Managing a firewall through raw iptables rules is hard work; from CentOS 7 onwards the firewall is managed by the firewalld service and its firewall-cmd command, which is much easier.

Firewall Status

First check whether firewalld is installed and running.

systemctl is-active firewalld

This prints active when the service is running. If the service is stopped or not installed at all, it prints inactive (or unknown on older systemd) and exits with a non-zero code.

Install Firewall

Install the firewalld service with the commands below; enable makes it start at every boot, start brings it up now.

yum -y install firewalld

systemctl enable firewalld

systemctl start firewalld

Now you can check the firewalld status again.

systemctl status firewalld

Check Firewall Rules

Now find out which zone is the default and which zones are active. A zone is a firewall profile: a named set of allowed services, ports and rich rules. The predefined zones include home, internal, public, work, external and trusted.

On CentOS 7 the default zone is public, and any interface that has not been assigned a zone lands in the default zone. Check it with the commands below (the --reload is not needed just to read the default zone; it re-reads the permanent configuration and discards any runtime-only changes).

firewall-cmd --reload

firewall-cmd --get-default-zone

You can also make public the default zone. --set-default-zone changes both the running firewall and the saved configuration, so --permanent is not needed here.

firewall-cmd --set-default-zone=public

Now check which ports in the public zone are open to the world.

firewall-cmd --zone=public --list-ports

And check which services are currently open to the world.

firewall-cmd --zone=public --list-services

We can also see everything in the public zone at once (interfaces, sources, services, ports, masquerade, forward-ports and rich rules) with the command.

firewall-cmd --zone=public --list-all

 

Additionally, check whether any rich rules or direct rules exist. Rich rules appear at the end of --list-all, but direct rules bypass the zone model and are only shown by the --direct query.

firewall-cmd --zone=public --list-rich-rules

firewall-cmd --direct --get-all-rules
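The listing commands above only show what is open; deciding whether that is acceptable is still manual. The following script is an added example, not code from the original article: it parses the text that firewall-cmd --zone=public --list-all prints and reports every service or port that the article's policy says should not face the world. SAMPLE_LIST_ALL is a constructed dump in the real output layout, used only when firewall-cmd is not available; the RESTRICTED_* lists, the function names and the policy they encode (only http/https public; ssh, ftp, smtp, dns and mysql restricted unless the server deliberately provides them) are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): audit what the public zone
# exposes by parsing the text that `firewall-cmd --zone=public --list-all`
# prints. SAMPLE_LIST_ALL is constructed for offline use and mirrors the
# real output layout; run_audit uses live output when firewall-cmd exists.

SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http https ssh
  ports: 3306/tcp 21/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.35" port port="22" protocol="tcp" accept'

# Print the value of one "name:" line of --list-all output read from stdin
# (e.g. services, ports, sources); empty output means the field is empty.
list_all_field() {
    awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Policy baseline (this example's assumption): only http/https face the world.
RESTRICTED_SERVICES="ssh ftp smtp mysql dns"
RESTRICTED_PORTS="22/tcp 21/tcp 25/tcp 3306/tcp 53/udp"

# One finding per restricted service or port present in the dump on stdin.
exposed_findings() {
    local dump services ports item
    dump=$(cat)
    services=$(printf '%s\n' "$dump" | list_all_field services)
    ports=$(printf '%s\n' "$dump" | list_all_field ports)
    for item in $RESTRICTED_SERVICES; do
        case " $services " in *" $item "*) echo "service $item is open to the world" ;; esac
    done
    for item in $RESTRICTED_PORTS; do
        case " $ports " in *" $item "*) echo "port $item is open to the world" ;; esac
    done
}

# Number of findings for the dump on stdin; 0 means the zone matches the policy.
count_findings() {
    exposed_findings | awk 'END { print NR }'
}

# Audit a zone (default public) on a real host, or the sample when offline.
run_audit() {
    local zone=${1:-public}
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --zone="$zone" --list-all
    else
        printf '%s\n' "$SAMPLE_LIST_ALL"
    fi | exposed_findings
}

run_audit
```

On the constructed sample this reports three findings (the ssh service plus ports 21/tcp and 3306/tcp); the rich rule restricting port 22 to one address does not count as exposure, which is exactly the end state the rest of the article builds towards. Run it as root on the server, or feed it a saved --list-all dump from another machine.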

Firewall Key Rules

Now that we have seen the existing firewall setup, decide which rules need to be removed from and which added to the public zone.

It’s time to understand services versus ports. A service is a named bundle of ports defined by firewalld (http, ftp, smtp, dns, etc.; the definitions live under /usr/lib/firewalld/services/), while a port is given explicitly as number/protocol, for example 80/tcp, 21/tcp, 25/tcp or 53/udp.

How should a server be secured?

I want to harden my servers so that attackers are kept out and the server runs smoothly. The plan: open only the http and https services so people can reach the website; every other service and port stays closed to the world and is reachable only from my own dedicated IP address or device. Open ftp, dns or smtp to the world only if the server actually provides that service.

SSH in particular must not be open to the world; accept it only from our own IP.

Add or Remove Firewall Service or Port

Here are command examples for adding and removing services and ports. Every command carries --permanent, which only writes the change into the saved configuration; the running firewall does not change until firewall-cmd --reload. Run the same command without --permanent to change the running firewall immediately (that change is then lost at the next reload or restart).

Add the http service by command.

firewall-cmd --zone=public --add-service=http --permanent

Remove the smtp service by command.

firewall-cmd --zone=public --remove-service=smtp --permanent

Add the ftp port by command.

firewall-cmd --zone=public --add-port=21/tcp --permanent

Remove the MySQL port by command.

firewall-cmd --zone=public --remove-port=3306/tcp --permanent

Firewall Rich Rule

It’s time to learn rich rules, which let us allow a service or port only from a specific source address. Here we allow the ssh port only from our own IP (ssh is accepted only from 192.168.1.35) and then remove the general ssh service from the public zone.

firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.1.35 port port=22 protocol=tcp accept'

firewall-cmd --zone=public --remove-service=ssh --permanent

After the next --reload, ssh is closed to the open world, while port 22 is still accepted from 192.168.1.35 only. Because both commands are --permanent and take effect together at the reload, their order does not matter. Before reloading, make sure 192.168.1.35 really is the address you connect from (the SSH_CONNECTION environment variable of your current session shows the client address); a typo here locks you out. Note also that the rule is family=ipv4, whereas removing the ssh service closes port 22 for IPv6 too, so an admin host that reaches the server over IPv6 needs its own family=ipv6 rule.
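The --permanent plus --reload sequence above has no safety net: if the address is wrong, the reload locks you out. The script below is an added example, not code from the original article, covering this rich-rule step and the reload step later on. It makes the changes at runtime first (no --permanent), starts a background job that reloads the saved configuration after a timeout, and only after you have confirmed a fresh login from the allowed address does commit_ssh_lockdown cancel that job and save the runtime state with firewall-cmd --runtime-to-permanent. The zone public and the address 192.168.1.35 come from the article; the function names, ROLLBACK_PIDFILE and the 300-second default are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): restrict SSH to one source
# address without locking yourself out. Changes are made at runtime first
# (no --permanent), a background job reloads the saved configuration after a
# timeout (undoing the runtime changes), and commit_ssh_lockdown cancels that
# job and saves the verified runtime state with --runtime-to-permanent.
# Assumes zone "public" and allowed host 192.168.1.35 as in the article;
# ROLLBACK_PIDFILE and the 300s default are this example's own choices.

ZONE=${ZONE:-public}
ROLLBACK_PIDFILE=${ROLLBACK_PIDFILE:-${TMPDIR:-/tmp}/firewalld-ssh-rollback.pid}

# Accept only a single dotted-quad IPv4 address with each octet in 0-255.
valid_ipv4() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# The rich rule from the article, built once so add/query/remove use identical text.
ssh_rich_rule() {
    printf 'rule family=ipv4 source address=%s port port=22 protocol=tcp accept' "$1"
}

# SSH_CONNECTION is "client_ip client_port server_ip server_port"; refuse to
# proceed unless the current session already comes from the address that stays allowed.
session_from_allowed_ip() {   # $1 = allowed ip, $2 = SSH_CONNECTION value
    [ -n "$2" ] && [ "${2%% *}" = "$1" ]
}

# Runtime-only command sequence, one per line; nothing is executed here.
ssh_lockdown_plan() {
    local ip=$1 rule
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    rule=$(ssh_rich_rule "$ip")
    cat <<EOF
firewall-cmd --zone=$ZONE --add-rich-rule='$rule'
firewall-cmd --zone=$ZONE --query-rich-rule='$rule'
firewall-cmd --zone=$ZONE --remove-service=ssh
firewall-cmd --zone=$ZONE --list-all
EOF
}

# Apply the plan on a real host. Guards run first; then a rollback job is
# started that reloads the permanent configuration (discarding the runtime
# changes) after $2 seconds unless commit_ssh_lockdown cancels it.
apply_ssh_lockdown() {
    local ip=$1 timeout=${2:-300} cmd
    command -v firewall-cmd >/dev/null || { echo "firewall-cmd not found" >&2; return 1; }
    session_from_allowed_ip "$ip" "${SSH_CONNECTION:-}" ||
        { echo "this session is not from $ip; refusing to lock it out" >&2; return 1; }
    ssh_lockdown_plan "$ip" >/dev/null || return 1   # validates the address
    ( sleep "$timeout" && firewall-cmd --reload ) &
    echo $! > "$ROLLBACK_PIDFILE"
    # eval is acceptable here: every line is fixed text plus a validated address.
    ssh_lockdown_plan "$ip" | while IFS= read -r cmd; do
        echo "+ $cmd"; eval "$cmd" || exit 1
    done || return 1
    echo "runtime rules applied; reload scheduled in ${timeout}s unless committed."
    echo "open a NEW ssh session from $ip now, then run: commit_ssh_lockdown"
}

# Cancel the rollback job and make the verified runtime state permanent.
commit_ssh_lockdown() {
    [ -f "$ROLLBACK_PIDFILE" ] && kill "$(cat "$ROLLBACK_PIDFILE")" 2>/dev/null
    rm -f "$ROLLBACK_PIDFILE"
    firewall-cmd --runtime-to-permanent
}
```

Usage on the server: source the file, run apply_ssh_lockdown 192.168.1.35 from your existing session, open a second SSH session from 192.168.1.35, and run commit_ssh_lockdown there. If the second login fails, do nothing: the scheduled reload restores the saved rules and the first session keeps working. --runtime-to-permanent replaces the --permanent plus --reload pair used elsewhere in this article for exactly this reason: what you tested is what gets saved.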

Firewall Direct Rule

Direct rules bypass the zone model: they are passed almost verbatim to iptables and land in chains named after the built-in chain (INPUT_direct, OUTPUT_direct, FORWARD_direct), which firewalld evaluates before its own zone rules. They are not attached to any zone, so the --zone option does not apply to them. Use them for things zones cannot express, such as rules on outgoing (OUTPUT) or routed (FORWARD) traffic.

The examples below add one rule each to the INPUT, OUTPUT and FORWARD chains of the filter table. The 0 is the priority within the chain; lower numbers are evaluated first.

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 25 -j ACCEPT

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --dport 587 -j ACCEPT

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -p tcp --dport 22 -j DROP

Be clear about what each one does. The INPUT rule accepts port 25 from anywhere ahead of the zone rules, so the public zone's service list no longer controls smtp. The OUTPUT rule changes nothing on a default firewalld install, because outgoing traffic is not filtered at all (the OUTPUT chain policy is ACCEPT); it only matters once you add other direct OUTPUT rules that block traffic. The FORWARD rule affects only traffic routed through this host, not SSH connections to the host itself.

Firewall Reload and Save

The last step after configuration is to reload so the permanent rules take effect in the running firewall; then verify the result with firewall-cmd --zone=public --list-all. A reboot is not required. Rebooting only proves that the rules survive a restart, so treat it as optional.

firewall-cmd --reload

reboot

 

Remove Firewall Rule

To remove a rule, take the matching add command from above and replace add with remove.

For example, --add-rule becomes --remove-rule, --add-port becomes --remove-port, and --add-rich-rule becomes --remove-rich-rule. As with adding, a --permanent removal only takes effect after firewall-cmd --reload.

 

That's it!

Happy firewalling…