Set Up FirewallD on CentOS 7: Best Firewall Manager


In this article we walk through setting up FirewallD on CentOS 7. Firewalld is a dynamic firewall manager available on many Linux distributions, including Ubuntu, Debian, CentOS, RHEL and Fedora. Follow the steps below to set up FirewallD on CentOS 7 and start using its features.

Before diving in, make sure you are logged in as a non-root user with sudo privileges. If you have not set one up yet, see our article on Initial server setup with CentOS 7 for detailed instructions.

Before you set up FirewallD on CentOS 7, let's first look at FirewallD zones.

FirewallD works with zones and services instead of the chains and rules of traditional iptables. A zone is a predefined set of rules that defines which traffic is allowed, according to the level of trust you assign to the network the system is connected to. Each network interface is assigned to a zone, and that assignment determines how the firewall treats the interface's traffic.


1. FirewallD zones

Here is a list of predefined zones for Firewalld:

  1. Drop: the lowest trust level. All incoming traffic is dropped without any reply to the sender.

  2. Block: similar to Drop, but incoming traffic is rejected and the sender receives a rejection message.

  3. Public: for public networks where other computers are not trusted; only selected incoming traffic is accepted.

  4. External: used when your system acts as a gateway or router.

  5. Internal: the set of rules that applies to the computers in your private internal network.

  6. DMZ: for an isolated segment of your internal network whose computers may not access other internal resources.

  7. Work: for work machines; the trust level is high.

  8. Home: for home networks where most computers trust each other; the trust level is higher than Work.

  9. Trusted: the highest trust level. All computers in the network are trusted.

2. Installing Firewalld on CentOS 7

Follow these steps to set up FirewallD on CentOS 7.

Install Firewalld on CentOS 7 with the following command:

sudo yum install firewalld -y

Then enable it so it starts at boot, and reboot the system:

sudo systemctl enable firewalld
sudo reboot

Verify that the service is running with the following command:

sudo firewall-cmd --state

3. Firewall rules on CentOS 7

Once firewalld is running on CentOS 7, you can inspect its rules.

See which zones are active, and which interfaces belong to them, with:

sudo firewall-cmd --get-active-zones

You can see the default zone’s configuration with:

sudo firewall-cmd --list-all

Get a list of all available zones (active or not) with:

firewall-cmd --get-zones

View the configuration of any particular zone, for example home, with:

sudo firewall-cmd --zone=home --list-all

4. Select zones for your firewall interfaces

When you configure your network interfaces, each interface is placed in the default zone when the firewall starts.

Move an interface to another zone, for example home, with the following command:

sudo firewall-cmd --zone=home --change-interface=eth0

Verify that the change took effect with:

firewall-cmd --get-active-zones

5. Adjust a default zone for the Firewall

Besides selecting zones for individual interfaces, you can adjust the default zone. It is usually better to set a default zone and build your configuration on it:

sudo firewall-cmd --set-default-zone=home

6. Add a service to your FirewallD zone

First, you can get a list of available services with the following command:

firewall-cmd --get-services

Enable one of the listed services, for example HTTP, with:

sudo firewall-cmd --zone=public --add-service=http

You can see it with:

sudo firewall-cmd --zone=public --list-services

Make the change permanent so that it survives a reload or reboot:

sudo firewall-cmd --zone=public --permanent --add-service=http

Note that --permanent only writes the saved configuration; the running firewall is not changed until you run sudo firewall-cmd --reload (or repeat the command without --permanent, as above). Check the saved configuration with:

sudo firewall-cmd --zone=public --permanent --list-services
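Because the runtime and permanent configurations are separate, a zone can easily drift: a service opened without --permanent disappears at the next reload, and one added only with --permanent is not yet enforced. The script below is an added example and not part of the original article; it compares the two listings for a zone and reports every discrepancy. It assumes only that firewall-cmd --list-services and --list-ports print space-separated names, and the file name firewalld-drift.sh is an assumption.

```shell
#!/bin/sh
# firewalld-drift.sh (added example, not from the original article):
# compare a firewalld zone's runtime configuration with its permanent
# configuration so that rules lost on reload and rules not yet active
# are both visible.

# Print every whitespace-separated item of $1 that does not appear in $2.
items_missing_from() {
    for item in $1; do
        found=no
        for other in $2; do
            if [ "$item" = "$other" ]; then found=yes; break; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$item"; fi
    done
}

# zone_drift ZONE RUNTIME_SERVICES PERMANENT_SERVICES RUNTIME_PORTS PERMANENT_PORTS
# Each list is the output of the matching firewall-cmd call.
# Prints one line per discrepancy; prints nothing when both agree.
zone_drift() {
    zone=$1
    for s in $(items_missing_from "$2" "$3"); do
        printf 'zone %s: runtime-only service %s (lost on reload)\n' "$zone" "$s"
    done
    for s in $(items_missing_from "$3" "$2"); do
        printf 'zone %s: permanent-only service %s (inactive until reload)\n' "$zone" "$s"
    done
    for p in $(items_missing_from "$4" "$5"); do
        printf 'zone %s: runtime-only port %s (lost on reload)\n' "$zone" "$p"
    done
    for p in $(items_missing_from "$5" "$4"); do
        printf 'zone %s: permanent-only port %s (inactive until reload)\n' "$zone" "$p"
    done
}

# Number of discrepancies for a zone; 0 means runtime and permanent match.
zone_drift_count() {
    zone_drift "$@" | wc -l | tr -d ' '
}

# Live mode: query the running firewalld for a zone (default: the default zone).
# Usage:  sh firewalld-drift.sh --live [zone]
if [ "${1-}" = "--live" ] && command -v firewall-cmd >/dev/null 2>&1; then
    zone=${2:-$(firewall-cmd --get-default-zone)}
    zone_drift "$zone" \
        "$(firewall-cmd --zone="$zone" --list-services)" \
        "$(firewall-cmd --zone="$zone" --permanent --list-services)" \
        "$(firewall-cmd --zone="$zone" --list-ports)" \
        "$(firewall-cmd --zone="$zone" --permanent --list-ports)"
fi
```

Run it with --live after a change session, or from cron, and treat any "runtime-only" line as a rule that will silently vanish at the next reload or reboot.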

7. Open a port for your zone on FirewallD

You can also open a single port in a zone. For example, if your application listens on TCP port 8000:

sudo firewall-cmd --zone=public --add-port=8000/tcp

List it with:

sudo firewall-cmd --zone=public --list-ports

If your application uses UDP ports 3500-3700, run:

sudo firewall-cmd --zone=public --add-port=3500-3700/udp

Make them permanent with:

sudo firewall-cmd --zone=public --permanent --add-port=8000/tcp
sudo firewall-cmd --zone=public --permanent --add-port=3500-3700/udp
sudo firewall-cmd --zone=public --permanent --list-ports

8. Define a service on FirewallD

You have now set up a firewall with firewalld and learned about firewall rules on CentOS 7. Let's see how to define a service.

It is easy to forget which ports you opened for an application on your server. Defining a service records those ports under a single name, so you can open or close them as one unit.

For example, copy the SSH service definition as the starting point for an 'example' service with the following command:

sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/example.xml

Edit it with the Vi editor:

sudo vi /etc/firewalld/services/example.xml

Change the short name, add a description, and replace the port and protocol entries with your own. When you are finished, save and close the file.

Reload the firewall:

sudo firewall-cmd --reload

The new service now appears in the list of available services:

firewall-cmd --get-services
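As an added example (not a file from the original article), this is what /etc/firewalld/services/example.xml could look like after editing, using the TCP 8000 and UDP 3500-3700 ports from the earlier section as a constructed in-house application:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example service definition; the application and its ports are constructed. -->
<service>
  <short>Example App</short>
  <description>In-house application: TCP 8000 for the API, UDP 3500-3700 for media streams.</description>
  <port protocol="tcp" port="8000"/>
  <port protocol="udp" port="3500-3700"/>
</service>
```

After sudo firewall-cmd --reload, confirm the definition was parsed with firewall-cmd --info-service=example, then enable it with sudo firewall-cmd --zone=public --permanent --add-service=example followed by another reload. Opening the named service instead of the raw ports keeps the zone listing readable and lets you change the ports in one place later.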

9. Create your own zone on FirewallD

You have now set up firewalld on CentOS 7 and learned about its rules. You can also create your own zones. For example, suppose you want a zone for your web server named publicweb.

Use the following command:

sudo firewall-cmd --permanent --new-zone=publicweb

Then reload the firewall:

sudo firewall-cmd --reload
firewall-cmd --get-zones

Add services to the new zone, for example:

sudo firewall-cmd --zone=publicweb --add-service=ssh

Assign an interface to it with:

sudo firewall-cmd --zone=publicweb --change-interface=eth0

Make the configuration permanent with:

sudo firewall-cmd --zone=publicweb --permanent --add-service=ssh

Restart your network and reload your firewall:

sudo systemctl restart network
sudo systemctl reload firewalld

You can set your zone as your default zone:

sudo firewall-cmd --set-default-zone=publicweb

Conclusion

You have now set up FirewallD on CentOS 7, learned about firewalld zones, and created your own zone.


Alternative Solutions for Firewall Management on CentOS 7

While Firewalld is an excellent choice for managing firewalls on CentOS 7, alternative solutions exist, each offering its own set of features and benefits. Here are two alternative approaches:

1. Using iptables Directly

iptables is the traditional command-line firewall utility for Linux systems. While Firewalld provides a higher-level abstraction, iptables offers more granular control over firewall rules. This approach is suitable for advanced users who require precise rule definitions. It’s important to note that iptables is more complex to configure than Firewalld.

Explanation:

Instead of relying on zones and services, iptables allows you to define rules based on specific criteria, such as source/destination IP addresses, ports, and protocols. Rules are organized into chains, which are traversed in a specific order. You need to understand the concepts of chains (INPUT, OUTPUT, FORWARD) and targets (ACCEPT, DROP, REJECT) to effectively configure iptables.

Code Example:

To allow SSH traffic (port 22) using iptables, you would execute the following command:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
sudo service iptables save
sudo service iptables restart

Explanation of the Code:

  • sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT: This command appends a rule to the INPUT chain, allowing TCP traffic on destination port 22.
  • sudo iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT: This command appends a rule to the OUTPUT chain, allowing TCP traffic on source port 22.
  • sudo service iptables save: This command saves the current iptables rules to a file, so they persist after a reboot.
  • sudo service iptables restart: This command restarts the iptables service, applying the saved rules.

Important Considerations:

  • iptables rules are not persistent by default. You need to save them using service iptables save or a similar command. On CentOS 7 that command comes from the iptables-services package, which replaces firewalld as the manager of the same rules; stop and disable firewalld before switching, otherwise the two will overwrite each other.
  • Incorrect iptables configuration can lock you out of your server. Exercise caution when modifying rules.
  • iptables doesn’t provide a built-in way to manage services like Firewalld. You need to manually define rules for each service.

2. Using nftables

nftables is the successor to iptables. It provides a more flexible and efficient framework for packet filtering and network address translation (NAT). While it shares some similarities with iptables, nftables uses a different syntax and offers several advantages, including improved performance and easier rule management. It is another way to manage the firewall on CentOS 7 without Firewalld.

Explanation:

nftables introduces the concept of tables, chains, and rulesets. Tables are containers for chains, and chains contain rules. nftables uses a more concise and expressive syntax than iptables, making it easier to write and understand rules.

Code Example:

To allow HTTP traffic (port 80) using nftables, you would execute the following commands (the braces and semicolons are quoted so that the shell passes them to nft unchanged instead of treating the semicolons as command separators):

sudo nft add table inet filter
sudo nft add chain inet filter input '{ type filter hook input priority 0 ; policy drop ; }'
sudo nft add rule inet filter input tcp dport 80 accept
sudo nft add chain inet filter output '{ type filter hook output priority 0 ; policy accept ; }'
sudo nft add rule inet filter output tcp sport 80 accept

Explanation of the Code:

  • sudo nft add table inet filter: Creates a new table named "filter" in the "inet" family (IPv4 and IPv6).
  • sudo nft add chain inet filter input '{ type filter hook input priority 0 ; policy drop ; }': Creates an input chain with a default policy of "drop." From this moment on, anything not explicitly accepted, including an existing SSH session, is dropped, so run this from the console or add the rules you need first.
  • sudo nft add rule inet filter input tcp dport 80 accept: Adds a rule to the input chain to accept TCP traffic on destination port 80.
  • sudo nft add chain inet filter output '{ type filter hook output priority 0 ; policy accept ; }': Creates an output chain with a default policy of "accept."
  • sudo nft add rule inet filter output tcp sport 80 accept: Adds a rule to the output chain to accept TCP traffic on source port 80.

Important Considerations:

  • nftables rules are applied immediately but are not persistent by default. You need to save them to a file and load them on system startup.
  • The syntax of nftables is different from iptables. You need to learn the new syntax to effectively configure nftables.
  • nftables offers features that iptables lacks, such as native sets and maps and a single inet ruleset covering both IPv4 and IPv6; connection tracking and NAT remain available as they are in iptables.
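The commands above, run one at a time, create a drop-policy input chain before any accept rule exists and never allow reply traffic for connections the host opened, so DNS, yum and SSH stop working. The ruleset file below is an added example, not from the original article: it is the same filter table written as one nft script, which nft loads atomically, with the established/related, loopback, SSH and ICMP rules that make the drop policy safe to apply. The file path /etc/nftables/centos7-web.nft is an assumption.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the original article).
# Load atomically with:  sudo nft -f /etc/nftables/centos7-web.nft
# Arrange for the same command to run at boot; how you do that depends on your
# init setup, since the ruleset is not persistent on its own.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Local processes talking to each other over loopback.
        iifname "lo" accept

        # Replies to connections this host initiated (DNS, yum, NTP ...),
        # and drop packets that do not belong to any known connection.
        ct state established,related accept
        ct state invalid drop

        # Management access. Restrict the source further if your admin
        # network has a fixed address range.
        tcp dport 22 accept

        # The service this host offers (the port 80 rule from the article).
        tcp dport 80 accept

        # ICMP and ICMPv6 are needed for path MTU discovery and IPv6
        # neighbour discovery; dropping them breaks connectivity quietly.
        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain forward {
        # This host is not a router.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Because the whole file is applied in one transaction, there is no window in which the drop policy is active without its accept rules, and a syntax error anywhere rejects the entire load and leaves the previous ruleset in place. Verify the result with sudo nft list ruleset before closing your console session.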

These are two alternatives to Firewalld on CentOS 7, offering varying levels of control and complexity. The choice depends on your specific requirements and technical expertise. While Firewalld provides a user-friendly interface and manages complex rulesets behind the scenes, iptables and nftables give you direct control over packet filtering, allowing for highly customized firewall configurations.
