How to manage firewall rules in CentOS 7
With the recent release of CentOS 7 came many changes to the way CentOS is
configured compared to its predecessors. In CentOS 7 you will need to become familiar
with firewalld.

 
Reference: FIREWALLD(1) man page:
"firewalld provides a dynamically managed firewall with support for network/firewall
zones to define the trust level of network connections or interfaces. It has support
for IPv4, IPv6 firewall settings and for ethernet bridges and has a separation of runtime
and permanent configuration options. It also supports an interface for services or
applications to add firewall rules directly."

 
In this article we will be discussing adding and removing basic firewall rules to allow
incoming traffic to access services that you are running on your server.

 
Warning: When working on a remote server and modifying the firewall rules, be very careful not to lock yourself out of your server by removing port 22 (SSHD) from your firewall configuration. If you are unsure, you can omit the --permanent flag from the commands below; if you do lock yourself out, a simple reboot of the server will clear any firewall rules you added.
 
 
The default zone in CentOS 7 is "public". You can change the default zone in
/etc/firewalld/firewalld.conf but for now we will leave it as public for the purposes of this article.

 
Opening Ports
To open port 80 (http) in your firewall, you can utilize the following command:
[root@srv ]# firewall-cmd --permanent --zone=public --add-port=80/tcp
 
Reload the firewall to apply changes:
[root@srv ]# firewall-cmd --reload
 
 
 
Verifying Rules
The following command can be used to verify that the port is open; it returns a simple yes or no:
[root@srv ]# firewall-cmd --zone=public --query-port=80/tcp
 

 
Creating Rules by Using Service Names
Alternatively you can create the rule using a service name:
[root@srv ]# firewall-cmd --permanent --zone=public --add-service=http
 
And now reload the firewall to apply changes:
[root@srv ]# firewall-cmd --reload
 
Verify the service port has been opened:
[root@srv ]# firewall-cmd --zone=public --query-service=http
 
 
 
Real World Example
These steps will create a permanent entry in your firewall configuration to allow incoming
TCP connections to TCP port 80 from the internet.
You can use "firewall-cmd --list-all" to get a view of your current firewall configuration.
Example:

[root@srv ]# firewall-cmd --list-all
 
public (default, active)
  interfaces: eth0 eth1
  sources:
  services: ssh
  ports: 80/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

 
To remove the port or service you added (the --permanent flag is needed here as well; without it the removal only touches the runtime configuration, and the reload would restore the rule from the permanent configuration):
[root@srv ]# firewall-cmd --permanent --zone=public --remove-port=80/tcp
 
OR
[root@srv ]# firewall-cmd --permanent --zone=public --remove-service=http
 
And then issue a reload to apply the changes.
[root@srv ]# firewall-cmd --reload
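The add/reload/query sequence above, wrapped in shell functions as an added example (not code from the original article): it also parses captured firewall-cmd --list-all output so a removal that would drop the ssh service is refused, and reports runtime-only services that a reload would discard. It assumes firewall-cmd is in PATH for the functions that apply changes; the parsing helpers only need the captured text.

```shell
#!/bin/bash
# Added example, not part of the original article: the article's
# add/reload/query steps as functions, plus helpers that read captured
# `firewall-cmd --list-all` text so that removing ssh (the lockout the
# warning above describes) is refused. Assumes firewall-cmd is in PATH
# for open_port and safe_remove_service; the helpers are pure text.

# Print the "services:" line of a --list-all dump as a space-separated list.
zone_services() {            # $1 = captured text of `firewall-cmd --zone=Z --list-all`
    printf '%s\n' "$1" | sed -n 's/^ *services: *//p'
}

# Succeed (exit 0) if the named service is listed in the dump.
zone_has_service() {         # $1 = list-all text, $2 = service name
    local svc
    for svc in $(zone_services "$1"); do
        [ "$svc" = "$2" ] && return 0
    done
    return 1
}

# Services active at runtime but absent from the permanent config: these
# disappear on `firewall-cmd --reload` or reboot, so they are worth knowing.
runtime_only_services() {    # $1 = runtime --list-services, $2 = permanent --list-services
    local svc out=""
    for svc in $1; do
        case " $2 " in *" $svc "*) ;; *) out="$out $svc" ;; esac
    done
    printf '%s\n' "${out# }"
}

# Open a port permanently, reload, then confirm it is live (prints yes/no).
open_port() {                # $1 = zone, $2 = port/protocol, e.g. 80/tcp
    firewall-cmd --permanent --zone="$1" --add-port="$2" || return 1
    firewall-cmd --reload || return 1
    firewall-cmd --zone="$1" --query-port="$2"
}

# Remove a service permanently, refusing ssh so a remote session is not cut off.
safe_remove_service() {      # $1 = zone, $2 = service name
    if [ "$2" = ssh ]; then
        echo "refusing to remove ssh from zone $1" >&2
        return 1
    fi
    firewall-cmd --permanent --zone="$1" --remove-service="$2" || return 1
    firewall-cmd --reload
}
```

Feed zone_has_service the output of `firewall-cmd --zone=public --list-all` before any removal, and compare `firewall-cmd --list-services` with `firewall-cmd --permanent --list-services` via runtime_only_services to spot rules that will not survive a reload.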
 
firewalld provides an easy and convenient way to manage CentOS 7 firewall rules. With a little practice, it can become a critical tool for keeping your infrastructure safe and secure.
Last update:
2015-12-03 20:39