Firewalld commands for CentOS 7 and CentOS 8
Publisher: Psychz Networks, June 22, 2021

With the introduction of Red Hat Enterprise Linux 7.0 (RHEL) in 2011, firewalld was born and superseded iptables. At its core, firewalld is a zone-based firewall. Zone-based firewalls are network security systems that monitor traffic and take action based on defined rules applied to incoming and outgoing packets.
Firewalld provides firewall features by acting as a front-end for the Linux kernel's Netfilter framework via the nftables user-space utility. It provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It supports IPv4 and IPv6 firewall settings, Ethernet bridges, and IP sets. FirewallD is a wrapper for iptables that allows easier management of iptables rules; it is not an iptables replacement. While iptables commands are still available alongside FirewallD, it is recommended to use only FirewallD commands when FirewallD is running.
 

  • Managing FirewallD
  • Firewall Zones
  • Using Services
  • Port Forwarding
  • Constructing a Ruleset with FirewallD
  • Advanced Configuration
  • Conclusion

 
Managing FirewallD

FirewallD is included by default with CentOS 7 and 8, but it is inactive. Controlling it is the same as controlling any other systemd unit.


Start and Enable Firewalld

To start the service and enable FirewallD on system boot, use the following two commands.

# systemctl start firewalld

 

# systemctl enable firewalld


Stop and Disable Firewalld

In many troubleshooting scenarios you will need to stop or disable firewalld in order to run a test. Use the following commands to do so.

# systemctl stop firewalld

 

# systemctl disable firewalld


Checking the status of Firewalld

# firewall-cmd --state

The output should say either running or not running.
 

View the status of the FirewallD daemon

# systemctl status firewalld

Output

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2021-06-21 23:02:44 PDT; 3h 8min ago
     Docs: man:firewalld(1)
Main PID: 15984 (firewalld)
    Tasks: 2 (limit: 49784)
   Memory: 24.5M
   CGroup: /system.slice/firewalld.service
           └─15984 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

Jun 21 23:02:43 centos-8 systemd[1]: Starting firewalld - dynamic firewall daemon...
Jun 21 23:02:44 centos-8 systemd[1]: Started firewalld - dynamic firewall daemon.

 

To reload a FirewallD configuration:

# firewall-cmd --reload

 

Firewall Zones

Zones are predefined sets of rules for various scenarios. Different zones allow different network services and incoming traffic types while denying everything else. Zones can also be applied to different network interfaces. For example, with separate interfaces for an internal network and the Internet, you can allow DHCP on the internal zone but only HTTP and SSH on the external zone.

To view the default zone:

# firewall-cmd --get-default-zone

The output should be 'public.'
 

Changing the default Zone of firewalld

# firewall-cmd --set-default-zone=internal


View the Zones in use

To see the zones used by your network interface(s):

# firewall-cmd --get-active-zones

Example output:

public
  interfaces: eth0


Get configurations for all zones

# firewall-cmd --list-all-zones

Output

It shows the output of 5 different zones, including Block, DMZ, Drop, External, Home, Internal, Public, Trusted, Work in the following format.

  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

 

Using Services

FirewallD can allow traffic based on predefined rules for specific network services. You can also create your own custom service rules and add them to any zone. The configuration files for the default supported services are located in /usr/lib/firewalld/services, and user-created service files go in /etc/firewalld/services.
 


View default available services

# firewall-cmd --get-services

Output

RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server


Enable a service

Let us now see how to enable a service, using the HTTP service as the example.

# firewall-cmd --zone=public --add-service=http --permanent

The output of the above command is "Success."


Disable the HTTP service

# firewall-cmd --zone=public --remove-service=http --permanent

The output of the above command is "Success."

 

Allowing or Denying an Arbitrary Port/Protocol

As an example, let us see how to allow or deny TCP traffic on port 12345.

# firewall-cmd --zone=public --add-port=12345/tcp --permanent

 

# firewall-cmd --zone=public --remove-port=12345/tcp --permanent

The output of both commands is 'Success.'


Port Forwarding


Forward traffic to port on same Server

We will now create a rule that forwards traffic from port 80 to port 12345 on the same server.

# firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345


Forward traffic to port on different Server

If you want to forward a port to a different server, you need to activate masquerade in the desired zone.

# firewall-cmd --zone=public --add-masquerade

This example forwards traffic from local port 80 to port 8080 on a remote server at the IP address 192.10.10.0.

# firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.10.10.0

 

Remove rules

To remove the rules, replace '--add' with '--remove.'

# firewall-cmd --zone=public --remove-masquerade

 

Constructing a Ruleset with FirewallD

If you are running a web server, you can use FirewallD to assign a suitable ruleset to it.

Let us set dmz as the default zone and assign eth0 to it, as the dmz zone allows only SSH and ICMP.

# firewall-cmd --set-default-zone=dmz

 

# firewall-cmd --zone=dmz --add-interface=eth0

 

Permanent rules for HTTP and HTTPS

Add permanent service rules for HTTP and HTTPS to the dmz zone:

# firewall-cmd --zone=dmz --add-service=http --permanent

 

# firewall-cmd --zone=dmz --add-service=https --permanent

Reload FirewallD so the rules take effect immediately:

# firewall-cmd --reload

If you now run

# firewall-cmd --zone=dmz --list-all

this should be the output:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: http https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

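The ruleset above is applied one command at a time by hand. The following script, added here and not part of the original article, applies the same dmz web-server ruleset idempotently (querying before adding, so a rerun is harmless) and then verifies that the zone exposes exactly the intended services by parsing the --list-all output format shown above and in the zones section. The function names and the FWCMD, ZONE, IFACE and WANTED variables are this example's own choices; the --permanent on the interface binding is also an addition to the article's command.

```shell
#!/bin/sh
# Added example, not from the article: apply the dmz web-server ruleset
# idempotently and verify it. FWCMD, ZONE, IFACE and WANTED are names chosen
# here; point FWCMD at a stub for a dry run.
FWCMD="${FWCMD:-firewall-cmd}"
ZONE="${ZONE:-dmz}"
IFACE="${IFACE:-eth0}"
WANTED="${WANTED:-http https ssh}"   # everything the zone may expose, nothing more

# Add a service to the permanent config only when it is missing, so re-running
# the script never produces ALREADY_ENABLED warnings.
ensure_service() {  # $1 = service name
    if "$FWCMD" --zone="$ZONE" --query-service="$1" --permanent >/dev/null 2>&1; then
        return 0
    fi
    "$FWCMD" --zone="$ZONE" --add-service="$1" --permanent >/dev/null
}

apply_web_ruleset() {
    "$FWCMD" --state >/dev/null 2>&1 || { echo "firewalld is not running" >&2; return 1; }
    "$FWCMD" --set-default-zone="$ZONE" >/dev/null
    # --permanent keeps the interface binding across reloads; the article's
    # --add-interface without it is runtime only.
    "$FWCMD" --zone="$ZONE" --add-interface="$IFACE" --permanent >/dev/null
    for svc in http https; do ensure_service "$svc" || return 1; done
    "$FWCMD" --reload >/dev/null
}

# Pull one field (services, ports, target, ...) out of --list-all output.
zone_field() {  # $1 = listing text, $2 = field name
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# 0 when the zone exposes exactly the WANTED services (any order), else 1.
verify_services() {  # $1 = listing text
    have=$(zone_field "$1" services | tr ' ' '\n' | sort | tr '\n' ' ')
    want=$(printf '%s\n' "$WANTED" | tr ' ' '\n' | sort | tr '\n' ' ')
    [ "$have" = "$want" ] && return 0
    echo "services mismatch: have [$have] want [$want]" >&2
    return 1
}

check_web_ruleset() {
    verify_services "$("$FWCMD" --zone="$ZONE" --list-all)"
}

if [ "${1-}" = "--apply" ]; then
    apply_web_ruleset && check_web_ruleset
fi
```

Run it as root with the --apply argument on the CentOS host; a non-zero exit from check_web_ruleset means the zone exposes something other than http, https and ssh and should be inspected with --list-all.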
 

Advanced Configuration

Rich Rules and the Direct Interface allow you to add fully custom firewall rules to any zone for any port, protocol, address, and action. The examples below use Rich Rules.

Rich Rules

Following are some of the common examples.


Allow traffic from a particular host

Allow all IPv4 traffic from host 198.10.10.0:

# firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="198.10.10.0" accept'

 

Allow traffic (TCP) from a host to a specific port

Allow IPv4 traffic from host 198.10.10.0 to port 22.

# firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="198.10.10.0" port port=22 protocol=tcp accept'

 

Discard traffic (TCP) from a host

Deny IPv4 traffic over TCP from host 198.10.10.0 to port 22.

# firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="198.10.10.0" port port=22 protocol=tcp reject'


Allow traffic (TCP) from a host and forward it to a different port on the same system

Allow IPv4 traffic over TCP from host 198.10.10.0 to port 80 and forward it locally to port 6789.

# firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="198.10.10.0" forward-port port="80" protocol="tcp" to-port="6789"'

 

Forward traffic (TCP) from one port to another on a different host

Forward all IPv4 traffic on port 80 to port 8080 on host 198.20.10.0 (masquerade must be active on the zone).

# firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" forward-port port="80" protocol="tcp" to-port="8080" to-addr="198.20.10.0"'


List all Rich Rules

To list your current Rich Rules in the public zone:

# firewall-cmd --zone=public --list-rich-rules

 

Conclusion

You should now have a good understanding of administering the firewalld service on your CentOS system for day-to-day use. The firewalld service allows you to configure maintainable rules for your network environment. It lets you transition seamlessly between different firewall policies through zones, and lets administrators abstract port management into more friendly service definitions. A working knowledge of this system will allow you to take advantage of the tool's flexibility and power.
