
Change Firewall Rules in CentOS 7

A host firewall blocks incoming connections to services we actually want to expose (a web server such as Apache, for example), but switching the firewall off to get them working also exposes every other listening service on the machine. The right fix is to allow exactly the ports and services you need and nothing else.

In CentOS 7 the iptables service is replaced by firewalld as the default way of managing the firewall (firewalld still programs netfilter through iptables underneath; only the management layer changed). The steps below configure it so that only specific ports and services are reachable from the network, while connections to anything else, including unknown or unauthorised applications listening on unlisted ports, are refused.


Step 1: Start the Firewall Service

Start the firewalld service with the command below. All firewall-cmd and systemctl commands in this guide need root privileges. Note that starting the unit does not enable it at boot; enable it as well if the firewall should come back after a reboot:

systemctl start firewalld.service


Step 2: Understand Firewall “Zones”

firewalld groups rules into "zones". Each zone carries its own set of allowed services, ports and rules, and a network interface (or source address range) is assigned to exactly one zone, which decides how traffic arriving on it is treated.

To list the zones firewalld knows about, run:

firewall-cmd --get-zones

Then use the following command to see the default zone, the one any interface that has no explicit zone assignment falls into:

firewall-cmd --get-default-zone

Then use this command to see which zones are currently active, together with the network interfaces assigned to each of them:

firewall-cmd --get-active-zones

The following list describes what each of the default zones does:

drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.

block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.

public: Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.

external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.

internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.

dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.

work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.

home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.

trusted: Trust all of the machines in the network. The most open of the available options and should be used sparingly.


Step 3: Making Custom Zones

Rather than modifying the built-in zones, we can create our own zone with its own set of rules, using the command:

firewall-cmd --permanent --new-zone=sshweb

This creates a zone called "sshweb" in the permanent configuration. firewall-cmd prints "success" when the zone has been created; you can also confirm it with:

firewall-cmd --permanent --get-zones

It is not yet part of the running (runtime) configuration, however, as you can see by running the same command without the --permanent option:

firewall-cmd --get-zones


Permanent changes only reach the runtime configuration after a reload, so reload the firewall and then list the zones again:

sudo firewall-cmd --reload
firewall-cmd --get-zones




Step 4: Configure Zone Services

The example zone "sshweb" is meant to allow SSH, HTTP and HTTPS. Services are predefined port groups shipped with firewalld (ssh is 22/tcp, http is 80/tcp, https is 443/tcp); add them to the runtime configuration of the zone with:

firewall-cmd --zone=sshweb --add-service=ssh
firewall-cmd --zone=sshweb --add-service=http
firewall-cmd --zone=sshweb --add-service=https

Then check that the services appear in the zone:

firewall-cmd --zone=sshweb --list-all


Runtime additions like these are discarded at the next reload or restart, and because no interface is assigned to sshweb yet they do not affect any traffic; they only let you check the commands are accepted and the zone looks right. Once the listing is correct, repeat the additions with the --permanent option so they are written to the zone's configuration file:

firewall-cmd --zone=sshweb --permanent --add-service=ssh
firewall-cmd --zone=sshweb --permanent --add-service=http
firewall-cmd --zone=sshweb --permanent --add-service=https


Important Note: Do not assign an interface to this zone yet. The ssh service only covers port 22/tcp, so if sshd listens on a different port that port must be added first (Step 5); otherwise, the moment your interface moves into the zone, your own SSH session is cut off and you are locked out of the server.


Step 5: Configure Zone Ports

To allow an individual port through the firewall rather than a named service, use --add-port with the port number and protocol. Port 80/tcp is already covered by the http service added in Step 4, so the first line below is redundant but harmless; the second one matters if SSH runs on a non-default port (replace <your_ssh_port> with the port number from sshd_config):

firewall-cmd --zone=sshweb --permanent --add-port=80/tcp
firewall-cmd --zone=sshweb --permanent --add-port=<your_ssh_port>/tcp

(Note: the --permanent option writes the setting to the zone's configuration file, so it survives reloads and reboots; without it the change lives only until the next reload.)

This adds the port to the zone's allow list. Permanent changes are not visible in the runtime until a reload, so to verify, reload and then list the zone:

sudo firewall-cmd --reload
firewall-cmd --zone=sshweb --list-all

Look at the "ports:" line and check that the port you added is listed; the "services:" line should show ssh, http and https. The rest of the output describes the zone's other settings (target, interfaces, rich rules and so on).


The reload above already applied the permanent configuration; a full restart of the service is the heavier alternative and is only needed if firewalld itself is misbehaving:

systemctl restart firewalld.service


Step 6: Set Zone Interface

To put the custom zone into effect, we need to move our network interface into it. The examples use eth0; substitute the name of your own interface (as shown by "ip link"). This is the step that enforces the zone, so make sure the permanent configuration already admits your SSH connection before running it:

firewall-cmd --zone=sshweb --change-interface=eth0

We can then check that the interface appears on the "interfaces:" line with:

firewall-cmd --zone=sshweb --list-all

The change above is a runtime change only: after a restart of the network service the interface falls back to the default zone ("public"). To make the association permanent, open the network config file for eth0 and add the line "ZONE=sshweb":

vi /etc/sysconfig/network-scripts/ifcfg-eth0


Restart your network and firewall services using the following commands:

systemctl restart network.service
systemctl restart firewalld.service

Now you can check the active zones with:

firewall-cmd --get-active-zones



The output should show sshweb with eth0 listed under it. From now on, incoming connections on eth0 are accepted only for the services and ports you listed in the zone; everything else is rejected. Outgoing connections are not affected.
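The whole procedure from Step 3 to Step 6, as a single added example script (not from the original page): it writes only permanent configuration, reloads once, and refuses to move the interface into the zone until the permanent configuration admits SSH, since that binding is the step that locks you out. The ZONE, IFACE, SSH_PORT and FIREWALL_CMD variables and the DRY_RUN switch are assumptions of this example; with DRY_RUN=1, or on a host without firewall-cmd, every invocation is printed instead of executed.

```shell
#!/bin/sh
# Added example, not from the original page: zone, services, SSH port,
# interface binding, one reload, verification. Permanent config only.
# Assumed names (not from the page): ZONE, IFACE, SSH_PORT, FIREWALL_CMD,
# DRY_RUN. DRY_RUN=1 (or no firewall-cmd installed) prints the commands.
set -eu

ZONE="${ZONE:-sshweb}"
IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
DRY_RUN="${DRY_RUN:-0}"

# Integer in 1..65535 only: rejects '', '22;id', '80/tcp', '70000'.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
  return 1
}

# Interface names: letters, digits, '.', '_', '-', at most 15 characters.
valid_iface() {
  case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
  if [ "${#1}" -le 15 ]; then return 0; fi
  return 1
}

# Execute firewall-cmd, or print the invocation in dry-run mode.
fw() {
  if [ "$DRY_RUN" = 1 ] || ! command -v "$FIREWALL_CMD" >/dev/null 2>&1; then
    printf '%s %s\n' "$FIREWALL_CMD" "$*"
  else
    "$FIREWALL_CMD" "$@"
  fi
}

# True if the zone already exists in the permanent configuration.
zone_exists() {
  fw --permanent --get-zones | tr ' ' '\n' | grep -qxF "$ZONE"
}

# Permanent zone contents. http/https already cover 80 and 443/tcp, so no
# separate --add-port=80/tcp; the ssh service covers only 22/tcp, so a
# non-default sshd port must be added explicitly.
configure_zone() {
  valid_port "$SSH_PORT" || { echo "invalid SSH_PORT: $SSH_PORT" >&2; return 1; }
  valid_iface "$IFACE"   || { echo "invalid IFACE: $IFACE" >&2; return 1; }
  zone_exists || fw --permanent --new-zone="$ZONE"
  for svc in ssh http https; do
    fw --permanent --zone="$ZONE" --add-service="$svc"
  done
  [ "$SSH_PORT" = 22 ] || fw --permanent --zone="$ZONE" --add-port="$SSH_PORT/tcp"
}

# Does the permanent config admit our SSH connection? (exit status of --query-*)
ssh_admitted() {
  if [ "$SSH_PORT" = 22 ]; then
    fw --permanent --zone="$ZONE" --query-service=ssh
  else
    fw --permanent --zone="$ZONE" --query-port="$SSH_PORT/tcp"
  fi
}

# Bind the interface only once SSH is admitted, reload once, then verify.
apply_zone() {
  configure_zone
  ssh_admitted || { echo "refusing to bind $IFACE: SSH not admitted in $ZONE" >&2; return 1; }
  fw --permanent --zone="$ZONE" --change-interface="$IFACE"
  fw --reload
  fw --get-active-zones
  fw --zone="$ZONE" --list-all
}

apply_zone
```

Run it first with DRY_RUN=1 to read the planned commands, then as root, for example with SSH_PORT=2222 if sshd listens there. The permanent --change-interface replaces the manual ZONE= edit of Step 6 on systems where NetworkManager manages the interface (firewalld records the binding in the connection); on an interface handled only by the network service, keep the ZONE=sshweb line in ifcfg-eth0 as described above.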
