Contents

How to Configure ‘FirewallD’ in RHEL/CentOS 7 and Fedora 21

02 Sep 2018 0 7  0
How to Configure ‘FirewallD’ in RHEL/CentOS 7 and Fedora 21
How to Configure ‘FirewallD’ in RHEL/CentOS 7 and Fedora 21

 

 

Step 1: Setting Default Zone

If you would like to set the default zone as internal, external, drop, work, or any other zone, then you can use the below command to set the default zone. In this example, we are using the ‘internal’ zone as default.

# firewall-cmd --set-default-zone=internal

 

After setting the zone, verify the default zone using the below command.

# firewall-cmd --get-default-zone

 

Set Firewalld Default Zone

Here, the Interface is ‘enp0s3′, If you need to check your zone in which interface is bound, you can use the below command.

# firewall-cmd --get-zone-of-interface=enp0s3

 

Check Interface Zone

Another interesting feature of firewallD is ‘icmptype‘ this is one of the ‘icmp’ types supported by firewallD. To get the listing of supported ‘icmp’ types we can use the below command.

# firewall-cmd --get-icmptypes

 

Step 2: Creating Own Services in Firewalld

Services are set of rules with ports and options which is used by FirewallD. Services which are enabled will be automatically loaded when the FirewallD service up and running. By default, many services are available; to get the list of all available services, use the following command.

# firewall-cmd --get-services

 

List Firewalld Services

To get the list of all the default available services, go the the following directory, here you will get the list of services.

# cd /usr/lib/firewalld/services/

List Default Firewalld Services

To create your own service, you need to define it at the following location. For example, here we want to add a service for RTMP port 1935; first make a copy of any one of the service from.

# cd /etc/firewalld/services/
# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/

 

And then, navigate to the location were our service file was copied, next rename the file ‘ssh.xml‘ to ‘rtmp.xml‘ as shown in the below picture.

# cd /etc/firewalld/services/

 

Create Firewalld Service

 

Add Firewalld Service

 

Next, open and edit the file as Heading, Description, Protocol, and Port number, which you will need to use for the RTMP service as shown in below picture.

 

Configure FirewallD Service

To make these changes activate, restart the firewallD service or reload the settings.

# firewall-cmd --reload

 

To confirm whether service is added, run the below command to get a list of services available.

# firewall-cmd --get-services

 

Step 3: Assigning Services to Zones

Here we are going to show you how to manage the firewall using the ‘firewall-cmd‘ command. To know the current state of the firewall and all active zones, type the following command.

# firewall-cmd --state
# firewall-cmd --get-active-zones

 

To get the public zone for interface ‘enp0s3’, this is the default interface which is defined in the ‘/etc/firewalld/firewalld.conf’ file as ‘DefaultZone=public’.

To list all available services in this default interface zone.

# firewall-cmd --get-service

 

Step 4: Adding Services to Zones

In the above examples, we have shown how to create your own services by creating an ‘rtmp’ service, here we will show how to add the ‘rtmp’ service to the zone as well.

# firewall-cmd --add-service=rtmp

 

To remove an added zone, type.

# firewall-cmd --zone=public --remove-service=rtmp

 

The above step was temporary only. To make it permanent, you will need to run the below command with option ‘permanent’.

# firewall-cmd --add-service=rtmp --permanent
# firewall-cmd --reload

 

Define the rules for network source range and open any one of the ports. For example, if you would like to open a network range say ‘192.168.0.0/24’ and port ‘1935’, then use the following commands.

# firewall-cmd --permanent --add-source=192.168.0.0/24
# firewall-cmd --permanent --add-port=1935/tcp

 

Make sure to reload the firewallD service after adding or removing any services or ports.

# firewall-cmd --reload 
# firewall-cmd --list-all

 

Open Port in Firewalld

 

Step 5: Adding Rich Rules for Network Range

If you want to allow the services such as ‘http’, ‘https’, ‘vnc-server’, and ‘PostgreSQL’, you can use the following rules. First, add the rule and make it permanent before reloading the rules and check the status.

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' 
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept' --permanent
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept' --permanent
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept' --permanent

 

Now, the Network range ‘192.168.0.0/24′ can use the above service from my server. The option ‘permanent’ can be used in every rule, however, you have to define the rule and check with the client access; after that you have to make it permanent.

 

After adding the above rules, don’t forget to reload the firewall rules and list the rules using the below.

# firewall-cmd --reload

# firewall-cmd --list-all




List All FirewallD Active Rules

 

To know more about FirewallD.

# man firewalld

 

That’s it, we have seen how to setup net-filter using FirewallD in RHEL/CentOS 7 and Fedora 21.

Conclusion

Net-filter is the framework for firewall for each and every Linux distributions. Back in every RHEL and CentOS editions we used iptables but in version 7 they have introduced FirewallD. It’s easier to understand and use firewallD. Hope you have enjoyed the write-up.

0 Comments
Add a comment

Leave a Reply