You no longer need to work hard to manage the firewall with iptables: from CentOS 7 onward, firewall management is very easy with the firewalld command (firewall-cmd).
First, check the firewall status to see whether firewalld is installed.
systemctl is-active firewalld
If it is already installed you will get its status; otherwise you will get an error.
You can install the firewalld service with these commands.
yum -y install firewalld
systemctl enable firewalld
systemctl start firewalld
Now you can check the firewalld status again.
systemctl status firewalld
Check Firewall Rules
Now we should find out which firewall zone is active or default. A firewall zone is a firewall profile; zone names include home, internal, public, work, external, trusted, etc.
The active or default zone should be “public”. Now check it by the command.
You can also make the public zone the default with this command.
firewall-cmd --set-default-zone=public --permanent
Now check the ports which are open to the world.
firewall-cmd --zone=public --list-ports
And check which services are currently open to the world.
firewall-cmd --zone=public --list-services
We can also list all services and ports opened in the public profile with this command.
firewall-cmd --zone=public --list-all
Additionally, we can check whether any rich rules or direct rules exist.
firewall-cmd --zone=public --list-rich-rules
firewall-cmd --direct --get-all-rules
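As an added example (not the author's code and not part of the original article), here is a small POSIX shell audit that reads the output of firewall-cmd --zone=public --list-all and flags every service or port open to the world that is not on an allowlist. It assumes the zone name public from the article; the listing embedded in the script is a constructed sample in the CentOS 7 output layout so the script runs without firewalld, and audit_zone, zone_field and SAMPLE_LIST_ALL are names chosen here.

```shell
#!/bin/sh
# Audit the firewalld "public" zone against an allowlist of what may be exposed
# to the world. Added example for this article; not the author's code.
# Live use on the server (zone name "public" assumed, as in the article):
#   firewall-cmd --get-default-zone
#   firewall-cmd --zone=public --list-all | audit_zone "http https" "80/tcp 443/tcp"

# Print the values of one "key:" line from --list-all output read on stdin.
# Anchoring at line start keeps "ports:" from matching "forward-ports:".
zone_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Compare the zone's services and ports with the allowlists ($1 services,
# $2 ports, both space separated). Prints one line per unexpected entry and
# returns 1 if anything unexpected is open, 0 if the zone matches the policy.
audit_zone() {
    allowed_services="$1"
    allowed_ports="$2"
    listing=$(cat)
    rc=0
    for svc in $(printf '%s\n' "$listing" | zone_field services); do
        case " $allowed_services " in
            *" $svc "*) ;;
            *) echo "UNEXPECTED service open to the world: $svc"; rc=1 ;;
        esac
    done
    for port in $(printf '%s\n' "$listing" | zone_field ports); do
        case " $allowed_ports " in
            *" $port "*) ;;
            *) echo "UNEXPECTED port open to the world: $port"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of "firewall-cmd --zone=public --list-all" output, in the
# CentOS 7 layout, standing in for a real server so the script runs offline.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh smtp
  ports: 3306/tcp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Policy from the article: only http/https to the world. dhcpv6-client is part
# of the CentOS 7 default public zone, so it is kept on the allowlist here.
printf '%s\n' "$SAMPLE_LIST_ALL" | audit_zone "http https dhcpv6-client" "80/tcp 443/tcp" \
    || echo "audit: zone does not match policy"
```

On a live server, pipe the real listing in instead of the sample. The non-zero exit code makes the check usable from cron or a configuration-management run. Rich rules and direct rules are not covered by this check; list them with the two commands above.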
Firewall Key Rules
Now that we have seen the existing firewall setup, you can decide which rules need to be removed and which need to be added to the public profile.
It’s time to understand services and ports. Service examples are http, ftp, smtp, dns, etc., and individual port examples are 80/tcp, 21/tcp, 25/tcp, 53/udp, etc.
How should people secure their servers?
Actually, I want to secure my servers strictly so that attackers are kept out and my server runs smoothly. My plan is to open only the http/https service so that people can visit my website; every other service and port should be closed to the world and allowed only from my own dedicated IP or device. If needed you can open the ftp, dns and smtp ports to the world.
But we must not expose ssh to the open world, and must accept it only from our own IP.
Add or Remove Firewall Service or Port
Here are example commands to add or remove a service or port.
Add the http service with this command.
firewall-cmd --zone=public --add-service=http --permanent
Remove the smtp service with this command.
firewall-cmd --zone=public --remove-service=smtp --permanent
Add the ftp port with this command.
firewall-cmd --zone=public --add-port=21/tcp --permanent
Remove the MySQL port with this command.
firewall-cmd --zone=public --remove-port=3306/tcp --permanent
Firewall Rich Rule
It’s time to learn rich rules, so that we can add or remove a service or port for a specific address. Suppose we want the ssh port allowed only from our own IP (e.g. ssh accepted only from 192.168.1.35).
firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.1.35 port port=22 protocol=tcp accept'
firewall-cmd --zone=public --remove-service=ssh --permanent
With the two commands above, the ssh service is closed to the open world, while port 22 is still accepted from the specific IP 192.168.1.35 only.
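The plan above (http/https to the world, ssh only from 192.168.1.35) as an added shell example; this is not the author's code and not part of firewalld. It generates the firewall-cmd commands for review, validates the admin address before it is spliced into the rich rule, and only applies the commands when firewalld is actually running. The names valid_ipv4, ssh_rich_rule, plan_commands, apply_plan and the ADMIN_IP variable are assumptions made here; the --reload at the end is the reload step the "Firewall Reload and Save" section refers to, since --permanent changes take effect only after it.

```shell
#!/bin/sh
# Apply the article's plan to the firewalld "public" zone: http/https open to
# the world, ssh accepted only from one admin address, everything else closed.
# Added example for this article; not the author's code. The admin address
# 192.168.1.35 is the article's example; ADMIN_IP is an assumed variable name.

# Validate a dotted-quad IPv4 address (four octets, each 0-255). The rich rule
# text is handed to firewall-cmd verbatim, so anything that is not a plain
# address is refused before it can reach the command line.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*|"") return 1 ;;
    esac
    saved_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The rich rule from the article: accept TCP/22 only from the admin address.
ssh_rich_rule() {
    printf 'rule family=ipv4 source address=%s port port=22 protocol=tcp accept' "$1"
}

# Print the firewall-cmd commands for the plan, one per line, without running
# them. The rich rule is queued before the open ssh service is removed, and
# everything is --permanent, so the whole change lands together at --reload
# and the admin address keeps ssh access throughout.
plan_commands() {
    admin_ip="$1"
    if ! valid_ipv4 "$admin_ip"; then
        echo "refusing: '$admin_ip' is not an IPv4 address" >&2
        return 1
    fi
    rule=$(ssh_rich_rule "$admin_ip")
    printf '%s\n' \
        "firewall-cmd --permanent --zone=public --add-service=http" \
        "firewall-cmd --permanent --zone=public --add-service=https" \
        "firewall-cmd --permanent --zone=public --add-rich-rule='$rule'" \
        "firewall-cmd --permanent --zone=public --remove-service=ssh" \
        "firewall-cmd --reload"
}

# Run the plan for real. Refuses to do anything unless firewall-cmd exists and
# firewalld is active, and stops at the first command that fails.
apply_plan() {
    cmds=$(plan_commands "$1") || return 1
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; nothing applied" >&2
        return 2
    fi
    if ! systemctl is-active --quiet firewalld; then
        echo "firewalld is not active; nothing applied" >&2
        return 2
    fi
    while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || return 1
    done <<EOF
$cmds
EOF
}

# Stand-alone run prints the plan for review; apply_plan "$ADMIN_IP" executes it.
plan_commands "${ADMIN_IP:-192.168.1.35}"
```

Order matters when locking down ssh: the rich rule is queued before the ssh service is removed, and because all the changes are --permanent they become active together at --reload, so the admin address never loses access. Run plan_commands first and read the output, then call apply_plan 192.168.1.35 from a session that itself originates from that address.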
Firewall Direct Rule
A direct rule is a special rule that is applied directly to a netfilter chain (e.g. to permit incoming traffic only, or outgoing traffic only).
Such a rule can target the INPUT, OUTPUT or FORWARD chain, as in the following commands. Direct rules are not bound to a zone, so --zone is omitted here.
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 25 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --dport 587 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -p tcp --dport 22 -j DROP
Firewall Reload and Save
The last step, once the firewall configuration is done, is to reload the configured rules and reboot the server.
Remove Firewall Rule
If you want to remove a rule, use the same full command as in the examples above and just replace --add-rule with --remove-rule, or --add-port with --remove-port.
That’s it!