20 IPtables Examples For New SysAdmins

In a previous post I showed how to disable firewalld and roll back to our favourite post-systemd iptables firewall. In this post we are going to see how to configure firewalld in RHEL/CentOS 7 and Fedora 21/22.

Firewalld is a dynamic daemon for configuring and managing firewalls (typically iptables rules) with support for network zones and more. In earlier versions, RHEL and CentOS 6, we used the iptables service as the daemon for packet filtering. In RHEL/CentOS 7 and Fedora 21/22 the iptables interface is being replaced by firewalld.

Unfortunately, it is advised to start using firewalld instead of iptables, as iptables may be discontinued in the near future (I hope not completely). However, iptables is still supported and can be installed with the YUM command (soon DNF…). Keep in mind that we can't run with both firewalld and iptables enabled on the same system; they will conflict.

In the old days with iptables, we used to configure INPUT, OUTPUT and FORWARD rules, but firewalld works with the concept of zones. By default, there are several zones in firewalld.

The basic zones are roughly a public zone and a private zone. To make things work with these zones, you add the interface to the zone you want (public or private), and then you can add services to firewalld.

Firewalld (hopefully) works with IPv4, IPv6 and Ethernet bridges. Let's start working with these zones, create our own services and much more using firewalld.

 

Step 1: Installing Firewalld Package

The firewalld package is installed by default in RHEL/CentOS 7 and Fedora 21. If not, you can install it using the following YUM (soon DNF) command.

 

After the firewalld package has been installed, it's time to verify whether the iptables service is running or not. If it is running, you need to stop and mask (so it cannot be started again) the iptables service with the commands below.

 

Step 2: Getting Used to the New Firewalld Zones

Before heading into the firewalld configuration, let's look at zones. By default several zones are available, and we need to assign each interface to a zone. A zone defines the level of trust given to connections arriving on the interfaces assigned to it, and a zone can contain services and ports. Here we describe each of the zones available in firewalld.

  1. Drop Zone: Any incoming packets are dropped if we use the drop zone. This is the same as using iptables -j DROP. With the drop rule there is no reply; only outgoing network connections are possible.
  2. Block Zone: The block zone rejects incoming network connections with an icmp-host-prohibited message. Only connections established from within the server are allowed.
  3. Public Zone: To accept selected connections, we can define rules in the public zone. Only the specific ports opened on our server are allowed; other connections are dropped.
  4. External Zone: This zone acts as a router option with masquerading enabled. Other connections are dropped and not accepted; only the specified connections are allowed.
  5. DMZ Zone: If we need to allow public access to some of our services, we can define them in the DMZ zone. This zone, too, accepts only selected incoming connections.
  6. Work Zone: In this zone we can define only internal networks, i.e. private network traffic is allowed.
  7. Home Zone: This zone is used especially in home environments; we use it when we trust the other computers on the network not to harm our computer. Like the other zones, it allows only the selected incoming connections.
  8. Internal Zone: Similar to the work zone, with selected allowed connections.
  9. Trusted Zone: If we set the trusted zone, all traffic is accepted.

Now that you (hopefully) have a better idea of zones and what they do, let's find out the available zones, the default zone and list all zones using the following commands.

 

Note: The output of the above command won't fit on a single page, as it lists all zones, so pipe it through | more or | less, or redirect it to a file with > to read it.

Step 3: Setting the Default Zone You Need

If you would like to set the default zone to internal, external, drop, work or any other zone, you can use the command below. Here we use the "internal" zone as the default.

After setting the zone, verify the default zone using the command below.

 

Another interesting feature of firewalld is 'icmptype', one of the ICMP types supported by firewalld. To get the list of supported ICMP types, we can use the command below.

Step 4: Creating Your Own Services in Firewalld

Services are sets of rules with ports and options used by firewalld. Services which are enabled are loaded automatically when the firewalld service is up and running. By default, many services are available; to get the list of all available services, use the following command.

To see the default available services, go to the following directory, where you will find the list of service definitions.

To create your own service, you need to define it at the following location. For example, here I want to add a service for RTMP on port 1935, so first make a copy of one of the existing service files from the default services directory.

Then navigate to the location where our service file was copied and rename the file 'ssh.xml' to 'rtmp.xml', as shown in the picture below.

To activate these changes, restart the firewalld service or reload its settings.

 

To confirm whether the service has been added or not, run the command below to get the list of available services.
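As an added example (not part of the original post), here is a small POSIX shell helper that writes a service definition like the rtmp.xml built by hand above, with the port and protocol checked before anything is written. The function names are the example's own, and the target directory is a parameter so it can be tried in a scratch directory before being pointed at /etc/firewalld/services (assumed here to be where firewalld picks up locally added services).

```shell
# Added example (not from the original post): write a firewalld service file
# such as the rtmp.xml created by hand in Step 4. The function names are the
# example's own; the target directory is a parameter so it can be tried in a
# scratch directory before being pointed at /etc/firewalld/services (assumed
# here to be where firewalld looks for locally added services).

# fw_service_xml NAME PORT PROTO DESCRIPTION  -> prints the service definition
fw_service_xml() {
    name=$1; port=$2; proto=$3; desc=$4
    # firewalld accepts only these protocols in a <port> element; fail early on typos
    case $proto in
        tcp|udp|sctp|dccp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    # A single port or a range such as 1935-1940; anything else is rejected
    echo "$port" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?$' || {
        echo "bad port spec: $port" >&2; return 1; }
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# fw_write_service DIR NAME PORT PROTO DESCRIPTION  -> creates DIR/NAME.xml
fw_write_service() {
    dir=$1; name=$2; port=$3; proto=$4; desc=$5
    tmp="$dir/.$name.xml.tmp"
    fw_service_xml "$name" "$port" "$proto" "$desc" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp"            # readable by firewalld, writable only by the owner (root)
    mv "$tmp" "$dir/$name.xml"   # atomic rename: firewalld never sees a half-written file
}

# Typical use (as root): fw_write_service /etc/firewalld/services rtmp 1935 tcp "RTMP streaming"
# then: firewall-cmd --reload && firewall-cmd --get-services | tr ' ' '\n' | grep -x rtmp
```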

 

Step 5: Assigning Services to Zones

Here we are going to see how to manage the firewall using the firewall-cmd command. To know the current state of the firewall and all active zones, type the following command.

To get the zone of the interface enp0s3 (the default interface): it is in the public zone, which is defined in the /etc/firewalld/firewalld.conf file as DefaultZone=public.

To list all services available in this default interface's zone:

Step 6: Adding Services to Zones

In the above examples we have seen how to create our own services by creating the rtmp service; here we will see how to add the rtmp service to a zone as well.

To remove the service you just added, type:

The above step changes the runtime configuration only. To make it permanent, we need to run the command below with the --permanent option.

Define rules for a network source range and open any one of the ports. For example, if you would like to open a network range, say '192.168.0.0/24', and port '1935', use the following commands.

Make sure to reload the firewalld service after adding or removing any services or ports.

Step 7: Adding Rich Rules for Network Range

If I want to allow services such as http, https, vnc-server and PostgreSQL to that range, use the following rich rules. First add the rule, then make it permanent, reload the rules and check the status.

Now the network range 192.168.0.0/24 can use the above services on my server. The --permanent option can be used with every rule, but we should first define the rule in the runtime configuration and check access from the client; only after that do we make it permanent.

After adding the above rules, don't forget to reload the firewall rules and list them using:
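The runtime-first, then permanent workflow described in Steps 6 and 7, as an added example that is not part of the original post: a POSIX shell helper that builds the rich rules for a source range and applies them through firewall-cmd. The function names and the FWCMD override are the example's own; setting FWCMD=echo prints the firewall-cmd invocations instead of running them, which is how the block can be tried on a machine without firewalld.

```shell
# Added example (not from the original post): build the rich rules Step 7 adds
# for 192.168.0.0/24 and apply them in the order the post recommends, runtime
# first and permanent only after the client access has been checked. The
# function names and the FWCMD override are the example's own; set FWCMD=echo
# to print the firewall-cmd invocations instead of running them.

# fw_rich_rule SRC SERVICE  -> prints a rich rule allowing SERVICE from the SRC range
fw_rich_rule() {
    src=$1; svc=$2
    # Insist on IPv4 CIDR notation so a bare host or a typo is not silently accepted
    echo "$src" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || {
        echo "source must be an IPv4 CIDR range, got: $src" >&2; return 1; }
    # Service names are lower-case words such as http or vnc-server
    echo "$svc" | grep -Eq '^[a-z0-9][a-z0-9-]*$' || {
        echo "bad service name: $svc" >&2; return 1; }
    printf 'rule family="ipv4" source address="%s" service name="%s" accept\n' "$src" "$svc"
}

# fw_allow_range MODE ZONE SRC SERVICE...  ; MODE is "runtime" or "permanent"
fw_allow_range() {
    mode=$1; zone=$2; src=$3; shift 3
    cmd=${FWCMD:-firewall-cmd}
    case $mode in
        runtime)   perm= ;;
        permanent) perm=--permanent ;;
        *) echo "mode must be runtime or permanent, got: $mode" >&2; return 1 ;;
    esac
    for svc in "$@"; do
        rule=$(fw_rich_rule "$src" "$svc") || return 1
        $cmd $perm --zone="$zone" --add-rich-rule="$rule" || return 1
    done
    # Permanent rules only take effect after a reload; runtime ones apply immediately
    [ -z "$perm" ] || $cmd --reload
}

# Typical use (as root), mirroring Step 7:
#   fw_allow_range runtime   public 192.168.0.0/24 http https vnc-server postgresql
#   ... check access from a client inside 192.168.0.0/24 ...
#   fw_allow_range permanent public 192.168.0.0/24 http https vnc-server postgresql
#   firewall-cmd --zone=public --list-rich-rules
```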

 

That's it. For any more questions, try the chaotic man page (man firewalld), grab a coffee and pray that you can understand what's happening in there!