Projekt

Allgemein

Profil

Config firewalld » Historie » Version 2

Jeremias Keihsler, 09.09.2021 18:25

1 1 Jeremias Keihsler
h1. Config firewalld
2
3
have a look at 
4
* https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-8
5
* https://www.certdepot.net/rhel7-get-started-firewalld/
6 2 Jeremias Keihsler
* https://www.liquidweb.com/kb/an-introduction-to-firewalld/
7 1 Jeremias Keihsler
8 2 Jeremias Keihsler
h2. Add a Port for TCP or UDP
9
10
You do have to specify TCP or UDP and to open a port for both. You will need to add rules for each protocol.
11
12
<pre><code class="shell">
13
firewall-cmd --permanent --add-port=22/TCP
14
firewall-cmd --permanent --add-port=53/UDP
15
</code></pre>
16
17
h2. Remove a Port for TCP or UDP
18
19
Using a slight variation on the above structure, you can remove a currently open port, effectively closing off that port.
20
21
<pre><code class="shell">
22
firewall-cmd --permanent --remove-port=444/tcp
23
</code></pre>
24
25
h2. Add a Service
26
27
These services assume the default ports configured within the /etc/services configuration file; if you wish to use a service on a non-standard port, you will have to open the specific port, as in the example above.
28
29
<pre><code class="shell">
30
firewall-cmd --permanent --add-service=ssh
31
firewall-cmd --permanent --add-service=http
32
</code></pre>
33
34
h2. Remove a Service
35
36
As above, you specify the remove-service option, and you can close off the port that is defined for that service.
37
38
<pre><code class="shell">
39
firewall-cmd --permanent --remove-service=mysql
40
</code></pre>
41
42
h2. Whitelist an IP Address
43
44
To whitelist or allow access from an IP or range of IPs, you can tell the firewall to add a trusted source.
45
46
<pre><code class="shell">
47
firewall-cmd --permanent --add-source=192.168.1.100
48
</code></pre>
49
50
You can also allow a range of IPs using what is called CIDR notation. CIDR is outside the scope of this article but is a shorthand that can be used for noting ranges of IP addresses.
51
52
<pre><code class="shell">
53
firewall-cmd --permanent --add-source=192.168.1.0/24
54
</code></pre>
55
56
h2. Remove a Whitelisted IP Address
57
58
To remove a whitelisted IP or IP range, you can use the --remove-source option.
59
60
<pre><code class="shell">
61
firewall-cmd --permanent --remove-source=192.168.1.100
62
</code></pre>
63
64
h2. Block an IP Address
65
66
As the firewall-cmd tool is mostly used for opening or allowing access, rich rules are needed to block an IP. Rich rules are similar in form to the way iptables rules are written.
67
68
<pre><code class="shell">
69
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"
70
</code></pre>
71
72
You can again use CIDR notation also block a range of IP addresses.
73
74
<pre><code class="shell">
75
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"
76
</code></pre>
77
78
h2. to forward a specific port (not yet working!)
79
<pre><code class="shell">
80 1 Jeremias Keihsler
firewall-cmd --zone=public --permanent --add-port=2222/tcp
81
firewall-cmd --zone=public --add-masquerade --permanent
82
firewall-cmd --zone=public --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.122.80 --permanent
83
firewall-cmd --reload
84
firewall-cmd --zone=public --list-all
85
</code></pre>
86
87
h1. Testing
88
89
you may consider http://portquiz.net/
90
91 2 Jeremias Keihsler
<pre><code class="shell">
92 1 Jeremias Keihsler
http://portquiz.net:1234/
93
</code></pre>
94
95
This example tests whether you are able to visit outbound port 1234. You simply change the port number to whatever you like. Also, the site gives some examples that could be used in a command line script:
96
97 2 Jeremias Keihsler
<pre><code class="shell">
98 1 Jeremias Keihsler
wget -qO- portquiz.net:1234 
99
</code></pre>
100
101 2 Jeremias Keihsler
<pre><code class="shell">
102 1 Jeremias Keihsler
Port 1234 test successful!
103
Your IP: 198.252.206.16
104
</code></pre>