Red Hat and CentOS use firewalld (driven from the command line with firewall-cmd) as their base firewall manager.
First, check whether the firewall is running:
$ firewall-cmd --state
firewalld keeps two configurations: the runtime (currently active) configuration and the permanent one. Some commands require the --permanent switch, for example creating a new zone:
$ firewall-cmd --permanent
firewalld is organised into zones. Each zone can contain several sources (IP addresses or networks), and you can also bind interfaces to a zone.
You can list the zones with:
$ firewall-cmd --get-zones
You can get the default zone with:
$ firewall-cmd --get-default-zone
You can also check which zones are active. This is very helpful when you have several zones and want to know which ones are bound to sources, interfaces, etc.:
$ firewall-cmd --get-active-zones
Creating a new zone.
Remember that you have to add the --permanent switch in order to add a new zone; zones can only be created in the permanent configuration.
$ firewall-cmd --permanent --new-zone=my-custom-zone
You can bind any network interface on the machine to a zone.
You can list the interfaces with:
$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:99:88:55 brd ff:ff:ff:ff:ff:ff
and add it to the zone:
$ firewall-cmd --zone=public --add-interface=eno1
You can add several IP addresses or networks to a zone as sources, like this:
$ firewall-cmd --zone=company --add-source=192.168.1.12/32
# or
$ firewall-cmd --zone=another-zone --add-source=10.25.12.0/24
You can open a port in a zone, so that requests arriving from that zone's sources or interfaces see the port as open:
$ firewall-cmd --zone=mongo-server --add-port=23070/tcp
You can also decide which services are reachable through a given zone. Services are like presets, so you don't need to remember the port number for each service.
For example, to allow access to your MySQL server you only have to add the mysql service to the zone rather than port 3306 itself. This is especially useful when you are going to query several zones and read them by eye: you can quickly see which zone allows which service, instead of pausing to recall what that port number was for 🙂
$ firewall-cmd --zone=company --add-service=mysql
or add several services at once:
$ firewall-cmd --zone=company --add-service=mysql --add-service=ssh
If there is no predefined service for your port, or you are using an unusual port number, you can open it by port number.
Don't forget that you have to specify the protocol:
$ firewall-cmd --zone=company --add-port=1234/tcp
$ firewall-cmd --add-port=1234/tcp --add-port=4321/udp
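The steps above (create a zone, add sources, services and ports) put together as one script. This is an added example, not code from the original post; it assumes firewall-cmd is on PATH, applies everything to the permanent configuration and then runs firewall-cmd --reload so the changes become live. The zone name, sources, services and port are constructed sample values.

```shell
#!/bin/sh
# Added example: build a restricted zone the way the post describes, in the
# permanent configuration, then reload and show the result for review.
# Set FIREWALL_CMD=echo to print the commands instead of running them
# (assumption: firewall-cmd is on PATH when FIREWALL_CMD is left unset).
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# create_zone ZONE "SOURCES" "SERVICES" "PORTS"
#   ZONE     name of the new zone            (sample: company)
#   SOURCES  space-separated CIDR sources    (sample: 192.168.1.12/32 10.25.12.0/24)
#   SERVICES space-separated service presets (sample: mysql ssh)
#   PORTS    space-separated port/protocol   (sample: 23070/tcp)
create_zone() {
    zone="$1"; sources="$2"; services="$3"; ports="$4"

    # zones can only be created in the permanent configuration
    "$FIREWALL_CMD" --permanent --new-zone="$zone"

    for src in $sources; do
        "$FIREWALL_CMD" --permanent --zone="$zone" --add-source="$src"
    done
    for svc in $services; do
        "$FIREWALL_CMD" --permanent --zone="$zone" --add-service="$svc"
    done
    for port in $ports; do
        "$FIREWALL_CMD" --permanent --zone="$zone" --add-port="$port"
    done

    # permanent changes are not active until firewalld reloads them
    "$FIREWALL_CMD" --reload

    # print the resulting zone so the allowed sources/services/ports can be checked
    "$FIREWALL_CMD" --zone="$zone" --list-all
}

# Usage (constructed sample values):
#   create_zone company "192.168.1.12/32 10.25.12.0/24" "mysql ssh" "23070/tcp"
```

Run it once with FIREWALL_CMD=echo to review the generated commands before applying them for real.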