Useful ‘FirewallD’ Rules to Configure and Manage Firewall in Linux

4. Masquerading IP Address

Masquerading, also known as Network Address Translation (NAT), is a simple method for letting a computer reach the internet through a base machine that acts as an intermediary.

Here, we will see how to forward a port for the outside network. For example, if I want to ssh into my home virtual machine from anywhere, I need to forward my ssh port 22 to a different port (i.e. 2222).

Before doing port forwarding, first check whether masquerading is enabled for the external zone, because we are going to access the machine from the outside network.

# firewall-cmd --zone=external --query-masquerade

If it’s not enabled, you can enable it with the following command.

# firewall-cmd --zone=external --add-masquerade

Now let’s forward all ssh port 22 connections to port 2222 on IP address 192.168.0.132.

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2222:toaddr=192.168.0.132
# firewall-cmd --zone=external --list-all
Figure: Port Forwarding in Firewalld
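As an added example (not the article’s own commands), a small shell function that makes the steps of this section idempotent and persistent: it assumes firewall-cmd is in PATH, uses an FWCMD variable so it can be dry-run with FWCMD=echo, and repeats each change with --permanent so the rule survives a reload or reboot.

```shell
# Added example, not code from the original article. FWCMD lets the function run
# against a stub or "echo" for a dry run; by default it assumes firewall-cmd is in PATH.
FWCMD="${FWCMD:-firewall-cmd}"

# forward_port ZONE PORT TOPORT TOADDR
# Enables masquerading on ZONE if needed, then forwards tcp/PORT to TOADDR:TOPORT.
# Each change is made in the running config and again with --permanent so it
# survives a reload or reboot. Existing settings are detected with --query-* and
# left alone, so the function can be re-run safely.
forward_port() {
    local zone=$1 port=$2 toport=$3 toaddr=$4 fwd
    # Only digits and dots may reach the rule text; anything else is refused.
    case $toaddr in
        ""|*[!0-9.]*) echo "forward_port: bad address '$toaddr'" >&2; return 1 ;;
    esac
    fwd="port=${port}:proto=tcp:toport=${toport}:toaddr=${toaddr}"
    if [ "$("$FWCMD" --zone="$zone" --query-masquerade)" != "yes" ]; then
        "$FWCMD" --zone="$zone" --add-masquerade
        "$FWCMD" --permanent --zone="$zone" --add-masquerade
    fi
    if [ "$("$FWCMD" --zone="$zone" --query-forward-port="$fwd")" != "yes" ]; then
        "$FWCMD" --zone="$zone" --add-forward-port="$fwd"
        "$FWCMD" --permanent --zone="$zone" --add-forward-port="$fwd"
    fi
    # Final verification: prints "yes" once the forward is active in the running config.
    "$FWCMD" --zone="$zone" --query-forward-port="$fwd"
}
```

Run it as `forward_port external 22 2222 192.168.0.132` to reproduce the article’s setup, or prefix it with `FWCMD=echo` to see the commands without applying them.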

5. How to Block and Enable ICMP

First, list the icmp types that firewalld knows about with the command below.

# firewall-cmd --get-icmptypes

To add an icmp block to any zone, you can use the following command. For example, here I am going to add an icmp block on a zone (the public zone in the commands below); before blocking, first query whether an icmp block is already applied.

# firewall-cmd --zone=public --query-icmp-block=echo-reply

If you get ‘no‘, that means no icmp block is applied yet; let’s enable the block.

# firewall-cmd --zone=public --add-icmp-block=echo-reply
Figure: Block ICMP in Firewalld

6. Adding and Removing Chain using Direct Interface

To add a custom rule through the direct interface, use the ‘--direct‘ option; it can target the chain of any zone (public, work, internal, external). For example, here we’re going to add a rule in the public zone.

Before adding any rule, first list the current rules in the public zone’s chain using ‘--get-rules‘.

# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow

To add a rule use ‘--add-rule‘ as shown below.

# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT

To remove the rule, just replace ‘--add-rule‘ with ‘--remove-rule‘.

# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT
Figure: Add Remove Chains

7. Firewalld Lockdown Rules

Any local application running with root privileges can change the firewalld rules. To prevent such changes, we enable lockdown in the ‘firewalld.conf‘ file. This is mostly used to protect firewalld from unwanted rule changes by applications.

# vim /etc/firewalld/firewalld.conf

Change Lockdown=no to Lockdown=yes.

Lockdown=yes
Figure: Lock Down Firewalld Rules

To make the change take effect, reload firewalld using ‘--reload‘.

# firewall-cmd --reload

After making the above change, verify that firewalld is in lockdown mode with a query.

# firewall-cmd --query-lockdown

To turn lockdown mode on or off, use the following commands.

# firewall-cmd --lockdown-on
# firewall-cmd --lockdown-off
Figure: On Off Lock Down Rules in Firewalld

8. Enabling Fail2ban-firewalld Support

To enable fail2ban support in firewalld, we need to install the ‘fail2ban-firewalld‘ package after enabling the EPEL repository on RHEL/CentOS systems. The fail2ban support provides additional protective rules for SSH, SSH-DDOS, MariaDB, Apache, etc.

After enabling EPEL, let’s install the ‘fail2ban-firewalld‘ package using the following command.

# yum install fail2ban-firewalld -y
Figure: Install Fail2ban Firewalld

After installing the package, start the ‘fail2ban‘ service and enable it so that it starts at boot.

# systemctl start fail2ban
# systemctl enable fail2ban
Figure: Enable Fail2ban Firewalld

9. Adding & Blocking IP Addresses

To add a specific IP address (192.168.0.254) as trusted in the public zone, use the following command.

# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'

After adding the above rule, don’t forget to list all the rules of the public zone to confirm it.

# firewall-cmd --zone=public --list-all

To remove an added rule, just replace ‘--add-rich-rule‘ with ‘--remove-rich-rule‘ as shown in the command below.

# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'
Figure: Add Block IP Address

To reject or drop traffic from an IP address in the zone, just replace ‘accept‘ with ‘reject‘ as shown in the command below.

# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.250" reject'
# firewall-cmd --zone=public --list-all
Figure: Reject IP Address in Firewalld
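An added example, not from the article, covering both the accept and reject rules of this section and extending them with an optional TCP port restriction (for instance allowing SSH only from one address) and a syntactic check of the source address before it is interpolated into the rule text; it assumes firewall-cmd is in PATH and uses an FWCMD variable for dry runs.

```shell
# Added example, not code from the original article. FWCMD can point at a stub
# or at "echo" for a dry run; by default it assumes firewall-cmd is in PATH.
FWCMD="${FWCMD:-firewall-cmd}"

# rich_rule ADDRESS ACTION [TCP_PORT]
# Prints a firewalld rich rule for one IPv4 source (address or CIDR) with the
# action accept, reject or drop; fails on malformed input so nothing unexpected
# is ever interpolated into the rule text.
rich_rule() {
    local addr=$1 action=$2 port=${3:-} ip prefix o rule
    ip=${addr%%/*} prefix=${addr#*/}
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    # Each octet must be 0-255 and a CIDR prefix, if present, at most 32.
    for o in $(echo "$ip" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
    if [ "$prefix" != "$addr" ] && [ "$prefix" -gt 32 ]; then return 1; fi
    case $action in accept|reject|drop) ;; *) return 1 ;; esac
    rule="rule family=\"ipv4\" source address=\"$addr\""
    if [ -n "$port" ]; then
        rule="$rule port port=\"$port\" protocol=\"tcp\""
    fi
    echo "$rule $action"
}

# apply_rich_rule ZONE ADDRESS ACTION [TCP_PORT]
# Adds the rule to the running config and, with --permanent, to the saved config,
# skipping both when --query-rich-rule reports that it is already present.
apply_rich_rule() {
    local zone=$1 rule
    rule=$(rich_rule "$2" "$3" "${4:-}") || { echo "apply_rich_rule: invalid input" >&2; return 1; }
    if [ "$("$FWCMD" --zone="$zone" --query-rich-rule="$rule")" != "yes" ]; then
        "$FWCMD" --zone="$zone" --add-rich-rule="$rule"
        "$FWCMD" --permanent --zone="$zone" --add-rich-rule="$rule"
    fi
}
```

`apply_rich_rule public 192.168.0.254 accept 22` allows SSH only from that host, and `apply_rich_rule public 192.168.0.250 reject` reproduces the article’s reject rule.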

Conclusion

Here we have seen how to configure some of the rules and default services in firewalld. If you have any query regarding the above firewalld rules, feel free to leave your comments below.

Babin Lonston
I'm working as a System Administrator for the last 10 years, with 4 years of experience with Linux distributions, and fell in love with text-based operating systems.


12 thoughts on “Useful ‘FirewallD’ Rules to Configure and Manage Firewall in Linux”

  1. Hi, I want to know if I could add certain I.P.s (approx 5 I.P.s) to access my Linux Server using SSH so that no one except those I.P.s would be able to access the server. I don’t want to use rich-rule. How can I do that?

    My server is RHEL 7.4.

    Reply
      • Babin,

        I followed the url you have provided in your above comment. Looking at that I think I was not able to brief my problem.

        Actually I have a Linux server on a network. I have 100s of other computers (running windows) on the same network. All of them can access my server but I want to allow only 5 I.P.s (i.e. 5 other computers) which are on the same network to access my Linux server using ssh. So I want to set up a firewall-cmd rule so that apart from those 5 I.P.s no one on the network would be able to access my Linux server. How can I do that?

        Once again thanks for your earlier response.

        Reply
        • @Naushad,

          We assume your 5 IP’s are in 192.168.1.x range.

          # firewall-cmd --zone=public --add-source=192.168.1.1
          # firewall-cmd --zone=public --add-port=22/tcp
          # firewall-cmd --zone=public --add-source=192.168.1.2
          # firewall-cmd --zone=public --add-port=22/tcp
          # firewall-cmd --zone=public --remove-interface=eno16777728
          # firewall-cmd --reload
          

          Thanks & Regards,
          Babin Lonston

          Reply
          • Thanks Babin for your kind response. Now I have got it. Doing this will automatically block all the other users except those which are added by the add-source option, right?

            But I didn’t get why I need to remove my interface.

  2. Note that fail2ban does not monitor any services by default, so simply installing it will achieve nothing without configuring it.

    Reply
  3. I note that blocking an IP is mentioned, but the only thing that gets blocked is access to the server; however, they can still browse the internet using the server as a gateway.

    What would be the way to block an IP so that it cannot browse through the server?

    Reply
  4. Thanks a million for your really great tutorials.
    Although I am having a problem blocking ICMP. I get ‘yes‘, that means there is an icmp block applied, and it’s enabled. However, when I run --zone=external --list-all there are no entries for icmp-blocks: (empty).
    Using Fedora 21 Workstation. Thanks again for your invaluable articles.

    Reply
