firewalld is a front end to iptables, and firewall-cmd is its command line interface for managing firewall rules. It allows you to create firewall zones and associate IP addresses, services, ports and rules with them.
Check if package is installed
# rpm -qa | grep -i firewalld
Find the config file location
# rpm -qc firewalld
View the config file content
# vi /etc/firewalld/firewalld.conf
Check if firewall is running
# systemctl status firewalld
or
# firewall-cmd --state
Check what is allowed and what is not
# firewall-cmd --list-all
Note the active zone and the interface it is using
Playing with zones
List default zone
# firewall-cmd --get-default-zone
[root@sam yum.repos.d]# firewall-cmd --list-all
public (default, active)
interfaces: enp0s25
sources:
services: dhcp dhcpv6-client ssh tftp
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
List the zones available on the system
# firewall-cmd --get-zones
List active zones
# firewall-cmd --get-active-zones
In the active zone output, you will also see which interface the zone is bound to.
List the services
# firewall-cmd --get-services
Check the configuration of the services. Service definitions live in two places: 1. the default service location and 2. custom/user-defined services
1. The default service location
# cd /usr/lib/firewalld
[root@sam firewalld]# ls
icmptypes services xmlschema zones
# cd services
# cat ssh.xml
Review the file content
Playing with zones
Get default zone
# firewall-cmd --get-default-zone
Change your default zone
# firewall-cmd --set-default-zone=internal
Now, add a port to the configuration
# firewall-cmd --add-port=22/tcp
# firewall-cmd --list-all
Now, remove the port
# firewall-cmd --remove-port=22/tcp
# firewall-cmd --add-service=ssh
Reload the service
# firewall-cmd --reload
All runtime configuration is lost on reload, so you have to use the --permanent flag when adding the service
# firewall-cmd --add-service=mysql --permanent
Reload the service to apply the change
# firewall-cmd --reload
Make sure to reload, otherwise the change will not take effect.
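Because runtime changes vanish on reload, a quick audit that compares the runtime and permanent configuration of a zone is worth having. This is an added example, not code from the original post; diff_runtime_permanent works on the space-separated lists that firewall-cmd --list-services and --list-ports print, and only audit_zone needs a live firewalld.

```shell
#!/bin/sh
# Added example: find drift between firewalld runtime and permanent config.
# Items present only at runtime disappear on `firewall-cmd --reload`;
# items present only in the permanent config are not active until reload.

# diff_runtime_permanent RUNTIME PERMANENT
#   Both arguments are space-separated lists (output of --list-services or
#   --list-ports). Prints "runtime-only X" or "permanent-only X" per item.
#   Returns 1 if any drift was found, 0 if both lists match.
diff_runtime_permanent() {
    rt=$1; pm=$2; drift=0
    for item in $rt; do
        case " $pm " in *" $item "*) ;; *) echo "runtime-only $item"; drift=1 ;; esac
    done
    for item in $pm; do
        case " $rt " in *" $item "*) ;; *) echo "permanent-only $item"; drift=1 ;; esac
    done
    return $drift
}

# audit_zone [ZONE]: run the comparison against the live host (needs root
# and a running firewalld). Defaults to the default zone.
audit_zone() {
    zone=${1:-$(firewall-cmd --get-default-zone)}
    for kind in services ports; do
        rt=$(firewall-cmd --zone="$zone" --list-"$kind")
        pm=$(firewall-cmd --zone="$zone" --list-"$kind" --permanent)
        diff_runtime_permanent "$rt" "$pm" | sed "s/^/$zone $kind: /"
    done
}
```

Run audit_zone before a reload: every "runtime-only" line is a rule that was added without --permanent and is about to be lost.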
Adding multiple ports
# firewall-cmd --add-port={2800/tcp,300/tcp,4300/tcp}
Adding a port range
# firewall-cmd --add-port=4000-4200/tcp
Or adding multiple services
# firewall-cmd --add-service={mysql,ssh,http,https,ldap}
# firewall-cmd --list-all
You can remove multiple services the same way
# firewall-cmd --remove-service={mysql,ssh,http,https,ldap}
# firewall-cmd --list-all
Port forwarding
# netstat -ntlp
# firewall-cmd --list-all
Review the open ports
Now add a new port to the firewall
# firewall-cmd --add-port=8080/tcp
# firewall-cmd --list-all
# netstat -ntlp
# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80
Now, anything coming in on port 8080/tcp will be forwarded to port 80 on the same address; you will see that toaddr is empty.
If you want to send it to a different address and port, do the following (the key is toaddr, as shown in the --list-all output)
# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=192.168.10.110
Configuring more complex rules using rich rules
Allow all traffic from the .20 server and block it from the .30 server
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.10.20" accept'
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.10.30" drop'
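Rich rules are easy to get wrong because the rule text needs its own double quotes inside the shell's single quotes, and a mistyped address silently produces a rule that matches nothing. The following helper, an added example that is not part of the original post, builds the rule text from validated parts; build_rich_rule and is_ipv4 are assumed names, and only apply_rich_rule needs a running firewalld.

```shell
#!/bin/sh
# Added example: build a correctly quoted firewalld rich rule from validated
# parts instead of hand-typing the nested quotes.

# is_ipv4 ADDR[/PREFIX]: returns 0 for a dotted quad (octets 0-255) with an
# optional prefix length 0-32, 1 otherwise.
is_ipv4() {
    addr=${1%/*}; prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/" given: host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# build_rich_rule SOURCE ACTION [SERVICE]
#   Prints e.g.  rule family="ipv4" source address="192.168.10.20" accept
#   ACTION must be accept, drop or reject. Returns 1 on bad input.
build_rich_rule() {
    src=$1; action=$2; svc=$3
    is_ipv4 "$src" || { echo "bad source address: $src" >&2; return 1; }
    case "$action" in
        accept|drop|reject) ;;
        *) echo "bad action: $action" >&2; return 1 ;;
    esac
    rule="rule family=\"ipv4\" source address=\"$src\""
    [ -n "$svc" ] && rule="$rule service name=\"$svc\""
    echo "$rule $action"
}

# apply_rich_rule SOURCE ACTION [SERVICE]: add the rule to both the runtime
# and the permanent configuration of the default zone (needs root).
apply_rich_rule() {
    rule=$(build_rich_rule "$@") || return 1
    firewall-cmd --add-rich-rule="$rule" &&
    firewall-cmd --permanent --add-rich-rule="$rule"
}
```

apply_rich_rule 192.168.10.30 drop reproduces the second rule above; adding a service name (for example http) limits the rule to that service instead of all traffic from the source.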
Now, let's enable the web server on this host
# firewall-cmd --add-service=http
Now, go to both servers and try to access the web server
On the .20 host
$ elinks .20
or
$ curl .20
You should be able to access the server
Go to the .30 host
$ the request should be blocked