Linux Admin - Firewall Setup
firewalld is the default front-end controller for iptables on CentOS 7. It has two main advantages over raw iptables:

- It uses easy-to-configure zones that abstract away chains and individual rules.
- Its rulesets are dynamic: rules can be added or removed without reloading the whole ruleset, so established, stateful connections are not interrupted when the settings are changed.

Remember that firewalld is a wrapper around iptables, not a replacement for it. Custom iptables commands can still be run on a firewalld host, but it is recommended to manage rules through firewalld so as not to break its functionality: rules inserted directly with iptables are unknown to firewalld and can be discarded when it reloads or restarts. If a raw rule really is needed, firewalld's `--direct` interface is the supported way to add one.
First, let's make sure firewalld is both started and enabled.

```
[root@CentOS rdc]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2017-01-26 21:42:05 MST; 3h 46min ago
     Docs: man:firewalld(1)
 Main PID: 712 (firewalld)
   Memory: 34.7M
   CGroup: /system.slice/firewalld.service
           └─712 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
```

We can see that firewalld is both enabled (it will start on boot) and active (currently running). If it is inactive or disabled, we can use:

```
systemctl start firewalld && systemctl enable firewalld
```

Now that the firewalld service is running, let's confirm that it is operational.

```
[root@CentOS]# firewall-cmd --state
running
[root@CentOS]#
```

We can see that the firewalld service is fully functional.
firewalld works on the concept of zones. A zone is applied to a network interface through NetworkManager (the interface's connection carries the zone assignment). We will discuss this when configuring networking. For now, note that an interface with no explicit zone assignment follows the default zone, so changing the default zone changes the filtering on every such interface at once.

Let's take a quick look at each zone that comes out-of-the-box with firewalld.
Sr.No. | Zone | Description |
---|---|---|
1 | drop | Lowest trust level. All incoming packets are dropped without any reply; only outgoing connections (and the return traffic they solicit, tracked by connection state) are possible |
2 | block | Incoming connections are rejected with an ICMP message (icmp-host-prohibited for IPv4, icmp6-adm-prohibited for IPv6) telling the initiator the request is prohibited. Only connections initiated from this system are possible |
3 | public | For use on untrusted networks. Only explicitly allowed incoming connections are accepted; everything else is rejected |
4 | external | For the external side of a router doing NAT. Masquerading is enabled and only explicitly allowed incoming connections are accepted; the internal network stays private |
5 | dmz | For publicly reachable systems isolated in a DMZ with limited access to the internal network. Only explicitly allowed incoming connections are accepted |
6 | work | Trusts other computers on the network more, assuming the system is in a secured work environment. Still, only selected incoming connections are accepted |
7 | home | Trusts other computers on the network more, assuming the system is on a home network where sharing services such as NFS, Samba or SSDP are commonly opened |
8 | internal | For internal networks where other computers are mostly trusted. Only selected incoming connections are accepted |
9 | trusted | All machines on the network are trusted and all incoming connections are accepted. Never use this on an interface exposed to the Internet |
The most common zones to use are public, drop, work, and home.

Some scenarios where each common zone would be used are:

public: the zone most administrators work in, and the default on CentOS 7. Only the services you explicitly allow (ssh and dhcpv6-client out of the box) are accepted; everything else is rejected with an ICMP error, so the host behaves the way the RFCs expect on a LAN instead of silently going dark.

drop: a good example of when to use drop is at a security conference, on public WiFi, or on an interface connected directly to the Internet. drop treats every unsolicited packet as malicious, including ICMP probes, so nothing outside an established connection receives any reply. The downside of drop is that silently dropping instead of rejecting can break applications and diagnostics that expect RFC-compliant error replies (a client waits for a timeout instead of receiving an immediate refusal).

work: you are on a semi-secure corporate LAN where all traffic can be assumed moderately safe. This means it is not WiFi, and we probably have IDS, IPS, physical security or 802.1X in place. We should also be familiar with the people using the LAN.

home: you are on a home LAN. You are personally accountable for every system and user on the LAN, you know every machine on it, and none of them have been compromised. New services are often brought up for media sharing amongst trusted individuals, and you do not need to take extra time for the sake of security.

Zones and network interfaces have a one-to-many relationship. A network interface can have only one zone applied to it at a time, while a zone can be applied to many interfaces simultaneously.
Let's see which zones are available and which zone is currently the default.

```
[root@CentOS]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
[root@CentOS]# firewall-cmd --get-default-zone
public
[root@CentOS]#
```
Ready to add some customized rules in firewalld?

First, let's see what our box looks like to a port scanner from outside.

```
bash-3.2# nmap -sS -p 1-1024 -T 5 10.211.55.1

Starting Nmap 7.30 ( https://nmap.org ) at 2017-01-27 23:36 MST
Nmap scan report for centos.shared (10.211.55.1)
Host is up (0.00046s latency).
Not shown: 1023 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 3.71 seconds
bash-3.2#
```
Let's allow incoming requests to port 80.

First, check which zone is applied as the default.

```
[root@CentOS]# firewall-cmd --get-default-zone
public
[root@CentOS]#
```

Then set the rule allowing port 80 in the current default zone (note that there are no spaces around the `=`).

```
[root@CentOS]# firewall-cmd --zone=public --add-port=80/tcp
success
[root@CentOS]#
```
Now, let's scan our box again after allowing port 80 connections.

```
bash-3.2# nmap -sS -p 1-1024 -T 5 10.211.55.1

Starting Nmap 7.30 ( https://nmap.org ) at 2017-01-27 23:42 MST
Nmap scan report for centos.shared (10.211.55.1)
Host is up (0.00053s latency).
Not shown: 1022 filtered ports
PORT   STATE  SERVICE
22/tcp open   ssh
80/tcp closed http

Nmap done: 1 IP address (1 host up) scanned in 3.67 seconds
bash-3.2#
```

The firewall now lets unsolicited traffic through to port 80. nmap reports the port as closed rather than filtered: the SYN passes the firewall and reaches the kernel's TCP stack, which answers with a RST because no web server is listening yet. Once httpd is started, the same scan will show the port as open. A filtered result would mean firewalld is still dropping or rejecting the probe.
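If you repeat such scans after every rule change, it helps to map nmap's three port states back to firewall behaviour mechanically. The script below is an added example and not part of the original tutorial: it reads nmap's grepable output (`nmap -oG -`) and labels each reported port. The function names `scan_verdict` and `sample_scan` are ours; the sample line is constructed to match the scan above (22 open, 80 closed, the remaining 1022 ports filtered).

```shell
#!/bin/sh
# Added example, not part of the original tutorial: translate the port states
# in nmap grepable output into statements about the host firewall.
#   open     = the firewall passed the SYN and a daemon answered with SYN/ACK
#   closed   = the firewall passed the SYN, nothing listens, the kernel sent RST
#   filtered = no answer or an ICMP rejection, i.e. firewalld dropped/rejected it

# scan_verdict: reads "nmap -oG -" lines on stdin, prints "PORT STATE: meaning".
# A grepable host line is tab separated:
#   Host: 10.211.55.1 (centos.shared)<TAB>Ports: 22/open/tcp//ssh///, ...<TAB>Ignored State: filtered (1022)
# and each port entry is port/state/protocol/owner/service/rpcinfo/version/
scan_verdict() {
    awk -F'\t' '
    function meaning(state) {
        if (state == "open")     return "reachable through the firewall, service listening"
        if (state == "closed")   return "reachable through the firewall, nothing listening (kernel replied RST)"
        if (state == "filtered") return "blocked by the firewall (dropped or rejected)"
        return "unexpected state"
    }
    /^Host: / {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Ports: /) {
                # strip the "Ports: " prefix, then split the comma separated entries
                n = split(substr($i, 8), entry, /, */)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    printf "%s/%s %s: %s\n", f[1], f[3], f[2], meaning(f[2])
                }
            } else if ($i ~ /^Ignored State: /) {
                # the ports nmap did not list individually, e.g. "filtered (1022)"
                printf "other ports %s\n", substr($i, 16)
            }
        }
    }'
}

# sample_scan: constructed grepable line matching the scan in the text above.
sample_scan() {
    printf 'Host: 10.211.55.1 (centos.shared)\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///\tIgnored State: filtered (1022)\n'
}

# Against a live host:   nmap -sS -p 1-1024 -oG - 10.211.55.1 | scan_verdict
# Offline demonstration on the constructed sample:
sample_scan | scan_verdict
```

On the constructed sample this prints one line for 22/tcp (open), one for 80/tcp (closed, reachable but nothing listening) and a final line summarising the 1022 filtered ports, which is exactly the state the tutorial is describing after `--add-port=80/tcp` and before httpd is installed.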
Let's set the default zone to drop and see what happens to the port scan.

```
[root@CentOS]# firewall-cmd --set-default-zone=drop
success
[root@CentOS]# firewall-cmd --get-default-zone
drop
[root@CentOS]#
```

Now let's scan the host with its network interface in this more restrictive zone.

```
bash-3.2# nmap -sS -p 1-1024 -T 5 10.211.55.1

Starting Nmap 7.30 ( https://nmap.org ) at 2017-01-27 23:50 MST
Nmap scan report for centos.shared (10.211.55.1)
Host is up (0.00094s latency).
All 1024 scanned ports on centos.shared (10.211.55.1) are filtered

Nmap done: 1 IP address (1 host up) scanned in 12.61 seconds
bash-3.2#
```

Now everything is filtered from outside, including port 22, which was reachable in public. Note that the scan also took three times longer: with nothing answering, nmap has to wait for its probes to time out.

As demonstrated below, the host will not even respond to ICMP echo requests while in drop.

```
bash-3.2# ping 10.211.55.1
PING 10.211.55.1 (10.211.55.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
```
Let's set the default zone back to public.

```
[root@CentOS]# firewall-cmd --set-default-zone=public
success
[root@CentOS]# firewall-cmd --get-default-zone
public
[root@CentOS]#
```

Now let's check the current filtering ruleset in public.

```
[root@CentOS]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s5
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

[root@CentOS rdc]#
```
As configured, our port 80 rule exists only in the runtime configuration. This means that once the system is rebooted or the firewalld service is restarted or reloaded, the rule will be discarded.

We will be configuring an httpd daemon soon, so let's make the change persistent:

```
[root@CentOS]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@CentOS]# systemctl restart firewalld
[root@CentOS]#
```

Now our port 80 rule in the public zone is persistent across reboots and service restarts. Two points are worth keeping in mind. A `--permanent` change is written to `/etc/firewalld/zones/public.xml` but does not touch the running ruleset by itself; it takes effect at the next `firewall-cmd --reload` or service restart (the restart above did that for us). And rather than repeating every command twice, `firewall-cmd --runtime-to-permanent` saves the whole current runtime configuration in one step. You can confirm both views agree with `firewall-cmd --zone=public --list-ports` and `firewall-cmd --permanent --zone=public --list-ports`.
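The runtime/permanent split is the most common way a firewalld rule silently goes missing: a port opened with a runtime-only command vanishes at the next reboot, and a port added with `--permanent` but never reloaded is not actually enforced. The script below is an added example (not from the original tutorial) that compares the two configurations of a zone and reports any drift. The function names `list_drift` and `zone_drift` are ours; the `firewall-cmd` options it calls (`--list-ports`, `--list-services`, `--permanent`, `--get-default-zone`) are the real ones. `list_drift` is pure shell and can be tried anywhere; `zone_drift` needs root on a host with firewalld running.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: report drift between the
# runtime and permanent firewalld configuration of a zone.
#   runtime only   -> enforced now, lost at the next reboot/reload
#   permanent only -> on disk, but not enforced until `firewall-cmd --reload`

# list_drift LABEL RUNTIME_LIST PERMANENT_LIST
# Compares two whitespace-separated lists (the format firewall-cmd prints for
# --list-ports and --list-services) and prints one line per entry that exists
# on only one side. Returns 1 if any drift was found, 0 otherwise.
list_drift() {
    label=$1
    runtime=$2
    permanent=$3
    found=0
    for item in $runtime; do
        case " $permanent " in
            *" $item "*) ;;
            *) echo "$label $item: runtime only (lost on reboot)"; found=1 ;;
        esac
    done
    for item in $permanent; do
        case " $runtime " in
            *" $item "*) ;;
            *) echo "$label $item: permanent only (not active until --reload)"; found=1 ;;
        esac
    done
    return $found
}

# zone_drift ZONE
# Queries firewalld for the ports and services of ZONE in both configurations
# and reports any difference. Needs root and a running firewalld.
zone_drift() {
    zone=$1
    rc=0
    list_drift "port" \
        "$(firewall-cmd --zone="$zone" --list-ports)" \
        "$(firewall-cmd --permanent --zone="$zone" --list-ports)" || rc=1
    list_drift "service" \
        "$(firewall-cmd --zone="$zone" --list-services)" \
        "$(firewall-cmd --permanent --zone="$zone" --list-services)" || rc=1
    return $rc
}

# Usage on a CentOS host:  sh firewalld-drift.sh --check [zone]
# The zone defaults to the current default zone. Exit status is 1 on drift,
# so the script can be dropped into a cron job or a post-change check.
if [ "${1:-}" = "--check" ]; then
    zone=${2:-$(firewall-cmd --get-default-zone)}
    if zone_drift "$zone"; then
        echo "zone $zone: runtime and permanent configuration match"
    fi
fi
```

Run against the state the tutorial had just before the `--permanent` command (80/tcp open at runtime only), `zone_drift public` prints `port 80/tcp: runtime only (lost on reboot)` and exits 1; after the permanent add and reload it prints nothing and exits 0.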
Following are the common firewalld commands applied with firewall-cmd.

Command | Action |
---|---|
firewall-cmd --get-zones | Lists all zones that can be applied to an interface |
firewall-cmd --state | Returns the current status of the firewalld service (running or not running) |
firewall-cmd --get-default-zone | Gets the current default zone |
firewall-cmd --set-default-zone=<zone> | Sets the default zone; this change is both runtime and permanent |
firewall-cmd --get-active-zones | Lists the zones that currently have interfaces or sources bound to them |
firewall-cmd --zone=<zone> --list-all | Lists the configuration of the supplied zone |
firewall-cmd --zone=<zone> --add-port=<port/protocol> | Opens a port (for example 80/tcp) in the zone's filter |
firewall-cmd --reload | Loads the permanent configuration into runtime, discarding runtime-only changes |
--permanent | Makes a change persistent. Used inline with modification commands; takes effect at the next reload or restart |
These are the basic concepts of administering and configuring firewalld.

Configuring host-based firewall services in CentOS can be a complex task in more sophisticated networking scenarios. Advanced usage and configuration of firewalld and iptables in CentOS could fill an entire tutorial. However, the basics presented here should be enough to complete the majority of daily tasks.