Friends in this tutorial we will know, what is Linux firewall? and how to manage Linux Firewall rules in Centos 7 and RHEL 7? So let’s see first off all what is Linus Firewall?

What is Firewall?

Firewalld is a firewall management tool available by default on CentOS7, RHEL7 /Fedora 21 servers. Firewalld is a service which is use to manage firewall with support for networks zones. In earlier version, RHEL & CentOS 6 we have been using iptables as a service for packet filtering framework. In RHEL7/CentOS 7 and Fedora 21 iptables interface is being replaced by firewalld.

If you want to use iptables you can install with yum command but make sure iptables and firewalld both in same server may be conflict. You have to choose one of them. You should start working with firewall service may be in feature iptables will not be available on latest release.

We were used to configure as INPUT, OUTPUT & FORWARD CHAINS in iptables but in firewalld we are using zones. Some basic zones are: – public zone and private zone.

Installing and Managing Firewalld

Firewalld service is installed by default with CentOS7 but its inactive mode.

 To start and enable Firewalld service on boot we can use below command like this.

[[email protected] ~]# systemctl start firewalld
[[email protected] ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.serviceto /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[[email protected] ~]#

We can use below commands to stop and disable firewalld service:-

[[email protected] ~]# systemctl stop firewalld
[[email protected] ~]# systemctl disable firewalld
Removed symlink/etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[[email protected] ~]#

Check the firewall running status using below commands:-

[[email protected] ~]# firewall-cmd --state
running
[[email protected] ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2018-05-31 17:04:08 CEST; 26s ago
Docs: man:firewalld(1)
Main PID: 2755 (firewalld)
CGroup: /system.slice/firewalld.service
└─2755 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWAR...hain?).
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWAR...hain?).
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWAR...hain?).
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWAR...t name.
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWAR...t name.
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT ...hain?).
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT ...hain?).
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete OUTPUT...hain?).
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT ...hain?).
May 31 17:04:09 dns.tzclouds.local firewalld[2755]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT ...hain?).
Hint: Some lines were ellipsized, use -l to show in full.
[[email protected] ~]#

Reload the Firewalld configuration using below  command:-

[[email protected] ~]# firewall-cmd --reload
success
[[email protected] ~]#

Configuring Firewalld

Firewall Configuration files are located in two directories:

1. /usr/lib/FirewallD keeps default configurations like default zones and common services. Avoid updating them because those files will be overwritten by each firewalld package update.
2. /etc/firewalld keeps system configuration files. These files will overwrite a default configuration.

Firewalld uses two configuration sets:- First is Runtime and Second is Permanent. Runtime configuration changes are not retained on reboot or upon restarting Firewalld whereas permanent changes are not applied to a running system.

Add rule to both the permanent and runtime sets. Like this:-

[[email protected] ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[[email protected] ~]#
[[email protected] ~]# firewall-cmd --zone=public --add-service=http
success
[[email protected] ~]#

After rule add to the permanent we need to reload Firewalld.

[[email protected] ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[[email protected] ~]#
[[email protected] ~]# firewall-cmd --reload
success
[[email protected] ~]#

We can  view the default zone using below commands:-

[[email protected] ~]# firewall-cmd --get-default-zone
public
[[email protected] ~]#

To change the default zone we can use below command:-

[[email protected] ~]# firewall-cmd --set-default-zone=internal
success
[[email protected] ~]# firewall-cmd --get-default-zone
internal
[[email protected] ~]#

We can check the zones used by our network interface(s) using below commands:-

[[email protected] ~]# firewall-cmd --get-default-zone
public
[[email protected] ~]# firewall-cmd --get-active-zones
public interfaces: enp0s3 enp0s8
[[email protected] ~]#

To get all configurations for a specific zone use below commands:-

[[email protected] ~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3 enp0s8
sources:
services: dhcpv6-client ssh ntp mountd rpc-bind nfs http
ports: 53/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[[email protected] ~]#

We can get all configurations for all zones using below commands:-

[[email protected] ~]# firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3 enp0s8
sources:
services: dhcpv6-client ssh ntp mountd rpc-bind nfs http
ports: 53/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[[email protected] ~]#

Firewalld can allow traffic based on predefined rules for specific network services. We can create our own custom service rules and add them to any zone.

We can view the default available services using below commands:-

[[email protected] ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[[email protected] ~]#

Now I am going to show you how to enable or disable the HTTP service:-

[[email protected] ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[[email protected] ~]# firewall-cmd --zone=public --remove-service=http --permanent
success
[[email protected] ~]#

That’s all, So in this tutorial we have seen how to manage firewalld service.