How To Configure Firewall on CentOS 7 Step by Step

Configure Firewall on CentOS 7

FirewallD is a complete firewall solution that manages the system’s iptables rules and provides a D-Bus interface for operating on them. Starting with CentOS 7, FirewallD replaces iptables as the default firewall management tool. In this tutorial we will learn how to configure the firewall on CentOS 7.

Prerequisites

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and, most importantly, host your site on your own VPS. The installation is quite simple and assumes you are running as the root account; if not, you may need to prefix the commands with ‘sudo’ to get root privileges. I will walk you step by step through configuring the firewall on a CentOS 7 server.

Configure Firewall on CentOS 7

Step 1. First, let’s start by ensuring your system is up-to-date.

yum clean all
yum -y update

Step 2. Installing FirewallD on CentOS 7.

Firewalld is installed by default on CentOS 7, but if it is not installed on your system, you can execute the following command for its installation:

sudo yum install firewalld

After you install firewalld, you can enable the service and reboot your server. Keep in mind that enabling firewalld will cause the service to start up at boot:

sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo reboot

We can verify that the service is running and reachable by typing:

sudo firewall-cmd --state

Step 3. Setup and configuration of FirewallD on CentOS 7.

FirewallD uses services and zones instead of iptables rules and chains. By default the following zones are available:

drop – Drop all incoming network packets with no reply; only outgoing network connections are available.
block – Reject all incoming network packets with an icmp-host-prohibited message; only outgoing network connections are available.
public – Only selected incoming connections are accepted; for use in public areas.
external – For external networks with masquerading enabled; only selected incoming connections are accepted.
dmz – DMZ (demilitarized zone), publicly accessible with limited access to the internal network; only selected incoming connections are accepted.
work – For computers in your work area; only selected incoming connections are accepted.
home – For computers in your home area; only selected incoming connections are accepted.
internal – For computers in your internal network; only selected incoming connections are accepted.
trusted – All network connections are accepted.

To list all available zones run:

firewall-cmd --get-zones
work drop internal external trusted home dmz public block

To list the default zone:

firewall-cmd --get-default-zone
public

To change the default zone:

firewall-cmd --set-default-zone=dmz
firewall-cmd --get-default-zone
dmz

For example, here is how you can configure your VPS firewall with FirewallD if you were running a web server, SSH on port 8888 and a mail server.

First we will set the default zone to dmz.

firewall-cmd --set-default-zone=dmz
firewall-cmd --get-default-zone
dmz

To add permanent service rules for HTTP and HTTPS to the dmz zone, run:

firewall-cmd --zone=dmz --add-service=http --permanent
firewall-cmd --zone=dmz --add-service=https --permanent

Since the SSH port has been changed to 8888, we will remove the ssh service (port 22) and open port 8888:

firewall-cmd --remove-service=ssh --permanent
firewall-cmd --add-port=8888/tcp --permanent

To implement the changes we need to reload the firewall with:

firewall-cmd --reload

Finally, you can list the rules with:

firewall-cmd --list-all
dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: http https imap imaps pop3 pop3s smtp smtps
  ports: 7022/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
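As an added example (not part of the tutorial), the following Python script parses the firewall-cmd --list-all output shown above and audits the zone against an intended policy: the HTTP, HTTPS and mail services plus the custom SSH port. The sample output is embedded as constructed input, and the intended service and port sets are assumptions.

```python
"""Audit a firewalld zone parsed from `firewall-cmd --list-all` output against
an intended policy.  Added example, not part of the tutorial."""

# Constructed sample: the zone listing shown in the tutorial above.
SAMPLE_LIST_ALL = """\
dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: http https imap imaps pop3 pop3s smtp smtps
  ports: 7022/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
"""

def parse_list_all(text):
    """Return (zone_name, {field: [tokens]}); zone line may read 'dmz (active)'."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    zone = lines[0].split()[0]
    fields = {}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        fields[key.strip()] = value.split()
    return zone, fields

def audit_zone(text, zone, services, ports):
    """Compare the live zone with the intended policy; return a list of findings."""
    name, fields = parse_list_all(text)
    findings = [] if name == zone else [f"zone is {name}, expected {zone}"]
    have_svc = set(fields.get("services", []))
    have_ports = set(fields.get("ports", []))
    findings += [f"service {s} missing" for s in sorted(set(services) - have_svc)]
    findings += [f"service {s} open but not in policy" for s in sorted(have_svc - set(services))]
    findings += [f"port {p} missing" for p in sorted(set(ports) - have_ports)]
    findings += [f"port {p} open but not in policy" for p in sorted(have_ports - set(ports))]
    return findings

# Assumed intended policy for the tutorial's web + mail server with SSH on 8888.
INTENDED_SERVICES = {"http", "https", "smtp", "smtps", "imap", "imaps", "pop3", "pop3s"}
INTENDED_PORTS = {"8888/tcp"}

if __name__ == "__main__":
    for f in audit_zone(SAMPLE_LIST_ALL, "dmz", INTENDED_SERVICES, INTENDED_PORTS):
        print("FINDING:", f)
```

Run against the listing above it reports that 8888/tcp is not open while 7022/tcp is, which is exactly the kind of drift between intent and live configuration the audit is meant to catch.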

Congratulations! You have successfully configured the firewall. Thanks for using this tutorial for installing firewalld on a CentOS 7 system. For additional help or useful information, we recommend you check the official firewalld website.

How To Configure the Iptables Firewall on CentOS

Configure the Iptables Firewall on CentOS

Iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables for Ethernet frames. (Read more on: wikipedia)

Configure the Iptables Firewall on CentOS

Setting up iptables

You can use the following procedure to verify that iptables is installed and to view its package status. Open a terminal and type the following commands:

# iptables -V
# yum info iptables


If these commands do not report an installed iptables package, you can install it with:

# yum -y install iptables

Understanding the firewall: by default there are four chains:

  • INPUT : The default chain for packets addressed to the system.
  • OUTPUT : The default chain for packets generated by the system.
  • FORWARD : The default chain for packets routed through the system to another interface.
  • RH-Firewall-1-INPUT : A user-defined custom chain.

Target Meanings

  • The target ACCEPT means allow the packet.
  • The target REJECT means drop the packet and send an error message back to the remote host.
  • The target DROP means drop the packet silently, without sending an error message to the remote or sending host.

The default iptables configuration on CentOS does not allow access to the HTTP (TCP port 80) and HTTPS (TCP port 443) ports used by the Nginx web server. Configure it step by step as follows:

Step 1: Flush all iptables rules

# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X

Step 2: Set default rules

# iptables -P INPUT DROP
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT

Step 3: Allow access to HTTP (port 80) and HTTPS (port 443)

# iptables -A INPUT -i lo -j ACCEPT 
# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT 
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
# iptables -A INPUT -p icmp -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
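To see why rule order and the default policy matter, here is an added Python model (not from the tutorial, and a deliberately simplified view of netfilter) of the INPUT chain built in Steps 2 and 3, evaluated with first-match semantics. It shows that new connections to 80 and 443 are accepted, while a new connection to port 22 falls through to the DROP policy, so a remotely administered server needs an SSH rule before this ruleset is applied; the Packet and Rule classes are assumptions of the model.

```python
"""First-match model of the tutorial's INPUT chain (added example, not from the
tutorial; a simplified view of netfilter, enough to show rule order and policy)."""
from dataclasses import dataclass

@dataclass
class Packet:
    iface: str = "eth0"
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"      # conntrack state: NEW, ESTABLISHED, RELATED, INVALID

@dataclass
class Rule:
    target: str
    iface: str = None        # -i
    proto: str = None        # -p
    dport: int = None        # --dport
    states: tuple = ()       # -m state --state ...; empty means any state

    def matches(self, p):
        return ((self.iface is None or p.iface == self.iface)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (not self.states or p.state in self.states))

# The INPUT chain from Step 3 above, in the order the rules were appended.
INPUT_CHAIN = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", states=("ESTABLISHED",)),
    Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", proto="tcp", dport=80, states=("NEW",)),
    Rule("ACCEPT", proto="tcp", dport=443, states=("NEW",)),
]
INPUT_POLICY = "DROP"        # from Step 2: iptables -P INPUT DROP

def verdict(packet, chain=INPUT_CHAIN, policy=INPUT_POLICY):
    """Return the target of the first matching rule, or the chain policy."""
    for rule in chain:
        if rule.matches(packet):
            return rule.target
    return policy

if __name__ == "__main__":
    for p in (Packet(dport=80), Packet(dport=22), Packet(dport=22, state="ESTABLISHED"),
              Packet(proto="icmp"), Packet(proto="udp", dport=53)):
        print(p, "->", verdict(p))
```

Note that an already established SSH session keeps working through the ESTABLISHED rule; only new SSH connections are affected, which is why the lockout often shows up after the next reconnect.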

Step 4: Turn on and save iptables

Type the following two commands to turn on the firewall at boot and save the current rules:

# chkconfig iptables on
# service iptables save