FirewallD (firewall-cmd) Cheat Sheet -- written for yum + systemd hosts (RHEL/CentOS 7 style)

SETUP
FirewallD
yum install firewalld firewall-config
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --state
## NOTE: every firewall-cmd call in this sheet needs root (or sudo), and its
## change is runtime-only unless --permanent is given (see PERSISTENT CONFIGURATION).

Disable FirewallD & Setup Iptables
## firewalld and iptables-services both program the same netfilter tables and
## must never run at the same time: stop/disable firewalld first, and mask it
## so a package update or dependency cannot silently re-enable it.
systemctl disable firewalld
systemctl stop firewalld
systemctl mask firewalld

yum install iptables-services

## Rulesets the iptables/ip6tables services load at boot. An empty file loads
## no rules at all (default policy ACCEPT = host wide open), so put a real
## ruleset in place (e.g. iptables-save > /etc/sysconfig/iptables) before
## relying on the services. The IPv6 file is ip6tables, not iptables6.
touch /etc/sysconfig/iptables
touch /etc/sysconfig/ip6tables

systemctl enable iptables
systemctl enable ip6tables

systemctl start iptables
systemctl start ip6tables

systemctl status iptables
systemctl status ip6tables

HELP
firewall-cmd --help
firewall-cmd --<DOUBLE-TAB>   # bash completion lists every option
man firewall-cmd

SOURCES
## A source (IP/CIDR) binding takes precedence over an interface binding when
## firewalld picks the zone for a packet, and a source can be in one zone only.
## LIST: Of the Default/Specified Zone
firewall-cmd --list-sources [--zone=<ZONE>]
## ADD: To the Default/Specified Zone
firewall-cmd --add-source=<IP[/CIDR]> [--zone=<ZONE>]
## MOVE: To Default/Specified Zone
firewall-cmd --change-source=<IP[/CIDR]> [--zone=<ZONE>]
## REMOVE: From the Default/Specified Zone
firewall-cmd --remove-source=<IP[/CIDR]> [--zone=<ZONE>]

SERVICES
## LIST: All Available
firewall-cmd --get-services
## LIST: Assigned to the Default/Specified Zone
firewall-cmd --list-services [--zone=<ZONE>]
## ADD: Service to the Default/Specified Zone
firewall-cmd --add-service=<SERVICE> [--zone=<ZONE>]
## REMOVE: Service FROM the Default/Specified Zone
firewall-cmd --remove-service=<SERVICE> [--zone=<ZONE>]
## CREATE: Custom Service
## Files in /etc/firewalld/services override the packaged ones in
## /usr/lib/firewalld/services (never edit the packaged copies). The new
## service is not visible to --get-services until firewall-cmd --reload.
## Alternative: firewall-cmd --permanent --new-service=<NAME> then --permanent --service=<NAME> --add-port=...
cp -av /usr/lib/firewalld/services/<ANY>.xml /etc/firewalld/services/<NAME>.xml
EditAsRequired (list only the ports/protocols the service really needs):
  /etc/firewalld/services/<NAME>.xml
chmod 640 /etc/firewalld/services/<NAME>.xml
restorecon /etc/firewalld/services/<NAME>.xml
firewall-cmd --reload

MASQUERADING
## Masquerading = source NAT for everything leaving through this zone; it turns
## the host into a NAT router for any network that can reach the zone, and
## firewalld switches on IPv4 forwarding for it (verify: sysctl net.ipv4.ip_forward).
## Enable it only on the zone that faces the outside, never on the internal one.
## SET: On the Default/Specified Zone
firewall-cmd --add-masquerade [--zone=<ZONE>]
## REMOVE: On the Default/Specified Zone
firewall-cmd --remove-masquerade [--zone=<ZONE>]

DIRECT RULES
## Direct rules are raw iptables/ip6tables/ebtables arguments that bypass the
## zone model entirely, so nothing in --list-all shows them; prefer rich rules
## and keep direct rules to the cases rich rules cannot express.
## <PROTOCOL> is ipv4 | ipv6 | eb ; <RULE> is <TABLE> <CHAIN> <PRIORITY> <iptables args>
## LIST: All
firewall-cmd --direct --get-all-rules
## ADD
firewall-cmd --direct [--permanent] --add-rule <PROTOCOL> <RULE>
firewall-cmd --direct [--permanent] --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT
## REMOVE (must repeat the rule exactly as it was added)
firewall-cmd --direct [--permanent] --remove-rule <PROTOCOL> <RULE>
firewall-cmd --direct [--permanent] --remove-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT

RICH RULES
## Write the network address in CIDR sources: host bits are masked off anyway,
## so "192.168.0.2/24" silently means the whole 192.168.0.0/24 subnet.
## ADD
firewall-cmd --add-rich-rule='<RULE>' [--zone=<ZONE>]
firewall-cmd --add-rich-rule=\
'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --zone=home
## REMOVE (same rule string AND same zone as the add, otherwise nothing matches)
firewall-cmd --remove-rich-rule='<RULE>' [--zone=<ZONE>]
firewall-cmd --remove-rich-rule=\
'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --zone=home

PERSISTENT CONFIGURATION
Backup (the archive describes your whole ruleset -- keep it with restricted permissions)
tar cvf <NAME>.tar /etc/firewalld/
Restore (then --reload so the restored files become the running rules)
tar xvf <NAME>.tar -C /
firewall-cmd --reload
Modify (written to /etc/firewalld only; NOT applied until --reload)
firewall-cmd <COMMAND> --permanent
Activate Permanent / Discard Transient Changes
## --reload keeps connection-tracking state; --complete-reload also reloads the
## netfilter modules and will most likely drop active connections.
firewall-cmd --reload
Save Running Configuration as Permanent
firewall-cmd --runtime-to-permanent

ZONES
## Interfaces and sources not bound to any zone land in the Default zone
## (normally "public"), so its policy is what an unconfigured NIC gets;
## never make a permissive zone such as "trusted" the default.
## LIST: Available
firewall-cmd --get-zones
## LIST: Active (only zones that actually have an interface or source bound)
firewall-cmd --get-active-zones
## LIST: Default
firewall-cmd --get-default-zone
## SHOW: All
firewall-cmd --list-all-zones
## SHOW: Default !!View the rules which are currently applied
firewall-cmd --list-all
## SHOW: Specific
firewall-cmd --list-all --zone=<ZONE>
## CREATE: New (--new-zone is a permanent-only option; --reload to use it at runtime)
firewall-cmd --permanent --new-zone=<ZONE>
firewall-cmd --reload
## SET: Default (changes runtime AND permanent configuration at once)
firewall-cmd --set-default-zone=<ZONE>

INTERFACES
## Before moving the interface you are logged in through, confirm the target
## zone allows ssh (firewall-cmd --list-all --zone=<ZONE>) or you lock yourself out.
## LIST: All Available
nmcli device status
ip link show
## LIST: Interface's Zone
firewall-cmd --get-zone-of-interface=<INTERFACE>
## LIST: Zone's Interface(s)
firewall-cmd --list-interfaces [--zone=<ZONE>]
## ADD: To Default/Specified Zone
firewall-cmd --add-interface=<INTERFACE> [--zone=<ZONE>]
## MOVE: To Default/Specified Zone
# Interface will revert to the Default Zone unless
# ZONE=<ZONE-NAME> is defined in interface's config:
#  /etc/sysconfig/network-scripts/ifcfg-<INTERFACE>
# (NetworkManager-managed links take the zone from the connection profile
#  instead: nmcli connection modify <CONNECTION> connection.zone <ZONE>)
firewall-cmd --change-interface=<INTERFACE> [--zone=<ZONE>]
## REMOVE: From the Default/Specified Zone (the interface then falls back to the Default zone)
firewall-cmd --remove-interface=<INTERFACE> [--zone=<ZONE>]

PORTS
## A port opened here is reachable from every source in the zone. Prefer
## --add-service (or a custom service) over bare ports so --list-all stays readable.
## LIST: Assigned to the Default/Specified Zone
firewall-cmd --list-ports [--zone=<ZONE>]
## ADD: Port/Range to the Default/Specified Zone
firewall-cmd --add-port=<PORT[-PORT]/PROTOCOL> [--zone=<ZONE>]
## REMOVE: Port/Range from the Default/Specified Zone
firewall-cmd --remove-port=<PORT[-PORT]/PROTOCOL> [--zone=<ZONE>]

PORT FORWARDING
## Kernel IP forwarding is only needed when toaddr points at ANOTHER host.
## A forwarding host routes between every network it is attached to, so leave
## it off for local (same-host) port redirection.
## Check if Kernel IP Forwarding is enabled
sysctl net.ipv4.ip_forward
## Enable IP Kernel Forwarding: Temporarily
sysctl -w net.ipv4.ip_forward=1
## Enable IP Kernel Forwarding: Permanently
vim /etc/sysctl.conf
 ++ net.ipv4.ip_forward = 1
sysctl -p /etc/sysctl.conf
## (or a drop-in: echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-ip-forward.conf ; sysctl --system)
## SET: of a port on the Default/Specific Zone to same/another port on the Same/Other IP
## At least one of toport/toaddr is required; forwarding to another host (toaddr)
## also needs masquerading enabled on the zone.
firewall-cmd --add-forward-port=port=<PORT>:proto=<PROTOCOL>[:toport=<PORT>][:toaddr=<IP-ADDR>] [--zone=<ZONE>]
## REMOVE: Forwarding -- must repeat exactly the port/proto/toport/toaddr used when adding
firewall-cmd --remove-forward-port=port=<PORT>:proto=<PROTOCOL>[:toport=<PORT>][:toaddr=<IP-ADDR>] [--zone=<ZONE>]

PANIC MODE
## Panic mode drops EVERY packet in and out, including the SSH session you run
## it from -- use it only with console/out-of-band access. It is runtime-only
## (not persisted across a firewalld restart); --panic-off restores the normal rules.
## CHECK
firewall-cmd --query-panic
## ACTIVATE
firewall-cmd --panic-on
## DEACTIVATE
firewall-cmd --panic-off
