rules in the public zone chain using ‘--get-rules‘.
# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
To add a rule use ‘--add-rule‘ as shown below.
# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT
To remove the rule, just replace ‘--add-rule‘ with ‘--remove-rule‘ and keep the rest of the rule identical.
# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT
6. Firewalld Lockdown Rules
Any local application running with root privileges can change the firewalld rules. To prevent such changes, enable lockdown in the ‘firewalld.conf‘ file. This mostly helps protect firewalld from unwanted rule changes made by applications.
# nano /etc/firewalld/firewalld.conf
Change the line ‘Lockdown=no‘ to ‘Lockdown=yes‘.
To apply the change, reload firewalld using ‘--reload‘.
# firewall-cmd --reload
After making the above changes, you can verify whether firewalld is locked down with a query.
# firewall-cmd --query-lockdown
To turn lockdown mode on or off, use the following commands.
# firewall-cmd --lockdown-on
# firewall-cmd --lockdown-off
7. Enable Fail2ban-firewalld Support
To enable fail2ban support in firewalld, we need to install the package called ‘fail2ban-firewalld‘, which requires enabling the EPEL repository on RHEL/CentOS systems. It also provides additional security rules for SSH, SSH-DDOS, MariaDB, Apache etc.
After enabling EPEL, install the ‘fail2ban-firewalld‘ package using the following command.
# yum install fail2ban-firewalld -y
After installing the package, start the ‘fail2ban‘ service and enable it so that it persists across reboots.
# systemctl start fail2ban
# systemctl enable fail2ban
8. Add & Block IP Addresses
To allow a specific IP address in the public zone, use the following command.
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'
After adding the above rule, don’t forget to list all the public zone rules.
# firewall-cmd --zone=public --list-all
To remove an added rule, just replace ‘--add-rich-rule‘ with ‘--remove-rich-rule‘ as shown in the command below.
# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'
To reject an IP address in the zone, just replace ‘accept‘ with ‘reject‘ as shown in the command below.
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.250" reject'
# firewall-cmd --zone=public --list-all
9. Masquerading IP Address
IP masquerading is a form of network address translation (NAT) which allows internal computers with no known address outside their network, to communicate to the outside. It allows one machine to act on behalf of other machines.
Here we will see how to forward a port to the outside of the network. For example, if I want to ssh to my home virtual machine from anywhere, I need to forward my ssh port 22 to a different port (i.e. 2222).
Before doing port forwarding, first check whether masquerading is enabled for the external zone, because we are going to access the machine from outside the network.
# firewall-cmd --zone=external --query-masquerade
If it’s not enabled, you can enable it by the following command.
# firewall-cmd --zone=external --add-masquerade
Now forward all ssh port 22 connections to port 2222 on IP address 192.168.xx.xx.
# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2222:toaddr=192.168.xx.xx
# firewall-cmd --zone=external --list-all
10. How to Start/Stop or Enable/Disable firewalld on CentOS 7
To disable firewalld, execute the following command as root or using sudo:
systemctl disable firewalld
To stop (or deactivate) firewalld, execute the following command as root or using sudo:
systemctl stop firewalld
To start (or activate) firewalld, execute the following command as root or using sudo:
systemctl start firewalld
To check the status of firewalld, execute the following command as root or using sudo:
systemctl status firewalld