SETUP
FirewallD
yum install firewalld firewall-config
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --state
Disable FirewallD & Set Up iptables
systemctl disable firewalld
systemctl stop firewalld
yum install iptables-services
touch /etc/sysconfig/iptables
touch /etc/sysconfig/ip6tables
systemctl enable iptables
systemctl enable ip6tables
systemctl start iptables
systemctl start ip6tables
systemctl status iptables
systemctl status ip6tables
HELP
firewall-cmd --help
firewall-cmd --<DOUBLE-TAB>
SOURCES
## LIST: Of the Default/Specified Zone
firewall-cmd --list-sources [--zone=<ZONE>]
## ADD: To the Default/Specified Zone
firewall-cmd --add-source=<IP[/CIDR]> [--zone=<ZONE>]
## MOVE: To the Default/Specified Zone
firewall-cmd --change-source=<IP[/CIDR]> [--zone=<ZONE>]
## REMOVE: From the Default/Specified Zone
firewall-cmd --remove-source=<IP[/CIDR]> [--zone=<ZONE>]
SERVICES
## LIST: All Available
firewall-cmd --get-services
## LIST: Assigned to the Default/Specified Zone
firewall-cmd --list-services [--zone=<ZONE>]
## ADD: Service to the Default/Specified Zone
firewall-cmd --add-service=<SERVICE> [--zone=<ZONE>]
## REMOVE: Service from the Default/Specified Zone
firewall-cmd --remove-service=<SERVICE> [--zone=<ZONE>]
## CREATE: Custom Service
cp -av /usr/lib/firewalld/services/<ANY>.xml /etc/firewalld/services/<NAME>.xml
Edit as required:
/etc/firewalld/services/<NAME>.xml
chmod 640 /etc/firewalld/services/<NAME>.xml
restorecon /etc/firewalld/services/<NAME>.xml
MASQUERADING
## SET: On the Default/Specified Zone
firewall-cmd --add-masquerade [--zone=<ZONE>]
## REMOVE: From the Default/Specified Zone
firewall-cmd --remove-masquerade [--zone=<ZONE>]
DIRECT RULES
## LIST: All
firewall-cmd --direct --get-all-rules
## ADD
firewall-cmd --direct [--permanent] --add-rule <PROTOCOL> <RULE>
firewall-cmd --direct [--permanent] --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT
## REMOVE
firewall-cmd --direct [--permanent] --remove-rule <PROTOCOL> <RULE>
firewall-cmd --direct [--permanent] --remove-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT
RICH RULES
## ADD
firewall-cmd --add-rich-rule='<RULE>' [--zone=<ZONE>]
firewall-cmd --add-rich-rule=\
'rule family="ipv4" source address="192.168.0.2/24" service name="http" accept' --zone=home
## REMOVE
firewall-cmd --remove-rich-rule='<RULE>' [--zone=<ZONE>]
firewall-cmd --remove-rich-rule=\
'rule family="ipv4" source address="192.168.0.2/24" service name="http" accept'
PERSISTENT CONFIGURATION
Backup
tar cvf <NAME>.tar /etc/firewalld/
Restore
tar xvf <NAME>.tar -C /
Modify
firewall-cmd <COMMAND> --permanent
Activate Permanent / Discard Transient Changes
firewall-cmd --reload
Save Running Configuration as Permanent
firewall-cmd --runtime-to-permanent
ZONES
## LIST: Available
firewall-cmd --get-zones
## LIST: Active
firewall-cmd --get-active-zones
## LIST: Default
firewall-cmd --get-default-zone
## SHOW: All
firewall-cmd --list-all-zones
## SHOW: Default !! View the rules which are currently applied
firewall-cmd --list-all
## SHOW: Specific
firewall-cmd --list-all --zone=<ZONE>
## CREATE: New
firewall-cmd --new-zone=<ZONE>
## SET: Default
firewall-cmd --set-default-zone=<ZONE>
INTERFACES
## LIST: All Available
nmcli device status
ip link show
## LIST: Interface's Zone
firewall-cmd --get-zone-of-interface=<INTERFACE>
## LIST: Zone's Interface(s)
firewall-cmd --list-interfaces [--zone=<ZONE>]
## ADD: To the Default/Specified Zone
firewall-cmd --add-interface=<INTERFACE> [--zone=<ZONE>]
## MOVE: To the Default/Specified Zone
# The interface will revert to the Default Zone unless
# ZONE=<ZONE-NAME> is defined in the interface's config:
# /etc/sysconfig/network-scripts/ifcfg-<INTERFACE>
firewall-cmd --change-interface=<INTERFACE> [--zone=<ZONE>]
## REMOVE: From the Default/Specified Zone
firewall-cmd --remove-interface=<INTERFACE> [--zone=<ZONE>]
PORTS
## LIST: Assigned to the Default/Specified Zone
firewall-cmd --list-ports [--zone=<ZONE>]
## ADD: Port/Range to the Default/Specified Zone
firewall-cmd --add-port=<PORT[-PORT]/PROTOCOL> [--zone=<ZONE>]
## REMOVE: Port/Range from the Default/Specified Zone
firewall-cmd --remove-port=<PORT[-PORT]/PROTOCOL> [--zone=<ZONE>]
PORT FORWARDING
## Check if Kernel IP Forwarding is enabled
sysctl net.ipv4.ip_forward
## Enable Kernel IP Forwarding: Temporarily
sysctl -w net.ipv4.ip_forward=1
## Enable Kernel IP Forwarding: Permanently
vim /etc/sysctl.conf
++ net.ipv4.ip_forward=1
sysctl -p /etc/sysctl.conf
## SET: Forward a port on the Default/Specified Zone to the same/another port on the same/another IP
firewall-cmd --add-forward-port=\
port=<PORT>:proto=<PROTOCOL>\
:toport=<PORT>[:toaddr=<IP-ADDR>] [--zone=<ZONE>]
## REMOVE: Forwarding – the destination must be given explicitly
firewall-cmd --remove-forward-port=\
port=<PORT>:proto=<PROTOCOL>\
[:toport=<PORT>][:toaddr=<IP-ADDR>] [--zone=<ZONE>]
PANIC MODE
## CHECK
firewall-cmd --query-panic
## ACTIVATE
firewall-cmd --panic-on
## DEACTIVATE
firewall-cmd --panic-off