How to configure a firewall with FirewallD on CentOS 7

A properly configured firewall is one of the most important aspects of overall system security.

FirewallD is a complete firewall solution that manages the system's iptables rules and provides a D-Bus interface for operating on them. Starting with CentOS 7, FirewallD replaced iptables as the default firewall management tool.

In this tutorial, we'll show you how to set up FirewallD on CentOS 7 and explain its basic concepts.

Prerequisites

Before starting this tutorial, make sure you are logged into the server with sudo privileges or with the user root. If you don’t already have a sudo user on your CentOS system, you can create one by following these instructions.

Basic FirewallD concepts

FirewallD uses the concepts of zones and services instead of iptables chains and rules. Depending on the zones and services you configure, you control which traffic is allowed to or from the system.

The firewall can be configured and managed with the firewall-cmd command line utility.

Firewall zones

A zone is a set of rules that determine which traffic is allowed; which zone you use depends on the level of trust you have in the network the computer is connected to.

FirewallD provides the following zones, ordered from the least trusted to the most trusted:

  • drop: All incoming connections are dropped without any notification. Only outgoing connections are allowed.
  • block: All incoming connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only outgoing connections are allowed.
  • public: For use in untrusted public places. You do not trust other computers on the network, but you can allow selected incoming connections.
  • external: For use on external networks with NAT masquerading enabled when your system acts as a gateway or router. Only selected incoming connections are allowed.
  • internal: For use on internal networks when your system acts as a gateway or router. Other systems on the network are generally trusted. Only selected incoming connections are allowed.
  • dmz: Used for computers located in your demilitarized zone (DMZ) that have limited access to the rest of your network. Only selected incoming connections are allowed.
  • work: Used for work machines. Other computers on the network are generally trusted. Only selected incoming connections are allowed.
  • home: Used for home machines. Other computers on the network are generally trusted. Only selected incoming connections are allowed.
  • trusted: All network connections are accepted. Trust all computers on the network.

Firewall services

Firewall services are predefined rules that apply within a zone and define the settings needed to allow incoming traffic for a specific service.

Firewall runtime and persistent settings

FirewallD uses two separate configuration sets: runtime and permanent.

The runtime configuration is the configuration actually in effect, and it is not retained across reboots. When the firewalld service starts, it loads the permanent configuration, which then becomes the runtime configuration.

By default, changes made with the firewall-cmd utility are applied to the runtime configuration only; to make a change permanent, add the --permanent flag.

Install and enable FirewallD

In this section we will discuss how to install and activate FirewallD on CentOS 7.

  1. Install FirewallD

    FirewallD is installed by default on CentOS 7, but if it is not installed on your system, install the firewalld package with the following command:

    sudo yum install firewalld
  2. Check the FirewallD status

    To check the status of the FirewallD service, use the command:

    sudo firewall-cmd --state

    If it has just been installed or has never been activated, the command prints not running; otherwise, if it is running, you will see running.

  3. Enable FirewallD

    To start the FirewallD service and enable it at boot:

    sudo systemctl start firewalld
    sudo systemctl enable firewalld

Manage FirewallD zones

After enabling the FirewallD service for the first time, the public zone is set as the default zone. You can view the default zone by typing:

sudo firewall-cmd --get-default-zone
public

To get a list of all available zones, type:

sudo firewall-cmd --get-zones
block dmz drop external home internal public trusted work

By default, all network interfaces are assigned to the default zone. To check which zones your network interfaces are using, type:

sudo firewall-cmd --get-active-zones
public
  interfaces: eth0 eth1

The output above tells us that both interfaces, eth0 and eth1, are assigned to the public zone.

You can print the zone configuration settings with:

sudo firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

From the output above, we can see that the public zone is active and set as the default, that it is used by the interfaces eth0 and eth1, and that connections associated with the DHCP client and SSH are allowed.

If you want to check the configuration of all available zones:

sudo firewall-cmd --list-all-zones

The command prints a large list with the settings of all available zones.

Change the zone of an interface

You can easily change the zone of an interface by using the --zone flag in combination with the --change-interface flag. The following command assigns the interface eth1 to the work zone:

sudo firewall-cmd --zone=work --change-interface=eth1

Check for changes by typing:

sudo firewall-cmd --get-active-zones
work
  interfaces: eth1
public
  interfaces: eth0

Change the default zone

To change the default zone, use the --set-default-zone flag followed by the name of the zone you want to make the default. For example, to change the default zone to home, run the following command:

sudo firewall-cmd --set-default-zone=home

Check for changes by:

sudo firewall-cmd --get-default-zone
home

How to open a port or service

With FirewallD you can allow traffic to specific ports based on predefined rules called services.

To get a list of all the predefined services available, type:

sudo firewall-cmd --get-services


You can find more information about each service by opening the associated .xml file in the /usr/lib/firewalld/services directory. For example, the HTTP service is defined as follows:

nano /usr/lib/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>

To allow incoming HTTP traffic (port 80) for interfaces in the public zone, but only for the current session (runtime configuration), type:

sudo firewall-cmd --zone=public --add-service=http

If you are modifying the default zone, you can omit the --zone flag.

To verify that the service was added successfully, use the --list-services flag:

sudo firewall-cmd --zone=public --list-services
ssh dhcpv6-client http

If you want to keep port 80 open after a reboot, you need to run the same command once more, this time with the --permanent flag:

sudo firewall-cmd --permanent --zone=public --add-service=http

Use --list-services together with the --permanent flag to check your changes:

sudo firewall-cmd --permanent --zone=public --list-services
ssh dhcpv6-client http
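Because runtime and permanent rules are tracked separately, a service added without --permanent silently disappears on the next reload or reboot, and a service added only with --permanent is not enforced until a reload. The following added script (not part of the tutorial) compares the two service lists of a zone and reports both kinds of drift; the sample lists at the bottom are constructed, and the commented-out call shows how to feed it real firewall-cmd output.

```shell
#!/bin/sh
# Added example (not part of the tutorial): compare a zone's runtime and
# permanent service lists and report rules that would be lost on reload or
# reboot (runtime only) or that are saved but not yet active (permanent only).

# Print each word of list $1 that does not appear in list $2.
missing_from() {
    for item in $1; do
        found=0
        for other in $2; do
            if [ "$item" = "$other" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$item"; fi
    done
    return 0
}

# report_drift ZONE RUNTIME_LIST PERMANENT_LIST -> one finding per line.
report_drift() {
    zone=$1
    missing_from "$2" "$3" | while read -r svc; do
        printf '%s: %s is active now but not permanent (lost on reload)\n' "$zone" "$svc"
    done
    missing_from "$3" "$2" | while read -r svc; do
        printf '%s: %s is permanent but not active (run firewall-cmd --reload)\n' "$zone" "$svc"
    done
}

# Live use on a CentOS 7 host (needs firewalld):
#   report_drift public "$(sudo firewall-cmd --zone=public --list-services)" \
#                       "$(sudo firewall-cmd --permanent --zone=public --list-services)"

# Constructed sample lists: http was added at runtime only, https was added
# with --permanent but the firewall has not been reloaded yet.
SAMPLE_RUNTIME="ssh dhcpv6-client http"
SAMPLE_PERMANENT="ssh dhcpv6-client https"
report_drift public "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
```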

The syntax for removing a service is the same as for adding one. Just use --remove-service instead of --add-service:

sudo firewall-cmd --zone=public --remove-service=http --permanent

The above command will remove the http service from your permanent public zone configuration.

Let's look at an example: suppose you run an application such as Plex Media Server, for which no predefined service exists. In that case you have two options: open the appropriate port(s), or define a new FirewallD service.

For example, the Plex server listens on port 32400 over TCP. To open that port in the public zone for the current session, use the --add-port= flag:

sudo firewall-cmd --zone=public --add-port=32400/tcp

The protocol can be either tcp or udp.

To verify that the port was added successfully, use the --list-ports flag:

sudo firewall-cmd --zone=public --list-ports
32400/tcp

To keep port 32400 open after a reboot, make the rule permanent by running the same command with the --permanent flag added.

The syntax for removing a port is the same as for adding one. Just use --remove-port instead of --add-port:

sudo firewall-cmd --zone=public --remove-port=32400/tcp

Create a new FirewallD service

As mentioned above, the predefined services are stored in the /usr/lib/firewalld/services directory. The easiest way to create a new service is to copy an existing service file into the /etc/firewalld/services directory, where user-defined services are kept.

For example, to create a service definition for Plex Media Server, we can copy the SSH service file:

sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/plexmediaserver.xml

Open the newly created plexmediaserver.xml file and change the short name and the description of the service in the <short> and <description> tags. The most important tag you need to change is the port tag, which defines the port number and protocol you want to open.

In the following example we open port 1900 over UDP and port 32400 over TCP.

sudo nano /etc/firewalld/services/plexmediaserver.xml
<?xml version="1.0" encoding="utf-8"?>
<service version="1.0">
  <short>plexmediaserver</short>
  <description>Plex is a streaming media server that brings all your video, music and photo collections together and streams them to your devices at any time and from anywhere.</description>
  <port protocol="udp" port="1900"/>
  <port protocol="tcp" port="32400"/>
</service>

Save the file and reload the FirewallD service:

sudo firewall-cmd --reload

You can now use the plexmediaserver service in your zones like any other service.

How to forward a port with FirewallD

To forward traffic from one port to another port or address, first enable masquerading for the desired zone with the --add-masquerade switch. For example, to enable masquerading on the external zone:

sudo firewall-cmd --zone=external --add-masquerade

  • Forward traffic to a different port on the same server
    In the following example we redirect traffic from port 80 to port 8080 on the same server:
    sudo firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080
  • Forward traffic to another server
    In the following example we redirect traffic from port 80 to port 80 on the server with IP 10.10.10.2:
    sudo firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toaddr=10.10.10.2
  • Forward traffic to another server on a different port
    In the following example we redirect traffic from port 80 to port 8080 on the server with IP 10.10.10.2:
    sudo firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=10.10.10.2

    If you want to make the forwarding changes permanent, just add the --permanent flag.

Create a ruleset with FirewallD

In the following example we'll show how to configure the firewall for a web server. We assume your server has only one interface, eth0, and that you want to allow incoming traffic only on the SSH, HTTP and HTTPS ports.

  1. Change the default zone to dmz

    We will use the dmz (demilitarized) zone because by default it only allows SSH traffic. To change the default zone to dmz and assign it to the eth0 interface, run the following commands:

    sudo firewall-cmd --set-default-zone=dmz
    sudo firewall-cmd --zone=dmz --add-interface=eth0

  2. Open the HTTP and HTTPS ports

    To open the HTTP and HTTPS ports, add permanent service rules to the dmz zone:

    sudo firewall-cmd --permanent --zone=dmz --add-service=http
    sudo firewall-cmd --permanent --zone=dmz --add-service=https

    Make the changes effective immediately by reloading the firewall:

    sudo firewall-cmd --reload
  3. Verify the changes

    To check the dmz zone configuration settings:
    sudo firewall-cmd --zone=dmz --list-all
    dmz (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0
      sources:
      services: ssh http https
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:

    The output above tells us that the dmz zone is the default, that it is applied to the eth0 interface, and that the SSH port (22), HTTP port (80) and HTTPS port (443) are open.
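Reading the --list-all dump by eye works once; checking it regularly is how you notice a port or service someone added later. The added script below (not from the tutorial) audits such a dump against the services the web server is supposed to expose and flags extra services, open ports, forward-ports, source-ports and masquerading. The dump at the bottom is a constructed variant of the one above with two additions, and the commented-out call shows how to run it against real firewall-cmd output.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a "firewall-cmd --zone=ZONE
# --list-all" dump against the services a web server should expose. Extra
# services, any open ports, forward-ports, source-ports or masquerading are
# reported as findings; audit_zone returns the number of findings.

# Print the value of the "KEY:" line in DUMP (empty if the key has no value).
field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"
}

# audit_zone DUMP ALLOWED_SERVICES -> findings on stdout, count as exit status.
audit_zone() {
    dump=$1; allowed=$2; findings=0
    for svc in $(field "$dump" services); do
        case " $allowed " in
            *" $svc "*) ;;
            *) echo "unexpected service: $svc"; findings=$((findings + 1)) ;;
        esac
    done
    for key in ports forward-ports source-ports; do
        val=$(field "$dump" "$key")
        if [ -n "$val" ]; then
            echo "unexpected $key: $val"; findings=$((findings + 1))
        fi
    done
    if [ "$(field "$dump" masquerade)" = yes ]; then
        echo "masquerade enabled"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Live use: audit_zone "$(sudo firewall-cmd --zone=dmz --list-all)" "ssh http https"

# Constructed dump: the tutorial's dmz zone plus a service and a port that
# were added later at runtime.
SAMPLE_DUMP='dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh http https mysql
  ports: 32400/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'
audit_zone "$SAMPLE_DUMP" "ssh http https" || echo "findings: $?"
```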

Conclusion

You have learned how to configure and manage the FirewallD service on your CentOS system.

Be sure to allow only the incoming connections that are necessary for the proper operation of your system, while restricting all unnecessary connections.
