How To Use CentOS Firewall

In this how-to guide for the CentOS firewall, we will give you all the information needed to set up the firewall on a CentOS machine. We will start with some definitions and then dive into the configuration.


Firewall:

A firewall is a system designed to protect a private network from access by unauthorized or unrecognized parties. Firewalls come in two forms: hardware firewalls and software firewalls.

A hardware firewall is a physical device connected to your network equipment. A software firewall, in contrast, is installed on computers and network devices such as routers, or is built into the operating system.

Depending on your security needs, you can install a hardware firewall, a software firewall, or combine both to safeguard your network. Protecting your intranet from unauthorized internet users with a firewall is considered the first measure to take before setting up your local systems, but it cannot be your only shield against intruders on the internet.

How does a Firewall work?

Many people confuse a firewall with the other security measures put in place to protect a network on the internet. Firewalls prevent intruders from accessing a private network by examining all the messages that enter or leave it.

The firewall allows the messages that meet the configured security policy and blocks those that do not meet the set security parameters. It is also essential to note that firewalls do not verify or authenticate the users accessing the network; they are only concerned with protecting the network connections and the network traffic.

Types of Firewalls:

There are several types of firewalls, including those that act as a proxy server, packet filters, circuit-level gateways, stateful packet inspection, and the web application firewall. Many networks employ two or more of these techniques to safeguard their networks.

Most small office and home intranets have firewalls built into their broadband routers. It is also worth mentioning that operating systems like Windows and macOS ship with a built-in firewall. Just as with anti-virus providers, there are also third-party firewall packages such as the Norton and McAfee firewalls, and many more.

What is CentOS (Community Enterprise Operating System?)

Derived from Red Hat Enterprise Linux, CentOS is a Linux distribution that has grown popular among DevOps engineers, home users and system administrators. CentOS provides resources to assist in building, testing, releasing and maintaining code on different platforms.

It provides a rich base platform for open source communities to build upon. Many companies and organizations also use CentOS for production and development servers. Unlike Red Hat Enterprise Linux, CentOS is free of charge, and no subscription fee is needed.

Since it is a community operating system, if you experience any problems or need clarification on some feature of CentOS, community members all over the world, ranging from system administrators to software developers, will help you out.

Many developers and Linux enthusiasts consider CentOS boring: unlike Red Hat Enterprise Linux, CentOS is where well-developed and established software and technologies live for a long time.

Linux has three distributions here: Fedora, Red Hat Enterprise Linux, and then there is CentOS. CentOS is the mirror image of Red Hat Enterprise Linux; even the version numbers are derived from Red Hat Enterprise Linux.

Releases of CentOS updates and software tend to lag behind, because the CentOS team works around the clock to remove the Red Hat branding and build CentOS from the Red Hat software. This explains why CentOS 7 has been the current version since 2014, as has Red Hat Enterprise Linux 7.

Many businesses, organizations, and schools prefer CentOS because of its diverse and vibrant support community, and its maintenance is quite remarkable. You can also choose to blend CentOS with compatible Red Hat Enterprise systems.

Firewall Installation on CentOS:

If you are a Linux enthusiast, you probably know about firewalld. If not, firewalld is a firewall management solution available on many Linux distributions, including CentOS and Red Hat Enterprise Linux. It acts as a frontend for the iptables packet filter system offered by the Linux kernel. Below I will discuss how to set up a firewall for your device or server and how to manage it using the firewall-cmd tool or iptables on CentOS.

Basic Firewalld Concepts and features:

Instead of iptables chains and rules, firewalld uses zones and services. Once you have configured the zones and services, you can easily control the traffic and filter what is allowed into and out of the system. Below I will discuss how to configure the firewall using the command-line tool firewall-cmd.

Firewalld Zones:

Zones are predefined sets of rules that specify what traffic is allowed, depending on how much you trust the networks connected to your computer or server. The zones provided by firewalld are listed below, from most trusted to least trusted:

  • trusted – you trust all the machines on the network. Many more services and options are allowed, so this zone should be used sparingly.
  • home – you trust most of the other computers on the network, and more services are accepted.
  • work – used mostly for work machines. Most computers on the network are trusted, and more services might be allowed.
  • internal – used when the computers are reasonably trusted and additional services are available. It is used for the internal side of a gateway.
  • external – used when the firewall acts as a gateway. It is configured for NAT masquerading, so the internal network remains private but can still be reached.
  • public – represents untrusted networks. Incoming connections may be allowed on a case-by-case basis.
  • block – all incoming connections are rejected with icmp6-adm-prohibited for IPv6 and icmp-host-prohibited for IPv4. All outgoing connections are allowed.
  • drop – only outgoing connections are allowed. All incoming packets and connections are discarded.

To use the firewall, you create rules, alter their properties as needed, and assign each network interface to the most appropriate zone. Rules can be applied immediately (at runtime) or permanently. When rules are added or changed at runtime, the behaviour of the running firewall changes right away, but only until the system is rebooted, at which point the old rules are restored.

Adding the --permanent flag to a firewall-cmd command builds the set of rules that will take effect when the reload command is issued. The flag also indicates that the non-ephemeral (permanent) firewall configuration should be targeted.

Requirements before installing a firewall and using Firewalld:

  • You need a VPS running CentOS.
  • You should also log in to your server as root or as a user account with sudo privileges; the latter is preferred.

Installing a Firewall on CentOS

Most Linux distributions come with firewalld installed by default, but you can also easily install firewalld with the following command:

$ sudo yum install firewalld

Immediately after installing firewalld, enable the service and then reboot your computer or server. It is recommended that you create your firewall rules and test them before making them permanent, to avoid any possible issues.

$ sudo systemctl enable firewalld

$ sudo reboot

After the server has restarted and your firewall is up, the network interfaces should be placed in their default zones, or into the zones you configured them into. The rules of each zone will then be applied to the associated network interfaces.

To verify that the firewall is running, type:

$ sudo firewall-cmd --state

The output should read running, which means the firewall is running with the default configuration.

Familiarizing yourself with the default or current firewall rules

Familiarizing yourself with the default rules and environment before you begin modifying them is very important.

Defaults:

To find the default zone, type:

$ firewall-cmd --get-default-zone

The output should be:

public

Because you have not told firewalld to move anything out of the default zone, and none of the interfaces is configured to bind to any other zone, that zone should be the only active zone. To verify this, type:

$ firewall-cmd --get-active-zones

The output should be:

public
  interfaces: int3 int6

This means that the server's int3 and int6 network interfaces are controlled by the firewall according to the rules defined by the public zone.

To print out the current default zone configuration type:

$ sudo firewall-cmd --list-all

The output should be:

public (default, active)
  target: default
  icmp-block-inversion: no
  interfaces: int3 int6
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

The output tells us that the zone is both the default and active, and that the two network interfaces int3 and int6 are associated with it. It also shows that the zone allows normal operation of SSH (remote administration) and the DHCPv6 client (IP address assignment).
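Reading a zone listing by eye works for one zone, but on a fleet you want a check you can script: parse the services line and flag anything outside an allow-list. The following is an added example, not part of the original article or of firewalld; SAMPLE is a constructed listing in the same format as the output above (with a deliberately unexpected service in it), and in real use you would feed the function the output of firewall-cmd --list-all.

```shell
#!/bin/sh
# Added example: audit a "firewall-cmd --list-all" style listing against an
# allow-list of services. SAMPLE is constructed for the demonstration.
SAMPLE='public (default, active)
  target: default
  icmp-block-inversion: no
  interfaces: int3 int6
  sources:
  services: ssh dhcpv6-client telnet
  ports: 3000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field FIELD LISTING: print the value of one field (services, ports, ...).
# The pattern is anchored at the start of the line so that "ports" does not
# also match "forward-ports" or "source-ports".
zone_field() {
    field=$1
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$field:[[:space:]]*//p"
}

# unexpected_services "ALLOWED LIST" LISTING: print every service in the zone
# that is not in the space-separated allow-list; exit status 1 if any is found.
unexpected_services() {
    allowed=" $1 "      # space-padded so that whole-word matching works
    listing=$2
    rc=0
    for svc in $(zone_field services "$listing"); do
        case "$allowed" in
            *" $svc "*) ;;
            *) echo "$svc"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: unexpected_services "ssh dhcpv6-client" "$(sudo firewall-cmd --list-all)"
unexpected_services "ssh dhcpv6-client" "$SAMPLE"
```

The same zone_field helper reads the ports line, so the audit can be extended to open ports with a second allow-list.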

Alternative zones:

Now that we know the default configuration and the active zone, we should find out more about the other zones.

To obtain a list of the available zones, type:

$ firewall-cmd --get-zones

The output should be:

block dmz drop external home internal public trusted work

To see the configuration of a specific zone, type:

$ sudo firewall-cmd --zone=home --list-all

The output should be:

home
interfaces:
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

You can also print all of the zone definitions by typing:

$ sudo firewall-cmd --list-all-zones | less

Changing zones of an Interface:

Each interface is placed in the default zone when the firewall restarts, unless you have configured your interfaces differently.

To move a network interface from one zone to another, type:

$ sudo firewall-cmd --zone=home --change-interface=int3

In this case, we are moving the int3 interface into the home zone.

The output should be:

success

Note that when you move an interface from one zone to another, you are also changing which services are reachable through that interface.

To verify that the zone change was successful, type:

$ firewall-cmd --get-active-zones

The output should be:

home
interfaces: int3

public
interfaces: int6

Adjusting the Default Zone:

If a single zone can manage all of your network interfaces, select the most appropriate zone as the default and use it for your configuration.

To change the default zone, type:

$ sudo firewall-cmd --set-default-zone=home

The output should be:

success

Setting Rules for your applications

Adding a service to your zones

To get a list of the service definitions available to the firewall, type:

$ firewall-cmd --get-services

If everything works as expected, you should then modify the permanent firewall rules so that the service remains available after a reboot. For example, to permanently allow HTTP in the public zone, type:

$ sudo firewall-cmd --zone=public --permanent --add-service=http

The output should be:

success
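The runtime-versus-permanent distinction described under "Firewalld Zones" and the service step above fit together into one safe workflow: allow the service at runtime, confirm the firewall actually reports it, and only then copy the runtime state into the permanent configuration. The script below is an added example, not code from the original article or from the firewalld project. The FWCMD variable is an assumption of this example so that a stub can stand in for firewall-cmd on a machine without firewalld; --add-service, --query-service and --runtime-to-permanent are real firewall-cmd options.

```shell
#!/bin/sh
# Added example: add a service to a zone at runtime, verify it, and persist
# it only when the verification passes. FWCMD is an assumption of this
# example (override it with a stub for testing; default is firewall-cmd).
FWCMD="${FWCMD:-sudo firewall-cmd}"

# Allow SERVICE in ZONE at runtime only (no --permanent). A reload or reboot
# discards the rule, which is the safety net while you are still testing it.
add_runtime() {
    $FWCMD --zone="$1" --add-service="$2"
}

# Exit status 0 when the runtime configuration of ZONE allows SERVICE.
is_allowed() {
    $FWCMD --zone="$1" --query-service="$2" >/dev/null 2>&1
}

# add_and_persist ZONE SERVICE: add, verify, then copy the whole runtime
# configuration into the permanent one. Returns 1 and persists nothing if
# the add fails or the query does not confirm the service.
add_and_persist() {
    zone=$1; svc=$2
    add_runtime "$zone" "$svc" >/dev/null || return 1
    if is_allowed "$zone" "$svc"; then
        $FWCMD --runtime-to-permanent >/dev/null
        echo "persisted $svc in zone $zone"
        return 0
    fi
    echo "$svc is not active in zone $zone; nothing persisted" >&2
    return 1
}

# Usage, mirroring the HTTP example above:
# add_and_persist public http
```

Because --runtime-to-permanent copies everything currently active, run it only after all runtime experiments you do not want to keep have been reverted.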

If no appropriate service is available:

There are two possible approaches: opening a port in a zone, or defining a new service.

Opening a Port for Your Zones

For example, if our application listens on TCP port 3000, we could open that port in the public zone by typing:

$ sudo firewall-cmd --zone=public --add-port=3000/tcp

The output should be:

success

You can also specify a range of ports by putting a dash between the beginning and the ending port.

For example, we could open UDP ports 3900 to 5000 by typing:

$ sudo firewall-cmd --zone=public --add-port=3900-5000/udp

Forwarding a port:

To forward traffic from one port to another port or address, you first have to enable masquerading by typing:

$ sudo firewall-cmd --zone=external --add-masquerade

To forward traffic from one port to another on the same server, for example from port 75 to port 8080, type:

$ sudo firewall-cmd --zone=external --add-forward-port=port=75:proto=tcp:toport=8080

To forward the traffic to another server instead, type:

$ sudo firewall-cmd --zone=external --add-forward-port=port=75:proto=tcp:toport=8080:toaddr=10.10.10.8

Defining a Service:

As easy as opening ports is, it can be hard to keep track of what each one is for, especially when you decommission a service on your server. To avoid this confusion, consider defining services instead.

The simplest way to start is to copy an existing service definition (found in /usr/lib/firewalld/services) to the /etc/firewalld/services directory, where the firewall looks for non-standard definitions.

For example, we could copy the SSH service definition. The filename minus the .xml suffix dictates the name of the service within the firewall's services list:

$ sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/example.xml

Now, you can adjust the definition found in the file you copied:

$sudo vi /etc/firewalld/services/example.xml

To start, the file will contain the SSH definition that you copied:

/etc/firewalld/services/example.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your computer remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>
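Editing a copied definition by hand is fine once; a small generator keeps the short name, description and port elements consistent every time and, importantly, escapes the description so that a stray "&" or "<" cannot produce an unparseable file that firewalld then ignores. The script below is an added example, not part of the original article or of the firewalld project. OUTDIR is an assumption of this example (it defaults to the real /etc/firewalld/services directory; tests point it at a temporary directory), and the service name "example" and the port list are the constructed values from this article.

```shell
#!/bin/sh
# Added example: generate a firewalld service definition file. OUTDIR is an
# assumption of this example; firewalld itself reads /etc/firewalld/services.
OUTDIR="${OUTDIR:-/etc/firewalld/services}"

# Escape the five XML special characters so free text cannot break the file.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# write_service NAME "SHORT" "DESCRIPTION" PORT/PROTO [PORT/PROTO ...]
# Validates every argument first, then writes OUTDIR/NAME.xml and prints its
# path. PORT may be a single port (3000) or a range (3900-5000); PROTO must be
# one of the protocols firewalld accepts in a <port> element.
write_service() {
    name=$1; short=$2; desc=$3; shift 3
    case "$name" in
        ""|*[!A-Za-z0-9_-]*) echo "invalid service name: $name" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "at least one PORT/PROTO is required" >&2; return 1; }
    for p in "$@"; do
        case "$p" in
            *[0-9]/tcp|*[0-9]/udp|*[0-9]/sctp|*[0-9]/dccp) ;;
            *) echo "bad port spec: $p" >&2; return 1 ;;
        esac
    done
    out="$OUTDIR/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for p in "$@"; do
            # ${p#*/} is the protocol after the slash, ${p%/*} the port part.
            printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
        done
        printf '</service>\n'
    } >"$out"
    echo "$out"
}

# Usage (as root, then `firewall-cmd --reload` and `--add-service=example`):
# write_service example "Example app" "Internal app on TCP 3000" 3000/tcp
```

After writing the file, run firewall-cmd --reload so that firewalld picks up the new definition, and check that it appears in firewall-cmd --get-services before adding it to a zone.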

Creating your Zones:

The predefined zones are usually enough, but you should know how to create and define your own zones. When creating zones, note that you should add them to the permanent firewall configuration. For example, you can create two zones, publicdomain and privatedomain, by typing:

$ sudo firewall-cmd --permanent --new-zone=publicdomain

$ sudo firewall-cmd --permanent --new-zone=privatedomain

To bring the two new zones into the active configuration, reload the firewall and list the zones by typing:

$ sudo firewall-cmd --reload

$ firewall-cmd --get-zones

The output should be:

block dmz drop external home internal privatedomain public publicdomain trusted work

You can now administer the firewalld service on any CentOS system. For advanced configuration, look into rich rules and the direct interface.
