iptables and firewalld

Firewalld

Firewall stack

Add --permanent so a rule survives a restart; without it the change applies only to the running configuration and is lost on reload. Permanent changes in turn do not take effect until the firewall is reloaded (see Commands below).

Check Status

List the predefined services that can be added to a zone by name.

firewall-cmd --get-services

# Zones and which of them are bound to an interface or source
firewall-cmd --list-all-zones
firewall-cmd --get-active-zones

# What the default zone currently allows (runtime); add --permanent for the saved config
firewall-cmd --list-all
firewall-cmd --permanent --zone=public --list-sources
firewall-cmd --permanent --list-services
firewall-cmd --list-rich-rules
firewall-cmd --permanent --list-ports

Set Zone to Active

firewall-cmd --permanent --zone=public --change-interface=eth0

Set Zone to Drop

# Traffic into the zone that matches no rule is silently dropped instead of rejected
firewall-cmd --permanent --zone=public --set-target=DROP

Commands

Apply the permanent configuration to the running firewall:

firewall-cmd --reload

Other commands

# Allow a whole subnet and a single host into the public zone
firewall-cmd --permanent --zone=public --add-source=192.168.86.0/24
firewall-cmd --permanent --zone=public --add-source=210.10.220.42/32

# Query state of port
firewall-cmd --zone=public --query-port=80/tcp

# Open port
firewall-cmd --permanent --zone=public --add-port=8080/tcp

# Remove
firewall-cmd --permanent --zone=public --remove-port=8080/tcp

# Add or remove predefined services (names from --get-services)
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=mysql
firewall-cmd --permanent --zone=public --remove-service=ssh

Port Forward

# Forward TCP 8080 on this host to port 80 on 192.168.1.113.
# Forwarding to another host (toaddr) also needs masquerading on the zone
# (firewall-cmd --permanent --zone=public --add-masquerade) so the replies get back.
firewall-cmd --permanent --zone=public --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=192.168.1.113
firewall-cmd --permanent --zone=public --remove-forward-port=port=8080:proto=tcp:toport=80:toaddr=192.168.1.113

Rich Rules

The rich rule syntax is documented in firewalld.richlanguage(5):

man firewalld.richlanguage

Use --add-rich-rule, --list-rich-rules and --remove-rich-rule to manage them.

# Allow all traffic from 192.168.0.14
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.0.14 accept'

# Reject traffic from 192.168.1.10 to TCP port 22
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp reject'

# A rule may span several lines inside the quotes
firewall-cmd --permanent --zone=public --add-rich-rule='
rule family="ipv4"
source address="1.2.3.4/32"
port protocol="tcp" port="4567" accept'

# Or match on a MAC address instead of an IP (a zone source may also be a MAC)
firewall-cmd --zone=work --add-source=00:11:22:33:44:55
firewall-cmd --zone=work --add-rich-rule='rule source mac=11:22:33:44:55:66 drop'

# Reject all IPv4 traffic into the zone, or only connections to TCP port 22
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" reject'

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port port="22" protocol="tcp" reject'

Let the internal interface in freely, but refuse ssh from the public zone:

# Move the internal interface em4 into the trusted zone, keep ssh there, remove it from public
firewall-cmd --permanent --zone=trusted --change-interface=em4
firewall-cmd --zone=trusted --list-all
firewall-cmd --zone=public --list-all
firewall-cmd --permanent --zone=trusted --add-service=ssh
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --list-all-zones
# The --permanent changes are live only after firewall-cmd --reload
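The --list-all output above is what you check to confirm that ssh really left the public zone. The following is an added example, not part of the original notes: a small POSIX shell checker that parses a zone dump in the format firewall-cmd --zone=NAME --list-all prints and reports whether a service or port is allowed and what the zone target is. The dump embedded below is constructed to look like the public zone after the commands above, not captured from a real host; run the functions against both the runtime and the --permanent dump, since the rules above are permanent-only until reload.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --zone=public --list-all` output
# (not captured from a real host); the layout follows firewalld's format.
PUBLIC_ZONE_DUMP='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# zone_field DUMP FIELD -> value of the "  FIELD: ..." line (empty if unset)
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# zone_allows DUMP ITEM -> exit 0 if ITEM appears under services: or ports:
# (ITEM is a service name such as ssh or a port spec such as 8080/tcp)
zone_allows() {
    for item in $(zone_field "$1" services) $(zone_field "$1" ports); do
        [ "$item" = "$2" ] && return 0
    done
    return 1
}

# zone_target DUMP -> default, ACCEPT, DROP or %%REJECT%%
zone_target() {
    zone_field "$1" target
}

# audit_public_ssh DUMP -> "ok" when ssh is not reachable through this zone,
# "exposed" when the ssh service is listed or the target accepts everything
audit_public_ssh() {
    if zone_allows "$1" ssh || [ "$(zone_target "$1")" = ACCEPT ]; then
        echo exposed
    else
        echo ok
    fi
}

# Stand-alone usage: on a real host replace the constructed dump with
#   dump=$(firewall-cmd --zone=public --list-all)
#   audit_public_ssh "$dump"
audit_public_ssh "$PUBLIC_ZONE_DUMP"
```

The checker deliberately treats a zone target of ACCEPT as exposure even when ssh is not listed, because with that target the service list no longer restricts anything.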

iptables

iptables --list
iptables -P INPUT DROP           # default policy: drop whatever no rule accepts
iptables --line-numbers -vnL     # to check chain IN_public_allow (firewalld's chain)
# Rules are evaluated in order: the ACCEPT must come before the DROP for the same MAC,
# otherwise the DROP matches first and the ACCEPT is never reached
/sbin/iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
/sbin/iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP

Issues

A MySQL client could not connect to the server's IP and port and got the error "no route to host":

> telnet 192.168.1.108 4006
Trying 192.168.1.108...
telnet: Unable to connect to remote host: No route to host

Stopping firewalld did not help. Flushing the iptables rules did:

iptables -F

Note that iptables -F removes the rules but leaves the chain policies in place, so with INPUT set to DROP (as above) everything stays blocked; it also does not stop firewalld from putting its rules back on its next reload.
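The "No route to host" the telnet client printed is the symptom of a REJECT with an ICMP host-prohibited message, which is how firewalld's default zone target and the stock RHEL INPUT chain answer unmatched traffic; a DROP would show up as a timeout instead. The following is an added example, not part of the original notes: a POSIX shell diagnosis over an iptables-save style dump that says why a port is unreachable and whether iptables -F is safe to run. The dump is constructed to resemble a RHEL 7 host with firewalld active, not captured from a real machine, and the port matching is deliberately naive (it looks for a --dport N ... -j ACCEPT rule anywhere).

```shell
#!/bin/sh
# Constructed iptables-save style dump modelled on a RHEL 7 host running firewalld
# (not captured from a real machine). Only ssh is accepted; the last INPUT rule
# rejects everything else with icmp-host-prohibited.
IPTABLES_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:IN_public_allow - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j IN_public_allow
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
'

# chain_policy DUMP CHAIN -> policy of a built-in chain (ACCEPT or DROP)
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^:$2 \([A-Z]*\) .*/\1/p"
}

# port_accepted DUMP PORT -> exit 0 if some rule accepts TCP PORT (naive match)
port_accepted() {
    printf '%s\n' "$1" | grep -q -- "--dport $2 .*-j ACCEPT"
}

# input_rejects_with_icmp DUMP -> exit 0 if INPUT ends in the ICMP reject rule;
# that reject is what a client reports as "No route to host"
input_rejects_with_icmp() {
    printf '%s\n' "$1" | grep -q -- '^-A INPUT -j REJECT --reject-with icmp-host-prohibited'
}

# diagnose DUMP PORT -> one-line explanation of what a client connecting to PORT sees
diagnose() {
    if port_accepted "$1" "$2"; then
        echo "port $2/tcp is accepted"
    elif input_rejects_with_icmp "$1"; then
        echo "port $2/tcp hits the ICMP reject rule: client sees 'No route to host'"
    elif [ "$(chain_policy "$1" INPUT)" = DROP ]; then
        echo "port $2/tcp is silently dropped by the INPUT policy: client times out"
    else
        echo "port $2/tcp matches no rule; INPUT policy is $(chain_policy "$1" INPUT)"
    fi
}

# flush_is_safe DUMP -> exit 0 only if `iptables -F` would not leave a DROP policy
# on INPUT (flushing removes rules, never policies)
flush_is_safe() {
    [ "$(chain_policy "$1" INPUT)" != DROP ]
}

# Stand-alone usage: on a real host use dump=$(iptables-save) instead
diagnose "$IPTABLES_DUMP" 4006
if flush_is_safe "$IPTABLES_DUMP"; then
    echo "iptables -F would leave INPUT policy $(chain_policy "$IPTABLES_DUMP" INPUT)"
else
    echo "INPUT policy is DROP: iptables -F alone would block everything"
fi
```

Run against the constructed dump, port 4006 (the MySQL port from the telnet session above) is reported as hitting the ICMP reject rule, which matches the error the client printed, and the flush is reported as safe only because the INPUT policy is ACCEPT.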

References

FirewallD official website

RHEL 7: Using Firewalls