Useful ‘FirewallD’ Rules to Configure and Manage Firewall in Linux

Firewalld provides a way to configure dynamic firewall rules in Linux that can be applied instantly, without restarting the firewall; it also supports D-Bus and the zone concept, which makes configuration easier.

Useful Firewalld Rules to Manage Linux Firewall

Firewalld replaced the old firewall mechanism in Fedora (from Fedora 18 onwards), and RHEL/CentOS 7 and other recent distributions rely on this new mechanism. One of the main motives for introducing a new firewall system was that the old firewall needed a restart after every change, which broke all active connections. As noted above, firewalld supports dynamic zones, which is useful for configuring different sets of zones and rules for your office or home network from the command line or through a GUI.

At first the firewalld concept looks difficult to configure, but services and zones make it easier by keeping both together, as covered in this article.

In our earlier article we saw how to work with firewalld and its zones; in this article we look at some useful firewalld rules for configuring your Linux systems from the command line.

  1. Firewalld Configuration in RHEL/CentOS 7

All the examples covered in this article were tested on CentOS 7 and also work on RHEL and Fedora.

Before implementing firewalld rules, first check whether the firewalld service is enabled and running.

# systemctl status firewalld
Firewalld Status Check

The output above shows that firewalld is active and running. Now check the active zones and the services firewalld knows about (the second command lists every predefined service, not only the enabled ones).

# firewall-cmd --get-active-zones
# firewall-cmd --get-services
Check Firewalld Zones and Services

If you're not familiar with the command line, you can also manage firewalld from a GUI; for this you need the firewall-config package installed. If it is not, install it with the following command.

# yum install firewalld firewall-config

As said above, this article is written for command-line lovers, and all the examples we are going to cover are command-line only; there is no GUI walkthrough here.

Before moving further, confirm which zone you are going to configure (the public zone in this article) and list all active services, ports and rich rules for that zone using the following command.

# firewall-cmd --zone=public --list-all
Check Firewalld Public Zones

In the output above, no rules have been added yet. Let's see how to add, remove and modify rules in the remaining part of this article.

1. Adding and Removing Ports in Firewalld

To open a port in the public zone, use the following command. For example, the following command opens port 80/tcp in the public zone. The --permanent option writes the rule to the saved configuration, which takes effect only after firewall-cmd --reload (or a service restart); without it, the rule applies to the running firewall immediately but is lost on the next reload.

# firewall-cmd --permanent --zone=public --add-port=80/tcp

Similarly, to remove the added port, use the --remove-port option as shown below. Note that this command has no --permanent, so it changes the running firewall only; run it a second time with --permanent to remove the port from the saved configuration as well.

# firewall-cmd --zone=public --remove-port=80/tcp

After adding or removing a port, confirm the change with the --list-ports option (add --permanent to list the saved configuration instead of the running one).

# firewall-cmd --zone=public --list-ports
Add Port in Firewalld
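Because --permanent changes and runtime changes are tracked separately, a zone's saved configuration can silently differ from what the kernel is enforcing. The script below is an added example, not part of the original article: it parses the output of firewall-cmd --zone=public --list-all for both views and reports any port or service that exists in only one of them. The two outputs embedded in it are constructed samples; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect drift between a zone's runtime and permanent configuration.
# Not part of the original article; the --list-all outputs below are constructed.

# Print the value of one "key:" line (ports, services, ...) from --list-all output.
zone_field() {            # $1 = field name, stdin = --list-all output
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Print each space-separated entry of $1 that does not appear in $2.
missing_from() {
    for item in $1; do
        case " $2 " in *" $item "*) ;; *) printf '%s\n' "$item" ;; esac
    done
}

# Compare one field between runtime ($2) and permanent ($3) --list-all output.
# Prints "ok" when they agree, otherwise one line per difference.
field_drift() {           # $1 = field, $2 = runtime output, $3 = permanent output
    run=$(printf '%s\n' "$2" | zone_field "$1")
    perm=$(printf '%s\n' "$3" | zone_field "$1")
    only_perm=$(missing_from "$perm" "$run" | sed 's/^/permanent-only: /')
    only_run=$(missing_from "$run" "$perm" | sed 's/^/runtime-only: /')
    out=$(printf '%s\n%s\n' "$only_perm" "$only_run" | sed '/^$/d')
    if [ -n "$out" ]; then printf '%s\n' "$out"; else echo ok; fi
}

# Constructed samples: what the runtime and permanent views of the public zone
# might look like after the article's `--permanent --add-port=80/tcp` without a
# `--reload`, on a host where 8080/tcp was opened at runtime only.
RUNTIME='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 8080/tcp
  rich rules: '
PERMANENT='public
  target: default
  services: dhcpv6-client ssh
  ports: 80/tcp
  rich rules: '

# On a live system replace the samples with:
#   "$(firewall-cmd --zone=public --list-all)" and
#   "$(firewall-cmd --permanent --zone=public --list-all)"
field_drift ports "$RUNTIME" "$PERMANENT"
field_drift services "$RUNTIME" "$PERMANENT"
```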

2. Adding and Removing Services in Firewalld

By default firewalld comes with a set of predefined services. If you want to add your own services, create a new XML service file that defines them; otherwise you can add or remove each service manually with the following commands.

For example, the following commands add or remove a specific service (FTP in this example) and list the services enabled in the zone.

# firewall-cmd --zone=public --add-service=ftp
# firewall-cmd --zone=public --remove-service=ftp
# firewall-cmd --zone=public --list-services
Add Services in Firewalld

3. Block Incoming and Outgoing Packets (Panic Mode)

If you wish to block all incoming and outgoing connections, use panic mode. For example, the following command drops every incoming and outgoing packet, including those of existing established connections, so do not run it over a remote SSH session.

# firewall-cmd --panic-on

After enabling panic mode, try to ping any domain (say google.com) and check whether panic mode is on using the --query-panic option, as shown below.

# ping google.com -c 1
# firewall-cmd --query-panic
Block Incoming Connections in Firewalld

As the picture above shows, ping reports "Unknown host google.com", because no packets (DNS included) can leave the host while panic mode is on. Now disable panic mode, then ping again and check.

# firewall-cmd --query-panic
# firewall-cmd --panic-off
# ping google.com -c 1
Disable Panic Mode in Firewalld

This time there will be a ping reply from google.com.


Babin Lonston
I've been working as a System Administrator for the last 10 years, with 4 years of experience with Linux distributions, and fell in love with text-based operating systems.


14 Comments

  1. Hi, I want to know if I could add certain IPs (approx. 5 IPs) to access my Linux server using SSH so that no one except those IPs would be able to access the server. I don't want to use rich rules. How can I do that?

    My server is RHEL 7.4.

      • Babin,

        I followed the URL you provided in your comment above. Looking at that, I think I was not able to describe my problem clearly.

        Actually, I have a Linux server on a network. I have hundreds of other computers (running Windows) on the same network. All of them can access my server, but I want to allow only 5 IPs (i.e. 5 other computers) on the same network to access my Linux server using SSH. So I want to set up a firewall-cmd rule so that, apart from those 5 IPs, no one on the network would be able to access my Linux server. How can I do that?

        Once again thanks for your earlier response.

        • @Naushad,

          We assume your 5 IPs are in the 192.168.1.x range.

          # firewall-cmd --permanent --zone=public --add-source=192.168.1.1
          # firewall-cmd --permanent --zone=public --add-source=192.168.1.2
          # firewall-cmd --permanent --zone=public --add-port=22/tcp
          # firewall-cmd --permanent --zone=public --remove-interface=eno16777728
          # firewall-cmd --reload

          Thanks & Regards,
          Babin Lonston

          • Thanks Babin for your kind response. Now I have got it. Doing this will automatically block all the other users except those which are added by the add-source option, right?

            But I didn’t get why I need to remove my interface.

        • Sure, I understand your requirement now.

          To achieve this, you can use the firewall-cmd command to configure the firewall rules on your Linux server.

          Here’s how you can set it up to allow only specific IP addresses to access your server via SSH:

          # Allow SSH connections from specific IP addresses
          sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="IP_ADDRESS_1" port protocol="tcp" port="22" accept'
          sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="IP_ADDRESS_2" port protocol="tcp" port="22" accept'
          sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="IP_ADDRESS_3" port protocol="tcp" port="22" accept'
          sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="IP_ADDRESS_4" port protocol="tcp" port="22" accept'
          sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="IP_ADDRESS_5" port protocol="tcp" port="22" accept'
          
          # Drop SSH connections from all other IP addresses
          sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="NOT_IP_ADDRESS_1" reject'
          sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="NOT_IP_ADDRESS_2" reject'
          # Add similar rules for other IP addresses if needed
          
          # Reload firewall to apply changes
          sudo firewall-cmd --reload
          

          Replace ‘IP_ADDRESS_1’, ‘IP_ADDRESS_2’, etc., with the actual IP addresses you want to allow SSH access from. Also, replace ‘NOT_IP_ADDRESS_1’, ‘NOT_IP_ADDRESS_2’, etc., with the IP addresses you want to block.

          After executing these commands, only the specified IP addresses will be able to access your Linux server via SSH, while all other connections will be rejected by the firewall. Make sure to adjust the rules according to your specific requirements.

    • Yes, you can certainly add networks in CIDR notation like ‘172.5.0.0/24’ to the firewall rules.

      Here’s how you would modify the commands to allow SSH access from a specific network range:

      # Allow SSH connections from specific IP addresses or networks
      sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="IP_ADDRESS_1" port protocol="tcp" port="22" accept'
      sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="IP_ADDRESS_2" port protocol="tcp" port="22" accept'
      sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="172.5.0.0/24" port protocol="tcp" port="22" accept'
      # Add similar rules for other IP addresses or networks if needed
      
      # Drop SSH connections from all other IP addresses
      sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="NOT_IP_ADDRESS_1" reject'
      sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="NOT_IP_ADDRESS_2" reject'
      # Add similar rules for other IP addresses if needed
      
      # Reload firewall to apply changes
      sudo firewall-cmd --reload
      

      Just replace ‘IP_ADDRESS_1’, ‘IP_ADDRESS_2’, etc., with the specific IP addresses you want to allow SSH access from, or replace ‘172.5.0.0/24’ with the desired network range.

      All other connections will be rejected by the firewall.

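The replies above try to reject "everyone else" by listing addresses one by one, which cannot cover an open network. The script below is an added example and not code from any commenter: it generates the firewall-cmd commands for an SSH allowlist in which each allowed source (single address or CIDR network, validated first so a typo cannot open SSH to the world) gets an accept rich rule, and the generic ssh service is removed from the zone so every other source falls through to the public zone's default reject. The zone name, the sample addresses and the function names are assumptions.

```shell
#!/bin/sh
# Added example: emit firewall-cmd commands that restrict SSH to an allowlist.
# Not from the original comments; addresses below are constructed samples.

# Return 0 when $1 is a dotted-quad IPv4 address, optionally with a /n prefix.
valid_ipv4() {
    case "$1" in
        *[!0-9./]*|''|*/*/*) return 1 ;;      # bad characters, empty, or two slashes
    esac
    addr=${1%%/*}; mask=${1#*/}
    [ "$mask" = "$1" ] && mask=32            # no prefix given: treat as a host
    [ "$mask" -le 32 ] 2>/dev/null || return 1
    n=0; oldifs=$IFS; IFS=.
    for octet in $addr; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# Print the commands for zone $1 and allowed sources $2...; fail on a bad entry.
ssh_allowlist_cmds() {
    zone=$1; shift
    for src in "$@"; do
        valid_ipv4 "$src" || { echo "invalid source: $src" >&2; return 1; }
        printf "firewall-cmd --permanent --zone=%s --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"22\" protocol=\"tcp\" accept'\n" "$zone" "$src"
    done
    # Without this the zone's ssh service still accepts every source. If port 22
    # was also opened with --add-port=22/tcp, remove that the same way.
    printf 'firewall-cmd --permanent --zone=%s --remove-service=ssh\n' "$zone"
    echo 'firewall-cmd --reload'
    # Verify what is now enforced; the rich rules should list only your sources.
    printf 'firewall-cmd --zone=%s --list-rich-rules\n' "$zone"
}

# Constructed allowlist: two hosts and one /24 network. Review the output, then
# pipe it to sh on the server (from a console, not the SSH session being limited).
ssh_allowlist_cmds public 192.168.1.10 192.168.1.11 172.5.0.0/24
```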
  2. Note that fail2ban does not monitor any services by default, so simply installing it will achieve nothing without configuring it.

  3. I see that the article refers to blocking an IP, but the only thing that actually gets blocked is access to the server; the host can still browse the Internet using the server as its gateway.

    What would be the way to block an IP so that it cannot browse the Internet through the server?

  4. Thanks a million for your really great tutorials.
    Although I am having a problem blocking ICMP. I get 'yes', which means there is an icmp block applied and it's enabled. However, when I run --zone=external --list-all there are no entries for icmp-blocks: (empty).
    Using Fedora 21 Workstation. Thanks again for your invaluable articles.

