linux_security_firewalld

Overview

Native firewalling in Linux, and host security in general, is handled by two components:

  • Firewall: iptables on older Linux and firewalld on newer ones
  • SELinux: the most annoying form of security, which blocks everything not explicitly allowed by its policy

So we have to control both in order to keep our connections working and to decide who is allowed in and out.

That is done mainly with the firewall, by allowing or blocking ports. Let's see how it is done.

Firewall Management

Firewall management depends on the Linux distribution family:

  • RedHat based
  • Debian based

In Redhat based Linux, the firewall is controlled by either:

  • Iptables (older)
  • Firewalld (newer)

Firewalld is the newer front end that replaces managing iptables directly, and it supports port forwarding and connection management. In other words, we can limit certain requests on certain ports. Let's see how to manage it:

By default firewalld is installed, although on a minimal installation it might not be. Once the package is present, enable and start it with the following commands:

systemctl enable firewalld
systemctl start firewalld

So let's allow SSH to our server:

firewall-cmd --permanent --add-port=22/tcp

Say your web server runs on port 8000, but you want to reach it on port 80 or 443. In that case we can use port forwarding so that incoming requests for ports 80/443 are redirected to port 8000:

firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=8000
firewall-cmd --permanent --add-forward-port=port=443:proto=tcp:toport=8000

That's it, now we just have to reload the configuration:

firewall-cmd --reload

Our rules can now be seen below:

[root@ip-172-31-7-118 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports: port=443:proto=tcp:toport=8000:toaddr=
        port=80:proto=tcp:toport=8000:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:

[root@ip-172-31-7-118 ~]#

In order to delete a rule, we can use the same command as for addition, just instead of "add" we use "remove" :)

firewall-cmd --permanent --remove-forward-port=port=80:proto=tcp:toport=8000
firewall-cmd --permanent --remove-forward-port=port=443:proto=tcp:toport=8000
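As an added example (not from the original page), here is a small Python script that parses the firewall-cmd --list-all output shown above and works out which firewall-cmd add/remove commands are needed to converge the zone on a desired set of ports and forward-ports, so a stale forward-port gets flagged and removed instead of lingering. The function names and the desired-state sets are my own assumptions; the sample listing is constructed from the output on the page.

```python
import re
# Constructed sample: the listing from the page, minus the shell prompt lines.
SAMPLE_LIST_ALL = """public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports: port=443:proto=tcp:toport=8000:toaddr=
        port=80:proto=tcp:toport=8000:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
"""
# A field line looks like "  key: value value"; continuation lines do not.
KEY_RE = re.compile(r"^\s*([a-z][a-z -]*):\s*(.*)$")

def norm_fp(spec):
    """Drop an empty toaddr so the listed form equals the --add-forward-port form."""
    return ":".join(p for p in spec.split(":") if p != "toaddr=")

def parse_list_all(text):
    """Parse `firewall-cmd --list-all` output into {field: set(tokens)}."""
    fields, key = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            fields[key] = set(m.group(2).split())
        elif key:
            fields[key].update(line.split())  # continuation of the previous field
    fields["forward-ports"] = {norm_fp(s) for s in fields.get("forward-ports", ())}
    return fields

def plan(current, desired_ports, desired_forward):
    """Commands that converge the zone on the desired sets; stale rules are removed."""
    fwd, ports, cmds = current["forward-ports"], current.get("ports", set()), []
    for fp in sorted(fwd - desired_forward):
        cmds.append(f"firewall-cmd --permanent --remove-forward-port={fp}")
    for fp in sorted(desired_forward - fwd):
        cmds.append(f"firewall-cmd --permanent --add-forward-port={fp}")
    for p in sorted(ports - desired_ports):
        cmds.append(f"firewall-cmd --permanent --remove-port={p}")
    for p in sorted(desired_ports - ports):
        cmds.append(f"firewall-cmd --permanent --add-port={p}")
    return cmds + ["firewall-cmd --reload"] if cmds else []
```

Feed it the real listing (for example the output of firewall-cmd --list-all captured to a file) and review the printed commands before running them; nothing here changes the firewall by itself.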

To delete ALL rules from firewalld, we can also remove the zone files:

rm -rf  /etc/firewalld/zones/

That deletes all permanent rules; once firewalld is restarted it falls back to its built-in zone defaults and re-creates the public zone.

In Debian based systems, the configuration is a little different:

To install the firewall management tool (ufw) on Debian based systems, use the following commands:

apt-get install -y ufw
update-rc.d ufw enable
service ufw start

ufw allow 22
ufw allow 443
ufw allow 5901

To allow port forwarding on Debian based systems, we have to edit the file /etc/ufw/before.rules and add the following nat table as its own section (outside the existing *filter ... COMMIT block):

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8000
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8000
COMMIT

And then reload/enable the configuration again :)

ufw enable

You might need to reboot the entire server, but before doing that, try to remove the service itself :)

Cheers.

  • Last modified: 2019/11/14 21:34