Firewall-CMD

1 minute read

Description:

In CentOS I created the following firewall zones:

To Resolve:

  1. First, I create a new zone, and then allow only hosts/ports that I specify:

    1
2
3
4
5
6
7

    firewall-cmd --new-zone=gerry --permanent
firewall-cmd --reload
firewall-cmd --set-default-zone=gerry #NOTE: You have to reload first before you can select a custom zone as your default zone
firewall-cmd --zone=gerry --add-source 192.168.0.20/32 --permanent
firewall-cmd --zone=gerry --add-port=22/tcp --permanent
firewall-cmd --zone=gerry --add-service=ssh --permanent
firewall-cmd --reload

  2. Next, to stop other hosts even on the same network from being able to access ports:

    1
2
3
4
5
6

    firewall-cmd --remove-active-zone=public
# Learned quickly that interfaces override source addresses, put that interface in DROP!
firewall-cmd --zone=public --remove-interface=enp0s3 --permanent
firewall-cmd --zone=drop --add-interface=enp0s3 --permanent
firewall-cmd --get-active-zone
# Should see: gerry - source and drop - interface
    • Steps 1 and 2 are my setup for initial CentOS VM’s. With this setup all incoming ports are blocked except 192.168.0.20:22. You can then add hosts/ports as needed.

  3. To check firewall settings:

    1
2
3
4
5

    sudo firewall-cmd --zone=gerry --list-all
# Or
sudo firewall-cmd --zone=gerry --list-sources
sudo firewall-cmd --zone=gerry --list-services
sudo firewall-cmd --zone=gerry --list-ports

  4. To add sources, services, and ports:

    1
2
3
4
5
6
7

    # See services:
firewall-cmd --get-services

# Then to add (examples from above):
firewall-cmd --zone=gerry --add-source 192.168.0.20/32 --permanent
firewall-cmd --zone=gerry --add-port=22/tcp --permanent
firewall-cmd --zone=gerry --add-service=ssh --permanent

  5. To enable/disable panic mode (block all):

    1
2

    sudo firewall-cmd --panic-on
sudo firewall-cmd --panic-off

  6. Common task that I do is add a ‘Rich Rule’:

    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

    sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.254.24.12/32" port port="3306" protocol="tcp" accept'
   
# if I need to remove it:
firewall-cmd --permanent --remove-rich-rule 'rule family="ipv4" source address="10.254.24.12/32" port port="3306" protocol="tcp" accept'

firewall-cmd --reload
   
# To view the list of ports being used in total:
# firewall-cmd --zone=public --list-all

# Lastly, to test the connection
curl -v telnet://127.0.0.1:3306

# look for 'connected'
# if it doesn't work, see if the port is listening state
netstat -natl
# netstat --all --listening --numeric --tcp

Comments

You May Also Enjoy