Managing the Linux Firewall in RHEL 7 and CentOS 7

Friends, in this tutorial we will learn what the Linux firewall is and how to manage Linux firewall rules in CentOS 7 and RHEL 7. So first of all, let's see what the Linux firewall is.

What is Firewalld?

Firewalld is the firewall management tool available by default on CentOS 7, RHEL 7 and Fedora 21 servers. It is a service used to manage the firewall, with support for network zones. In earlier versions (RHEL and CentOS 6) we used iptables as the service in front of the packet filtering framework. In RHEL 7, CentOS 7 and Fedora 21 the iptables interface is replaced by firewalld.

If you want to use iptables you can install it with the yum command, but be aware that running both the iptables and firewalld services on the same server can cause conflicts: you have to choose one of them. You should start working with the firewalld service, because the iptables service may no longer be available in future releases.

In iptables we used to configure the INPUT, OUTPUT and FORWARD chains; in firewalld we work with zones instead. Some basic zones are the public zone and the private zone.

Installing and Managing Firewalld

The firewalld service is installed by default with CentOS 7, but it is inactive.

To start the firewalld service and enable it at boot, use the commands below:

[root@dns ~]# systemctl start firewalld
[root@dns ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@dns ~]#

Use the commands below to stop and disable the firewalld service:

[root@dns ~]# systemctl stop firewalld
[root@dns ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@dns ~]#

Check the firewall running status using the commands below:

[root@dns ~]# firewall-cmd --state
running
[root@dns ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2018-05-31 17:04:08 CEST; 26s ago
Docs: man:firewalld(1)
Main PID: 2755 (firewalld)
CGroup: /system.slice/firewalld.service
└─2755 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWAR...hain?).
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWAR...hain?).
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWAR...hain?).
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWAR...t name.
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWAR...t name.
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT ...hain?).
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT ...hain?).
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete OUTPUT...hain?).
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT ...hain?).
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT ...hain?).
Hint: Some lines were ellipsized, use -l to show in full.
[root@dns ~]#

Reload the firewalld configuration using the command below:

[root@dns ~]# firewall-cmd --reload
success
[root@dns ~]#

Configuring Firewalld

Firewalld configuration files are located in two directories:

  1. /usr/lib/firewalld keeps the default configuration, such as the default zones and the common service definitions. Avoid editing these files, because they are overwritten by every firewalld package update.
  2. /etc/firewalld keeps the system-specific configuration files. A file here overrides the default file of the same name.

Firewalld uses two configuration sets: runtime and permanent. Runtime changes are lost on reboot or when firewalld is restarted, whereas permanent changes are not applied to the running system until firewalld is reloaded.

To add a rule to both the permanent and the runtime set, run the command twice, once with --permanent and once without:

[root@dns ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@dns ~]#
[root@dns ~]# firewall-cmd --zone=public --add-service=http
success
[root@dns ~]#

Alternatively, after adding a rule to the permanent set, reload firewalld so that the rule takes effect at runtime:

[root@dns ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@dns ~]#
[root@dns ~]# firewall-cmd --reload
success
[root@dns ~]#
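Because the runtime and permanent sets are edited separately, they can silently disagree: a service opened only at runtime disappears on the next reload, and a service saved only permanently is not yet enforced. The script below is an added example (not from the original post) that lists the services of one zone from both sets and reports the differences. It assumes firewall-cmd from firewalld; the FIREWALL_CMD variable is a hook introduced only for this script so the logic can be exercised with a stand-in command on a machine without firewalld.

```bash
#!/usr/bin/env bash
# Added example: detect drift between the runtime and permanent service
# lists of a firewalld zone. Assumes firewall-cmd from firewalld.
# FIREWALL_CMD is a stand-in hook for this script only (hypothetical, not a
# firewalld feature) so the logic can be exercised with a fake command.

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# List the services of a zone from one configuration set, one per line, sorted.
# $1 = zone name, $2 = "runtime" or "permanent"
zone_services() {
    if [ "$2" = permanent ]; then
        "$FIREWALL_CMD" --permanent --zone="$1" --list-services
    else
        "$FIREWALL_CMD" --zone="$1" --list-services
    fi | tr ' ' '\n' | sed '/^$/d' | sort
}

# Print one line per service present in only one of the two sets:
#   runtime-only <svc>    open right now, but lost on reload or reboot
#   permanent-only <svc>  saved on disk, but not active until --reload
# Returns 0 when both sets match and 1 when they drift.
zone_drift() {
    zone="$1"
    rt=$(mktemp) || return 2
    pm=$(mktemp) || return 2
    zone_services "$zone" runtime   > "$rt"
    zone_services "$zone" permanent > "$pm"
    tab=$(printf '\t')
    drift=0
    # comm -3 hides lines common to both files; lines found only in the
    # second file (the permanent set) are prefixed with a tab.
    comm -3 "$rt" "$pm" > "$rt.diff"
    while IFS= read -r line; do
        drift=1
        case "$line" in
            "$tab"*) printf 'permanent-only %s\n' "${line#?}" ;;
            *)       printf 'runtime-only %s\n' "$line" ;;
        esac
    done < "$rt.diff"
    rm -f "$rt" "$pm" "$rt.diff"
    return "$drift"
}

# Run against the live firewall when one is present, e.g.: ./zone-drift.sh public
if command -v "$FIREWALL_CMD" >/dev/null 2>&1; then
    zone_drift "${1:-public}"
fi
```

A "permanent-only" line is fixed with firewall-cmd --reload; a "runtime-only" line means the change was never saved and will be lost, so either repeat it with --permanent or drop it. Running this from cron or a configuration check gives an early warning that the firewall on disk is not the firewall that is actually enforced.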

We can view the default zone using the command below:

[root@dns ~]# firewall-cmd --get-default-zone
public
[root@dns ~]#

To change the default zone, use the command below:

[root@dns ~]# firewall-cmd --set-default-zone=internal
success
[root@dns ~]# firewall-cmd --get-default-zone
internal
[root@dns ~]#


We can check which zones our network interface(s) belong to using the commands below:

[root@dns ~]# firewall-cmd --get-default-zone
public
[root@dns ~]# firewall-cmd --get-active-zones
public
  interfaces: enp0s3 enp0s8
[root@dns ~]#

To get the full configuration of a specific zone, use the command below:

[root@dns ~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3 enp0s8
sources:
services: dhcpv6-client ssh ntp mountd rpc-bind nfs http
ports: 53/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@dns ~]#
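The --list-all output above is what an administrator reads to judge the exposure of a host, and in the public zone shown here the list has grown to include NFS, rpc-bind, mountd and UDP port 53. The script below is an added example (not from the original post) that parses such a dump and reports every service or port that is not on an approved baseline. The sample dump is copied in shape from the public zone shown above and embedded inline so the script runs offline; the baseline values are constructed for the example. Run against a live host, the dump would come from firewall-cmd --zone=public --list-all (and --permanent for the saved set).

```bash
#!/usr/bin/env bash
# Added example: audit a firewalld zone dump against an approved baseline.
# The dump format is that of "firewall-cmd --zone=<zone> --list-all".

# Constructed sample, shaped like the public zone shown in the post.
SAMPLE_DUMP='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3 enp0s8
  sources:
  services: dhcpv6-client ssh ntp mountd rpc-bind nfs http
  ports: 53/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Print the values of one field of the dump ("services", "ports", ...),
# one per line. Dump on stdin.
zone_field() {
    awk -v f="$1:" '$1 == f { for (i = 2; i <= NF; i++) print $i }'
}

# Report each service and port in the dump that is absent from the baseline.
# $1 = approved services (space separated), $2 = approved ports (space separated).
# Dump on stdin. Returns 1 when anything unexpected is exposed, 0 otherwise.
audit_zone_dump() {
    allowed_services="$1"
    allowed_ports="$2"
    dump=$(cat)
    unexpected=0
    for svc in $(printf '%s\n' "$dump" | zone_field services); do
        case " $allowed_services " in
            *" $svc "*) ;;
            *) printf 'unexpected service: %s\n' "$svc"; unexpected=1 ;;
        esac
    done
    for port in $(printf '%s\n' "$dump" | zone_field ports); do
        case " $allowed_ports " in
            *" $port "*) ;;
            *) printf 'unexpected port: %s\n' "$port"; unexpected=1 ;;
        esac
    done
    return "$unexpected"
}

# Demo against the constructed sample with a deliberately narrow baseline
# (constructed values); "|| :" keeps a caller running under set -e alive.
printf '%s\n' "$SAMPLE_DUMP" | audit_zone_dump "ssh dhcpv6-client http" "" || :
```

Against the baseline used in the demo, the sample zone yields four unexpected services (ntp, mountd, rpc-bind, nfs) and one unexpected port (53/udp). Anything reported is either a forgotten --remove-service or --remove-port, or a new requirement that should be added to the baseline deliberately rather than discovered by accident.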

We can get the configuration of all zones using the command below:

[root@dns ~]# firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3 enp0s8
sources:
services: dhcpv6-client ssh ntp mountd rpc-bind nfs http
ports: 53/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@dns ~]#

Firewalld can allow traffic based on predefined rules for specific network services. We can also create our own custom service definitions and add them to any zone.

We can view the predefined services using the command below:

[root@dns ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@dns ~]#

Now I will show you how to enable or disable the HTTP service in the permanent configuration (remember to reload firewalld afterwards):

[root@dns ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@dns ~]# firewall-cmd --zone=public --remove-service=http --permanent
success
[root@dns ~]#

That's all. In this tutorial we have seen how to manage the firewalld service.

18 thoughts on “Managing the Linux Firewall in RHEL 7 and CentOS 7”

    1. Hi Kayla,

      Thanks for your comments. In the coming days you will get lots of valuable articles on this site. So keep in touch, and you are most welcome on my site.

      Best Regards
      Zafar

    1. Hi Kathlene,

      Thanks a lot for your good wishes and appreciation. I will always try to share my best knowledge on this site. Your suggestions and comments are most welcome, so that I can provide a better service to all my readers.

      Best Regards
      Zafar

    1. Hi Byron,

      Thanks for your lovely comments and appreciation. It is my first priority to share valuable information so that my readers can get help from this site. You are most welcome on my site.

      Best Regards
      Zafar
