CentOS 7 firewalld
General §
The full manual for firewalld on CentOS 7 can be found in section 5 of the RHEL 7 security guide.
Important details about when commands take effect:
- Commands issued without the `--permanent` option take effect instantly, but are lost upon `reload`.
- Commands issued with the `--permanent` option do not take effect until `reload` is called.
- If wanting a command to be permanent and take effect instantly, run it with and then without the `--permanent` option. (This is quicker than doing a `reload`.)
Important details about zones:
- If `--zone` is not specified, the command automatically and silently uses the default zone.
- By default, the default zone is `public`.
- The default zone can be changed by editing `/etc/firewalld/firewalld.conf` and then performing a `reload`.
Open a port (specifying the service) §
Preferably, rather than allowing a port number, allow a named service. This makes the rule set more human-friendly to read. For example, to view the currently allowed services:
To enable smtp:
Open a port (specifying the number) §
Allow port `12345` on the `public` zone:
List open ports on the `public` zone:
Port forwarding connections through an access machine §
Given the following network configuration:
All following commands, unless otherwise specified, are run from the access machine.
Verify that the interfaces are in the zones shown in the diagram above:
Enable masquerade on the `public` zone.
Check whether the `public` zone has masquerade enabled.
Inbound packets on port `10022` are sent to port `22` on address `192.168.136.40`.
List configuration for the `public` zone.
Reload the firewall. Any non-`--permanent` changes will be lost.
It is now possible to ssh from the gateway through to the hidden machine using port 10022.
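The following is an added example, not part of the original page, that wraps the `firewall-cmd` invocations for both the "open a port" sections and the port-forwarding procedure above in one POSIX sh script. It encodes the rules of thumb from the General section: every change names its zone explicitly, a change meant to be both persistent and immediate is run with and then without `--permanent`, and the forwarding setup uses `--permanent` throughout and finishes with `--reload`. The function names (`run_fw`, `fw_allow_service`, `fw_allow_port`, `fw_forward`), the `FW_ZONE` and `FW_DRY_RUN` variables, the input validation, and the interface name `eth0` are all assumptions of this example, not something the page specifies; the port numbers and hidden-host address are the page's own.

```shell
#!/bin/sh
# Added example (not from the original page): a small POSIX sh wrapper around
# firewall-cmd. Assumptions not on the page: the zone defaults to "public"
# via $FW_ZONE, and FW_DRY_RUN=1 (or a host without firewall-cmd) prints each
# command line instead of running it, so the logic can be exercised anywhere.

FW_ZONE="${FW_ZONE:-public}"

# run_fw ARGS... : run firewall-cmd, or echo the command line in dry-run mode
run_fw() {
    if [ "${FW_DRY_RUN:-0}" = "1" ] || ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# fw_now_and_permanent ARGS... : persist a change and apply it at runtime,
# the quicker alternative to --permanent followed by --reload
fw_now_and_permanent() {
    run_fw --permanent --zone="$FW_ZONE" "$@" &&
    run_fw --zone="$FW_ZONE" "$@"
}

# fw_allow_service NAME : allow a named service such as smtp in $FW_ZONE
fw_allow_service() {
    fw_now_and_permanent --add-service="$1"
}

# fw_check_port PORT/PROTO : succeed only for 1..65535 with proto tcp or udp
fw_check_port() {
    fw_port=${1%/*}; fw_proto=${1#*/}
    case "$fw_proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$fw_port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$fw_port" -ge 1 ] && [ "$fw_port" -le 65535 ]
}

# fw_allow_port PORT/PROTO : allow a numbered port, rejecting malformed specs
fw_allow_port() {
    fw_check_port "$1" || { echo "bad port spec '$1' (want e.g. 12345/tcp)" >&2; return 2; }
    fw_now_and_permanent --add-port="$1"
}

# fw_check_ipv4 ADDR : succeed only for a dotted quad with octets in 0..255
fw_check_ipv4() {
    fw_n=0; fw_old_ifs=$IFS; IFS=.
    for fw_oct in $1; do
        case "$fw_oct" in ''|*[!0-9]*) IFS=$fw_old_ifs; return 1 ;; esac
        [ "$fw_oct" -le 255 ] || { IFS=$fw_old_ifs; return 1; }
        fw_n=$((fw_n + 1))
    done
    IFS=$fw_old_ifs
    [ "$fw_n" -eq 4 ]
}

# fw_forward IFACE EXT_PORT HIDDEN_ADDR HIDDEN_PORT : expose one TCP port of a
# hidden machine through this access machine, following the steps above
fw_forward() {
    fw_check_port "$2/tcp" && fw_check_port "$4/tcp" && fw_check_ipv4 "$3" ||
        { echo "usage: fw_forward IFACE EXT_PORT HIDDEN_ADDR HIDDEN_PORT" >&2; return 2; }
    # 1. show which zone the outward-facing interface is in
    run_fw --get-zone-of-interface="$1"
    # 2. masquerade so replies from the hidden host are rewritten on the way out
    run_fw --permanent --zone="$FW_ZONE" --add-masquerade
    # 3. forward only the single port that is needed
    run_fw --permanent --zone="$FW_ZONE" \
        --add-forward-port="port=$2:proto=tcp:toport=$4:toaddr=$3"
    # 4. load the permanent rules; runtime-only changes are discarded here
    run_fw --reload
    # 5. verify masquerade and review the full zone configuration
    run_fw --zone="$FW_ZONE" --query-masquerade
    run_fw --zone="$FW_ZONE" --list-all
}

# Demo (command lines only) when invoked as: sh fw.sh demo
# eth0 is an assumed interface name; the ports and address are the page's.
if [ "${1:-}" = "demo" ]; then
    FW_DRY_RUN=1
    fw_allow_service smtp
    fw_allow_port 12345/tcp
    fw_forward eth0 10022 192.168.136.40 22
fi
```

Running `sh fw.sh demo` prints the exact `firewall-cmd` lines that would be executed, which is a convenient way to review a change before applying it on the access machine; with `FW_DRY_RUN` unset on a host that has firewalld, the same functions execute them.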