
Firewall

  • linux

Enable firewall

  • firewall-config → GUI for options

    • add ports
  • firewall-cmd → CLI
  • cat /etc/sysconfig/iptables-config
  • cat /etc/firewalld/firewalld.conf

Firewall config

  • iptables = old, firewalld = new (use in all Linux distros)
  • Check iptables rules → iptables -L
  • Flush rules → iptables -F

Iptables packet filtering

  • Tables (process packets) → filter

    • attached to chains (inspect traffic)

    • INPUT → incoming traffic

    • FORWARD → traffic passing through this host to another device (host acting as a router)

    • OUTPUT → outgoing traffic

  • Target (what happens when a rule is met)

    • ACCEPT
    • REJECT → send reject response
    • DROP → drop without response

Firewalld

  • firewall-cmd --list-all

    • show the rules currently in effect
  • firewall-cmd --get-services

    • list the services firewalld is aware of
  • firewall-cmd --reload

    • reload for new rules
  • firewall-cmd --get-zones

    • get a list of all zones
    • public zone is used most of the time
  • firewall-cmd --get-active-zones

    • get active zones
  • firewall-cmd --zone=public --list-all

    • get firewall rule for public zone

Add extra service:

  • cp /usr/lib/firewalld/services/allservices.xml /etc/firewalld/services/sap.xml

    • copy a service file into /etc/firewalld/services/, then change the service name and port number
  • sap.xml → firewall-cmd --add-service=sap

  • firewall-cmd --add-service=http

    • add a service (http)
    • --permanent
  • firewall-cmd --remove-service=http

    • remove a service (http)
    • --permanent
  • firewall-cmd --reload

    • reload configuration
  • firewall-cmd --add-port=1110/tcp

    • add a port
    • --permanent
  • firewall-cmd --remove-port=1110/tcp

    • remove a port
    • --permanent
  • firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.8.1" drop'

    • block certain IP address
  • firewall-cmd --add-icmp-block=echo-request

    • block ping
  • firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -d 8.9.10.11 -j DROP

    • block outgoing traffic to a website by IP address (look the address up first with host www.website.com)
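
The --permanent and --reload notes above mean a rule can exist in only one of firewalld's two configurations. The script below is an added example, not part of the original notes: it compares the text of firewall-cmd --list-all with firewall-cmd --permanent --list-all and reports services and ports present in only one of them. The function names and the sample output are constructed for illustration, and only the services: and ports: fields are compared.

```bash
#!/bin/bash
# Added example (not from the original notes): find firewalld rules that differ
# between the runtime and the permanent configuration.

# Print "services NAME" / "ports PORT/PROTO" lines from --list-all style text.
fw_items() {
    awk '$1 == "services:" || $1 == "ports:" {
             key = $1; sub(/:$/, "", key)
             for (i = 2; i <= NF; i++) print key, $i
         }' "$1" | sort -u
}

# fw_drift RUNTIME_FILE PERMANENT_FILE
#   runtime-only   -> added without --permanent, lost on --reload or reboot
#   permanent-only -> saved with --permanent, inactive until --reload
fw_drift() {
    local rt pm
    rt=$(mktemp); pm=$(mktemp)
    fw_items "$1" > "$rt"
    fw_items "$2" > "$pm"
    comm -23 "$rt" "$pm" | sed 's/^/runtime-only /'
    comm -13 "$rt" "$pm" | sed 's/^/permanent-only /'
    rm -f "$rt" "$pm"
}

# Constructed sample output; on a real host capture it with
#   firewall-cmd --list-all > runtime.txt
#   firewall-cmd --permanent --list-all > permanent.txt
demo() {
    local d; d=$(mktemp -d)
    cat > "$d/runtime.txt" <<'EOF'
public (active)
  interfaces: eth0
  services: dhcpv6-client http ssh
  ports: 1110/tcp
  source-ports:
EOF
    cat > "$d/permanent.txt" <<'EOF'
public
  interfaces: eth0
  services: dhcpv6-client sap ssh
  ports:
  source-ports:
EOF
    fw_drift "$d/runtime.txt" "$d/permanent.txt"
    rm -rf "$d"
}

demo
```

An empty result means the running firewall and the saved configuration agree on services and ports.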