CentOS Firewall Tutorial – How to Install and Setup the CentOS Firewall?

In this tutorial, we will be installing and configuring the CentOS firewall. We will be using a very powerful and popular Firewall management tool called firewalld. Firewalld is built over iptables (which was previously used to filter network traffic) and comes preinstalled in all newer versions of CentOS, RHEL, and Fedora.

Fundamentals of Firewalld

Firewalld or firewall daemon filters network traffic with the help of zones. These zones have a set of rules which then defines the level of security. These are the nine predefined zones with increasing order of reliability:

  • drop: All incoming network packets are dropped without any reply.
  • block: All incoming network packets are dropped but are rejected with an ICMP message as a reply.
  • public: These are for use in public areas. You do not trust other users on your network.
  • external: For use on external networks with masquerading enabled especially for routers. Only selected network traffics are allowed.
  • dmz: For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
  • work: For use in work areas. You mostly trust the other computers on networks, however, only selected incoming connections are accepted.
  • home: For use in home areas. You mostly trust the other computers on networks with very few restriction on incoming traffic.
  • internal: For use internal areas. You mostly trust the other computers on networks with very few restriction on incoming traffic.
  • trusted: All network connections are accepted.

You can refer the firewalld official documentation for more details on zones.

Any network interface on your machine can be added to these zones. For example you can put your Ethernet interface in work zone where you can trust other users on the network and let’s say your wireless network interface in public zone which is much more secure and restricts most incoming traffic.

Installing CentOS firewalld

Let’s get right into the first step of working with the CentOS firewall – The installation.

1. Checking previous instance of firewalld

Firewalld comes preinstalled on CentOS 7 and newer. You can test your installation by running the following command on the terminal:

rpmquery firewalld

If you have firewalld installed, it should be looking something like this:

Checking Firewalld Installation Edited
Checking Firewalld Installation Edited

2. Installing firewalld using yum

If after running the previous command you see an error stating that the package firewalld is not installed, don’t worry. Just run the following command:

yum install firewalld

3. Starting and Enabling firewalld

And to start and enable firewalld from runtime, run the following few commands:

systemctl disable --now iptables.service
systemctl disable --now ip6tables.service
systemctl disable --now etables.service
systemctl disable --now ipset.service
systemctl unmask --now firewalld.service
systemctl enable --now firewalld.service

To check if firewalld is running, run the systemctl command:

systemctl status firewalld
firewall-cmd --state

You should probably see something like this:

Firewall Running Status Edited
Firewall Running Status Edited

Configuring firewalld

Once we are ready with the installation, let’s see how can we configure and use firewalld.

1. Checking Existing Configuration

So before we dive in to configure our firewall, let’s see what existing configuration do we have. So let’s run our first command:

firewall-cmd --list-all

This command will list all the active zones in our configuration. Take a look at what I see when I run this command:

Firewalld List All Command Edited
Firewalld List All Command Edited

So there are few things that we can check in the output. The first line says the zone which is public (active). Then we see the list of all interfaces attached to that zone. In this case, we have ‘enp0s3’ (which is our ethernet interface) in the public zone. Then we look at services, these are all the services that are allowed in that zone, so we have dhcpv6-client and ssh related services allowed in the zone.

Ports will have the details of all the allowed ports on the network zone and then similar to this we have protocols which are all the allowed protocols like smtp, tcp, udp etc.

To check all the services that can be added to a zone, we can run the following command:

firewall-cmd --get-services
Firewalld Services 1
Firewalld Services

You can add or allow any of these services to any zones according to your need. We will be discussing that in the next part. If you need more details on these services, you can explore the .xml file which is available for each services in the directory /usr/etc/firewalld/services/.

To list all the predefined zones and configuration attached to all the zones, you can run the following two command:

firewall-cmd --get-zones
firewall-cmd --list-all-zones
Firewall Zones 1
Firewall Zones 1

2. Adding interface to a zone

So first let’s see what all interfaces we have on our machine by running the following command:

ip a

This command will list all the interface on your machine. When I run this command, it looks something like this:

Ip A Command
Checking interface with ip a command

After we’ve checked the interface, we can add the interface to a zone with the following command:

firewall-cmd --permanent --zone=ZONE --add-interface=INTERFACE

You can also change the zone of an interface with the following command:

firewall-cmd --permanent --zone=ZONE --change-interface=INTERFACE

Similarly to remove an interface from a zone, you can run the above command with --remove-interface tag. It’s important to use the --permanent tag to keep changes after a restart.

To check zone of an interface, you can run:

firewall-cmd --get-zone-of-interface=INTERFACE

3. Adding services/rules to a zone

You can allow a service by adding them to a zone by the following command:

firewall-cmd --permanent --zone=ZONE --add-service=SERVICE

To allow a port, similarly, you can run the following command:

firewall-cmd --permanent --zone=ZONE --add-port=port-id/protocol

You can also add series of port with the above command, for example you can use --add-port=100-200/tcp to add all TCP ports between 100-200. To remove a service or port you can run the following command:

firewall-cmd --permanent --zone=ZONE --remove-service=SERVICE
firewall-cmd --permanent --zone=ZONE --remove-port=port-id/protocol

To allow certain specific source ip-address or a set of ip-address, you can run the following command:

firewall-cmd --permanent --zone=ZONE --add-source=source[/mask]

Similarly, you can remove source ip-address by using --remove-source tag. To check all the latest change, you can run the following command:

firewall-cmd --get-active-zones

You can also use GUI to configure firewalld if you’re using a desktop environment, simply run firewall-config and it should be looking something like this:

Firewall Config
Firewall Config

Conclusion

This was just an introduction to firewalld. Firewalld is a very powerful and easy-to-use tool and you can refer the official documentation for more details. I hope you learned something from this tutorial. Thanks for reading this article! Cheers!