How to Configure Firewalld in Linux CentOS 7 / RHEL7

Linux kernel includes powerful network filtering subsystem called Netfilter. It allows kernel modules to inspect each packet crossing the linux system such as to allow or drop incoming and outgoing network packet. In older Red Hat Enterprise Linux (RHEL) release such as RHEL 5 and RHEL 6, iptables was the main method of interacting with the kernel netfilter subsystem. The firewall capabilities were provided by the iptables utility, and configured either at the command line or through the graphical configuration tool, system-config-firewall.

configure firewalld in linux

In RHEL 7, firewalld has been introduced as a new method of interacting with netfilter. It is a default method for managing host-level firewalls. Basically the firewall capabilities are still provided by iptables. But linux administrators now interact with iptables through the dynamic firewall daemon, firewalld, and its configuration tools: firewall-config, firewall-cmd, and firewall-applet, which is not included in the default installation of Red Hat Enterprise Linux 7. Traffic management becomes easier after firewalld classifies all network traffic into a specific zone. Based on criteria such as source IP address of packets through the network, traffic was diverted into the firewall rules for approriate zone.

See also  How to Grep Multiples Lines and using Specific Keyword on Linux

How to Configure Firewalld in Linux

There are three main ways for system administrators to interact with firewalld.

  • By directly editing congfiguration files in /etc/firewalld
  • By using the graphical firewall-config tool
  • By using firewalld-cmd from the command line (will be discussed in this article)

This article will discuss how to configure firewalld in linux CentoS 7, RHEL 7 and Oracle linux 7 by using firewalld-cmd command line. Please take note that the firewalld daemon is installed from the firewalld package. It is part of a base install, but not part of a minimal installation.

1. How to install Firewalld :

See also  How to Secure Squid Proxy Server with Firewall Rules

Firewalld package is installed by default in RHEL 7.1 and CentOS 7.1. If you noticed it is not installed, you can install it using the following YUM command.

# sudo yum install firewalld -y

2. How to disable or enable Firewalld at boot :

a) To disable start at boot :

# sudo systemctl disable firewalld
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
rm '/etc/systemd/system/basic.target.wants/firewalld.service'

b) To enable start at boot :

# sudo systemctl enable firewalld

3. Verify that firewalld is enabled and running on your server system :

# sudo systemctl status firewalld.service

Example :

# sudo systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
   Active: active (running) since Wed 2015-09-09 21:26:25 MYT; 1 weeks 0 days ago
 Main PID: 2348 (firewalld)
   CGroup: /system.slice/firewalld.service
           ??2348 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Sep 09 21:26:25 centos71.ehowstuff.local systemd[1]: Started firewalld - dynamic firewall daemon.

4. How to query the current default zone ?

# sudo firewall-cmd --get-default-zone
public

In this case, the default zone is public.

See also  How to Enable mod_status Apache module on Ubuntu/CentOS

5. How to list all available zones ?

# sudo firewall-cmd --get-zones
block dmz drop external home internal public trusted work

This will display all available zones.

6. Open up incoming http,https and mysql traffic for public zone :

# sudo firewall-cmd --permanent --zone=public --add-service=http
# sudo firewall-cmd --permanent --zone=public --add-service=https
# sudo firewall-cmd --permanent --zone=public --add-service=mysql

7. Activate the changes to your server firewall :

# sudo firewall-cmd --reload

8. Check the configuration of the running firewall on your system :

a) Query active zone :

# sudo firewall-cmd --get-active-zones

b) Display all running firewall configuration :

# sudo firewall-cmd --zone=public --list-all

Example :

# sudo firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: ens32
  sources:
  services: dhcpv6-client http https mysql ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

I hope that this gives you some ideas and essential guidance on how to configure firewalld in linux RHEL 7 / CentOS 7.

 

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *