How to Configure ‘FirewallD’ in RHEL/CentOS 7 and Fedora 21

Net-filter as we all know it’s a firewall in Linux. Firewalld is a dynamic daemon to manage firewall with support for networks zones. In earlier version, RHEL & CentOS 6 we have been using iptables as a daemon for packet filtering framework. In RHEL/CentOS 7 and Fedora 21 iptables interface is being replaced by firewalld.

Configure and Use FirewallD

Configure and Use FirewallD

It’s recommended to start using Firewalld instead of iptables as this may discontinue in future. However, iptables is still supported and can be installed with YUM command. We can’t keep Firewalld and iptables both in same system which may lead to conflict.

In iptables, we used to configure as INPUT, OUTPUT & FORWARD CHAINS but here in Firewalld, the concept which uses Zones. By default, there are different zones available in firewalld, which will be discussed in this article.

The basic zone which are like public zone and private zone. To make things work around with these zones, we need to add the interface with the specified zone support and then we can add the services to firewalld.

By default, there are many services are available, one of the best feature of firewalld is, it comes with pre-defined services and we can take these services as example to add our services by simply copying them.

Firewalld works great with IPv4, IPv6 and Ethernet bridges too. We can have the separate run-time and permanent configuration in firewalld. Let’s get started how to work with zones and create our own services and much more exciting usage of firewalld.

Our Testing Environment
Operating System :	CentOS Linux release 7.0.1406 (Core)
IP Address       :	192.168.0.55
Host-name	:	server1.tecmintlocal.com
Our Setup Details

Our Setup Details

Step 1: Installing Firewalld Package

1. Firewalld package is installed by default in RHEL/CentOS 7 and Fedora 21. If not, you can install it using the following YUM command.

# yum install firewalld -y
Install Firewalld in CentOS 7

Install Firewalld

2. After firewalld package has been installed, it’s time to verify whether iptables service is running or not, if running, you need to stop and mask (not use anymore) the iptables service with below commands.

# systemctl status iptables
# systemctl stop iptables
# systemctl mask iptables
Disable Iptables in CentOS 7

Disable Iptables Service

Stpe 2: Discussing Firewalld Components

3. Before heading up for firewalld configuration, I would like to discuss about each zones. By default there are some zones available. We need to assign the interface to the zone. A zone define that the zone was trusted or denied level to the interface to get connection. A zone can contain services & ports. Here, we’re going describe each zones available in Firewalld.

  1. Drop Zone: Any incoming packets are dropped, if we use this drop zone. This is same as we use to add iptables -j drop. If we use the drop rule, means there is no reply, only outgoing network connections will be available.
  2. Block Zone: Block zone will deny the incoming network connections are rejected with an icmp-host-prohibited. Only established connections within the server will be allowed.
  3. Public Zone: To accept the selected connections we can define rules in public zone. This will only allow the specific port to open in our server other connections will be dropped.
  4. External Zone: This zone will act as router options with masquerading is enabled other connections will be dropped and will not accept, only specified connection will be allowed.
  5. DMZ Zone: If we need to allow access to some of the services to public, you can define in DMZ zone. This too have the feature of only selected incoming connections are accepted.
  6. Work Zone: In this zone, we can define only internal networks i.e. private networks traffic are allowed.
  7. Home Zone: This zone is specially used in home areas, we can use this zone to trust the other computers on networks to not harm your computer as every zone. This too allow only the selected incoming connections.
  8. Internal Zone: This one is similar to work zone with selected allowed connections.
  9. Trusted Zone: If we set the trusted zone all the traffic are accepted.

Now you’ve better idea about zones, now let’s find out available zones, default zones and list all zones using the following commands.

# firewall-cmd --get-zones
Find Available Firewalld Zones

Find Available Zones in Firewalld

# firewall-cmd --get-default-zone
Firewalld Default Zone

Firewalld Default Zone

# firewall-cmd --list-all-zones

Note: The output of above command won’t fit into single page as this will list every zones like block, dmz, drop, external, home, internal, public, trusted, and work. If the zones have any rich-rules, enabled services or ports will be also listed with those respective zone informations.

Step 3: Setting Default Zone

4. If you would like to set the default zone as internal, external, drop, work or any other zone, you can use the below command to set the default zone. Here we using “internal” zone as default.

# firewall-cmd --set-default-zone=internal

5. After setting zone, verify the default zone using below command.

# firewall-cmd --get-default-zone
Set Firewalld Default Zone

Set Firewalld Default Zone

6. Here, our Interface is enp0s3, If we need to check our zone in which interface is bounded we can use the below command.

# firewall-cmd --get-zone-of-interface=enp0s3
Check Interface Zone

Check Interface Zone

7. Another interesting feature of firewalld is ‘icmptype‘ is the one of the icmp types supported by firewalld. To get the listing of supported icmp types we can use the below command.

# firewall-cmd --get-icmptypes

Step 4: Creating Own Services in Firewalld

8. Services are set of rules with ports and options which is used by Firewalld. Services which are enabled, will be automatically loaded when the Firewalld service up and running. By default, many services are available, to get the list of all available services, use the following command.

# firewall-cmd --get-services
Check Firewalld Services

List Firewalld Services

9. To get the list of all the default available services, go the the following directory, here you will get the list of services.

# cd /usr/lib/firewalld/services/
List Default Firewalld Services

List Default Firewalld Services

10. To create your own service, you need to define it at the following location. For example, here I want to add a service for RTMP port 1935, first make a copy of any one of the service from.

# cd /etc/firewalld/services/
# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/

And then, navigate to the location were our service file was copied, next rename the file ‘ssh.xml‘ to ‘rtmp.xml‘ as shown in the below picture.

# cd /etc/firewalld/services/
Create Firewalld Service

Create Firewalld Service

Add Service to Firewalld

Add Firewalld Service

11. Next open and edit the file as Heading, Description, Protocol, and Port number, which we need to use for the RTMP service as shown in below picture.

Configure Firewalld Service

Configure Firewalld Service

12. To make these changes activate, restart the firewalld service or reload the settings.

# firewall-cmd --reload

13. To confirm, whether service is added or not, run below command to get list of services available.

# firewall-cmd --get-services
Confirm Added Service in Firewall

Confirm Added Service in Firewall

Step 5: Assigning Services to Zones

14. Here we are going to see how to manage the firewall using ‘firewall-cmd‘ command. To know the current state of the firewall and all active zones, type the following command.

# firewall-cmd --state
# firewall-cmd --get-active-zones

15. To get the public zone for interface enp0s3, this is the default interface, which is defined in /etc/firewalld/firewalld.conf file as DefaultZone=public.

To list all available services in this default interface zone.

# firewall-cmd --get-service

Step 6: Adding Services to Zones

16. In the above examples, we have seen how to create own services by creating rtmp service, here we will see how to add the rtmp service to the zone as well.

# firewall-cmd --add-service=rtmp

17. To remove added zone, type.

# firewall-cmd --zone=public --remove-service=rtmp

The above step was temporary period only. To make it permanent we need to run the below command with option –permanent.

# firewall-cmd --add-service=rtmp --permanent
# firewall-cmd --reload

18. Define rules for network source range and open anyone of the port. For example, if you would like to open a network range say ‘192.168.0.0/24’ and port ‘1935’ use the following commands.

# firewall-cmd --permanent --add-source=192.168.0.0/24
# firewall-cmd --permanent --add-port=1935/tcp

Make sure to reload firewalld service after adding or removing any services or ports.

# firewall-cmd --reload 
# firewall-cmd --list-all
Open Port in CentOS 7

Open Port in Firewalld

Step 7: Adding Rich Rules for Network Range

19. If I want to allow the services such as http, https, vnc-server, PostgreSQL, you use the following rules. First add the rule and make it permanent and reload the rules and check the status.

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' 
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept' --permanent

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept' --permanent

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept' --permanent

Now, the Network range 192.168.0.0/24 can use the above service from my server. The option –permanent can be used in every rule, but we have to define the rule and check with the client access after that we have to make it permanent.

20. After adding above rules, don’t forget to reload the firewall rules and list the rules using:

# firewall-cmd --reload
# firewall-cmd --list-all
List All FirewallD Active Rules

List All FirewallD Active Rules

To know more about Firewalld.

# man firewalld

That’s it, we have seen how to setup net-filter using Firewalld in RHEL/CentOS 7 and Fedora 21.

Conclusion

Net-filter is the framework for firewall for each and every Linux distributions. Back in every RHEL and CentOS editions we used iptables but in version 7 they have introduced Firewalld. It’s easier to understand and use firewalld. Hope you have enjoyed the write-up.

0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
Linux: Disks diagnostic using smartctl
Viewed 14920 times since Wed, Jul 25, 2018
How To: Create Self-Signed Certificate – OpenSSL
Viewed 2904 times since Mon, Feb 18, 2019
LVM: Create a new Logical Volume / Filesystem
Viewed 2020 times since Sat, Jun 2, 2018
An easier way to manage disk decryption at boot with Red Hat Enterprise Linux 7.5 using NBDE
Viewed 7409 times since Mon, Aug 6, 2018
OpenSSL: Find Out SSL Key Length – Linux Command Line
Viewed 6750 times since Mon, Feb 18, 2019
Logowanie za pomocą kluczy Secure Shell
Viewed 2869 times since Thu, May 24, 2018
CentOS / RHEL : Configure yum automatic updates with yum-cron service
Viewed 3467 times since Fri, Oct 26, 2018
Super Grub2 Disk
Viewed 3353 times since Wed, May 22, 2019
RHEL: Display swap/RAM size
Viewed 3202 times since Sat, Jun 2, 2018
RHEL: Rebuilding the initial ramdisk image
Viewed 7227 times since Sat, Jun 2, 2018