How to set up a Firewall in CentOS 7 and RHEL 7

Dear Friends, today we will see how to set up a firewall in CentOS 7 and RHEL 7, and what firewalld is on these systems. First of all, let's see what Firewalld is.

What is Firewalld in CentOS 7 and RHEL 7?

Firewalld is the default front-end controller for iptables on CentOS 7 and RHEL 7. It is a wrapper around iptables, not a replacement. Custom iptables commands can still be used alongside firewalld, but it is recommended to manage rules through firewalld so that its own rule set is not broken.


What is a Zone in Linux Firewalld?

Firewalld works on the concept of zones; a zone is applied to a network interface through NetworkManager. The zones and their descriptions are listed below.

  • Drop: – It's a low trust level. All incoming connections and packets are dropped without reply; only outgoing connections are possible, via connection tracking (statefulness).
  • Block: – Incoming connections are rejected with an ICMP message letting the initiator know the request is prohibited.
  • Public: – Other machines on the network are not trusted, but selected incoming connections will be explicitly allowed.
  • External: – Configures Firewalld for NAT (Network Address Translation). The internal network remains private but reachable.
  • DMZ: – Only certain incoming traffic will be allowed.
  • Work: – By default, trusts more computers on the network, assuming the system is in a secured work environment.
  • Home: – By default, more services are unfiltered in the home zone, assuming the system is on a home network where services such as NFS, SAMBA and SSDP are used.
  • Trusted: – All machines on the network are trusted. Most incoming connections are allowed unfettered.

Firewalld should be running and enabled at boot time; check and enable it with the commands below.

[root@urclouds-master ~]# systemctl status firewalld
 ● firewalld.service - firewalld - dynamic firewall daemon
    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
    Active: active (running) since Sun 2020-02-02 16:44:00 IST; 12min ago
      Docs: man:firewalld(1)
  Main PID: 8217 (firewalld)
    CGroup: /system.slice/firewalld.service
            └─8217 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Feb 02 16:44:01 urclouds-master firewalld[8217]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed: iptables: B… chain?).
Feb 02 16:44:01 urclouds-master firewalld[8217]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables… chain?).
Feb 02 16:44:01 urclouds-master firewalld[8217]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT' fail… chain?).
Feb 02 16:44:01 urclouds-master firewalld[8217]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT' fa… chain?).
Feb 02 16:44:01 urclouds-master firewalld[8217]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate REL… chain?).
Feb 02 16:44:01 urclouds-master firewalld[8217]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKE…hat name.
Feb 02 16:44:01 urclouds-master firewalld[8217]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! …hat name.
Feb 02 16:44:01 urclouds-master firewalld[8217]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed: iptable…hat name.
Feb 02 16:44:01 urclouds-master firewalld[8217]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-ISOLATION' failed: iptables…hat name.
Feb 02 16:44:01 urclouds-master firewalld[8217]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables… chain?).
Hint: Some lines were ellipsized, use -l to show in full.
[root@urclouds-master ~]#
[root@urclouds-master ~]# systemctl enable firewalld
[root@urclouds-master ~]#
[root@urclouds-master ~]# firewall-cmd --state
running
[root@urclouds-master ~]#

We can list the available firewall zones in Linux with the command below.

[root@urclouds-master ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@urclouds-master ~]#

We can check which zone is currently the default with the command below.

[root@urclouds-master ~]# firewall-cmd --get-default-zone
public
[root@urclouds-master ~]#

Set a rule allowing TCP port 80 in the current default zone with the command below.

[root@urclouds-master ~]# firewall-cmd --zone=public --add-port=80/tcp
success
[root@urclouds-master ~]#

In the output below (shown as a screenshot in the original post) we can see that TCP port 80 has been added successfully.

[Screenshot: setup Firewalld]

This change is not persistent: it applies to the runtime configuration only. If we want the firewall change to persist, we need to run the command below with --permanent.

[root@urclouds-master ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@urclouds-master ~]#

After that we need to restart firewalld.

[root@urclouds-master ~]# systemctl restart firewalld
[root@urclouds-master ~]#
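The runtime-only trap described above is easy to hit on a real host: a port added without --permanent disappears at the next reload or restart, and a port added only with --permanent is not live until then. The POSIX sh script below is an added example, not part of the original post: it parses the ports: line of the firewall-cmd --zone=Z --list-all output for both the runtime and the permanent view and reports entries present in only one of them. The firewall-cmd invocations in check_zone are the real command-line options; the two sample listings are constructed stand-ins so the parsing can be exercised offline without firewalld installed.

```shell
#!/bin/sh
# Added example (not from the original post): detect drift between the
# runtime and permanent port lists of a firewalld zone.
# Assumes firewall-cmd is on PATH when check_zone is used on a real host.

# Print the entries of the "ports:" line of a --list-all listing,
# one port/protocol per line, sorted.
ports_from_listing() {
    printf '%s\n' "$1" \
        | awk '/^[[:space:]]*ports:/ { for (i = 2; i <= NF; i++) print $i }' \
        | sort
}

# Compare two listings (runtime first, permanent second).
# Prints "runtime-only P" or "permanent-only P" per drifted entry;
# prints nothing when both views agree.
port_drift() {
    runtime=$(ports_from_listing "$1")
    permanent=$(ports_from_listing "$2")
    for p in $runtime; do
        printf '%s\n' "$permanent" | grep -qxF "$p" || echo "runtime-only $p"
    done
    for p in $permanent; do
        printf '%s\n' "$runtime" | grep -qxF "$p" || echo "permanent-only $p"
    done
}

# Real-host wrapper: fetch both views of a zone (default zone if none given).
check_zone() {
    zone=${1:-$(firewall-cmd --get-default-zone)}
    port_drift "$(firewall-cmd --zone="$zone" --list-all)" \
               "$(firewall-cmd --zone="$zone" --list-all --permanent)"
}

# Constructed sample listings. Runtime has 80/tcp added without --permanent;
# the permanent config still carries an 8443/tcp entry that was removed at
# runtime only. 443/tcp is present in both.
SAMPLE_RUNTIME='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 443/tcp 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'
SAMPLE_PERMANENT='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 443/tcp 8443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# Offline demonstration on the constructed samples.
port_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
```

On a real host, run check_zone public (or check_zone with no argument to use the default zone); empty output means the two views agree. Once they are aligned, firewall-cmd --reload makes the permanent configuration the new runtime configuration while keeping connection-tracking state, which is gentler than a full service restart.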

We can change the default zone with the commands below.

[root@urclouds-master ~]# firewall-cmd --set-default-zone=drop
success
[root@urclouds-master ~]# firewall-cmd --get-default-zone
drop
[root@urclouds-master ~]#

Now let's revert it.

[root@urclouds-master ~]# firewall-cmd --set-default-zone=public
success
[root@urclouds-master ~]# firewall-cmd --get-default-zone
public
[root@urclouds-master ~]#

That's all for this tutorial; we have seen how to set up a firewall in CentOS 7 and RHEL 7.
