4. Masquerading IP Address
Masquerading, also known as Network Address Translation (NAT), is a simple method that lets a computer connect to the internet through a base machine acting as an intermediary.
Here we will see how to forward a port to an outside network. For example, if I want to SSH into my home virtual machine from anywhere, I need to forward my SSH port 22 to a different port (i.e. 2222).
Before setting up port forwarding, first check whether masquerading is enabled for the external zone, because we are going to access the machine from an outside network.
# firewall-cmd --zone=external --query-masquerade
If it’s not enabled, you can enable it with the following command.
# firewall-cmd --zone=external --add-masquerade
Now let’s forward all ssh port 22 connections to port 2222 for IP address 192.168.0.132.
# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2222:toaddr=192.168.0.132
# firewall-cmd --zone=external --list-all
5. How to Block and Enable ICMP
First, check the ICMP types we can use with the command below.
# firewall-cmd --get-icmptypes
To add an ICMP block on any zone, you can use the following command. For example, here I am going to add an ICMP block on the external zone; before blocking, just do an ICMP ping to confirm the status of the ICMP block.
# firewall-cmd --zone=public --query-icmp-block=echo-reply
If you get ‘no’, that means no ICMP block is applied, so let’s enable (block) ICMP.
# firewall-cmd --zone=public --add-icmp-block=echo-reply
6. Adding and Removing Chain using Direct Interface
To add a custom direct interface rule, we can use the ‘--direct’ option in any chain (Public, Work, Internal, External). For example, here we’re going to add a rule in the Public zone.
Before adding any rule, first list all the current rules in the public zone using ‘--get-rules’.
# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
To add a rule, use ‘--add-rule’ as shown below.
# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT
To remove the rule, just replace ‘--add-rule’ with ‘--remove-rule’.
# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT
7. Firewalld Lockdown Rules
Any local application that has root privileges can change the firewalld rules. To prevent such changes, we have to enable lockdown in the ‘firewalld.conf’ file. This is mostly used to protect firewalld from unwanted rule changes made by applications.
# vim /etc/firewalld/firewalld.conf
Change no to yes
To make it permanent, reload the changes using ‘--reload’.
# firewall-cmd --reload
After making the above changes, verify that firewalld is locked down using the query option.
# firewall-cmd --query-lockdown
To turn lockdown mode on or off, use the following commands.
# firewall-cmd --lockdown-on
# firewall-cmd --lockdown-off
8. Enabling Fail2ban-firewalld Support
To enable fail2ban support in firewalld, we need to install the package called ‘fail2ban-firewalld’ after enabling the EPEL repository on RHEL/CentOS systems. The fail2ban support provides some additional security rules for SSH, SSH-DDOS, MariaDB, Apache, etc.
After enabling epel, let’s install the ‘fail2ban-firewalld‘ package using the following command.
# yum install fail2ban-firewalld -y
After installing the package, start the ‘fail2ban’ service and enable it to make it persistent.
# systemctl start fail2ban
# systemctl enable fail2ban
9. Adding & Blocking IP Addresses
To add a specific IP address (192.168.0.254) to the trusted public zone, use the following command.
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'
After adding the above rule, don’t forget to list all the trusted public zone rules.
# firewall-cmd --zone=public --list-all
To remove any added rule, just replace ‘--add-rich-rule’ with ‘--remove-rich-rule’ as shown in the command below.
# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'
To reject or drop an IP address from the trusted zones, just replace ‘accept’ with ‘reject’ as shown in the command below.
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.250" reject'
# firewall-cmd --zone=public --list-all
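The firewall-cmd commands in sections 4, 5 and 9 are run without ‘--permanent’, so they change only the runtime configuration, and the ‘--reload’ from section 7 (or a reboot) discards them. The script below is an added example, not part of the original article: it reports entries that exist only at runtime. The function names lost_on_reload and audit_zone are hypothetical, and the sample listings are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): report firewalld entries that
# exist only at runtime and would disappear on `firewall-cmd --reload`.

# lost_on_reload RUNTIME PERMANENT
# Each argument is a newline-separated listing, e.g. the output of
# `firewall-cmd --zone=Z --list-forward-ports` without and with --permanent.
# Prints every runtime entry that has no exact match in the permanent listing.
lost_on_reload() {
    printf '%s\n' "$1" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf '%s\n' "$2" | grep -qxF -e "$entry" || printf '%s\n' "$entry"
    done
}

# audit_zone ZONE (hypothetical helper name): needs a running firewalld.
# Returns 1 if any checked setting in ZONE is runtime-only.
audit_zone() {
    zone=$1; rc=0
    for list in forward-ports rich-rules icmp-blocks; do
        runtime=$(firewall-cmd --zone="$zone" --list-"$list")
        permanent=$(firewall-cmd --permanent --zone="$zone" --list-"$list")
        if [ "$list" = icmp-blocks ]; then  # this list is space-separated
            runtime=$(printf '%s' "$runtime" | tr ' ' '\n')
            permanent=$(printf '%s' "$permanent" | tr ' ' '\n')
        fi
        drift=$(lost_on_reload "$runtime" "$permanent")
        if [ -n "$drift" ]; then
            printf 'runtime-only %s in zone %s:\n%s\n' "$list" "$zone" "$drift"
            rc=1
        fi
    done
    # Masquerade is a yes/no setting, so compare the two query answers.
    if [ "$(firewall-cmd --zone="$zone" --query-masquerade)" != \
         "$(firewall-cmd --permanent --zone="$zone" --query-masquerade)" ]; then
        printf 'masquerade differs between runtime and permanent in %s\n' "$zone"
        rc=1
    fi
    return "$rc"
}

# Constructed sample listings (not captured from a real host): the article's
# SSH forward was added at runtime only; the second forward is also permanent.
SAMPLE_RUNTIME='port=22:proto=tcp:toport=2222:toaddr=192.168.0.132
port=8080:proto=tcp:toport=80:toaddr=192.168.0.132'
SAMPLE_PERMANENT='port=8080:proto=tcp:toport=80:toaddr=192.168.0.132'
lost_on_reload "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
```

On a firewalld host, run `audit_zone external` before reloading. Anything it reports can be kept by repeating the command with ‘--permanent’ or by running `firewall-cmd --runtime-to-permanent`.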
Here we have seen how to configure some of the rules and default services in firewalld. If you have any query regarding the above firewalld rules, feel free to leave your valuable comments below.