Firewalld is a front-end tool for managing iptables configurations. Firewalld can be used dynamically, i.e. changes can be made without affecting running sessions and connections. Firewalld has zones and services, which play a role comparable to chains and tables in iptables.
What are Firewalld Zones
Zones are predefined sets of rules for different networks, set according to the level of trust the user has assigned to that network. Different
zones allow different network services and incoming traffic while blocking other types of traffic. Once firewalld is enabled for the first time, Public is the default zone.
Different network interfaces can be part of different zones. For example, you can allow DHCP on the internal zone but only HTTP on the external zone. Any interface that is not part of a specific zone is attached to the default zone.
How to set Firewalld zones
Before making any changes you should know what your default zone is.
Syntax
firewall-cmd --get-default-zone
Change Default Zone
To change the default zone, use the command below.
Syntax
firewall-cmd --set-default-zone=zone-name
Example
firewall-cmd --set-default-zone=internal
Get active zone
To view the active zones and the interfaces attached to them
Syntax
firewall-cmd --get-active-zones
Change zone of specific interface
To change the active zone of any interface
Syntax
firewall-cmd --zone=zone-name --change-interface=<interface-name>
View all available zones
This command displays all available zones.
Syntax
firewall-cmd --get-zones
View configuration of specific zone
This command displays the complete configuration (ports, services, sources, rules, etc.) of a specific zone.
Syntax
firewall-cmd --zone=home --list-all
View configuration of all zones
This command displays the complete configuration (ports, services, sources, rules, etc.) of every zone.
Syntax
firewall-cmd --list-all-zones
Adding a port to any zone
To add a port to a specific zone, use the command below.
Syntax
firewall-cmd --permanent --zone=<zone-name> --add-port=<port_number/tcp|udp|sctp|dccp>
Example
firewall-cmd --permanent --zone=public --add-port=21/tcp
Once done, check your ports by listing the zone configuration. Note that --permanent only updates the saved configuration; run firewall-cmd --reload (or repeat the command without --permanent) for the change to take effect in the running firewall.
firewall-cmd --zone=public --list-ports
Removing a port from any zone
If a port needs to be removed from a zone, use the --remove-port option.
Syntax
firewall-cmd --zone=<zone-name> --remove-port=<port_number/tcp|udp|sctp|dccp>
Example
firewall-cmd --zone=public --remove-port=80/tcp
Check the zone's port configuration again after removing the port.
Adding a service to any zone
To add a service to a specific zone, use the command below.
Syntax
firewall-cmd --zone=<zone-name> --add-service=<service-name>
Example
firewall-cmd --zone=public --add-service=http
Once done, check your services by viewing the zone configuration.
firewall-cmd --zone=public --list-all
Removing services from any zone
To remove a service from a zone, use the --remove-service option.
Syntax
firewall-cmd --zone=<zone-name> --remove-service=<service-name>
Example
firewall-cmd --zone=public --remove-service=http
Enable masquerading with firewalld
To forward traffic from one port to another port or IP address, you must first enable masquerading for the relevant zone.
Syntax
firewall-cmd --zone=<zone-name> --add-masquerade
Example
firewall-cmd --zone=external --add-masquerade
In the above example masquerading is enabled in the external zone.
To check whether masquerading is enabled, use:
firewall-cmd --zone=external --query-masquerade
Port forwarding with firewalld
Port forwarding can be done to a different port on the same server, to the same port on a different server, or to a different port on a different server.
Port forwarding with firewalld on same server different port
Syntax
firewall-cmd --zone=<zone-name> --add-forward-port=port=<initial port number>:proto=<protocol>:toport=<destination port>
Example
Forwarding FTP from port 21 to port 2221 (TCP) on the same IP address:
firewall-cmd --zone=public --add-forward-port=port=21:proto=tcp:toport=2221
Port forwarding with firewalld on different server different port
Syntax
firewall-cmd --zone=<zone-name> --add-forward-port=port=<initial port number>:proto=<protocol>:toport=<destination port>:toaddr=<destination ip address>
Example
Forwarding FTP from port 21 to port 2221 (TCP) on a different IP address:
firewall-cmd --zone=public --add-forward-port=port=21:proto=tcp:toport=2221:toaddr=10.1.78.0
Port forwarding with firewalld on different server same port
Syntax
firewall-cmd --zone=<zone-name> --add-forward-port=port=<initial port number>:proto=<protocol>:toaddr=<destination ip address>
Example
Forwarding FTP from port 21 to the same port on a different IP address:
firewall-cmd --zone=external --add-forward-port=port=21:proto=tcp:toaddr=10.1.78.0
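As an added example (not code from the original post), a small POSIX sh helper that validates the port and protocol, builds the --add-forward-port argument for each of the three cases above, and applies it together with the masquerade the post says is required; the function names are this example's own invention.

```shell
#!/bin/sh
# Added example, not from the original post. Validates the inputs for the
# three forwarding cases, builds the --add-forward-port argument, and applies
# it to a zone. Function names are invented for this example.

# forward_port_arg <port> <proto> [toport] [toaddr]
# Prints the argument on success; on bad input prints a reason to stderr and
# returns 1, so a typo never reaches the running firewall.
forward_port_arg() {
    port=$1; proto=$2; toport=$3; toaddr=$4
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case "$proto" in
        tcp|udp|sctp|dccp) ;;
        *) echo "unsupported proto: '$proto'" >&2; return 1 ;;
    esac
    # Same port on the same host would forward to itself: require a target.
    if [ -z "$toport" ] && [ -z "$toaddr" ]; then
        echo "need toport and/or toaddr" >&2; return 1
    fi
    arg="--add-forward-port=port=$port:proto=$proto"
    [ -n "$toport" ] && arg="$arg:toport=$toport"
    [ -n "$toaddr" ] && arg="$arg:toaddr=$toaddr"
    printf '%s\n' "$arg"
}

# run <cmd...>: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# apply_forward <zone> <port> <proto> [toport] [toaddr]
# Applies to both the runtime and the permanent configuration, because a
# --permanent change alone does not take effect until firewall-cmd --reload.
apply_forward() {
    zone=$1; shift
    arg=$(forward_port_arg "$@") || return 1
    # $extra is intentionally unquoted: it is empty on the first pass.
    for extra in "" --permanent; do
        run firewall-cmd $extra --zone="$zone" --add-masquerade || return 1
        run firewall-cmd $extra --zone="$zone" "$arg" || return 1
    done
}
```

Run with DRY_RUN=1 first to review the exact firewall-cmd invocations before they touch the firewall.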
Allowing or blocking an IP address with Firewalld
The options available when dealing with a specific IP address are drop, reject and accept. accept simply allows communication with that IP address. With reject, an error message is sent back to the host the packets came from; with drop, no error message is sent back at all.
Syntax
firewall-cmd --zone=<zone> --add-rich-rule='rule family="<ipv4 or ipv6>" source address="<ip address>" <accept|reject|drop>'
Example
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.1.78.0" reject'