How to setup a Firewall using FirewallD on CentOS and Almalinux


In today’s interconnected world, securing your servers is not optional – it’s a necessity. A firewall acts as a crucial barrier, controlling network traffic and preventing unauthorized access. On CentOS, AlmaLinux, and Red Hat Enterprise Linux (RHEL) systems, FirewallD is the default firewall management tool. This article provides a comprehensive guide on How to setup a Firewall using FirewallD on CentOS and Almalinux, covering installation, configuration, and verification. Let’s delve into how you can use FirewallD to bolster your server’s defenses.

Install and Configure a Firewall Using FirewallD on CentOS 7 and AlmaLinux

Introduction

In the modern digital landscape, ensuring the security of your systems and networks is of paramount importance. One of the key tools for safeguarding your CentOS 7 server is FirewallD, a dynamic firewall management utility. FirewallD provides an easy-to-use interface for configuring and managing firewalls, allowing you to control incoming and outgoing network traffic. In this article, we will guide you through the process of setting up a firewall using FirewallD on CentOS 7, AlmaLinux, or Red Hat Enterprise Linux (RHEL), enabling you to strengthen the security of your server.

Step 1: Installing FirewallD

Before diving into the firewall configuration, ensure that FirewallD is installed on your CentOS 7 system. By default, CentOS 7 ships with FirewallD, but if it is not installed, you can install it using the following command:

$ sudo yum install firewalld

Step 2: Starting and Enabling FirewallD

Once FirewallD is installed, start the service and enable it to start at boot by executing the following commands:

$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld

Step 3: Understanding FirewallD Concepts

Before we proceed with firewall configuration, it is essential to understand a few key concepts of FirewallD:

Step 4: Configuring FirewallD Zones

By default, FirewallD comes with several predefined zones, including “public”, “work”, and “home”. To view the available zones, use the following command:

$ sudo firewall-cmd --get-zones

To assign an interface to a specific zone, use the following command:

$ sudo firewall-cmd --zone=zone_name --add-interface=interface_name --permanent

Replace zone_name with the desired zone and interface_name with the name of the interface you wish to assign. The --permanent flag writes the change to the saved configuration; it takes effect after the reload in Step 6.

Step 5: Opening Ports and Allowing Services

To enable specific services or open ports, you can use the following commands:

To allow a service:

$ sudo firewall-cmd --zone=zone_name --add-service=service_name --permanent

To open a port:

$ sudo firewall-cmd --zone=zone_name --add-port=port_number/tcp --permanent

Remember to replace zone_name, service_name, and port_number with the appropriate values.

Step 6: Applying Changes and Reloading FirewallD

Changes made with --permanent are written to the saved configuration but do not affect the running firewall until it is reloaded. After making any changes to the firewall configuration, apply the changes and reload FirewallD using the following commands:

$ sudo firewall-cmd --reload
$ sudo systemctl restart firewalld

Step 7: Verifying the Firewall Configuration

To verify that the firewall configuration is applied correctly, you can use various commands, such as:

To view the active zones:

$ sudo firewall-cmd --get-active-zones

To list all the services allowed in a specific zone:

$ sudo firewall-cmd --zone=zone_name --list-services

To check the open ports in a specific zone:

$ sudo firewall-cmd --zone=zone_name --list-ports

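As an added example (not part of the original article) that ties Steps 4 to 7 together, the shell functions below audit a zone against an allowlist of services and ports and detect drift between the runtime and permanent configuration, which is exactly what to check after the --permanent and --reload sequence above. The parsing functions take the text of firewall-cmd --list-all as input, so they can be exercised on captured output; only fw_audit_zone calls firewall-cmd itself, and the allowlists and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Audit a FirewallD zone: flag services/ports outside an allowlist and detect drift
# between the runtime and the permanent configuration. Added example, not from the
# original article; allowlists and sample listings are constructed for illustration.

# Print the value of one "key:" line from `firewall-cmd --list-all` output.
# Usage: fw_field services "$listing"
fw_field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Print every service or port open in the listing but absent from the allowlists.
# Usage: fw_unexpected "ssh http" "443/tcp" "$listing"; returns 1 if anything was found.
fw_unexpected() {
    allow_services=$1; allow_ports=$2; listing=$3; rc=0
    for s in $(fw_field services "$listing"); do
        case " $allow_services " in *" $s "*) ;; *) echo "unexpected service: $s"; rc=1 ;; esac
    done
    for p in $(fw_field ports "$listing"); do
        case " $allow_ports " in *" $p "*) ;; *) echo "unexpected port: $p"; rc=1 ;; esac
    done
    return $rc
}

# Normalized list of what a listing exposes (services and ports), one item per line.
fw_state() {
    { fw_field services "$1"; fw_field ports "$1"; } | tr ' ' '\n' | grep -v '^$' | sort
}

# Succeed only if the runtime and permanent listings expose the same set. A mismatch
# means the next reload or reboot will silently change what the host exposes.
fw_drift() {
    [ "$(fw_state "$1")" = "$(fw_state "$2")" ]
}

# Live wrapper: audit one zone on this host (requires firewall-cmd and sudo).
# Usage: fw_audit_zone public "ssh http" "443/tcp"
fw_audit_zone() {
    zone=$1
    rt=$(sudo firewall-cmd --zone="$zone" --list-all)
    pm=$(sudo firewall-cmd --permanent --zone="$zone" --list-all)
    fw_unexpected "$2" "$3" "$rt"
    fw_drift "$rt" "$pm" || echo "zone $zone: runtime and permanent configuration differ"
}
```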
Conclusion

By following the steps outlined in this article, you can easily set up a firewall using FirewallD on CentOS 7. Taking the time to configure and manage your firewall is a crucial step in ensuring the security and integrity of your server. FirewallD provides a user-friendly interface for controlling network traffic and allows you to define rules based on zones, services, and ports. By actively monitoring and updating your firewall configuration, you can protect your CentOS 7 server from unauthorized access and potential security threats.

Now, let’s explore alternative solutions to configuring a firewall on CentOS, AlmaLinux, or RHEL. While FirewallD is the default and often the most convenient choice, other options exist that might be better suited for specific needs or preferences.

Alternative 1: Using iptables Directly

FirewallD is a front end to the packet filtering framework in the Linux kernel (iptables on CentOS 7; nftables on CentOS/RHEL 8 and later, including AlmaLinux), and you can configure iptables rules directly instead. This provides more granular control and flexibility, but it requires a deeper understanding of networking concepts and iptables syntax, and the two should not manage the same host at once: stop and disable firewalld before maintaining rules by hand, or it will overwrite them on its next reload. It is also important to note that iptables rules are not persistent across reboots by default and the ruleset must be saved using a tool like iptables-save.

Explanation:

iptables works by examining network packets and comparing them against a set of rules. Each rule specifies criteria (e.g., source IP address, destination port) and an action to take if the criteria are met (e.g., ACCEPT, DROP, REJECT). Rules are organized into tables (e.g., filter, nat, mangle) and chains (e.g., INPUT, OUTPUT, FORWARD).

Code Example:

To allow SSH traffic (port 22) from any source IP address, you would use the following iptables commands:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

• -A INPUT: Appends the rule to the INPUT chain of the filter table (the default table). The INPUT chain handles incoming traffic to the server.
• -p tcp: Specifies that the rule applies to TCP traffic.
• --dport 22: Specifies that the rule applies to traffic destined for port 22 (the destination port).
• -j ACCEPT: Specifies that matching packets should be accepted.
• -A OUTPUT: Appends the rule to the OUTPUT chain of the filter table. The OUTPUT chain handles outgoing traffic from the server.
• --sport 22: Specifies that the rule applies to traffic originating from port 22 (the source port).
• -m state --state RELATED,ESTABLISHED: Allows established connections and related traffic through. This is crucial for allowing responses to connections initiated from inside the server.

Note that these rules only restrict anything once the chain’s default policy is DROP (iptables -P INPUT DROP); with the default ACCEPT policy they are accepted anyway, and once the policy is DROP the RELATED,ESTABLISHED rule should come before the others so that existing sessions keep working.

To save the iptables rules so they persist across reboots (on CentOS/RHEL 7 systems this requires the iptables-services package, whose iptables.service unit loads the file at boot). The redirection must run as root, because sudo applies only to iptables-save and not to the shell that opens the output file:

sudo sh -c 'iptables-save > /etc/sysconfig/iptables'

To restore the rules manually after a reboot:

sudo sh -c 'iptables-restore < /etc/sysconfig/iptables'

Case Study: Imagine you need to block all incoming traffic from a specific IP address, say 192.168.1.100. Using iptables, you can easily accomplish this:

sudo iptables -A INPUT -s 192.168.1.100 -j DROP

This rule will drop all packets originating from the IP address 192.168.1.100.

Alternative 2: Using nftables

nftables is the successor to iptables. It provides a more modern and efficient framework for packet filtering, classification, and network address translation. It uses a simpler configuration syntax and offers improved performance. While iptables is still widely used, nftables is gradually becoming the preferred choice for new deployments.

Explanation:

nftables organizes rules differently from iptables. iptables has fixed built-in tables (filter, nat, mangle) and chains (INPUT, OUTPUT, FORWARD); nftables has none built in, so you create the tables and chains yourself, attach each chain to a kernel hook, and can use sets to match many addresses or ports in a single rule. A table in the inet family handles IPv4 and IPv6 together, which is why the example below needs only one ruleset.

Code Example:

To achieve the same SSH access rule as above using nftables, you would use the following commands (the chain definitions are quoted because the braces and semicolons would otherwise be interpreted by the shell):

sudo nft add table inet filter
sudo nft add chain inet filter input '{ type filter hook input priority 0 ; policy drop ; }'
sudo nft add chain inet filter output '{ type filter hook output priority 0 ; policy accept ; }'
sudo nft add rule inet filter input tcp dport 22 ct state new,established counter accept
sudo nft add rule inet filter output tcp sport 22 ct state established counter accept
sudo nft add rule inet filter input ct state related,established counter accept

• nft add table inet filter: Creates a table named "filter" in the "inet" family (IPv4 and IPv6).
• nft add chain inet filter input ...: Creates an input chain within the "filter" table, specifying the hook (input) and priority. The policy drop means that any packet not explicitly accepted will be dropped, so run the add rule commands immediately after creating the chain; until the SSH rule is in place, the session you are working from has no accept rule.
• nft add chain inet filter output ...: Creates an output chain within the "filter" table. The policy accept means that any packet not explicitly dropped will be accepted.
• nft add rule inet filter input tcp dport 22 ct state new,established counter accept: Adds a rule to the input chain to accept new and established TCP connections to port 22. ct state refers to the connection tracking state.
• nft add rule inet filter output tcp sport 22 ct state established counter accept: Adds a rule to the output chain to accept established TCP connections originating from port 22.
• nft add rule inet filter input ct state related,established counter accept: Accepts related and established connections.

To make the nftables rules persistent across reboots (on CentOS/RHEL), save the ruleset to a file. As with iptables-save, the redirection must run as root:

sudo sh -c 'nft list ruleset > /etc/nftables/firewall.rules'

To restore the rules after a reboot:

sudo nft -f /etc/nftables/firewall.rules

To have this happen automatically at boot, add an include line for the file to /etc/sysconfig/nftables.conf, which the nftables service reads, and enable the service with systemctl enable nftables.

Case Study: Let’s say you want to limit the rate of incoming connections to port 80 (HTTP) to prevent denial-of-service attacks. nftables can handle this efficiently:

sudo nft add rule inet filter input tcp dport 80 limit rate over 10/second drop

This rule matches packets to port 80 that arrive faster than 10 per second and drops the excess. As written it counts every packet, so to limit new connections rather than all HTTP traffic, add ct state new before limit. Because nftables evaluates rules in order, the rule must also come before any rule that accepts port 80 traffic.

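Both the iptables and nftables sections above add rules one command at a time, which, under a drop policy, opens a window with no accept rules and makes it easy to lock yourself out of the host. As an added example (not part of the original article) that covers both sections, the script below builds the same SSH ruleset plus the port 80 rate limit as one nftables file and loads it atomically with nft -f, so the whole ruleset is either applied or rejected. It assumes nft is installed and that /etc/sysconfig/nftables.conf is the file nftables.service loads on CentOS/RHEL 8 and AlmaLinux; the ports and the rate are parameters.

```shell
#!/bin/sh
# Build one complete nftables ruleset and load it atomically with `nft -f`, rather than
# adding rules one at a time under a drop policy. Added example, not from the original
# article. Assumes nft is installed; ports and rate are parameters.

# Print the ruleset. $1 = SSH port, $2 = HTTP port, $3 = max new HTTP connections/second.
nft_ruleset() {
    ssh_port=${1:-22}; http_port=${2:-80}; rate=${3:-10}
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state related,established accept
        ct state invalid drop
        tcp dport $ssh_port ct state new accept
        tcp dport $http_port ct state new limit rate over $rate/second drop
        tcp dport $http_port ct state new accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output { type filter hook output priority 0; policy accept; }
}
EOF
}

# 1-based line number of the first ruleset line containing a pattern, 0 if absent.
# Used to confirm ordering: nftables evaluates rules top to bottom, so the rate limit
# must precede the accept for the same port, and the established-state accept comes early.
rule_index() {
    n=$(printf '%s\n' "$2" | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Syntax-check, load in one transaction, then persist to the file nftables.service reads
# on CentOS/RHEL 8 and AlmaLinux (assumed path). Enable boot loading: systemctl enable nftables
nft_apply() {
    rules=$(nft_ruleset "$@")
    printf '%s\n' "$rules" | sudo nft -c -f - || return 1
    printf '%s\n' "$rules" | sudo nft -f - || return 1
    printf '%s\n' "$rules" | sudo tee /etc/sysconfig/nftables.conf >/dev/null
}
```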
Conclusion:

Setting up a firewall with FirewallD on CentOS and AlmaLinux is a fundamental aspect of server security. FirewallD offers a convenient and user-friendly approach, while understanding the alternatives, direct iptables or nftables configuration, gives you greater flexibility and control. Choosing the right tool depends on your requirements, your technical expertise, and the complexity of your network environment. Whichever you choose, a configured and actively maintained firewall should be treated as a baseline practice when securing your infrastructure.