
Useful FirewallD Rules to Configure and Manage Firewall in Linux

Firewalld provides a way to configure dynamic firewall rules in Linux that can be applied instantly,
without restarting the firewall; it also supports D-Bus and the zone concept, which makes configuration
easier.
Firewalld replaced the old firewall mechanism in Fedora (from Fedora 18 onwards), and RHEL/CentOS 7 and
other recent distributions rely on this new mechanism. One of the biggest motives for introducing the new
firewall system is that the old firewall needed a restart after every change, breaking all active connections.
As said above, firewalld supports dynamic zones, which are useful for configuring different sets of
zones and rules for your office or home network, either from the command line or through a GUI.
Initially the firewalld concept looks difficult to configure, but services and zones make it easier by
keeping both together, as covered in this article.
In our earlier article we saw how to work with firewalld and its zones; here, in this article, we will
see some useful firewalld rules for configuring your current Linux systems from the command line.
1. Firewalld Configuration in RHEL/CentOS 7
All the examples covered in this article were tested on the CentOS 7 distribution and also work
on RHEL and Fedora distributions.
Before implementing firewalld rules, first check whether the firewalld service is enabled and
running.
# systemctl status firewalld

The above output shows that firewalld is active and running. Now it's time to check all the active
zones and the available services.
# firewall-cmd --get-active-zones
# firewall-cmd --get-services

Check Zones and Services

In case you are not familiar with the command line, you can also manage firewalld from the GUI; for this
you need the GUI package installed on the system. If it is not, install it using the following command.
# yum install firewalld firewall-config

As said above, this article is written for command line lovers and all the examples we are going
to cover are command line only, no GUI way, sorry.
Before moving further, first confirm which zone (here, public) you are going to configure the
Linux firewall for, and list all active services, ports and rich rules for the public zone using the following command.
# firewall-cmd --zone=public --list-all

Check Public Zones


In the above output no rules have been added yet; let's see how to add, remove and
modify rules in the remaining part of this article.

1. Adding and Removing Ports in Firewalld


To open a port in the public zone, use the following command. For example, the following command
will open port 80/tcp in the public zone.
# firewall-cmd --permanent --zone=public --add-port=80/tcp

Similarly, to remove an added port, use the remove-port option of firewall-cmd as shown
below.
# firewall-cmd --zone=public --remove-port=80/tcp

After adding or removing a specific port, confirm whether the port was added or removed
by using the list-ports option.
# firewall-cmd --zone=public --list-ports

Add Port in Firewalld
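The add command above uses --permanent while the remove command does not, which is a common source of confusion: a --permanent change is inert until firewall-cmd --reload, and a runtime-only change is lost at the next reload. The following added example (not part of the original article) applies a port change to both configurations and verifies that they agree; it assumes firewall-cmd is on PATH and that the apply step runs as root.

```shell
#!/bin/sh
# Keep runtime and permanent firewalld configuration in step when
# opening or closing a port. Assumes firewalld's firewall-cmd is installed.

# Validate a port spec of the form <1-65535>/tcp or <1-65535>/udp.
# Returns 0 when valid, 1 otherwise.
validate_port_spec() {
    spec=$1
    case "$spec" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    port=${spec%/*}
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print the two commands that bring runtime and permanent configuration to
# the same state. $1 is "add" or "remove", $2 the zone, $3 the port spec.
port_change_cmds() {
    action=$1 zone=$2 spec=$3
    validate_port_spec "$spec" || return 1
    case "$action" in add|remove) ;; *) return 1 ;; esac
    printf 'firewall-cmd --zone=%s --%s-port=%s\n' "$zone" "$action" "$spec"
    printf 'firewall-cmd --permanent --zone=%s --%s-port=%s\n' "$zone" "$action" "$spec"
}

# Run the commands, then confirm that the runtime and permanent port lists
# of the zone are identical (requires root and a running firewalld).
port_change() {
    port_change_cmds "$1" "$2" "$3" | sh -e || return 1
    runtime=$(firewall-cmd --zone="$2" --list-ports)
    permanent=$(firewall-cmd --permanent --zone="$2" --list-ports)
    if [ "$runtime" != "$permanent" ]; then
        echo "runtime ($runtime) and permanent ($permanent) differ" >&2
        return 1
    fi
    echo "zone $2 ports: $runtime"
}

# Usage: port_change add public 80/tcp
#        port_change remove public 80/tcp
```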

2. Adding and Removing Services in Firewalld


By default firewalld comes with pre-defined services. If you want to add a list of specific services, you
need to create a new XML file with all the services included, or you can add or remove each
service manually by running the following commands.
For example, the following commands add or remove a specific service, FTP in this example, and
list the services enabled in the zone.
# firewall-cmd --zone=public --add-service=ftp
# firewall-cmd --zone=public --remove-service=ftp
# firewall-cmd --zone=public --list-services

Add Services in Firewalld

3. Block Incoming and Outgoing Packets (Panic Mode)


If you wish to block all incoming and outgoing connections, enable panic mode to
block such traffic. For example, the following command will drop every packet, including those of existing
established connections on the system.
# firewall-cmd --panic-on

After enabling panic mode, try to ping a domain (say google.com) and check whether panic
mode is on using the query-panic option, as shown below.
# ping google.com -c 1
# firewall-cmd --query-panic

Block Incoming Connections in Firewalld


In the above picture, the ping fails with Unknown host google.com while panic mode is on. Now
disable panic mode and then ping and check once again.

# firewall-cmd --query-panic
# firewall-cmd --panic-off
# ping google.com -c 1

Disable Panic Mode in Firewalld


This time the ping to google.com gets a reply.

4. Masquerading IP Address
Masquerading is a form of Network Address Translation (NAT): it is a simple method for allowing
a computer to connect to the internet through another machine, which acts as an intermediary.
Here, we will see how to forward a port to the outside network. For example, if I want to ssh into my
home virtual machine from anywhere, I need to forward my ssh port 22 to a different port (i.e. 2222).
Before doing the port forwarding, first check whether masquerading is enabled for the external zone,
because we are going to access the machine from the outside network.
# firewall-cmd --zone=external --query-masquerade

If it's not enabled, you can enable it with the following command.


# firewall-cmd --zone=external --add-masquerade

Now let's forward all ssh port 22 connections to port 2222 on IP address 192.168.0.132.
# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2222:toaddr=192.168.0.132
# firewall-cmd --zone=external --list-all

Port Forwarding

5. How to Block and Enable ICMP


First, list the ICMP types that firewalld knows about with the command below.
# firewall-cmd --get-icmptypes

To block an ICMP type in a zone, use the following command. For example, here I am going to
add an ICMP block on the public zone; before blocking, query the current status of the ICMP block.
# firewall-cmd --zone=public --query-icmp-block=echo-reply

If you get no, no ICMP block is applied yet; let's enable (block) ICMP.
# firewall-cmd --zone=public --add-icmp-block=echo-reply

Block ICMP in Firewalld

6. Adding and Removing Chain using Direct Interface


To add a custom direct interface rule, we can use the direct option on the chain of any zone (public, work,
internal, external). For example, here we are going to add a rule in the public zone.
Before adding any rule, first list all the current rules in the public zone using get-rules.
# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow

To add a rule, use add-rule as shown below.

# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT

To remove the rule, just replace add-rule with remove-rule.

# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT

Add Remove Chains

7. Firewalld Lockdown Rules


Any local application with root privileges can change the firewalld rules. To
prevent such changes, we have to enable lockdown in the firewalld.conf file. This is mostly
used to protect firewalld from unwanted rule changes by applications.
# vim /etc/firewalld/firewalld.conf

Change Lockdown=no to Lockdown=yes:
Lockdown=yes

Lock Down Firewalld Rules


To make the change take effect, reload firewalld using reload.
# firewall-cmd --reload

After making the above change, verify whether firewalld is in lockdown mode using query-lockdown.
# firewall-cmd --query-lockdown

To turn lockdown mode on or off at runtime, use the following commands.


# firewall-cmd --lockdown-on
# firewall-cmd --lockdown-off

On Off Lock Down Rules in Firewalld

8. Enabling Fail2ban-firewalld Support


To enable fail2ban support in firewalld, we need to install the package called fail2ban-firewalld
after enabling the EPEL repository on RHEL/CentOS systems. The fail2ban support provides additional
protective rules for SSH, SSH-DDOS, MariaDB, Apache, etc.
After enabling EPEL, let's install the fail2ban-firewalld package using the following command.
# yum install fail2ban-firewalld -y

Install Fail2ban Firewalld


After installing the package, start the fail2ban service and enable it so that it persists across reboots.
# systemctl start fail2ban
# systemctl enable fail2ban

Enable Fail2ban Firewalld

9. Adding & Blocking IP Addresses


To accept all traffic from a specific IP address (192.168.0.254) in the public zone, use the following command.
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source
address="192.168.0.254" accept'

After adding the above rule, don't forget to list all the rules of the public zone.
# firewall-cmd --zone=public --list-all

To remove an added rule, just replace add-rich-rule with remove-rich-rule as
shown in the command below.
# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source
address="192.168.0.254" accept'

Add Block IP Address


To reject or drop traffic from an IP address in the zone, just replace accept with reject (or drop) as shown in
the command below.
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source
address="192.168.0.250" reject'
# firewall-cmd --zone=public --list-all

Reject IP Address
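Rich rules are parsed by firewalld only when they are applied, so a mistyped address or action is easy to miss. The following added example (not from the original article) builds the source-address rich rules used above, validates the address and action first, and applies the rule to both runtime and permanent configuration; it assumes firewall-cmd is on PATH and that the apply step runs as root.

```shell
#!/bin/sh
# Build, validate and apply firewalld rich rules that accept, reject or
# drop traffic from a source address. Assumes firewall-cmd is installed.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix.
valid_ipv4() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32   # no "/" present: host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the rich rule for action $1 (accept|reject|drop) and source $2.
# "reject" answers the sender with an ICMP error; "drop" discards silently.
source_rich_rule() {
    case "$1" in accept|reject|drop) ;; *) return 1 ;; esac
    valid_ipv4 "$2" || return 1
    printf 'rule family="ipv4" source address="%s" %s\n' "$2" "$1"
}

# Apply the rule to the runtime and permanent configuration of zone $1,
# then list the zone's rich rules (requires root and a running firewalld).
apply_source_rule() {
    zone=$1
    rule=$(source_rich_rule "$2" "$3") || return 1
    firewall-cmd --zone="$zone" --add-rich-rule="$rule" || return 1
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" || return 1
    firewall-cmd --zone="$zone" --list-rich-rules
}

# Usage: apply_source_rule public accept 192.168.0.254
#        apply_source_rule public reject 192.168.0.250
```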

Conclusion
Here we have seen how to configure some of the rules and default services in firewalld. If you have any
query regarding the above firewalld rules, feel free to leave your valuable comments below.
