Firewalld Examples

Examples on how to manage firewalld with the firewall-cmd utility

Rohan Molloy

Check if firewalld is active

# Is the daemon up?  Prints "running" or "not running"; the exit status is
# non-zero when it is not running, so this is safe to use in scripts.
[root@desktop ~]# firewall-cmd --state
running
[root@desktop ~]#

Make the current runtime rules persistent

# Copy the *entire* runtime configuration into the permanent one.  That
# includes every rule added without --permanent (tests, one-offs), so
# review --list-all-zones before saving.  Mind the order: --reload discards
# runtime-only changes, so it must come after, never before.
[root@desktop ~]# firewall-cmd --runtime-to-permanent
success
[root@desktop ~]# firewall-cmd --reload
success
[root@desktop ~]#

Bind a source address range to a zone

# Bind an address range to the "home" zone.  Source bindings are matched
# before interface bindings, so traffic from 203.0.113.224/27 gets home's
# rules no matter which interface it arrives on.  --permanent only edits the
# saved config; --reload is what applies it.
[root@desktop ~]# firewall-cmd --permanent --add-source 203.0.113.224/27 --zone=home
success
[root@desktop ~]# firewall-cmd --reload
success
[root@desktop ~]#

Bind an interface to a zone

# Move tun0 from "external" to "internal".  An interface belongs to exactly
# one zone, so the old binding is removed first (--change-interface=tun0
# --zone=internal does both steps in one call).  Per the zone listing below,
# internal allows far more (http https ssh cockpit dns) than external
# (openvpn only), so this widens what VPN peers can reach on the host —
# make sure that is intended.
# NOTE(review): for a NetworkManager-managed connection the zone should be
# set on the connection (nmcli connection modify <con> connection.zone ...);
# presumably not the case for an OpenVPN tun device, but verify.
[root@desktop ~]# firewall-cmd --get-zone-of-interface=tun0
external
[root@desktop ~]# firewall-cmd --permanent --remove-interface=tun0 --zone external
success
[root@desktop ~]# firewall-cmd --permanent --add-interface=tun0 --zone internal
success
[root@desktop ~]# firewall-cmd --reload
success
[root@desktop ~]#

Adding a service to a zone

# Runtime-only change: "ssh" is firewalld's service definition (22/tcp).
# It is lost on --reload or a daemon restart unless --permanent is given or
# --runtime-to-permanent is run afterwards.
$ sudo firewall-cmd --add-service ssh --zone=home
success

Get Active Zones

# Only zones with an interface or source bound to them are shown; this is the
# quickest way to see which zone a given packet will be matched against.
$ sudo firewall-cmd --get-active-zones
external
 interfaces: ens3
home
 sources: 203.0.113.224/27
internal
 interfaces: tun0
[root@desktop ~]$

Get default zone

# Any interface without an explicit zone binding lands in the default zone.
# Here that is "external", which (see the listing below) only allows openvpn,
# so a newly attached NIC is closed down by default — a sensible choice.
$ sudo firewall-cmd --get-default-zone
external

Describe all zones (and their rules)

# Full dump of every zone (the real command prints all nine; the output here
# looks trimmed to the active ones).  "(active)" marks zones with a binding;
# "target: default" means anything not listed under services/ports/rich rules
# is rejected.  Worth auditing: cockpit (9090/tcp web console) and ssh are
# reachable from the home source range and from everything on tun0, and
# external (the WAN-facing default zone) masquerades.
$ sudo firewall-cmd --list-all-zones
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  sources:
  services: openvpn
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 203.0.113.224/27
  services: cockpit ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources:
  services: http https ssh cockpit dns
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@desktop ~]$

Rich-rule example

# Rich rule: accept TCP/22 from 192.168.122.0/24 to the host address
# 192.168.1.2.  Two caveats: with no --zone it goes into the default zone
# (external, per --get-default-zone above), and with no --permanent it is
# runtime-only.  The multi-line quoted argument is plain bash; the rich-rule
# parser accepts the embedded newlines (hence the "success").
$ firewall-cmd --add-rich-rule="rule family=ipv4
source address=192.168.122.0/24
destination address=192.168.1.2
port protocol=tcp port=22
accept"
success

Adding traditional iptables rules through the direct interface

# Direct rule: drop forwarded traffic that arrives on any tun* interface and
# is headed for an RFC 1918 destination (VPN clients must not reach the LAN
# behind the host).  Caveats: this covers only the FORWARD chain (packets
# routed through the host), not INPUT (the host's own private addresses);
# iptables expands the comma-separated -d list into one rule per network;
# priority 1 sorts it after any priority-0 direct rule.  The direct
# interface is deprecated from firewalld 1.0 in favour of policies
# (--new-policy ... --add-rich-rule), so prefer those on current releases.
[root@desktop ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i tun+ -d 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 -j DROP
success
[root@desktop ~]# firewall-cmd --reload
success
[root@desktop ~]#

Block sources by ipset

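# Block sources by ipset.  The list comes from a third-party site, so fetch
# it to a file and only load it when curl reports success: with a
# "curl -s ... | grep" one-liner a failed download silently produces an
# empty ipset, i.e. no blocking at all.  hash:net is IPv4-only unless
# --option=family=inet6 is given, which matches this (IPv4) list.
# Country lists are coarse and change over time; re-run this to refresh.
[root@desktop ~]# firewall-cmd --permanent --new-ipset=china --type=hash:net
success
[root@desktop ~]# list=$(mktemp)
[root@desktop ~]# curl -fsS -o "$list" https://iplists.firehol.org/files/ip2location_country/ip2location_country_cn.netset || echo "download failed, not loading ipset" >&2
# Strip the comment header; everything else is one CIDR per line.
[root@desktop ~]# grep -v '^#' -- "$list" > "$list.cidrs"
[root@desktop ~]# firewall-cmd --permanent --ipset=china --add-entries-from-file="$list.cidrs"
success
# "--source" is not a firewall-cmd option; binding a source to a zone is
# --add-source.  Sources in the drop zone are dropped without a reply, and
# source bindings are matched before any interface zone.
[root@desktop ~]# firewall-cmd --permanent --zone=drop --add-source=ipset:china
success
[root@desktop ~]# firewall-cmd --reload
success
[root@desktop ~]# rm -f -- "$list" "$list.cidrs"
[root@desktop ~]#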

Create a new zone

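# Create a new zone.  Zone creation is permanent-only, and the name must not
# collide with an existing zone: "dmz" is one of firewalld's predefined
# zones, so "--new-zone=dmz" fails because the name is already taken.
# List the existing names first (a stock install prints the nine below;
# custom zones appear here too) and pick one that is not in the list.
[root@desktop ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@desktop ~]# firewall-cmd --permanent --new-zone=mydmz
success
# A new zone already has target "default" (anything not explicitly allowed
# is rejected with an ICMP error), so this is a no-op kept for clarity; use
# --set-target=DROP for a zone that should drop silently instead.
[root@desktop ~]# firewall-cmd --permanent --set-target=default --zone=mydmz
success
[root@desktop ~]# firewall-cmd --reload
success
[root@desktop ~]#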

Configure NAT Masquerading

# Masquerade: traffic leaving through this zone's interfaces gets its source
# rewritten to the host's own address.  Per --get-active-zones above nothing
# is bound to dmz yet, so this has no effect until an interface or source is
# added to the zone.
# NOTE(review): firewalld also turns on IPv4 forwarding for a masquerading
# zone, as far as I recall — confirm on the target release.
[root@desktop ~]# firewall-cmd --permanent --add-masquerade --zone=dmz
success
[root@desktop ~]# firewall-cmd --reload
success
[root@desktop ~]#

Configure port forwarding

# Forward 8080/tcp arriving in the external zone to 192.168.122.88:80.
# Runtime-only (no --permanent).  Because toaddr is another host, the zone
# needs masquerade enabled for the reply path — external has it (see the
# zone listing).  This exposes the guest's port 80 to every source that can
# reach ens3; if it is not meant to be public, use a rich rule with
# "source address=..." and "forward-port" instead.
[root@desktop ~]# firewall-cmd --zone=external --add-forward-port="port=8080:proto=tcp:toport=80:toaddr=192.168.122.88"
success
[root@desktop ~]#