How to configure Firewalld in Linux and top commands

Firewalld is a front-end tool for managing iptables configurations. Firewalld is dynamic: changes can be made without affecting running sessions and connections. Firewalld has zones and services, which are equivalent to chains and tables in iptables.

What are Firewalld zones

Zones are predefined sets of rules for different networks, chosen according to the level of trust the user has assigned to that network. Different zones allow different network services and incoming traffic while blocking other types of traffic. Once firewalld is enabled for the first time, public is the default zone.

Different network interfaces are part of different zones. For example, you can allow DHCP on the internal zone but only HTTP on the external zone. Any interface that is not part of a specific zone is attached to the default zone.

How to set Firewalld zones

Before making any changes you should know what your default zone is.

Syntax

firewall-cmd --get-default-zone

Change Default Zone

To change the default zone use the command below.

Syntax

firewall-cmd --set-default-zone=zone-name

Example

firewall-cmd --set-default-zone=internal

Get active zone

To view which zones are active and which interfaces belong to them

Syntax

firewall-cmd --get-active-zones

Change zone of specific interface

To change the zone of a specific interface

Syntax

firewall-cmd --zone=zone-name --change-interface=<interface-name>

View all available zones

This command displays all available zones.

Syntax

firewall-cmd --get-zones

View configuration of specific zone

This command displays the complete configuration (ports, services, sources, rules etc.) of a specific zone.

Syntax

firewall-cmd --zone=home --list-all

View configuration of all zones

This command displays the complete configuration (ports, services, sources, rules etc.) of every zone.

Syntax

firewall-cmd --list-all-zones

Adding a port to a zone

To add a port to a specific zone use the command below.

Syntax

firewall-cmd --permanent --zone=<zone-name> --add-port=<port_number/tcp|udp|sctp|dccp>

Example

firewall-cmd --permanent --zone=public --add-port=21/tcp

Once done, check your ports by listing the zone's port configuration. Because the port above was added with --permanent, it is written to the saved configuration (list that with --permanent) and shows up in the running configuration only after firewall-cmd --reload.

firewall-cmd --zone=public --list-ports

Removing a port from a zone

In case a port needs to be removed from a zone, use the --remove-port option.

Syntax

firewall-cmd --zone=<zone-name> --remove-port=<port_number/tcp|udp|sctp|dccp>

Example

firewall-cmd --zone=public --remove-port=80/tcp

You should check the zone's port configuration after removing the port. If the port was added with --permanent, remove it with --permanent as well; otherwise it comes back after the next reload.

Adding a service to a zone

To change the services allowed in a specific zone use the command below.

Syntax

firewall-cmd --zone=<zone-name> --add-service=<service-name>

Example

firewall-cmd --zone=public --add-service=http

Once done, check your services by viewing the zone configuration.

firewall-cmd --zone=public --list-all

Removing a service from a zone

To remove a service from a zone use the --remove-service switch.

Syntax

firewall-cmd --zone=<zone-name> --remove-service=<service-name>

Example

firewall-cmd --zone=public --remove-service=http
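The add-port example above uses --permanent while the other add and remove examples change only the running configuration. A change made without --permanent is lost on reload or restart, and a change made with --permanent alone is not active until firewall-cmd --reload runs. The helper below is an added example, not code from the original article: it applies a port change both ways and then verifies it. The FW variable, the function names and the restriction to single ports are assumptions of the example.

```shell
# Added helper, not from the original article. A firewall-cmd change made
# without --permanent is runtime-only (lost on reload/restart); one made with
# --permanent alone is not active until --reload. This applies a port both
# ways and then confirms the runtime state. FW names the firewall-cmd binary
# and is an assumption that lets the helper be dry-run against a stub.
FW="${FW:-firewall-cmd}"

# valid_port_spec PORT/PROTO: accept "<1-65535>/<tcp|udp|sctp|dccp>" only
# (port ranges such as 1000-2000/tcp are deliberately not handled here).
valid_port_spec() {
    n=${1%%/*} proto=${1#*/}
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -ge 1 ] && [ "$n" -le 65535 ]
}

# fw_open_port ZONE PORT/PROTO: add the port to the runtime and the permanent
# configuration of ZONE, then return the result of --query-port, which is 0
# only when the port is active right now. Returns 2 on a malformed spec.
fw_open_port() {
    zone=$1 spec=$2
    valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 2; }
    "$FW" --zone="$zone" --add-port="$spec" >/dev/null || return 1
    "$FW" --permanent --zone="$zone" --add-port="$spec" >/dev/null || return 1
    "$FW" --zone="$zone" --query-port="$spec"
}

# fw_close_port ZONE PORT/PROTO: the mirror image; removing only at runtime
# would let the port reappear after the next --reload.
fw_close_port() {
    zone=$1 spec=$2
    valid_port_spec "$spec" || return 2
    "$FW" --zone="$zone" --remove-port="$spec" >/dev/null || return 1
    "$FW" --permanent --zone="$zone" --remove-port="$spec" >/dev/null || return 1
    ! "$FW" --zone="$zone" --query-port="$spec"
}

# Usage on a host running firewalld (as root): fw_open_port public 2221/tcp
```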

Enable masquerading with firewalld

In order to forward traffic from one port to another port or IP address, you must first enable masquerading for the relevant zone.

Syntax

firewall-cmd --zone=<zone-name> --add-masquerade

Example

firewall-cmd --zone=external --add-masquerade

In the above example masquerading is enabled in the external zone.

To check whether masquerading is enabled, use the command

firewall-cmd --zone=external --query-masquerade

Port forwarding with firewalld

A port can be forwarded to a different port on the same server, to the same port on a different server, or to a different port on a different server.

Port forwarding with firewalld on same server different port

Syntax

firewall-cmd --zone=<zone-name> --add-forward-port=port=<initial port number>:proto=<protocol>:toport=<destination port>

Example

Forwarding FTP from port 21 to port 2221 (tcp) on the same IP address can be done with this firewalld command

firewall-cmd --zone=public --add-forward-port=port=21:proto=tcp:toport=2221

Port forwarding with firewalld on different server different port

Syntax

firewall-cmd --zone=<zone-name> --add-forward-port=port=<initial port number>:proto=<protocol>:toport=<destination port>:toaddr=<destination ip address>

Example

Forwarding FTP from port 21 to port 2221 (tcp) on a different IP address is done with this command

firewall-cmd --zone=public --add-forward-port=port=21:proto=tcp:toport=2221:toaddr=10.1.78.0

Port forwarding with firewalld on different server same port

Syntax

firewall-cmd --zone=<zone-name> --add-forward-port=port=<initial port number>:proto=<protocol>:toaddr=<destination ip address>

Example

Forwarding FTP from port 21 to the same port on a different IP address

firewall-cmd --zone=external --add-forward-port=port=21:proto=tcp:toaddr=10.1.78.0

Allowing or blocking an IP address with firewalld

The options available for dealing with a specific IP address are accept, reject and drop. Accept clearly allows communication with that IP address. With reject, an error message is sent back to the host that generated the packets; with drop, no error message is sent back.

Syntax

firewall-cmd --zone=<zone> --add-rich-rule='rule family="<ipv4 or ipv6>" source address="<ip address>" <accept|reject|drop>'

Example

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.1.78.0" reject'
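Masquerading, forward-ports and rich rules, as described in the sections above, change what a zone exposes, so a saved firewall-cmd --list-all-zones dump is worth reviewing for them. The script below is an added example, not part of the original article: it parses a constructed dump and flags masquerading on the public zone, forwards to other hosts, and open ports outside an allow list. The dump layout it expects, the sample values and the allow list are assumptions of the example.

```shell
# Added review helper, not from the original article: audit a saved
# `firewall-cmd --list-all-zones` dump for settings that widen exposure
# (masquerade on public, forwards to other hosts, ports outside an allow list).

# Constructed sample dump, not captured from a real host; multi-value keys such
# as forward-ports and rich rules continue on indented lines.
SAMPLE_DUMP='public (active)
  interfaces: eth0
  services: dhcpv6-client ssh http
  ports: 21/tcp 2221/tcp
  masquerade: yes
  forward-ports:
	port=21:proto=tcp:toport=2221:toaddr=10.1.78.0
  rich rules:
	rule family="ipv4" source address="10.1.78.0" reject

internal
  services: ssh dhcp
  ports:
  masquerade: no
  forward-ports:
  rich rules:
'

# audit_zones "ALLOWED PORTS" < dump: prints one finding per line as
# "zone: issue"; exit status 1 if anything was flagged, 0 if clean.
audit_zones() {
    awk -v allow="$1" '
    function flag(msg) { print zone ": " msg; n++ }
    function check(k, v,   i, m, p) {
        if (k == "masquerade" && v == "yes" && zone == "public")
            flag("masquerade is enabled in the public zone")
        if (k == "forward-ports" && v ~ /toaddr=[0-9]/)
            flag("traffic is forwarded to another host (" v ")")
        if (k == "ports") {
            m = split(v, p, " ")
            for (i = 1; i <= m; i++)
                if (index(" " allow " ", " " p[i] " ") == 0)
                    flag("port " p[i] " is open but not on the allow list")
        }
    }
    NF == 0   { next }
    /^[^ \t]/ { zone = $1; next }                    # unindented line opens a zone
    $1 ~ /:$/ || ($1 == "rich" && $2 == "rules:") {  # "  key: values" line
        key = $1; sub(/:$/, "", key)
        v = $0; sub(/^[ \t]*[a-z -]*:[ \t]*/, "", v); check(key, v); next }
    { v = $0; sub(/^[ \t]*/, "", v); check(key, v) }  # continuation of the last key
    END { exit (n > 0) }
    '
}
printf '%s\n' "$SAMPLE_DUMP" | audit_zones "22/tcp 80/tcp" || echo "review the findings above"
```

On a live host, pipe firewall-cmd --list-all-zones into audit_zones instead of the sample dump.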