Use Linux Firewalld to Create Safe Zone


Firewalld is a zone-based firewall solution that is available for many Linux distributions. It provides dynamically managed firewall rules organized into zones. Each zone can be configured to accept or deny requests or services. It supports IPv4 and IPv6, and zones can be associated with different network interfaces.


By default, firewalld comes with a set of predefined zones. The "firewall-cmd" tool is used to monitor and manage firewall zones. The following command returns the zones that are already defined and ready to use. Zone names should indicate their purpose.

# firewall-cmd --get-zones
Consul block dmz drop external home internal public trusted work

The predefined zones can be used to manage traffic, but it is good practice to define a specific zone for a service. When adding a new zone, you must use the "--permanent" option so that it is written to the firewall configuration. After defining all of the configuration, you must reload the firewall daemon.

In this post, we will walk through a test scenario that isolates the Consul service: we create a blacklist and a whitelist so that only the Consul clients we choose get access.

Create a new Zone

# This command creates a new zone named Consul.
firewall-cmd --permanent --new-zone=Consul

Define Network Interface to the Zone

firewall-cmd --permanent --zone=Consul --change-interface=ens192

Accept all requests

The --set-target option accepts these values: default, ACCEPT, DROP, REJECT. The target is what happens to traffic in the zone that no other rule matches.

firewall-cmd --permanent --zone=Consul  --set-target=ACCEPT

Define the source IP address

Add the source IP address that should always have access to the service or any of its ports.

firewall-cmd --permanent --zone=Consul --add-source=192.168.1.87/32

Drop all requests to a specific port

We define a rich rule that drops all requests that come to port 8500. Only the IP address that we added as a source will have access to port 8500.

firewall-cmd --permanent --zone=Consul --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port protocol="tcp" port="8500" drop'

Reload Firewall Service

firewall-cmd --permanent  --zone=Consul --list-all
firewall-cmd --reload
firewall-cmd --permanent  --zone=Consul --list-all
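The steps above, collected into one script as an added example (this is not code from the original post): it applies the zone configuration in the order the post uses, and then checks the zone by parsing "--list-all" output. The zone name, interface, source address and port are the post's values; the "--list-all" text is a constructed sample in the format firewalld prints, and DRY_RUN=1 prints the commands instead of running them. After the reload, also test port 8500 from a whitelisted host and from a non-whitelisted one: firewalld evaluates deny rich rules before the zone target, so a listing that looks right is not proof that the intended hosts get through.

```shell
#!/bin/sh
# Added example for the Consul zone procedure; not part of the original post.
# Values below are the post's; DRY_RUN=1 only prints the firewall-cmd calls.

ZONE=Consul
IFACE=ens192
ALLOWED_SRC=192.168.1.87/32
PORT=8500

# Run a command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The whole procedure, in the same order as the post, ending with a reload.
configure_consul_zone() {
    run firewall-cmd --permanent --new-zone="$ZONE"
    run firewall-cmd --permanent --zone="$ZONE" --change-interface="$IFACE"
    run firewall-cmd --permanent --zone="$ZONE" --set-target=ACCEPT
    run firewall-cmd --permanent --zone="$ZONE" --add-source="$ALLOWED_SRC"
    run firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="rule family=\"ipv4\" source address=\"0.0.0.0/0\" port protocol=\"tcp\" port=\"$PORT\" drop"
    run firewall-cmd --reload
}

# Constructed sample of `firewall-cmd --zone=Consul --list-all` output
# (firewalld prints the rich rule in its normalized form).
SAMPLE_LIST_ALL='Consul (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: ens192
  sources: 192.168.1.87/32
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="0.0.0.0/0" port port="8500" protocol="tcp" drop'

# zone_field OUTPUT NAME: print the value of the "  NAME: value" line.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# has_drop_rule OUTPUT PORT: succeed if a tcp drop rich rule for PORT is listed.
has_drop_rule() {
    printf '%s\n' "$1" | grep -q "port=\"$2\".*protocol=\"tcp\".*drop"
}

# verify_zone OUTPUT: succeed only if interface, source, target and the
# drop rule all match what the procedure was meant to produce.
verify_zone() {
    out=$1
    [ "$(zone_field "$out" interfaces)" = "$IFACE" ] || return 1
    [ "$(zone_field "$out" sources)" = "$ALLOWED_SRC" ] || return 1
    [ "$(zone_field "$out" target)" = "ACCEPT" ] || return 1
    has_drop_rule "$out" "$PORT"
}

# Stand-alone demo on the constructed sample. On a real host, replace it with:
#   verify_zone "$(firewall-cmd --zone=Consul --list-all)"
if verify_zone "$SAMPLE_LIST_ALL"; then
    echo "zone $ZONE matches the expected configuration"
else
    echo "zone $ZONE differs from the expected configuration"
fi
```

Run it with DRY_RUN=1 first to see the exact firewall-cmd calls, then without it as root. The verifier reads the runtime listing (no --permanent) on purpose: that is the configuration actually in effect after the reload.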

If you need to remove a rule, pass the rule text exactly as it was added; firewalld matches rich rules by their full content.

firewall-cmd --permanent --zone=Consul --remove-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port protocol="tcp" port="7500" drop'


I'm an IT Infrastructure and Operations Architect with extensive experience and administration skills, and I work for Turk Telekom. I provide hardware and software support for IT Infrastructure and Operations tasks.
