Netfilter is the packet-filtering framework inside the Linux kernel; iptables and firewalld are the user-space tools that load rules into it. Firewalld is a dynamic daemon that manages the firewall
with support for network zones. In the earlier releases, RHEL and CentOS 6, the iptables service was used to load the
packet-filtering rules. In RHEL/CentOS 7 and Fedora 21 the iptables service is replaced by firewalld
as the default front end.
It is recommended to start using firewalld instead of the iptables service, as the latter may be discontinued in future.
The iptables service is still supported and can be installed with yum (package iptables-services), but firewalld and the
iptables service must not run on the same system at the same time: both write rules into the same kernel tables and
will conflict. Note that firewalld on RHEL 7 still uses the iptables command as its back end, so the iptables binary
stays installed; it is only the iptables service that has to be kept off.
With iptables we configured rules directly in the INPUT, OUTPUT and FORWARD chains; firewalld instead groups rules
into zones. Several zones are available by default, and they are discussed in this article.
Each zone (public, home, internal and so on) represents a level of trust for the traffic that lands in it. To make
things work with zones, we bind an interface (or a source address range) to a zone and then add the services that
zone should accept.
Many services are pre-defined, and one of the best features of firewalld is that these service definitions
can be copied and used as templates for our own services.
Firewalld works with IPv4, IPv6 and Ethernet bridges, and it keeps separate runtime and permanent configurations:
a runtime change applies immediately but is lost on reload or reboot, while a permanent change is written under
/etc/firewalld and applied on the next reload. Let's get started with zones, custom services and the other uses of firewalld.
Our Testing Environment
Operating System :
IP Address :
Host-name :
Install Firewalld
2. After the firewalld package has been installed, verify whether the iptables service is running. If it is,
stop and mask it with the commands below (masking prevents the unit from being started again, manually or as a
dependency of another unit).
# systemctl status iptables
# systemctl stop iptables
# systemctl mask iptables
5. DMZ Zone: for computers in a demilitarized zone that are publicly accessible but have limited access to the
internal network; only selected incoming connections are accepted.
6. Work Zone: for work areas, where you mostly trust the other computers on the network; only selected incoming
connections are accepted.
7. Home Zone: for home areas, where you mostly trust the other computers on the network not to harm yours; as with
the zones above, only selected incoming connections are accepted.
8. Internal Zone: for internal networks, similar to the work zone; only selected incoming connections are accepted.
9. Trusted Zone: all network connections are accepted.
Now that you have a better idea of the zones, let's find out the available zones, the default zone and the full
zone listing using the following commands.
# firewall-cmd --get-zones
Note: --get-zones prints only the zone names: block, dmz, drop, external, home, internal, public, trusted and
work. The full listing from --list-all-zones will not fit on a single page, because for each zone it also prints
any rich rules, enabled services and open ports.
5. After setting the default zone, verify it using the command below.
# firewall-cmd --get-default-zone
Then navigate to the directory where the service file was copied and rename ssh.xml to
rtmp.xml as shown in the picture below.
# cd /etc/firewalld/services/
13. To confirm that the service was added, list the services firewalld knows about. New service files under
/etc/firewalld/services/ are read only at startup or after firewall-cmd --reload, so reload first if rtmp is missing.
# firewall-cmd --get-services
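The service definition as a script, an added example rather than the article's own steps: instead of editing a copy of ssh.xml by hand, write_service writes rtmp.xml directly (RTMP on 1935/tcp is assumed, matching the port the article opens later), service_has_port checks that the port attribute is the one intended, and register_service reloads firewalld so that --get-services lists the new service. The --install switch, the directory argument and the function names are this example's own, not firewalld's.

```shell
#!/bin/bash
# Added example, not code from the original article: create a custom firewalld
# service file and register it. Assumes RTMP on 1935/tcp and the RHEL/CentOS 7
# services directory; function names and the --install switch are ours.

# Write <dir>/<name>.xml with a single port element.
# Usage: write_service <name> <port> [tcp|udp] [dir]   (prints the file path)
write_service() {
    local name="$1" port="$2" proto="${3:-tcp}" dir="${4:-/etc/firewalld/services}"
    local file="$dir/$name.xml"
    umask 022   # world-readable, root-writable, like the shipped definitions
    cat > "$file" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>Custom firewalld service for $name on $port/$proto.</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
    printf '%s\n' "$file"
}

# Check that the file declares the expected port. A hand-edited copy of
# ssh.xml commonly keeps port="22" by mistake; this catches that.
service_has_port() {
    local file="$1" port="$2" proto="${3:-tcp}"
    grep -q "<port protocol=\"$proto\" port=\"$port\"/>" "$file"
}

# Files under /etc/firewalld/services are read only at startup or on reload,
# so --get-services will not show the new service until after a reload.
register_service() {
    firewall-cmd --reload &&
    firewall-cmd --get-services | tr ' ' '\n' | grep -qx "$1"
}

# Run the whole procedure only when asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--install" ]; then
    file=$(write_service rtmp 1935 tcp)
    service_has_port "$file" 1935 tcp && register_service rtmp
fi
```

Newer firewalld releases (0.4 and later) can create the same definition without touching XML, with `firewall-cmd --permanent --new-service=rtmp` followed by `firewall-cmd --permanent --service=rtmp --add-port=1935/tcp`; the file-based method above works on every RHEL/CentOS 7 release.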
15. The interface enp0s3 is in the public zone; this is the default zone, defined in
/etc/firewalld/firewalld.conf as DefaultZone=public.
To list the services currently enabled in this default zone (--get-services, used above, lists every service
definition firewalld knows about, not the ones enabled in a zone):
# firewall-cmd --list-services
Adding a service without --permanent changes the runtime configuration only, and the change is lost on the next
reload or reboot. To make it permanent, run the command again with --permanent and then reload: --permanent alone
only writes the configuration file and does not touch the running firewall.
# firewall-cmd --add-service=rtmp --permanent
# firewall-cmd --reload
18. Define a source range and open a port. For example, to add the network range 192.168.0.0/24 and open
port 1935/tcp in the default zone, use the following commands.
# firewall-cmd --permanent --add-source=192.168.0.0/24
# firewall-cmd --permanent --add-port=1935/tcp
Make sure to reload firewalld after adding or removing any services or ports, then list the zone to check the result.
# firewall-cmd --reload
# firewall-cmd --list-all
Hosts in 192.168.0.0/24 can now reach port 1935 on the server. Be aware, though, that these are two separate
additions to the public zone, not one combined rule: --add-source makes traffic from that range land in the public
zone (which it already did, through the interface binding), and --add-port opens 1935/tcp to every host whose
traffic lands in the zone, not only to that range. To restrict the port to 192.168.0.0/24, either put the range in
its own zone (for example internal) and open the port there, or use a rich rule that names the source address.
The --permanent option can be used with every rule, but the safer habit is to define the rule in the runtime
configuration first, verify access from a client, and only then make it permanent.
20. After adding the rules above, don't forget to reload the firewall and list the rules using:
# firewall-cmd --reload
# firewall-cmd --list-all
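The source-range caveat worked through, as an added example that is not part of the original article. rich_rule_for builds a firewalld rich rule that accepts a port only from one prefix; allow_port_from applies it runtime-first and then permanently, following the article's own pattern; allow_port_via_zone is the zone-based alternative; exposed_ports audits a `firewall-cmd --list-all` listing for ports that every host in the zone can reach. The two listings at the end are constructed for the example, not captured from a real host, and the function names are this example's own.

```shell
#!/bin/bash
# Added example, not code from the original article. It shows how to limit
# a port to one source range (rich rule or a dedicated zone) and how to audit
# a zone listing for ports open to every host. Assumes firewalld on
# RHEL/CentOS 7 with public as the default zone; function names are ours.

# Build the rich rule text. Usage: rich_rule_for <cidr> <port> [tcp|udp]
rich_rule_for() {
    local src="$1" port="$2" proto="${3:-tcp}" family=ipv4
    case "$src" in *:*) family=ipv6 ;; esac   # a colon means an IPv6 prefix
    printf 'rule family="%s" source address="%s" port port="%s" protocol="%s" accept' \
        "$family" "$src" "$port" "$proto"
}

# Option 1: rich rule in the default zone. Runtime first so a client can be
# tested, then the same rule permanently, then reload (the article's pattern).
allow_port_from() {
    local rule
    rule=$(rich_rule_for "$@")
    firewall-cmd --add-rich-rule="$rule" &&
    firewall-cmd --permanent --add-rich-rule="$rule" &&
    firewall-cmd --reload
}

# Option 2: bind the range to the internal zone and open the port there only.
# Source bindings are matched before interface bindings, so the internal zone
# now governs all traffic from that range; add whatever else those hosts need.
allow_port_via_zone() {
    local src="$1" port="$2" proto="${3:-tcp}" zone="${4:-internal}"
    firewall-cmd --permanent --zone="$zone" --add-source="$src" &&
    firewall-cmd --permanent --zone="$zone" --add-port="$port/$proto" &&
    firewall-cmd --reload
}

# Audit: print the ports from a `firewall-cmd --list-all` listing (stdin) that
# every host on the zone's interfaces can reach; return 1 if there are none.
# The "ports:" line applies to all traffic in the zone, so once an interface
# is bound, the "sources:" line does not narrow who may connect to them.
exposed_ports() {
    local listing ifaces ports
    listing=$(cat)
    ifaces=$(printf '%s\n' "$listing" | sed -n 's/^ *interfaces: *//p')
    ports=$(printf '%s\n' "$listing" | sed -n 's/^ *ports: *//p')
    [ -n "$ifaces" ] && [ -n "$ports" ] || return 1
    printf '%s\n' $ports   # unquoted on purpose: one port per line
}

# Constructed sample listings (not captured from a real host). The first is
# what the article's --add-source plus --add-port sequence produces.
ZONE_WIDE_PORT='public (active)
  interfaces: enp0s3
  sources: 192.168.0.0/24
  services: dhcpv6-client ssh rtmp
  ports: 1935/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
'
RESTRICTED_PORT='public (active)
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.0.0/24" port port="1935" protocol="tcp" accept
'

printf 'zone-wide ports (add-source + add-port): %s\n' \
    "$(printf '%s' "$ZONE_WIDE_PORT" | exposed_ports || echo none)"
printf 'zone-wide ports (rich rule):             %s\n' \
    "$(printf '%s' "$RESTRICTED_PORT" | exposed_ports || echo none)"
```

On a live host, run `firewall-cmd --list-all | exposed_ports` after each change; anything it prints is reachable from every address on the bound interfaces, whatever the sources line says. Rich rules and the services line are not covered by this check, so review those by hand.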
That's it: we have seen how to set up netfilter using firewalld in RHEL/CentOS 7 and Fedora 21.
Conclusion
Netfilter is the firewall framework in every Linux distribution. Earlier RHEL
and CentOS releases managed it through the iptables service; version 7 introduced firewalld, which is easier to
understand and use. Hope you have enjoyed the write-up.