IPTables, nfTables and firewalld Note Packet # 7
CSN190 - Advanced Linux Ken Mead Genesee Community College
Firewalls on RedHat
A local firewall can be used to allow and/or deny access to services on a system or a network. The standard firewall service on RedHat based systems is firewalld.
For a long time, iptables was the standard command for modifying the firewall rules.
In RHEL 8, iptables has been replaced with nftables, which is very similar. You can still switch firewalld back to the iptables backend if you wish (the FirewallBackend setting in /etc/firewalld/firewalld.conf).
In either case, instead of invoking these commands directly, the preferred way to manage the firewall is the firewall-cmd command or the firewall-config GUI.
For RHCSA, you need basic knowledge of how to modify the firewall rules to block or allow network communication through one or more ports, and may use iptables, nftables, firewall-cmd, or firewall-config (the GUI).
Red Hat doctrine suggests you don't use iptables (or nftables) directly: firewalld owns the rule set, and rules added by hand are lost the next time it reloads.
We'll work directly with only firewall-cmd and firewall-config in this discussion.
Standard Ports
Some standard ports for well known services.
The iptables command
In RedHat 7, iptables is how firewalls are built behind the scenes.
In RedHat 8, nftables is the replacement for iptables, and is similar in structure. We'll discuss iptables here.
iptables is based on chains: ordered lists of rules that each network packet is checked against, top to bottom, until one matches.
Rules live in tables. The two you will deal with most are filter and nat (others exist, such as mangle, but are not needed here).
We'll focus on filter, which allows us to open or close ports to network packets based on certain conditions.
Simple Examples:
# iptables -L (lists the current rules in the filter table)
# iptables -F (flushes out all rules on filter table)
iptables overview
You can append or delete rules using -A and -D (-I inserts a rule at the top of a chain, or at a given position). Each rule is attached to one of three built-in chains:
● INPUT (for all incoming packets addressed to this machine)
● OUTPUT (for all outgoing packets)
● FORWARD (packets to be routed to another machine through this machine)
We'll focus on INPUT for now.
You might want to specify a source IP address (or network) for your packets using -s ip_address (e.g. -s 192.168.200.0/24).
You could specify a protocol using the -p switch (e.g. -p tcp).
You could specify a destination port using --dport portnum (e.g. --dport 443); this requires a protocol, so it is used together with -p tcp or -p udp.
You should specify an action using the -j switch, with three common targets:
● -j DROP - drop the packet and don't notify the sender
● -j REJECT - drop the packet and send a rejection notice (an ICMP error, or a TCP reset with --reject-with tcp-reset) to the sender
● -j ACCEPT - allow the packet to proceed
There are other useful options as well, for instance -m module to load a match extension (e.g. -m state --state NEW to match only packets that open a new connection).
Adding a Rule - examples
To allow http traffic to everyone:
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
To deny http traffic from one IP address:
# iptables -A INPUT -s 65.55.44.100 -p tcp --destination-port 80 -j DROP
To deny ssh traffic from a whole subnet:
# iptables -A INPUT -s 65.55.0.0/16 -p tcp --destination-port 22 -j DROP
Note that -A appends to the end of the chain and the first matching rule wins, so a DROP rule appended after the ACCEPT rule for port 80 above would never be reached for that port; either add the deny rules first or insert them at the top with -I INPUT.
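The three rules above are fragments. The following is an added example (not from the slides) that assembles the same iptables options into a complete default-deny INPUT policy and shows why rule order matters. It uses -m conntrack --ctstate, the current form of -m state --state; the management subnet 192.168.200.0/24 is an assumption, and DRY_RUN=1 (the default) prints the commands instead of executing them, so the script can be read and tested without root.

```bash
#!/usr/bin/env bash
# Added example, not from the slides: a default-deny INPUT chain built from
# the iptables options covered above. MGMT_NET is an assumed management
# subnet; DRY_RUN=1 (default) prints the commands instead of running them.
# Set DRY_RUN=0 and run as root to apply the policy for real.
set -eu

MGMT_NET="${MGMT_NET:-192.168.200.0/24}"   # assumed
DRY_RUN="${DRY_RUN:-1}"

# ipt: print the iptables command in dry-run mode, otherwise execute it.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# build_input_policy: iptables evaluates a chain top to bottom and the first
# matching rule wins, so the ACCEPT rules must be appended before the
# catch-all REJECT, and the policy is flipped to DROP only as the last step
# so an interrupted run never leaves a remote ssh session cut off.
build_input_policy() {
  # Reset the policy to ACCEPT before flushing: flushing a chain whose
  # policy is already DROP would lock out the ssh session running this.
  ipt -P INPUT ACCEPT
  ipt -F INPUT
  # Loopback is always allowed; many local services depend on it.
  ipt -A INPUT -i lo -j ACCEPT
  # Packets belonging to connections already accepted (and related traffic
  # such as ICMP errors); -m conntrack is the modern form of -m state.
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Drop packets the connection tracker cannot classify at all.
  ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
  # ssh only from the management subnet.
  ipt -A INPUT -s "$MGMT_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  # Web services open to everyone.
  ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
  ipt -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
  # Any other TCP connection attempt gets a clean reset instead of a timeout...
  ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  # ...and anything not matched above (UDP etc.) is silently dropped.
  ipt -P INPUT DROP
}

# rule_count: number of iptables commands the policy issues (dry-run mode).
rule_count() {
  build_input_policy | wc -l | tr -d ' '
}

build_input_policy
```

Run it once with DRY_RUN=1 and read the output top to bottom as the kernel would: every rule before the REJECT is an exception to the deny-by-default posture, and adding a new service means inserting its ACCEPT above the REJECT, not appending below it.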
Using firewalld
Firewalld uses the concept of zones to help you configure your firewall.
You can add interfaces and ip ranges (sources) to whichever zone you wish; a packet is matched by its source first, then by the zone of the interface it arrived on.
For example, if you trust all servers on the 192.168.122.0/24 network, you can add that range as a source of the internal zone, or of the trusted zone, which accepts all traffic.
The public zone is the default zone, but that can be changed with firewall-cmd --set-default-zone.
Make sure firewalld is enabled and started:
# systemctl enable firewalld
# systemctl start firewalld
Firewalld Zones
The zones of firewalld, all of which can be modified and reconfigured.
The firewall-config GUI
Modifying Rules and Sources
Here we add 192.168.122.50 to our internal zone.
Opening Ports for Services
Adding the ftp, http, and https services to the default public zone.
Saving the configuration
If you want your changes to "stick", make sure you configure in Permanent mode; Runtime changes are lost at the next reload or restart of firewalld.
Standard Services - brief list
Standard Services - continued
Adding Custom Ports
firewall-cmd examples
firewall-cmd allows you to modify firewalld at the shell.
A few examples:
# firewall-cmd --get-default-zone
public
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources:
  services: dhcp dhcpv6-client ftp http https ssh
  ports: 5909/tcp
  ...
To add the imap service to the default zone (runtime only: effective immediately, lost at the next reload):
# firewall-cmd --add-service imap
success
# firewall-cmd --list-all
To do so permanently:
# firewall-cmd --add-service imap --permanent
success
# firewall-cmd --reload
Note that --permanent alone only changes the saved configuration; the --reload loads it into the running firewall (and discards any runtime-only changes). To make a change both immediate and permanent, run the command with and without --permanent, or test it at runtime first and then save the live state with firewall-cmd --runtime-to-permanent.
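The zone, source, service and port operations above are usually needed together. The following added example (not from the slides) performs one complete firewalld configuration pass with firewall-cmd only: a trusted host in the internal zone, the slide's services plus a custom port in public, and ssh in public restricted to a management subnet via a rich rule. The host 192.168.122.50, the subnet 192.168.200.0/24 and the port 5909/tcp are assumptions for illustration; DRY_RUN=1 (the default) prints the commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example, not from the slides: a complete firewalld configuration
# pass using only firewall-cmd. The trusted host, management subnet and
# custom port below are assumptions for illustration. DRY_RUN=1 (default)
# prints the commands; set DRY_RUN=0 on a host running firewalld to apply them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
TRUSTED_HOST="192.168.122.50"        # assumed
MGMT_NET="192.168.200.0/24"          # assumed
CUSTOM_PORT="5909/tcp"               # assumed

# fwc: print the firewall-cmd invocation in dry-run mode, otherwise run it.
fwc() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'firewall-cmd %s\n' "$*"
  else
    firewall-cmd "$@"
  fi
}

# configure_firewalld: every change is made with --permanent and activated by
# a single --reload at the end, so the live rule set never passes through a
# half-configured state (for instance ssh removed from public before the
# replacement rich rule is in place).
configure_firewalld() {
  # A trusted host goes in the internal zone. Source bindings are matched
  # before the interface's zone, so this host sees internal's services.
  fwc --permanent --zone=internal --add-source="$TRUSTED_HOST"

  # Services from the slides, opened to everyone in the default public zone.
  for svc in http https ftp; do
    fwc --permanent --zone=public --add-service="$svc"
  done

  # A custom port that has no predefined service definition.
  fwc --permanent --zone=public --add-port="$CUSTOM_PORT"

  # ssh from the management subnet only: drop the open ssh service and
  # replace it with a rich rule that accepts ssh from MGMT_NET alone.
  fwc --permanent --zone=public --remove-service=ssh
  fwc --permanent --zone=public --add-rich-rule="rule family=\"ipv4\" source address=\"$MGMT_NET\" service name=\"ssh\" accept"

  # Load the permanent configuration into the running firewall.
  fwc --reload
}

# show_zones: inspect the result for both zones touched above.
show_zones() {
  fwc --zone=public --list-all
  fwc --zone=internal --list-all
}

configure_firewalld
show_zones
```

If you prefer to try a change at runtime first (no --permanent), verify it with --list-all and then persist the live state with firewall-cmd --runtime-to-permanent instead of retyping every command; but when a change could lock you out, as the ssh restriction here could, the permanent-then-reload sequence above is safer because all of it becomes active at once.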