This article shows how to configure a firewall with FirewallD on CentOS 7 and introduces the basic FirewallD concepts. A properly configured firewall is one of the most important elements of overall system security. FirewallD is a firewall management tool that controls the system's iptables rules and applies them to the proper interfaces. It is a wrapper around iptables that makes managing iptables rules easier; it is not an iptables replacement.
Basic FirewallD Concepts
FirewallD works with the concepts of zones and services rather than iptables chains and rules. By configuring zones and services you control which traffic is allowed into or refused from the system. FirewallD is configured and maintained with the firewall-cmd command.
FirewallD services are predefined rule sets that can be used within a zone; each service specifies the settings needed to allow incoming traffic for a particular application or protocol.
FirewallD Configuration Sets
FirewallD uses two configuration sets: runtime and permanent. The runtime configuration is the configuration actually in effect, and it is not kept across reboots. When the FirewallD service starts it loads the permanent configuration, which then becomes the runtime configuration. Changes made with the firewall-cmd utility apply to the runtime configuration; to make a change permanent you must use the --permanent flag.
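Because a runtime change silently disappears on reboot, a practical check is to compare a zone's runtime and permanent service lists and flag anything present in only one of them. The script below is an added example, not part of the article: words_not_in and report_drift work on plain space-separated lists (so they can be exercised with constructed input), and only check_zone_sync calls firewall-cmd on a real host. The zone name public is assumed as the default argument.

```shell
#!/bin/sh
# Added example (not from the article): report drift between the runtime
# and permanent service sets of one FirewallD zone.

# Print each word of $1 that does not appear in $2 (both space-separated),
# one per line. Empty output means every word of $1 is also in $2.
words_not_in() {
    for w in $1; do
        case " $2 " in
            *" $w "*) ;;
            *) printf '%s\n' "$w" ;;
        esac
    done
}

# Compare two lists: services only at runtime are lost on reload/reboot,
# services only in the permanent set are not yet in effect.
# Returns 0 when the two sets match, 1 when they differ.
report_drift() {
    runtime="$1"; permanent="$2"; status=0
    for s in $(words_not_in "$runtime" "$permanent"); do
        echo "runtime only (lost on reboot): $s"; status=1
    done
    for s in $(words_not_in "$permanent" "$runtime"); do
        echo "permanent only (not yet active): $s"; status=1
    done
    return $status
}

# Live check on a CentOS 7 host; needs firewall-cmd. Zone defaults to public
# (assumption). Prints drift and how to reconcile it.
check_zone_sync() {
    zone="${1:-public}"
    runtime=$(firewall-cmd --zone="$zone" --list-services) || return 2
    permanent=$(firewall-cmd --permanent --zone="$zone" --list-services) || return 2
    if report_drift "$runtime" "$permanent"; then
        echo "zone $zone: runtime and permanent service sets match"
    else
        echo "to keep the running state:        firewall-cmd --runtime-to-permanent"
        echo "to discard runtime-only changes:  firewall-cmd --reload"
        return 1
    fi
}

# Usage on a CentOS 7 host:
# check_zone_sync public
```

Running the check before a planned reboot or firewall-cmd --reload tells you whether a port you opened at runtime (for instance http) will still be open afterwards, or whether a service removed only from the permanent set is still accepting connections right now.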
Discussing FirewallD Zones
FirewallD zones are predefined sets of rules that define what traffic is permitted based on the level of trust you place in the networks your workstation is connected to. Network interfaces and sources can be assigned to a zone, and a zone can hold services and ports. Several zones are available by default. The zones provided by FirewallD are listed below, ordered by trust level from untrusted to trusted.
Drop Zone: All incoming connections are dropped without any reply; only outgoing connections are allowed.
Block Zone: All incoming connections are rejected with an icmp-host-prohibited message; only outgoing connections are allowed.
Public Zone: Only the connections you explicitly allow are accepted. Rules set in the public zone open particular ports on the server; all other incoming connections are dropped.
External Zone: For use when the system acts as a gateway or router; masquerading is enabled. Other systems on the network are not trusted, so only explicitly allowed connections are accepted and all others are dropped.
Internal Zone: For use on private networks when your system acts as a gateway or router. Other systems on the network are generally trusted.
DMZ Zone: For systems in a demilitarized zone that must expose some services to the public. Only selected incoming connections are allowed.
Work Zone: For use on internal work networks. Other computers on the network are generally trusted, and only selected incoming connections are allowed.
Home Zone: For use on home networks. Other computers on the network are generally trusted, and only selected incoming connections are allowed.
Trusted Zone: All network connections are accepted.
Install and Enable FirewallD
FirewallD is installed by default on CentOS 7. If it is not present on your system, install the package with the command below.
sudo yum install firewalld
Check the firewall status
The FirewallD service is disabled by default. Use the command below to check the status of your firewall.
sudo firewall-cmd --state
To start the FirewallD service and enable it at boot, type:
sudo systemctl start firewalld
sudo systemctl enable firewalld
Managing with FirewallD Zones
When FirewallD is enabled for the first time, the public zone is set as the default zone. You can check the default zone with:
sudo firewall-cmd --get-default-zone
To list all available zones:
sudo firewall-cmd --get-zones
All network interfaces are assigned to the default zone. The command below shows which zones are in use by your network interfaces.
sudo firewall-cmd --get-active-zones
To display the configuration settings of a zone, use the command below.
sudo firewall-cmd --zone=public --list-all
To review the full configuration of all available zones, use the command below.
sudo firewall-cmd --list-all-zones
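The output of --list-all-zones is long, and what a reviewer usually wants is one line per zone showing whether it is active, which services and ports it exposes, and whether it masquerades or forwards traffic. The script below is an added example, not part of the article: audit_zones parses the CentOS 7 layout of that output (zone header at column 0, indented key: value lines) with awk, and SAMPLE is constructed text in that layout so the parser can be exercised without a CentOS host.

```shell
#!/bin/sh
# Added example (not from the article): summarise `firewall-cmd --list-all-zones`
# output, one line per zone, and warn about active zones that rewrite traffic.

# Reads --list-all-zones output on stdin. Assumes the CentOS 7 layout where
# forward-ports are printed on the same line as the key.
audit_zones() {
    awk '
    # Strip "key: " and trailing whitespace from a line, returning the value.
    function val(s) { sub(/^[^:]*: */, "", s); sub(/[ \t]+$/, "", s); return s }
    # A zone header is the only line that starts at column 0.
    /^[^ \t]/ {
        zone = $1
        if (!(zone in seen)) { seen[zone] = 1; order[++n] = zone }
        active[zone] = ($0 ~ /\(active\)/) ? "yes" : "no"
        next
    }
    /^  services:/      { svc[zone]  = val($0) }
    /^  ports:/         { prt[zone]  = val($0) }
    /^  masquerade:/    { masq[zone] = val($0) }
    /^  forward-ports:/ { fwd[zone]  = val($0) }
    END {
        for (i = 1; i <= n; i++) {
            z = order[i]
            printf "zone=%s active=%s services=\"%s\" ports=\"%s\" masquerade=%s forward=\"%s\"\n",
                   z, active[z], svc[z], prt[z], masq[z], fwd[z]
            if (active[z] == "yes" && (masq[z] == "yes" || fwd[z] != ""))
                printf "WARN: zone %s is active and rewrites traffic (masquerade/forward)\n", z
        }
    }'
}

# Constructed sample in the CentOS 7 --list-all-zones layout (three zones).
SAMPLE='block
  target: %%REJECT%%
  interfaces: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  rich rules: 

external (active)
  target: default
  interfaces: eth1
  services: ssh
  ports: 
  masquerade: yes
  forward-ports: port=80:proto=tcp:toport=8080:toaddr=
  rich rules: 

public (active)
  target: default
  interfaces: eth0
  services: ssh dhcpv6-client http
  ports: 8080/tcp
  masquerade: no
  forward-ports: 
  rich rules: 
'

# Run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_zones
}

# On a real host:
# sudo firewall-cmd --list-all-zones | audit_zones
```

The one-line-per-zone form makes it easy to diff against a known-good baseline, and the WARN line highlights the zones (such as external with masquerading on) where a misplaced interface would turn the host into a NAT gateway.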
Modifying the Zone of an Interface
You can change the zone of an interface by using the --zone flag together with the --change-interface flag. The command below assigns the eth1 interface to the work zone.
sudo firewall-cmd --zone=work --change-interface=eth1
Confirm the change by typing:
sudo firewall-cmd --get-active-zones
Replacing the Default Zone
You can change the default zone with the --set-default-zone flag.
sudo firewall-cmd --set-default-zone=home
Confirm the change:
sudo firewall-cmd --get-default-zone
Initiating a Service or Port
The command below allows incoming HTTP traffic (port 80) in the public zone.
sudo firewall-cmd --zone=public --add-service=http
To check that the service was added successfully, use the command below.
sudo firewall-cmd --zone=public --list-services
If you want port 80 to stay open after the server reboots, run the command again, this time with the --permanent flag.
sudo firewall-cmd --permanent --zone=public --add-service=http
To verify the permanent change, use the command below.
sudo firewall-cmd --permanent --zone=public --list-services
To remove a service, use --remove-service. For example, the command below removes the HTTP service from the public zone.
sudo firewall-cmd --zone=public --remove-service=http --permanent
To open a port in the public zone, use --add-port. For example, the command below opens port 80 for the public zone.
sudo firewall-cmd --zone=public --add-port=80/tcp
To check the open ports:
sudo firewall-cmd --zone=public --list-ports
To remove the port from the public zone, use the command below. Port 80 is the standard port for web traffic, so remove it only if your requirements allow.
sudo firewall-cmd --zone=public --remove-port=80/tcp
FirewallD Port Forwarding
To forward traffic from one port to another, you first need to enable masquerading for the desired zone with the following command.
sudo firewall-cmd --zone=external --add-masquerade
Forwarding traffic from one port to another on the same server
To forward traffic on the same server from port 80 to port 8080, use the following command.
sudo firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080
Forward traffic from the current server to another server
To forward traffic from port 80 to port 80 on another server with IP address 188.8.131.52:
sudo firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toaddr=184.108.40.206
Forwarding traffic to another server on a different port
The command below forwards traffic from port 80 to port 8080 on another server with the IP address 220.127.116.11.
sudo firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=18.104.22.168
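The --add-forward-port argument is easy to get subtly wrong (a port out of range, a bad address, or a rule that targets another host while masquerading is still off in the zone, so replies never return through this machine). The script below is an added example, not part of the article, covering the three forwarding forms shown above: forward_spec validates the pieces and builds the spec string, and apply_forward (the only function that needs firewall-cmd) refuses a remote target unless --query-masquerade reports masquerading on for the zone. The target address 203.0.113.10 in the usage line is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the article): validate and build the
# port=..:proto=..:toport=..:toaddr=.. spec used by --add-forward-port,
# and only apply a rule that targets another host when masquerading is on.

# Return 0 if $1 is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# forward_spec PORT PROTO TOPORT TOADDR
# Prints "port=P:proto=PR[:toport=TP][:toaddr=A]"; TOPORT or TOADDR may be
# empty but not both. Fails with a reason on stderr for invalid input.
forward_spec() {
    port="$1"; proto="$2"; toport="$3"; toaddr="$4"
    valid_port "$port" || { echo "bad source port: $port" >&2; return 1; }
    case "$proto" in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp, got: $proto" >&2; return 1 ;;
    esac
    spec="port=$port:proto=$proto"
    if [ -n "$toport" ]; then
        valid_port "$toport" || { echo "bad target port: $toport" >&2; return 1; }
        spec="$spec:toport=$toport"
    fi
    if [ -n "$toaddr" ]; then
        valid_ipv4 "$toaddr" || { echo "bad target address: $toaddr" >&2; return 1; }
        spec="$spec:toaddr=$toaddr"
    fi
    [ -n "$toport$toaddr" ] || { echo "need a target port, a target address, or both" >&2; return 1; }
    printf '%s\n' "$spec"
}

# apply_forward ZONE PORT PROTO TOPORT TOADDR  (needs firewall-cmd)
# Adds the runtime forward rule; for a remote target it first requires that
# masquerading is already enabled in the zone.
apply_forward() {
    zone="$1"; shift
    spec=$(forward_spec "$@") || return 1
    case "$spec" in
        *toaddr=*)
            firewall-cmd --zone="$zone" --query-masquerade >/dev/null || {
                echo "enable masquerade first: firewall-cmd --zone=$zone --add-masquerade" >&2
                return 1
            } ;;
    esac
    firewall-cmd --zone="$zone" --add-forward-port="$spec"
}

# Usage on a CentOS 7 host (203.0.113.10 is a constructed placeholder address):
# apply_forward external 80 tcp 8080 203.0.113.10
```

The validation is deliberately done in the shell before firewall-cmd is invoked so that a typo cannot produce a rule that differs from what was intended, and the masquerade check turns the "enable masquerading first" step from the text into something the script enforces rather than something the operator has to remember.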