====== Overview ======

Native firewalling, and security in general, on Linux is handled by two components:

  * Firewall: iptables on older distributions and firewalld on newer ones
  * SELinux: the most annoying form of security, which blocks everything

So we have to control both in order to maintain our connections and to determine who is allowed in and out. That is done mainly with the firewall, by allowing or blocking ports. Let's see how it is done.

====== Firewall Management ======

Firewall management depends on the Linux distribution family:

  * RedHat based
  * Debian based

===== Redhat based =====

In RedHat based Linux, the firewall is controlled by either:

  * iptables (older)
  * firewalld (newer)

Firewalld is the newer management layer on top of iptables and allows port forwarding and connection management. In other words, we can limit certain requests on certain ports. Let's see how to manage it:

==== Install Firewalld ====

By default firewalld is installed, although if you are using a minimal installation it might not be. Once it is present, enable and start it with the following commands:

<sxh bash>
systemctl enable firewalld
systemctl start firewalld
</sxh>

==== Allow Port ====

So let's allow SSH to our server:

<sxh bash>
firewall-cmd --permanent --add-port=22/tcp
</sxh>

==== Port Forwarding ====

Let's say your web server is running on port 8000, but you want to be able to reach it on port 80 or 443.
In that case we can use port forwarding so that incoming requests on ports 80/443 are redirected to port 8000:

<sxh bash>
firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=8000
firewall-cmd --permanent --add-forward-port=port=443:proto=tcp:toport=8000
</sxh>

That's it; since these are permanent rules, we just have to reload the configuration for them to take effect:

<sxh bash>
firewall-cmd --reload
</sxh>

Our rules can now be seen below:

<sxh bash>
[root@ip-172-31-7-118 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
	port=443:proto=tcp:toport=8000:toaddr=
	port=80:proto=tcp:toport=8000:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
[root@ip-172-31-7-118 ~]#
</sxh>

==== Delete a rule ====

In order to delete a rule, we use the same command as for addition, just with "remove" instead of "add" :)

<sxh bash>
firewall-cmd --permanent --remove-forward-port=port=80:proto=tcp:toport=8000
firewall-cmd --permanent --remove-forward-port=port=443:proto=tcp:toport=8000
</sxh>

As with adding permanent rules, a reload is needed afterwards before the removal is active.

To delete ALL rules from firewalld, we can also remove the zones:

<sxh bash>
rm -rf /etc/firewalld/zones/
</sxh>

That will delete all rules, and firewalld will re-create the public zone from its defaults once it is restarted.
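As an added example (not code from the original page), here is a small POSIX shell helper that parses `firewall-cmd --list-all` output like the listing above and reports the forward targets plus any exposed service or port that is not on an allow-list. The listing and the allow-list are constructed for the example; the function names `zone_field`, `forward_targets` and `unexpected_exposure` are this example's own.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --list-all` output for the public zone
# (modelled on the listing in this page, with one extra open port added).
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8000/tcp
  protocols:
  masquerade: no
  forward-ports:
        port=443:proto=tcp:toport=8000:toaddr=
        port=80:proto=tcp:toport=8000:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field LISTING NAME: print the value of a single-line zone field
# such as "services" or "ports" (anchored so "forward-ports" is not matched).
zone_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# forward_targets LISTING: print each forward-port as "PORT/PROTO -> TOPORT".
forward_targets() {
  printf '%s\n' "$1" |
    sed -n 's/.*port=\([0-9]*\):proto=\([a-z]*\):toport=\([0-9]*\).*/\1\/\2 -> \3/p'
}

# unexpected_exposure LISTING ALLOWLIST: print every service or port that is
# open in the zone but absent from the space-separated ALLOWLIST.
unexpected_exposure() {
  listing=$1
  allow=" $2 "
  for item in $(zone_field "$listing" services) $(zone_field "$listing" ports); do
    case "$allow" in
      *" $item "*) ;;                # expected, stay quiet
      *) printf '%s\n' "$item" ;;    # not on the allow-list: report it
    esac
  done
}

# Report for the sample: only ssh and the DHCPv6 client are expected here.
echo "Forward ports:"
forward_targets "$SAMPLE_LIST_ALL"
echo "Unexpected exposure:"
unexpected_exposure "$SAMPLE_LIST_ALL" "ssh dhcpv6-client"
```

On a real host, replace the constructed listing with `firewall-cmd --list-all` output captured into a variable and keep the allow-list in sync with what the server is actually meant to serve.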
===== Debian based =====

On Debian based distributions the configuration is a little bit different:

==== Install/Enable ====

To install the firewall management tool on Debian based systems, use the following commands:

<sxh bash>
apt-get install -y ufw
update-rc.d ufw enable
service ufw start
</sxh>

==== Allow port ====

<sxh bash>
ufw allow 22
ufw allow 443
ufw allow 5901
</sxh>

==== Port Forwarding ====

To allow port forwarding on Debian based systems, we have to edit the file /etc/ufw/before.rules and add a nat table section. It is a separate table from the existing *filter section, so it ends with its own COMMIT line:

<sxh bash>
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8000
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8000
COMMIT
</sxh>

And then reload/enable the configuration again :)

<sxh bash>
ufw enable
</sxh>

You might need to reboot the entire server, but before that try to remove the service itself :).

Cheers.

linux_security_firewalld.txt · Last modified: 2019/11/14 21:34 by 127.0.0.1