Introduction
FirewallD is a powerful and flexible firewall management tool used in many Linux distributions, including AlmaLinux. It provides a dynamic way to manage firewall rules without the need for complex iptables configurations. Understanding the basic operations of FirewallD is crucial for securing your server and managing network traffic effectively.
Basic Operations
FirewallD is a front-end for the iptables firewall that uses zones and services instead of chains and rules, which makes firewall settings easier to manage. It also supports dynamic changes without restarting the firewall, so existing connections keep flowing while rules change. On FirewallD, services are defined once and then assigned to zones. To enable the firewall, associate a zone with a NIC using the commands below.
Step [1] To use FirewallD, start and enable the service.
[root@vms ~]# systemctl enable --now firewalld
Step [2] By default, the [public] zone is applied to a NIC, and the cockpit, dhcpv6-client and ssh services are allowed. When working with the [firewall-cmd] command, a command run without a [--zone=***] specification applies to the default zone.
# display the default zone
[root@vms ~]# firewall-cmd --get-default-zone
public
# display current settings
[root@vms ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# display all zones defined by default
[root@vms ~]# firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
.....
.....
# display allowed services on a specific zone
[root@vms ~]# firewall-cmd --list-service --zone=external
ssh
# change default zone
[root@vms ~]# firewall-cmd --set-default-zone=external
success
# change zone for an interface
[root@vms ~]# firewall-cmd --change-interface=enp1s0 --zone=external
success
[root@vms ~]# firewall-cmd --list-all --zone=external
external (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Step [3] Display the services defined by default.
[root@vms ~]# firewall-cmd --get-services
RH-Satellite-6 RH-Satellite-6-capsule amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit collectd condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-api kube-apiserver kube-control-plane kube-controller-manager kube-scheduler kubelet-worker ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nbd netbios-ns nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wireguard wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
# definition files are placed under the following directory
# if you'd like to add your own definition, put an XML file there
[root@vms ~]# ls /usr/lib/firewalld/services
amanda-client.xml mqtt.xml
amanda-k5-client.xml mssql.xml
amqps.xml ms-wbt.xml
amqp.xml murmur.xml
apcupsd.xml mysql.xml
.....
.....
minidlna.xml xmpp-client.xml
mongodb.xml xmpp-local.xml
mosh.xml xmpp-server.xml
mountd.xml zabbix-agent.xml
mqtt-tls.xml zabbix-server.xml
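A worked example of the custom service definition mentioned above, added here and not part of the original page: a small shell function that writes a FirewallD service XML file. It assumes custom definitions go under /etc/firewalld/services (the administrator directory that overrides the packaged files in /usr/lib/firewalld/services); the service name bizapp and port 8443 are made up for the example.

```shell
# Generate a custom FirewallD service definition (added example).
# Custom XML files belong in /etc/firewalld/services: that directory overrides
# /usr/lib/firewalld/services and is not overwritten by package upgrades.
# The service "bizapp" on TCP 8443 is constructed for this example.
write_service_xml() {
    name="$1"; desc="$2"; port="$3"; proto="$4"
    outdir="${5:-/etc/firewalld/services}"
    # Reject names that could escape the directory or break the file name.
    case "$name" in
        ''|*[!A-Za-z0-9_.-]*|.*) echo "write_service_xml: bad name '$name'" >&2; return 1 ;;
    esac
    # Single numeric port only (ranges are out of scope for this example).
    case "$port" in
        ''|*[!0-9]*) echo "write_service_xml: bad port '$port'" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp|sctp|dccp) ;;
        *) echo "write_service_xml: bad protocol '$proto'" >&2; return 1 ;;
    esac
    mkdir -p "$outdir"
    cat > "$outdir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
    chmod 0644 "$outdir/$name.xml"
    printf '%s\n' "$outdir/$name.xml"
}

# On the server (as root), after writing the file:
#   write_service_xml bizapp "Internal application API" 8443 tcp
#   firewall-cmd --reload                          # load the new definition
#   firewall-cmd --add-service=bizapp --permanent  # allow it in the default zone
#   firewall-cmd --reload
#   firewall-cmd --list-services
```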
Step [4] Add or remove allowed services. A change made this way applies to the runtime environment only and is lost after the system reboots. To make a change permanent, add the [--permanent] option or use [--runtime-to-permanent].
# for example, add [http]
[root@vms ~]# firewall-cmd --add-service=http
success
[root@vms ~]# firewall-cmd --list-service
cockpit dhcpv6-client http ssh
# for example, remove [http]
[root@vms ~]# firewall-cmd --remove-service=http
success
[root@vms ~]# firewall-cmd --list-service
cockpit dhcpv6-client ssh
# permanent setting : [--permanent] - add setting to the permanent environment
[root@vms ~]# firewall-cmd --add-service=http --permanent
success
[root@vms ~]# firewall-cmd --list-service
cockpit dhcpv6-client ssh
# reload settings from the permanent environment to apply new setting
[root@vms ~]# firewall-cmd --reload
success
[root@vms ~]# firewall-cmd --list-service
cockpit dhcpv6-client http ssh
# permanent setting : [--runtime-to-permanent] - save the current runtime environment to the permanent environment
[root@vms ~]# firewall-cmd --add-service=http
success
[root@vms ~]# firewall-cmd --list-service
cockpit dhcpv6-client http ssh
[root@vms ~]# firewall-cmd --runtime-to-permanent
success
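An added check for the runtime/permanent split described in Step [4] (example code, not from the original page): it flattens two saved [firewall-cmd --list-all] dumps into one line per item and reports what exists on only one side, so rules added without [--permanent] (gone after a reload) or saved rules that are not live stand out. The file names runtime.txt and permanent.txt are assumptions.

```shell
# Spot drift between FirewallD's runtime and permanent zone settings (added
# example).  It reads saved 'firewall-cmd --list-all' outputs, so it runs
# offline; on the server:
#   firewall-cmd --list-all > runtime.txt
#   firewall-cmd --list-all --permanent > permanent.txt
#   fw_drift runtime.txt permanent.txt

# Flatten a --list-all dump into one "key: item" line per item, so that a
# single extra service shows up on its own line.  Indented continuation
# lines (forward-ports entries, rich rules) inherit the key above them.
fw_flatten() {
    awk 'NR > 1 {
        line = $0; sub(/^[ \t]+/, "", line)
        if (line ~ /^rich rules:/)   { key = "rich-rules:"; next }
        if (line ~ /^[a-z][a-z-]*:/) { key = $1; for (i = 2; i <= NF; i++) print key, $i; next }
        if (key == "rich-rules:")    { print key, line; next }
        for (i = 1; i <= NF; i++) print key, $i
    }' "$1" | LC_ALL=C sort -u
}

# Print each divergent item with the side it lives on; return 1 when the
# two views differ, 0 when they match.
fw_drift() {
    fwd_tmp=$(mktemp -d)
    fw_flatten "$1" > "$fwd_tmp/rt"
    fw_flatten "$2" > "$fwd_tmp/pm"
    LC_ALL=C comm -23 "$fwd_tmp/rt" "$fwd_tmp/pm" | sed 's/^/runtime-only (unsaved): /'
    LC_ALL=C comm -13 "$fwd_tmp/rt" "$fwd_tmp/pm" | sed 's/^/permanent-only (inactive): /'
    fwd_status=0
    cmp -s "$fwd_tmp/rt" "$fwd_tmp/pm" || fwd_status=1
    rm -rf "$fwd_tmp"
    return $fwd_status
}
```

A non-zero exit makes the check easy to wire into a cron job or monitoring probe that alerts when the live firewall no longer matches what is saved.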
Step [5] Add or remove allowed ports. To make the change permanent, add the [--permanent] or [--runtime-to-permanent] option as in the examples of Step [4].
# for example, add [TCP 465]
[root@vms ~]# firewall-cmd --add-port=465/tcp
success
[root@vms ~]# firewall-cmd --list-port
465/tcp
# for example, remove [TCP 465]
[root@vms ~]# firewall-cmd --remove-port=465/tcp
success
[root@vms ~]# firewall-cmd --list-port
Step [6] Add or remove prohibited ICMP types.
# for example, add [echo-request] to the block list
[root@vms ~]# firewall-cmd --add-icmp-block=echo-request
success
[root@vms ~]# firewall-cmd --list-icmp-blocks
echo-request
# for example, remove [echo-request]
[root@vms ~]# firewall-cmd --remove-icmp-block=echo-request
success
[root@vms ~]# firewall-cmd --list-icmp-blocks
# display available ICMP types
[root@vms ~]# firewall-cmd --get-icmptypes
address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect reject-route required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
Setup IP Masquerade
This is a configuration example of IP masquerading on FirewallD. The example is based on the following environment.

              Internet
    -------------+-------------
        Gateway | 10.0.0.1
                |
     External   |
       enp1s0 | 10.0.0.30
    +-----------+-----------+
    |                       |
    |   vms.bizantum.lab    |
    |                       |
    +-----------+-----------+
       enp7s0 | 192.168.0.30
     Internal   |
                |
Step [1] Change the zones for the interfaces.
# show current setting
[root@vms ~]# firewall-cmd --get-active-zone
public
interfaces: enp1s0 enp7s0
# change zone
[root@vms ~]# nmcli connection modify enp7s0 connection.zone internal
[root@vms ~]# nmcli connection modify enp1s0 connection.zone external
[root@vms ~]# firewall-cmd --get-active-zone
external
interfaces: enp1s0
internal
interfaces: enp7s0
Step [2] Set IP masquerading on the External zone (to set it permanently, add the [--permanent] or [--runtime-to-permanent] option).
# set IP Masquerading
[root@vms ~]# firewall-cmd --zone=external --add-masquerade
success
# confirm setting
[root@vms ~]# firewall-cmd --zone=external --query-masquerade
yes
# [ip_forward] is enabled automatically when masquerading is enabled
[root@vms ~]# cat /proc/sys/net/ipv4/ip_forward
1
Step [3] For example, configure that incoming packets arriving at port 22 of the External zone are forwarded to local port 1234.
[root@vms ~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=1234
success
[root@vms ~]# firewall-cmd --list-all --zone=external
external (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
port=22:proto=tcp:toport=1234:toaddr=
source-ports:
icmp-blocks:
rich rules:
Step [4] For example, configure that incoming packets arriving at port 22 of the External zone are forwarded to port 22 of another host [192.168.0.31].
[root@vms ~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=22:toaddr=192.168.0.31
success
[root@vms ~]# firewall-cmd --list-all --zone=external
external (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
port=22:proto=tcp:toport=1234:toaddr=
port=22:proto=tcp:toport=22:toaddr=192.168.0.31
source-ports:
icmp-blocks:
rich rules:
Step [5] For example, configure that outgoing packets from the Internal network [192.168.0.0/24] are allowed through the server and forwarded to the External side.
# set masquerading on the internal zone
[root@vms ~]# firewall-cmd --zone=internal --add-masquerade
success
[root@vms ~]# firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o enp1s0 -j MASQUERADE
[root@vms ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp7s0 -o enp1s0 -j ACCEPT
[root@vms ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp1s0 -o enp7s0 -m state --state RELATED,ESTABLISHED -j ACCEPT