7/10/2015

Firewalld and iptables


The Problem

The iptables command line interface to control the Netfilter functions in the kernel is being superseded by Firewalld's firewall-cmd.  Firewalld provides not only a command line interface, but also a very powerful graphic one. 

The problem is that once you enable the Firewalld service, then you should only use firewall-cmd from the command line for configuration.  Attempts to modify the firewall configuration with iptables commands directly will fail.  However, iptables commands can still be used to query the rules that are created by the Firewalld GUI, or by firewall-cmd commands.  For example, after using firewall-cmd to create rules, you could execute the following iptables command to view the actual Netfilter rules:

iptables -nvL 

HOT TIP: Take advantage of the command completion feature while working with firewall-cmd.  If you forget an option, just press TAB twice and wait a second for the list of available options!  Executing "firewall-cmd --help" also provides a good summary of the available options before you have to start reading the man page.

Service Rules

There are many services that have rules which are predefined by Firewalld.  Using these preset rules makes it much easier to enable access to a service.  To find out which predefined services you can enable in the default zone, use the following command:

firewall-cmd --get-services

To enable access to the service through the firewall persistently, you can execute:

firewall-cmd --add-service=dns --zone public --permanent

The above command does not affect the state of the current firewall.  To add the service immediately, you can execute the above command without the --permanent option, or else use:

firewall-cmd --reload

Alternatively, you could add services and other rules without the --permanent option until the runtime configuration reflects what you want, and then execute:

firewall-cmd --runtime-to-permanent
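To make this stage-then-commit workflow repeatable, here is an added shell script (not from the original post) that checks the requested service names against "firewall-cmd --get-services" before touching anything, adds them to the runtime configuration of a zone, prints the zone for review and only then commits with --runtime-to-permanent.  It assumes firewall-cmd is on PATH and the script runs as root; the zone and service names on the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not the post's own code. Stage services in the runtime
# configuration, review, then commit them with --runtime-to-permanent.
# Assumes: firewall-cmd on PATH, run as root. The zone and services in
# the usage line are placeholders.

# validate_services KNOWN REQUESTED
#   KNOWN:     whitespace-separated list, i.e. output of firewall-cmd --get-services
#   REQUESTED: whitespace-separated list of services we want to enable
# Returns 0 if every requested name is defined; otherwise prints each
# unknown name to stderr and returns 1, so a typo is caught before any
# firewall state is changed.
validate_services() {
    known=" $1 "
    rc=0
    for svc in $2; do
        case "$known" in
            *" $svc "*) ;;
            *) echo "unknown service: $svc" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# stage_and_commit ZONE SERVICE...
# Adds each service to the runtime config of ZONE (no --permanent), prints
# the zone so the result can be reviewed, then makes the runtime config
# permanent in one step. If an add fails, nothing has been committed yet,
# and a plain "firewall-cmd --reload" discards the partial runtime state.
stage_and_commit() {
    zone=$1; shift
    validate_services "$(firewall-cmd --get-services)" "$*" || return 1
    for svc in "$@"; do
        firewall-cmd --zone="$zone" --add-service="$svc" || return 1
    done
    firewall-cmd --zone="$zone" --list-all
    firewall-cmd --runtime-to-permanent
}

# Usage on a firewalld host: sh stage.sh --apply
if [ "${1:-}" = "--apply" ]; then
    stage_and_commit public dns ssh
fi
```

The validation step matters because firewall-cmd rejects an unknown service name with an error, and with several services on one command line it is easy to end up with half of them staged and the other half not.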

Adding a New firewalld Service Definition

If a service that you want to enable through firewalld is not defined, then you can define it in an XML file in /etc/firewalld/services.  Here is an example of /etc/firewalld/services/quake.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Quake</short>
  <description>Quake is an on-line game</description>
  <port port="26000" protocol="tcp"/>
  <port port="26000" protocol="udp"/>
</service>

Here is another example, /etc/firewalld/services/iscsi.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>iSCSI</short>
  <description>iSCSI default target portal port</description>
  <port port="3260" protocol="tcp"/>
</service>

After creating XML files like these in /etc/firewalld/services/, you need to reload the firewalld service with:

firewall-cmd --reload

Then, you would be able to see the new services by executing:

firewall-cmd --get-services

which outputs:

RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec iscsi kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp quake radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

Next, you could add the new services to a zone like public, for example:

firewall-cmd --add-service={iscsi,quake} --zone public --permanent
firewall-cmd --reload

To see the set of all rules in the current (runtime) configuration, you can use:

firewall-cmd --list-all
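As an added, complete example of the procedure in this section (not the post's own code), the following POSIX shell script writes a service definition in the format shown above, validates the port list before creating the file, reloads firewalld and confirms that the new name now appears in "firewall-cmd --get-services".  It assumes the standard /etc/firewalld/services/ location and firewall-cmd on PATH; xmllint is used for a well-formedness check only if it is installed.  Adding the service to a zone is the same --add-service step shown above.

```shell
#!/bin/sh
# Added example, not the post's own code. Create a firewalld service
# definition, reload, and confirm that firewalld accepted it.
# Assumes: standard /etc/firewalld/services/ layout, firewall-cmd on PATH,
# root for the install step. xmllint is optional.

# Escape the characters that may not appear raw in XML text nodes.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# write_service_xml DIR NAME SHORT DESCRIPTION PORT/PROTO...
# Writes DIR/NAME.xml, for example:
#   write_service_xml /etc/firewalld/services iscsi iSCSI \
#       "iSCSI default target portal port" 3260/tcp
# Every PORT/PROTO is checked (1-65535, tcp or udp) before the file is
# touched, so a bad argument leaves no half-written definition behind.
write_service_xml() {
    dir=$1 name=$2 short=$3 desc=$4
    shift 4
    [ "$#" -ge 1 ] || { echo "need at least one PORT/PROTO" >&2; return 1; }
    for spec in "$@"; do
        port=${spec%/*} proto=${spec#*/}
        case "$port" in
            ''|*[!0-9]*) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$spec'" >&2; return 1
        fi
        case "$proto" in
            tcp|udp) ;;
            *) echo "protocol must be tcp or udp in '$spec'" >&2; return 1 ;;
        esac
    done
    {
        echo '<?xml version="1.0" encoding="utf-8"?>'
        echo '<service>'
        echo "  <short>$(xml_escape "$short")</short>"
        echo "  <description>$(xml_escape "$desc")</description>"
        for spec in "$@"; do
            printf '  <port port="%s" protocol="%s"/>\n' "${spec%/*}" "${spec#*/}"
        done
        echo '</service>'
    } > "$dir/$name.xml"
    # Well-formedness check when a parser is available.
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$dir/$name.xml" || return 1
    fi
}

# register_service NAME: reload so firewalld parses the new file, then
# confirm NAME is listed. A definition firewalld rejects simply does not
# appear, so this check is what tells you the file was accepted.
register_service() {
    firewall-cmd --reload >/dev/null || return 1
    case " $(firewall-cmd --get-services) " in
        *" $1 "*) return 0 ;;
        *) echo "service $1 not loaded; check /etc/firewalld/services/$1.xml" >&2; return 1 ;;
    esac
}

# Usage on the firewalld host, as root: sh newservice.sh --install
if [ "${1:-}" = "--install" ]; then
    write_service_xml /etc/firewalld/services iscsi iSCSI \
        "iSCSI default target portal port" 3260/tcp \
    && register_service iscsi
fi
```

Writing the file to a directory you pass in, rather than hard-coding /etc/firewalld/services, lets you generate and inspect the definition as an unprivileged user first and copy it into place afterwards.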

Direct Rules

Direct rules are similar to rules that used to be added with the iptables command.  Instead of starting with "iptables -I INPUT", you start with "firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0".  Like adding services, a permanent rule is not immediately active, but you can make it so by reloading the firewall rules.  For example, to open port tcp/8200 to hosts on 192.168.1.0/24, you could use:

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 \
-s 192.168.1.0/24 -p tcp --dport 8200 -j ACCEPT

firewall-cmd --reload

I discovered that you have to "get" the rules instead of querying for a "list" of them:

firewall-cmd --direct --get-all-rules

Rich Rules

Rich rules use a more readable, natural-language-like syntax than direct rules.  Both require more knowledge of the workings of the firewall than service rules.

firewall-cmd --list-rich-rules
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" port port="2049" protocol="tcp" accept'
firewall-cmd --remove-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" port port="2049" protocol="tcp" accept'
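Two things a practitioner wants when working with direct and rich rules that the commands above do not show: building the rich rule string with all of its quotes inside the argument (a backslash that leaks into the single-quoted string is passed to firewall-cmd literally and the rule is rejected), and checking which direct or rich rules already open a port before adding another one, since direct rules are not shown by "firewall-cmd --list-all" and are easy to duplicate.  The following shell helpers are an added example, not the post's own code; "ensure_rich_rule" uses --query-rich-rule so that running it twice is harmless.  They assume firewall-cmd on PATH (root for the add step); the addresses and ports are the ones used above.

```shell
#!/bin/sh
# Added example, not the post's own code. Helpers for rich and direct rules.
# Assumes firewall-cmd on PATH (root for the add step).

# build_rich_rule FAMILY SOURCE PORT PROTO
# Prints the rich rule in the form used above, with every quote inside the
# string and no line-continuation backslashes leaking into it.
build_rich_rule() {
    printf 'rule family="%s" source address="%s" port port="%s" protocol="%s" accept' \
        "$1" "$2" "$3" "$4"
}

# rules_opening_port PORT DIRECT_RULES RICH_RULES
#   DIRECT_RULES: output of  firewall-cmd --direct --get-all-rules
#   RICH_RULES:   output of  firewall-cmd --list-rich-rules
# Prints each rule that references PORT (as "--dport PORT" in a direct rule
# or port="PORT" in a rich rule); returns 1 when none does.
rules_opening_port() {
    port=$1
    printf '%s\n' "$2" "$3" |
        grep -E -e "(--dport ${port}( |\$)|port=\"${port}\")"
}

# ensure_rich_rule ZONE RULE
# Adds RULE to both the runtime and the permanent configuration of ZONE,
# skipping whichever already has it (--query-rich-rule exits 0 if present),
# so the rule is active now and survives the next reload.
ensure_rich_rule() {
    zone=$1 rule=$2
    for scope in "" "--permanent"; do
        if ! firewall-cmd $scope --zone="$zone" --query-rich-rule="$rule" >/dev/null 2>&1; then
            firewall-cmd $scope --zone="$zone" --add-rich-rule="$rule" || return 1
        fi
    done
}

# Usage on a firewalld host: sh rich.sh --apply
# Shows anything already opening tcp/2049; if nothing does, adds the rich rule.
if [ "${1:-}" = "--apply" ]; then
    rules_opening_port 2049 \
        "$(firewall-cmd --direct --get-all-rules)" \
        "$(firewall-cmd --list-rich-rules)" \
    || ensure_rich_rule public "$(build_rich_rule ipv4 192.168.0.0/24 2049 tcp)"
fi
```

Reviewing both rule lists before adding is the point: a port can be opened by a service, a rich rule and a direct rule at the same time, and only the last of those is invisible in the zone listing.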

About Me - WrightRocket

I've worked with computers for over 30 years, programming, administering, using and building them from scratch.

I'm an instructor for technical computer courses, an editor and developer of training manuals, and an Android developer.