How to change Firewall rules in CentOS 7
A firewall blocks many things, including traffic to web applications we actually want to expose (such as Apache), but turning the firewall off leaves the whole system exposed.
In CentOS 7, the iptables service is replaced by firewalld. To keep the system secure, the steps below configure it so that only specific ports are allowed through, while access to unauthorized or unknown applications listening on unlisted ports stays blocked.
Step 1: Start Firewall Service
Start your firewall service via the command:
systemctl start firewalld.service
Step 2: Understand Firewall “Zones”
CentOS 7 introduces the firewalld service, and with it the concept of “zones”. Each zone has its own set of firewall rules.
To list the zones your firewall service knows about, run the command:
firewall-cmd --get-zones
Then, use the following command to see which is the default zone that your firewall runs on startup:
firewall-cmd --get-default-zone
Then use this command to see which zone is currently active, as well as which network interface is assigned to that zone:
firewall-cmd --get-active-zones
The following list describes what each of the default zones does:
drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
public: Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.
external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
trusted: Trust all of the machines in the network. The most open of the available options and should be used sparingly.
Step 3: Making Custom Zones
To avoid misconfiguring the default zones, we can create our own zone with its own set of rules, using the command:
firewall-cmd --permanent --new-zone=sshweb
This creates a zone called “sshweb”. A “success” message is printed to show that the zone was created, or you can confirm it using:
firewall-cmd --permanent --get-zones
But it won’t be available in the running firewall instance yet, as you can see by running the command without the “--permanent” option:
firewall-cmd --get-zones
To add it to the firewall’s active configuration, we need to reload the firewall first, then check the zones again:
sudo firewall-cmd --reload
firewall-cmd --get-zones
Step 4: Configure Zone Services
The example zone “sshweb” is created to allow the SSH and HTTP services; add services to the zone using the commands:
firewall-cmd --zone=sshweb --add-service=ssh
firewall-cmd --zone=sshweb --add-service=http
firewall-cmd --zone=sshweb --add-service=https
After that, use the following command to check if the services are added correctly:
firewall-cmd --zone=sshweb --list-all
Now test the configuration. If it works, reapply the rules with the “--permanent” option so they survive a reload:
firewall-cmd --zone=sshweb --permanent --add-service=ssh
firewall-cmd --zone=sshweb --permanent --add-service=http
firewall-cmd --zone=sshweb --permanent --add-service=https
Important Note: Don’t restart the service yet, as we still need to open the ports the firewall should let through. Otherwise you might get locked out of the server.
Step 5: Configure Zone Ports
To allow a specific port through the firewall (80 for HTTP and your SSH port number for SSH), use the following commands:
firewall-cmd --zone=sshweb --permanent --add-port=80/tcp
firewall-cmd --zone=sshweb --permanent --add-port=<your_ssh_port>/tcp
(Note: Adding the “--permanent” option makes the setting persist across a reload and a system reboot.)
This adds the port to the zone’s whitelist. To verify that the port was added, reload the firewall and list the zone:
sudo firewall-cmd --reload
firewall-cmd --zone=sshweb --list-all
Look at the “ports” line and check that the port you added is listed. The output also shows the other settings of the zone you are currently using.
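Because a missing SSH entry at this point means a lockout after the restart, here is an added pre-restart check (not part of the original article) that parses the “services:” and “ports:” lines of the --list-all output. SSH_PORT and the sample listings are assumptions constructed for the example; the check_live_zone wrapper needs root and a running firewalld.

```shell
#!/bin/sh
# Added example, not from the original article. Verifies that a zone
# listing allows SSH (service or SSH_PORT/tcp) and HTTP (service or 80/tcp)
# before firewalld is restarted. SSH_PORT is an assumption: set it to the
# port sshd actually listens on.
SSH_PORT="${SSH_PORT:-22}"

# Takes the text of `firewall-cmd --zone=<zone> --list-all` as $1.
# Returns 0 if SSH and HTTP are both reachable through the zone, otherwise
# prints what is missing on stderr and returns 1.
check_zone_listing() {
    listing="$1"
    services=$(printf '%s\n' "$listing" | sed -n 's/^ *services: *//p')
    ports=$(printf '%s\n' "$listing" | sed -n 's/^ *ports: *//p')
    missing=""
    case " $services " in
        *" ssh "*) ;;
        *) case " $ports " in
               *" $SSH_PORT/tcp "*) ;;
               *) missing="$missing ssh" ;;
           esac ;;
    esac
    case " $services " in
        *" http "*) ;;
        *) case " $ports " in
               *" 80/tcp "*) ;;
               *) missing="$missing http" ;;
           esac ;;
    esac
    if [ -n "$missing" ]; then
        echo "zone is missing:$missing" >&2
        return 1
    fi
    return 0
}

# Wrapper for the live system (root + firewalld required); not run here.
check_live_zone() {
    check_zone_listing "$(firewall-cmd --zone="${1:-sshweb}" --list-all)"
}

# Constructed sample listings shaped like the Step 5 output above.
SAMPLE_OK='sshweb
  interfaces: eth0
  services: ssh http https
  ports: 80/tcp 22/tcp'
SAMPLE_BAD='sshweb
  interfaces: eth0
  services: http https
  ports: 80/tcp'
```

Run check_live_zone sshweb after the reload and only restart firewalld when it returns 0.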
Then restart the firewall service with the command:
systemctl restart firewalld.service
Step 6: Set Zone Interface
To use the custom zone, we need to assign our interface, eth0, to the zone we have created:
firewall-cmd --zone=sshweb --change-interface=eth0
We can then check if it’s added using the command:
firewall-cmd --zone=sshweb --list-all
To bind the interface to our custom zone permanently (so it does not revert to the default zone “public”), open the network config file for eth0 and add the line “ZONE=sshweb”:
vi /etc/sysconfig/network-scripts/ifcfg-eth0
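As an added helper (not from the original article), this function makes the ZONE= edit idempotent: it replaces an existing ZONE= line instead of appending a second one. The file path and zone name are parameters; the article’s values are /etc/sysconfig/network-scripts/ifcfg-eth0 and sshweb.

```shell
#!/bin/sh
# Added example, not from the original article. Sets ZONE=<zone> in an
# ifcfg file, replacing any existing ZONE= line so the file never carries
# two conflicting bindings. Usage: set_ifcfg_zone <ifcfg-file> <zone>
set_ifcfg_zone() {
    file="$1"
    zone="$2"
    if grep -q '^ZONE=' "$file"; then
        # Rewrite through a temp file so a failed sed leaves the original intact.
        tmp="$file.tmp.$$"
        sed "s/^ZONE=.*/ZONE=$zone/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf 'ZONE=%s\n' "$zone" >> "$file"
    fi
}

# Reads back the zone bound in the file (empty output if none is set).
get_ifcfg_zone() {
    sed -n 's/^ZONE=//p' "$1" | tail -n 1
}
```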
Restart your network and firewall services using the following commands:
systemctl restart network.service
systemctl restart firewalld.service
Now you can check your active zones using the line:
firewall-cmd --get-active-zones
Now all ports other than the ones you have set in the zone will be blocked.