How to Configure and Manage Firewall with FirewallD in Linux

To Configure and Manage Firewall with FirewallD in Linux

Firewalld lets you configure dynamic firewall rules in Linux that take effect without restarting the firewall. It also supports D-Bus and the zone concept, which keep configuration simple. The following article helps you configure and manage a firewall with useful firewalld rules in Linux.

First run the following command to verify whether the firewalld service is running.

[root@linuxhelp ~]# systemctl status firewalld

Now we know that it is running, next check all the active zones and services.

[root@linuxhelp ~]# firewall-cmd --get-active-zones
[root@linuxhelp ~]# firewall-cmd --get-services

To manage firewalld from a graphical interface, install the firewall-config package (the command below also installs firewalld itself if it is missing).

[root@linuxhelp ~]# yum install firewalld firewall-config

To list all active services, ports and rich rules for the public zone, use the following command.

[root@linuxhelp ~]# firewall-cmd --zone=public --list-all


Add and Remove Ports in Firewalld

To open a port in the public zone, use the command below. The --permanent option writes the rule to the saved configuration; it becomes active in the running firewall only after firewall-cmd --reload.

[root@linuxhelp ~]# firewall-cmd --permanent --zone=public --add-port=80/tcp

To remove the port added above, use the --remove-port option with the same --permanent flag; runtime and permanent changes are tracked separately, so a removal without --permanent leaves the saved rule in place.

[root@linuxhelp ~]# firewall-cmd --permanent --zone=public --remove-port=80/tcp

Now confirm whether the port was added or removed with the --list-ports option (add --permanent to check the saved configuration).

[root@linuxhelp ~]# firewall-cmd --zone=public --list-ports


Add and Remove Services in Firewalld

The following command adds the ftp service to the public zone (runtime only; add --permanent to keep it across reloads).

[root@linuxhelp ~]# firewall-cmd --zone=public --add-service=ftp

To remove the service, run the following command.

[root@linuxhelp ~]# firewall-cmd --zone=public --remove-service=ftp

Execute the command below to list the services.

[root@linuxhelp ~]# firewall-cmd --zone=public --list-services
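The port and service commands above behave differently with and without --permanent, which is easy to get wrong. The following shell helper, an added example that is not part of the original article, applies a port or service change to both the runtime and the permanent configuration after validating the input; the FW variable is an assumption that lets you point it at a stub for a dry run.

```shell
#!/bin/sh
# Added example, not part of the original article. Wraps firewall-cmd so a
# port or service change hits both the runtime and the permanent config:
# --add-* alone is lost at the next reload, and --permanent alone is not
# active until --reload. FW is assumed; point it at a stub for a dry run.
FW="${FW:-firewall-cmd}"

# Accept only NUMBER/tcp or NUMBER/udp with NUMBER in 1..65535.
fw_valid_port_spec() {
    case "$1" in */tcp|*/udp) ;; *) return 1 ;; esac
    n=${1%/*}
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -ge 1 ] && [ "$n" -le 65535 ]
}

# fw_change OP ZONE KIND VALUE   OP: add|remove   KIND: port|service
# Returns 2 on bad input, 1 if either firewall-cmd call fails, else 0.
fw_change() {
    op=$1; zone=$2; kind=$3; value=$4
    case "$op" in add|remove) ;; *) return 2 ;; esac
    case "$kind" in
        port)    fw_valid_port_spec "$value" || return 2 ;;
        service) case "$value" in ''|*[!a-zA-Z0-9_-]*) return 2 ;; esac ;;
        *)       return 2 ;;
    esac
    "$FW" --zone="$zone" "--$op-$kind=$value" >/dev/null || return 1
    "$FW" --permanent --zone="$zone" "--$op-$kind=$value" >/dev/null
}

# fw_present ZONE KIND VALUE: true only if present in runtime AND permanent config.
fw_present() {
    "$FW" --zone="$1" "--query-$2=$3" >/dev/null 2>&1 &&
    "$FW" --permanent --zone="$1" "--query-$2=$3" >/dev/null 2>&1
}
```

Run it as root on a firewalld host, for example fw_change add public port 80/tcp followed by fw_present public port 80/tcp; with FW=true it only exercises the validation.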

Block Incoming and Outgoing Packets

You can block all incoming and outgoing connections by turning panic mode on.

[root@linuxhelp ~]# firewall-cmd --panic-on

Now verify that panic mode is on with the --query-panic option; while it is on, the ping should fail.

[root@linuxhelp ~]# ping google.com -c 1
[root@linuxhelp ~]# firewall-cmd --query-panic

Disable panic mode, then ping again to check.

[root@linuxhelp ~]# firewall-cmd --query-panic
[root@linuxhelp ~]# firewall-cmd --panic-off
[root@linuxhelp ~]# ping google.com -c 1

To Masquerade IP Address

Masquerading (source NAT) lets machines behind this host reach the internet through it. Verify whether masquerading is enabled for the external zone.

[root@linuxhelp ~]# firewall-cmd --zone=external --query-masquerade

You can enable it with the following command.

[root@linuxhelp ~]# firewall-cmd --zone=external --add-masquerade

Now forward connections arriving on SSH port 22 to port 2222 on the host 192.168.0.132, then review the zone.

[root@linuxhelp ~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2222:toaddr=192.168.0.132
[root@linuxhelp ~]# firewall-cmd --zone=external --list-all


To Block and Enable ICMP

List the available ICMP types with the command below.

[root@linuxhelp ~]# firewall-cmd --get-icmptypes

Use the following command to check whether an ICMP block is already in place for a zone.

[root@linuxhelp ~]# firewall-cmd --zone=public --query-icmp-block=echo-reply

If you get 'no', enable the block with the following command.

[root@linuxhelp ~]# firewall-cmd --zone=public --add-icmp-block=echo-reply


Add/Remove Chain using Direct Interface

To add a custom rule through the direct interface, use the --direct option. Before that, list the current rules in the IN_public_allow chain with --get-rules.

[root@linuxhelp ~]# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow

To add a rule, use --add-rule.

[root@linuxhelp ~]# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT

To remove the rule, use --remove-rule with exactly the same arguments.

[root@linuxhelp ~]# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT

Firewalld Lockdown Rules

To protect firewalld from unwanted changes by local applications, enable lockdown in the firewalld.conf file.

[root@linuxhelp ~]# vim /etc/firewalld/firewalld.conf

Now change the setting to Lockdown=yes

Reload firewalld so the changed configuration file takes effect.

[root@linuxhelp ~]# firewall-cmd --reload

Verify that firewalld is in lockdown mode with the query option.

[root@linuxhelp ~]# firewall-cmd --query-lockdown

To turn lockdown mode on or off at runtime, use the following commands.

[root@linuxhelp ~]# firewall-cmd --lockdown-on
[root@linuxhelp ~]# firewall-cmd --lockdown-off

Enable Fail2ban-firewalld Support

To enable fail2ban support in firewalld, install the fail2ban-firewalld package; on RHEL/CentOS systems it comes from the EPEL repository, which must be enabled first.

Install the fail2ban-firewalld package using the following command.

[root@linuxhelp ~]# yum install fail2ban-firewalld -y


Next, start the fail2ban service and enable it so that it persists across reboots.

[root@linuxhelp ~]# systemctl start fail2ban
[root@linuxhelp ~]# systemctl enable fail2ban

Adding & Blocking IP Addresses

To allow a specific IP address such as 192.168.0.254 in the public zone, use the following rich rule.

[root@linuxhelp ~]# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'

Use the following command to list all rules of the public zone, including the rich rules.

[root@linuxhelp ~]# firewall-cmd --zone=public --list-all

To remove an added rule, use --remove-rich-rule as shown below.

[root@linuxhelp ~]# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'

To reject an IP address, use the reject action as shown below.

[root@linuxhelp ~]# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.250" reject'
[root@linuxhelp ~]# firewall-cmd --zone=public --list-all
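The port-forwarding and rich-rule commands above both take an IPv4 address straight from the operator. The following shell helpers, an added example that is not part of the original article, validate that address before calling firewall-cmd: fw_forward also refuses a forward to another host until masquerading is on in the zone, and fw_rich_source/fw_source build and apply the source-address rich rules. The FW variable is an assumption that lets you point the helpers at a stub for a dry run.

```shell
#!/bin/sh
# Added example, not part of the original article. fw_forward refuses a
# toaddr forward until masquerading is on in the zone (firewalld needs it
# for forwards to another host); fw_source builds and applies the
# source-address rich rules. FW is assumed; set it to a stub to dry-run.
FW="${FW:-firewall-cmd}"

# Four dotted-decimal octets, each 0..255.
fw_valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

fw_valid_port() {   # integer in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# fw_forward ZONE PORT PROTO TOPORT TOADDR
# Returns 2 on bad input, 3 if masquerading is off, else firewall-cmd's status.
fw_forward() {
    zone=$1; port=$2; proto=$3; toport=$4; toaddr=$5
    fw_valid_port "$port" && fw_valid_port "$toport" && fw_valid_ipv4 "$toaddr" || return 2
    case "$proto" in tcp|udp) ;; *) return 2 ;; esac
    if ! "$FW" --zone="$zone" --query-masquerade >/dev/null 2>&1; then
        echo "zone $zone: enable masquerade before forwarding to $toaddr" >&2
        return 3
    fi
    "$FW" --zone="$zone" \
        --add-forward-port="port=$port:proto=$proto:toport=$toport:toaddr=$toaddr"
}

# fw_rich_source ADDR ACTION: print the rich rule text (accept|reject|drop).
fw_rich_source() {
    fw_valid_ipv4 "$1" || return 2
    case "$2" in accept|reject|drop) ;; *) return 2 ;; esac
    printf 'rule family="ipv4" source address="%s" %s\n' "$1" "$2"
}

# fw_source ZONE ADDR ACTION: apply the rule to runtime and permanent config.
fw_source() {
    rule=$(fw_rich_source "$2" "$3") || return 2
    "$FW" --zone="$1" --add-rich-rule="$rule" >/dev/null || return 1
    "$FW" --permanent --zone="$1" --add-rich-rule="$rule" >/dev/null
}
```

On a firewalld host, fw_forward external 22 tcp 2222 192.168.0.132 reproduces the forward shown earlier and fw_source public 192.168.0.250 reject the reject rule; the exit status 3 tells you to enable masquerading first.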


FAQ
Q
How to install "firewalld" package manually on CentOS?
A
Use the following command to install "firewalld" on CentOS: "yum install firewalld".
Q
How can I display all the available zones in "firewalld"?
A
You can use the following command to display all the available zones in "firewalld".
Q
How can I access the firewall setup in the GUI on CentOS?
A
Yes, you can access the firewall setup in the GUI on CentOS: go to "Application -> sundry -> firewall".
Q
How do I add the "ssh" service permanently in "firewalld"?
A
You can use the following syntax to add the "ssh" service permanently in "firewalld": "firewall-cmd --permanent --zone=public --add-service=ssh".
Q
How can I review the current rules defined in "iptables"?
A
You can run the following command to review the current rules defined in "iptables": "iptables -L".