Chapter 12. Firewall

Table of Contents

Firewalld
Installation
Ports opening
Ports forwarding
Autoload
Check rules
IPtables
NAT
Rules list
Cleaning a rules list

A firewall is an essential network tool that controls access to network resources.

ULFS supports several firewall back-ends, such as iptables and nftables, but when working with the firewalld front-end, iptables is the more suitable back-end.

Firewalld

Firewalld is a command-line firewall front-end that is also used by the libvirt daemon. Both firewalld and libvirt are products of Red Hat and are used in the RedHat, CentOS and Fedora distributions. You can find more information in their documentation.

Installation

To install firewalld, just build and install the firewalld source package:

chimp install firewalld

After installing firewalld, its back-end needs to be configured. As mentioned above, we recommend iptables. Edit the /etc/firewalld/firewalld.conf file and set the "FirewallBackend" parameter to "iptables".

Once firewalld is configured, we can enable the firewalld daemon to start automatically at boot.

systemctl enable firewalld

To launch firewalld, either restart the system or run the command:

systemctl start firewalld

Ports opening

Once firewalld is running, all ports on the local machine are closed to outside access. Ports must be opened before they can be reached.

Ports opening for all

To open the TCP port for ssh by port number, use the command:

firewall-cmd --add-port=22/tcp

To open the TCP port by service name, use the command:

firewall-cmd --add-service=ssh

It should be noted that if you configure a service to use a port other than its default from the /etc/services file, access may be denied. You then have to check the firewall settings manually.

Ports opening for a specific IP address

Sometimes ports need to be opened only for a specific IP address, for example to perform administrative tasks.

To open TCP port 5900 for 10.0.0.1, we can use the command:

firewall-cmd --add-rich-rule='
  rule family="ipv4"
  source address="10.0.0.1"
  port protocol="tcp" port="5900" accept'

To open multiple ports in a given range, use "-" as the delimiter in the port value (for example: "5900-5999").
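
The following script is an added example for this section, not part of ULFS or firewalld; it wraps the two forms of port opening shown above (--add-port for everyone, a rich rule for one source address) in a single function that validates its arguments, applies the rule to both the runtime and the permanent configuration, and then asks firewalld whether the rule is actually present. The address 10.0.0.1 and the range 5900-5999 are constructed sample values.

```sh
#!/bin/sh
# Added example (not ULFS code): open a port or port range, optionally for a
# single source address only, then ask firewalld whether the rule is really there.
# 10.0.0.1 and 5900-5999 below are constructed sample values.

# Accept "22" or "5900-5999"; reject empty, non-numeric, out-of-range or reversed specs.
validate_port_spec() {
    spec=$1
    case $spec in
        *-*) lo=${spec%%-*}; hi=${spec#*-} ;;
        *)   lo=$spec;       hi=$spec ;;
    esac
    [ -n "$lo" ] && [ -n "$hi" ] || return 1
    case "$lo$hi" in *[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Dotted-quad IPv4 check for the source address placed in a rich rule.
validate_ipv4() {
    ip=$1
    case $ip in *[!0-9.]*|''|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Compose the rich rule: only the given source may reach the port (range).
build_rich_rule() {
    src=$1; spec=$2; proto=${3:-tcp}
    validate_ipv4 "$src" || return 1
    validate_port_spec "$spec" || return 1
    printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" accept\n' \
        "$src" "$proto" "$spec"
}

# open_port PORT-SPEC [PROTO] [SOURCE]: without SOURCE the port is opened for
# everyone with --add-port; with SOURCE a rich rule restricts it to that address.
open_port() {
    spec=$1; proto=${2:-tcp}; src=$3
    validate_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    if [ -n "$src" ]; then
        rule=$(build_rich_rule "$src" "$spec" "$proto") || { echo "bad source: $src" >&2; return 1; }
        set -- --add-rich-rule="$rule"
        query=--query-rich-rule="$rule"
    else
        set -- --add-port="$spec/$proto"
        query=--query-port="$spec/$proto"
    fi
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found; would run: firewall-cmd $*" >&2; return 1; }
    firewall-cmd "$@" >/dev/null              # runtime: takes effect immediately
    firewall-cmd --permanent "$@" >/dev/null  # permanent: survives --reload and reboot
    firewall-cmd "$query"                     # prints yes/no; exit status 0 only when present
}

# Set FIREWALLD_APPLY=1 to change the firewall; otherwise only show the rule text.
if [ "${FIREWALLD_APPLY:-0}" = 1 ]; then
    open_port 5900-5999 tcp 10.0.0.1
else
    build_rich_rule 10.0.0.1 5900-5999 tcp
fi
```

The final --query-* call is the check worth keeping: firewall-cmd happily accepts an --add-port for a service that was moved to a non-default port, so querying what firewalld actually holds, rather than trusting the add command's exit status, is how the mismatch described above is noticed.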

Ports forwarding

It is possible to grant outside access to local network resources. Opening access to ports on local network nodes is called port forwarding.

Port forwarding is very useful when you work with virtual machines.

Port forwarding for all

To open port 27960 on a virtual machine with the address 192.168.122.2, we can use the command:

firewall-cmd --add-forward-port=port=27960:proto=udp:toaddr=192.168.122.2

Port forwarding for specific IP-address

To open TCP port 1194 on the local machine with the address 192.168.122.2 for the address 10.0.0.1, we can use the command:

firewall-cmd --zone=public --add-rich-rule='
  rule family=ipv4
  source address=10.0.0.1
  forward-port port=1194 protocol=tcp to-port=1194 to-addr=192.168.122.2'
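
The script below is an added example, not ULFS or firewalld code; it builds both forwarding forms shown above (the --add-forward-port value for everyone and the rich rule for one source address), applies them to the runtime and permanent configuration, and queries the result. Two things the commands above leave implicit are made explicit here: forwarding to a different host requires masquerading to be enabled on the zone (a firewalld requirement, otherwise the guest's replies are not rewritten and connections never complete), and the --add-forward-port value follows the order firewall-cmd documents, port, proto, optional toport, then toaddr. The zone name "public", the addresses 192.168.122.2 and 10.0.0.1 and the port numbers are assumptions taken as sample values.

```sh
#!/bin/sh
# Added example (not ULFS code): forward a port on this host to a machine behind
# it, such as a libvirt guest, and confirm firewalld accepted the rule.
# 192.168.122.2, 10.0.0.1 and the port numbers are constructed sample values;
# the zone defaults to "public", which is an assumption.

# Reject anything that is not a plain port number in 1..65535.
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the argument for --add-forward-port in the documented order:
# port=P:proto=X[:toport=Q]:toaddr=A   (toport optional, toaddr the target host)
build_forward_spec() {
    port=$1; proto=$2; toaddr=$3; toport=$4
    is_port "$port" || return 1
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    [ -n "$toaddr" ] || return 1
    spec="port=$port:proto=$proto"
    if [ -n "$toport" ]; then
        is_port "$toport" || return 1
        spec="$spec:toport=$toport"
    fi
    printf '%s\n' "$spec:toaddr=$toaddr"
}

# Build the rich-rule form, which additionally restricts who may use the forward.
# The destination port defaults to the incoming port.
build_forward_rich_rule() {
    src=$1; port=$2; proto=$3; toaddr=$4; toport=${5:-$2}
    is_port "$port" && is_port "$toport" || return 1
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    [ -n "$src" ] && [ -n "$toaddr" ] || return 1
    printf 'rule family=ipv4 source address=%s forward-port port=%s protocol=%s to-port=%s to-addr=%s\n' \
        "$src" "$port" "$proto" "$toport" "$toaddr"
}

# forward_port PORT PROTO TOADDR [SOURCE]: without SOURCE everyone may use the
# forward; with SOURCE only that address may.
forward_port() {
    zone=${ZONE:-public}
    port=$1; proto=$2; toaddr=$3; src=$4
    if [ -n "$src" ]; then
        rule=$(build_forward_rich_rule "$src" "$port" "$proto" "$toaddr") || return 1
        set -- --add-rich-rule="$rule"; query=--query-rich-rule="$rule"
    else
        spec=$(build_forward_spec "$port" "$proto" "$toaddr") || return 1
        set -- --add-forward-port="$spec"; query=--query-forward-port="$spec"
    fi
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found; would run: firewall-cmd --zone=$zone $*" >&2; return 1; }
    # Forwarding to another host only works with masquerading enabled on the zone;
    # without it the guest's replies carry an address the client never contacted.
    firewall-cmd --zone="$zone" --add-masquerade >/dev/null
    firewall-cmd --zone="$zone" "$@" >/dev/null
    firewall-cmd --zone="$zone" --permanent --add-masquerade >/dev/null
    firewall-cmd --zone="$zone" --permanent "$@" >/dev/null
    firewall-cmd --zone="$zone" "$query"   # prints yes/no; exit status 0 only when present
}

# Set FIREWALLD_APPLY=1 to change the firewall; otherwise only show the rule text.
if [ "${FIREWALLD_APPLY:-0}" = 1 ]; then
    forward_port 27960 udp 192.168.122.2            # game port, reachable by everyone
    forward_port 1194 tcp 192.168.122.2 10.0.0.1    # VPN port, one admin host only
else
    build_forward_spec 27960 udp 192.168.122.2
    build_forward_rich_rule 10.0.0.1 1194 tcp 192.168.122.2
fi
```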

Autoload

To save firewalld rules so that they are loaded automatically at boot, pass the additional "--permanent" option to the firewall-cmd command.

To discard temporary (runtime) firewalld rules and load the stored permanent rules, use the command:

firewall-cmd --reload

Check rules

To check the current rules, use the command:

firewall-cmd --list-all
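
A check that ties the two previous sections together, added here as an example and not part of ULFS or firewalld: rules added without "--permanent" exist only in the runtime configuration and disappear on "firewall-cmd --reload" or a reboot. The script compares the output of "firewall-cmd --list-all" with that of "firewall-cmd --permanent --list-all" for one zone and prints every entry that only the runtime side has. The two listings embedded in the script are constructed samples of the --list-all format, not captured from a real host, and the zone name "public" is an assumption.

```sh
#!/bin/sh
# Added example (not ULFS code): find runtime rules that exist only in memory and
# would vanish on `firewall-cmd --reload` or a reboot because they were never
# added with --permanent. The two listings below are constructed samples of
# `firewall-cmd --list-all` output, not captured from a real host.

SAMPLE_RUNTIME='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 5900-5999/tcp
  masquerade: yes
  forward-ports:
        port=27960:proto=udp:toport=:toaddr=192.168.122.2
  rich rules:
        rule family="ipv4" source address="10.0.0.1" port port="5900" protocol="tcp" accept'

SAMPLE_PERMANENT='public
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  rich rules:'

# Turn a --list-all listing into one entry per line so both sides compare item
# by item: "services: a b" becomes "services: a" and "services: b", the
# "(active)" marker only the runtime listing carries is dropped, and
# indentation and blank lines are removed.
normalize_listing() {
    awk '
        NR == 1 { sub(/ \(active\)$/, "") }
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "" { next }
        /^(services|ports|protocols|source-ports|interfaces|sources|icmp-blocks): / {
            for (i = 2; i <= NF; i++) print $1 " " $i
            next
        }
        { print }
    '
}

# Print entries present in the runtime listing ($1) but absent from the
# permanent listing ($2), sorted. Permanent entries are read first and
# remembered; runtime entries not seen there are reported once each.
runtime_only_rules() {
    {
        printf '%s\n' "$2" | normalize_listing | sed 's/^/permanent /'
        printf '%s\n' "$1" | normalize_listing | sed 's/^/runtime /'
    } | awk '
        { side = $1; entry = substr($0, length(side) + 2) }
        side == "permanent" { keep[entry] = 1; next }
        !(entry in keep) && !(entry in seen) { seen[entry] = 1; print entry }
    ' | LC_ALL=C sort
}

# Query a live firewalld for both listings of one zone and report the drift.
check_persistence() {
    zone=${1:-public}
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 2; }
    lost=$(runtime_only_rules "$(firewall-cmd --zone="$zone" --list-all)" \
                              "$(firewall-cmd --permanent --zone="$zone" --list-all)")
    if [ -n "$lost" ]; then
        echo "zone $zone: runtime-only entries that --reload or a reboot will drop:"
        printf '%s\n' "$lost" | sed 's/^/  /'
        return 1
    fi
    echo "zone $zone: runtime and permanent configuration match"
}

if command -v firewall-cmd >/dev/null 2>&1; then
    check_persistence public
else
    echo "no firewalld on this host; running the constructed sample instead:"
    runtime_only_rules "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
fi
```

When the script reports drift, "firewall-cmd --runtime-to-permanent" copies the current runtime configuration into the permanent one in a single step, after which "firewall-cmd --reload" should leave the listing unchanged.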