Sam Hooke

CentOS 7 firewalld

General §

The full manual for firewalld on CentOS 7 can be found in section 5 of the RHEL 7 security guide.

Important details about when commands take effect:

  • Commands issued without the --permanent option take effect instantly, but are lost upon reload.
  • Commands issued with the --permanent option do not take effect until reload is called.
  • To make a change permanent and have it take effect instantly, run the command first with and then without the --permanent option. (This is quicker than doing a reload.)

Important details about zones:

  • If --zone is not specified, the command automatically and silently uses the default zone.
  • By default, the default zone is public.
  • The default zone can be changed by editing /etc/firewalld/firewalld.conf and then performing a reload.
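The two rules above (runtime changes vanish on reload, permanent changes wait for one) are easy to get wrong by hand. The following helper functions are an added example, not part of the original notes: fw_apply runs a change with and then without --permanent in one step, and fw_in_sync asks the same --query-* question of both configurations so that a rule that exists only at runtime (and will disappear on the next reload) shows up as a mismatch. The FW variable is an assumption of this example; it defaults to a dry run that only prints the firewall-cmd invocation, so the functions can be read and exercised on a machine without firewalld.

```shell
#!/bin/sh
# Added helper (not from the original notes). FW names the firewall-cmd
# command; it defaults to a dry run that only prints what would be run,
# so these functions can be exercised on a host without firewalld.
FW="${FW:-echo firewall-cmd}"

# Apply one change to both the permanent and the runtime configuration.
# The permanent form runs first so a rejected argument stops the change
# before the live firewall is touched; the zone is always given explicitly
# rather than relying on the silent default zone.
fw_apply() {
    zone="$1"; shift
    $FW --permanent --zone="$zone" "$@" || return 1
    $FW --zone="$zone" "$@"
}

# Compare the answer to a query (for example --query-service=ssh) between the
# runtime and permanent configuration of a zone. Prints both answers and
# returns 0 only when they agree, so a rule added without --permanent (which
# will be lost on the next reload) is reported as a mismatch.
fw_in_sync() {
    zone="$1"; query="$2"
    rt=$($FW --zone="$zone" "$query" 2>/dev/null)
    pm=$($FW --permanent --zone="$zone" "$query" 2>/dev/null)
    echo "runtime=$rt permanent=$pm"
    [ "$rt" = "$pm" ]
}
```

Run with FW=firewall-cmd on the CentOS 7 host to act on the real firewall; for example `fw_apply public --add-service=smtp` followed by `fw_in_sync public --query-service=smtp` should then print `runtime=yes permanent=yes`.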

Open a port (specifying the service) §

Where possible, allow a service rather than a bare port number; the resulting rules are more human-readable. For example, to view the currently allowed services:

$ firewall-cmd --zone=public --list-services
dhcpv6-client ssh

To enable smtp:

$ firewall-cmd --zone=public --add-service=smtp

Open a port (specifying the number) §

Allow port 12345 on the public zone:

$ firewall-cmd --zone=public --add-port=12345/tcp --permanent

List open ports on the public zone (because the port was added with --permanent, it only appears here after a reload, or after also running the command without --permanent):

$ firewall-cmd --zone=public --list-ports
12345/tcp

Port forwarding connections through an access machine §

Given the following network configuration:

       gateway
          |
          | public
          |
      eth0|192.168.57.138
 +--------+--------+
 |  access machine |
 +--------+--------+
      eth1|192.168.136.1
          |
          | internal
          |
    ens160|192.168.136.40
 +--------+--------+
 |  hidden machine |
 +-----------------+

All following commands, unless otherwise specified, are run from the access machine.

Verify that the interfaces are in the zones shown in the diagram above:

$ firewall-cmd --get-active-zones
internal
  interfaces: eth1
public
  interfaces: eth0

Enable masquerade on the public zone.

$ firewall-cmd --zone=public --add-masquerade --permanent
success

Check whether the public zone has masquerade enabled.

$ firewall-cmd --zone=public --query-masquerade
yes

Forward inbound TCP packets on port 10022 to port 22 on address 192.168.136.40. The rule is added with --permanent so that it survives the reload below:

$ firewall-cmd --zone=public --add-forward-port=port=10022:proto=tcp:toport=22:toaddr=192.168.136.40 --permanent

List configuration for the public zone.

$ firewall-cmd --zone=public --list-all

Reload the firewall so the --permanent changes take effect. Any changes made without --permanent are lost at this point.

$ firewall-cmd --reload
success

It is now possible to ssh from the gateway through to the hidden machine using port 10022.

$ ssh user@192.168.57.138 -p10022
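The masquerade, forward-port, reload and query steps above fit naturally into one script that can be re-run on the access machine. The following is an added example, not from the original notes: setup_forward applies the rules permanently, reloads, and then verifies with --query-masquerade and --query-forward-port that both are active before reporting success, so a caller never assumes the tunnel works when a step was rejected. The FW variable and the function names are assumptions of this example; FW defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not from the original notes): set up and verify the
# access-machine port forward with firewall-cmd. FW defaults to a dry run
# that prints each command instead of executing it.
FW="${FW:-echo firewall-cmd}"

# Build the argument used by --add-forward-port and --query-forward-port.
# $1 external port, $2 protocol, $3 internal port, $4 internal address
fwd_rule() {
    echo "port=$1:proto=$2:toport=$3:toaddr=$4"
}

# Permanently enable masquerade and a TCP port forward on a zone, reload so
# the permanent rules become active, then confirm both are live at runtime.
# Returns non-zero as soon as any step fails.
setup_forward() {
    zone="$1"; ext_port="$2"; int_port="$3"; hidden="$4"
    rule=$(fwd_rule "$ext_port" tcp "$int_port" "$hidden")
    # Masquerade is needed on the public zone because the forward target is
    # another host, not a port on the access machine itself.
    $FW --permanent --zone="$zone" --add-masquerade || return 1
    $FW --permanent --zone="$zone" --add-forward-port="$rule" || return 1
    $FW --reload || return 1
    # --query-* exit 0 (and print "yes") only when the rule is active now.
    $FW --zone="$zone" --query-masquerade >/dev/null || return 1
    $FW --zone="$zone" --query-forward-port="$rule" >/dev/null || return 1
    echo "forwarding $zone:$ext_port/tcp -> $hidden:$int_port"
}

# Usage on the access machine from the diagram (dry run unless FW=firewall-cmd):
setup_forward public 10022 22 192.168.136.40
```

With FW=firewall-cmd the script leaves the same configuration as the manual steps above, and `firewall-cmd --zone=public --list-all` can be used afterwards to confirm the masquerade and forward-port entries.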