Useful FirewallD Rules to Configure and Manage Firewall in Linux

Firewalld provides a way to configure dynamic firewall rules in Linux that can be applied instantly, without the need of a firewall restart, and it also supports D-Bus and the zone concept, which makes configuration easy. Firewalld replaced the old Fedora firewall mechanism (Fedora 18 onwards); RHEL/CentOS 7 and other recent distributions rely on this new mechanism.

One of the biggest motives for introducing the new firewall system is that the old firewall needed a restart after each change, which broke all active connections. As said above, the latest firewalld supports dynamic zones, which is useful for configuring different sets of zones and rules for your office or home network via the command line or a GUI.

Initially, the firewalld concept looks very difficult to configure, but services and zones make it easier by keeping both together, as covered in this article.

In our earlier article we saw how to play with firewalld and its zones; here we will look at some useful firewalld rules to configure your current Linux systems from the command line.

1. Firewalld Configuration in RHEL/CentOS 7

All the examples covered in this article were practically tested on the CentOS 7 distribution, and also work on RHEL and Fedora distributions. Before implementing firewalld rules, make sure to first check whether the firewalld service is enabled and running.

# systemctl status firewalld

The above picture shows that firewalld is active and running. Now it's time to check all the active zones and active services.

# firewall-cmd --get-active-zones
# firewall-cmd --get-services

Check Zones and Services

If you're not familiar with the command line, you can also manage firewalld from the GUI; for this you need to have the GUI package installed on the system. If it is not, install it using the following command.

# yum install firewalld firewall-config

As said above, this article is specially written for command line lovers, and all the examples we are going to cover are based on the command line only, no GUI way..sorry..

Before moving further, first confirm which public zone you're going to configure the Linux firewall on, and list all active services, ports and rich rules for the public zone using the following command.

# firewall-cmd --zone=public --list-all

Check Public Zones

In the above picture there aren't any active rules added yet; let's see how to add, remove and modify rules in the remaining part of this article.

1. Adding and Removing Ports in Firewalld

To open any port for the public zone, use the following command. For example, the following command will open port 80 for the public zone.

# firewall-cmd --permanent --zone=public --add-port=80/tcp

Similarly, to remove an added port, just use the remove option with the firewalld command as shown below.

# firewall-cmd --zone=public --remove-port=80/tcp

After adding or removing specific ports, make sure to confirm whether the port was added or removed by using the list-ports option.

# firewall-cmd --zone=public --list-ports

Add Port in Firewalld

2. Adding and Removing Services in Firewalld

By default firewalld comes with pre-defined services. If you want to add a list of specific services, you need to create a new XML file with all the services included in it, or else you can also add or remove each service manually by running the following commands. For example, the following commands add or remove a specific service, as we did for FTP in this example.

# firewall-cmd --zone=public --add-service=ftp
# firewall-cmd --zone=public --remove-service=ftp
# firewall-cmd --zone=public --list-services

Add Services in Firewalld

3. Block Incoming and Outgoing Packets (Panic Mode)

If you wish to block all incoming and outgoing connections, you need to use panic mode (panic-on) to block such requests. For example, the following rule will drop every existing established connection on the system.

# firewall-cmd --panic-on

After enabling panic mode, try to ping any domain (say google.com) and check whether panic mode is ON using the query-panic option, as listed below.

# ping google.com -c 1
# firewall-cmd --query-panic

Block Incoming Connections in Firewalld

As you can see in the above picture, the ping reports "unknown host google.com" while panic mode is on (even the DNS lookup is dropped). Now try to disable panic mode, then ping once again and check.

# firewall-cmd --query-panic
# firewall-cmd --panic-off
# ping google.com -c 1

Disable Panic Mode in Firewalld

This time there will be a ping reply from google.com.

4. Masquerading IP Address

Masquerading, also known as Network Address Translation (NAT), is basically a simple method for allowing a computer to connect to the internet with the help of a base machine acting as an intermediary.

Here we will see how to forward a port to the outside network. For example, if I want to SSH into my home virtual machine from anywhere, I need to forward my SSH port 22 to a different port (i.e. 2222).

Before doing port forwarding, first check whether masquerading is enabled for the external zone, because we are going to access the machine from the outside network.

# firewall-cmd --zone=external --query-masquerade

If it's not enabled, you can enable it with the following command.

# firewall-cmd --zone=external --add-masquerade

Now let's forward all SSH port 22 connections to port 2222 on IP address 192.168.0.132.

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2222:toaddr=192.168.0.132
# firewall-cmd --zone=external --list-all

Port Forwarding
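The port, service and forward-port commands from sections 1, 2 and 4 above, wrapped as an added example (not code from the original article) that applies each change to both the runtime and the permanent configuration, and only when it is missing, so the script can be re-run safely. The zone names, ports and the 192.168.0.132 address are the article's; FW_DRY_RUN and the function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the original article): add a port, service,
# masquerade or forward-port to a zone only when it is not already present,
# in BOTH runtime and permanent configuration. Runtime-only changes are lost
# at the next reload; --permanent ones only take effect after one.
# FW_DRY_RUN=1 prints the firewall-cmd calls instead of running them.

fw() {
  if [ "${FW_DRY_RUN:-0}" = 1 ]; then
    case "$*" in *--query-*) return 1 ;; esac   # dry run: nothing present yet
    printf 'firewall-cmd %s\n' "$*"
    return 0
  fi
  firewall-cmd "$@"
}

# fw_ensure ZONE KIND [VALUE]: KIND is what follows --add-/--query-
# (port, service, masquerade, forward-port, rich-rule); masquerade has no VALUE.
fw_ensure() {
  local zone=$1 kind=$2 value=$3 suffix="" scope
  if [ -n "$value" ]; then suffix="=$value"; fi
  for scope in "" --permanent; do
    # --query-* exits 0 when the item is present and 1 when it is not
    if ! fw $scope --zone="$zone" "--query-$kind$suffix" >/dev/null 2>&1; then
      fw $scope --zone="$zone" "--add-$kind$suffix"
    fi
  done
}

# The port and service examples from the article, made idempotent.
fw_web_and_ftp() {
  fw_ensure public port 80/tcp
  fw_ensure public service ftp
}

# The article's forward: what arrives on port 22 of the external zone is sent
# on to 192.168.0.132:2222. firewalld needs masquerading on in that zone when
# the target is another host, so it is ensured first.
fw_ssh_forward() {
  fw_ensure external masquerade
  fw_ensure external forward-port port=22:proto=tcp:toport=2222:toaddr=192.168.0.132
}

# Apply for real only when run as:  ./fw-ensure.sh apply
if [ "${1:-}" = apply ]; then
  fw_web_and_ftp
  fw_ssh_forward
fi
```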

5. How to Block and Enable ICMP

First, check the ICMP types available with the command below.

# firewall-cmd --get-icmptypes

To add an ICMP block on any zone, you can use the following command. For example, here I am going to add an ICMP block on the external zone; before blocking, just query the current status of the ICMP block.

# firewall-cmd --zone=public --query-icmp-block=echo-reply

If you get "no", that means there isn't any ICMP block applied; let's enable (block) ICMP.

# firewall-cmd --zone=public --add-icmp-block=echo-reply

Block ICMP in Firewalld

6. Adding and Removing Chains using the Direct Interface

To add a custom direct interface rule, we can use the direct option in any chain (Public, Work, Internal, External). For example, here we're going to add a rule in the Public zone. Before adding any rule, first list all the current rules in the public zone using get-rules.

# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow

To add a rule, use add-rule as shown below.

# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT

To remove the rule, just replace add-rule with remove-rule.

# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT

Add Remove Chains

7. Firewalld Lockdown Rules

It's possible for any local application that has root privileges to change the firewalld rules. To prevent changes to the firewalld rules, we have to enable lockdown in the firewalld.conf file. This is mostly used to protect firewalld from unwanted rule changes by applications.

# vim /etc/firewalld/firewalld.conf

Change no to yes:

Lockdown=yes

Lock Down Firewalld Rules

To make it permanent, reload the changes using reload.

# firewall-cmd --reload

After making the above changes, verify whether firewalld is locked down using the query option.

# firewall-cmd --query-lockdown

To turn lockdown mode on or off, use the following commands.

# firewall-cmd --lockdown-on
# firewall-cmd --lockdown-off

On Off Lock Down Rules in Firewalld

8. Enabling Fail2ban-firewalld Support

To enable support for fail2ban in firewalld, we need to install the package called fail2ban-firewalld by enabling the EPEL repository under RHEL/CentOS systems. The fail2ban support provides some additional protective rules for SSH, SSH-DDOS, MariaDB, Apache etc. After enabling EPEL, let's install the fail2ban-firewalld package using the following command.

# yum install fail2ban-firewalld -y

Install Fail2ban Firewalld

After installing the package, start the fail2ban service and enable it to make it persistent.

# systemctl start fail2ban
# systemctl enable fail2ban

Enable Fail2ban Firewalld

9. Adding & Blocking IP Addresses

To add a specific IP address (192.168.0.254) to the trusted public zone, use the following command.

# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'

After adding the above rule, don't forget to list all the rules of the trusted public zone.

# firewall-cmd --zone=public --list-all

To remove any added rule, just replace add-rich-rule with remove-rich-rule as shown in the command below.

# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'

Add Block IP Address

To reject or drop an IP address from the trusted zones, just replace accept with reject as shown in the command below.

# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.250" reject'
# firewall-cmd --zone=public --list-all

Reject IP Address
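Several sections above end with `firewall-cmd --zone=public --list-all` to confirm what is open. As an added example, not from the original article, this script parses that listing and reports anything outside an allowlist, so a stray port or a rich rule like the ones from section 9 gets noticed during review. The listing embedded in it is constructed; `audit_zone_listing`, `sample_listing` and the allowlist arguments are this example's own names.

```shell
#!/bin/bash
# Added example (not from the original article): compare a zone's
# `firewall-cmd --zone=ZONE --list-all` output (on stdin) with the services
# and ports you expect to be open, so an accidental --add-port or a rich rule
# left behind shows up. Usage:
#   firewall-cmd --zone=public --list-all | audit_zone_listing "ssh" "80/tcp"
# Exit status 1 when an unlisted service or port is open. Rich rules and
# masquerading are printed with a REVIEW prefix but do not fail the audit.
audit_zone_listing() {
  local allow_services=$1 allow_ports=$2
  awk -v svc="$allow_services" -v prt="$allow_ports" '
    BEGIN {
      bad = 0
      n = split(svc, a, " "); for (i = 1; i <= n; i++) ok_s[a[i]] = 1
      n = split(prt, a, " "); for (i = 1; i <= n; i++) ok_p[a[i]] = 1
    }
    # "  services: dhcpv6-client ssh": every word after the label is a service
    /^  services:/ { for (i = 2; i <= NF; i++) if (!($i in ok_s)) { print "UNEXPECTED service " $i; bad = 1 } }
    # "  ports: 80/tcp 8080/tcp": every word after the label is port/proto
    /^  ports:/ { for (i = 2; i <= NF; i++) if (!($i in ok_p)) { print "UNEXPECTED port " $i; bad = 1 } }
    /^  masquerade: yes/ { print "REVIEW masquerade is enabled in this zone" }
    # rich rules follow the "rich rules:" label one per line, tab-indented;
    # $1 = $1 rebuilds the line without that indentation
    $1 == "rule" { $1 = $1; print "REVIEW " $0 }
    END { exit bad }
  '
}

# Constructed listing for offline use; it mirrors what the article's
# --list-all shows after the port and rich-rule steps, plus a stray 8080/tcp.
sample_listing() {
  printf '%s\n' 'public (active)' '  target: default' '  interfaces: eth0' \
    '  services: dhcpv6-client ssh' '  ports: 80/tcp 8080/tcp' \
    '  masquerade: no' '  rich rules: '
  printf '\trule family="ipv4" source address="192.168.0.254" accept\n'
}

# Audit the constructed listing; exits 1 because 8080/tcp is not expected.
audit_sample() {
  sample_listing | audit_zone_listing "ssh dhcpv6-client" "80/tcp"
}

if [ "${1:-}" = demo ]; then audit_sample; fi
```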

Conclusion

Here we have seen how to configure some of the rules and default services in firewalld. If there is any query regarding the above firewalld rules, feel free to leave your valuable comments below.