Securing Your Linux Server with firewall-cmd A Comprehensive Guide

Securing Your Linux Server with firewall-cmd A Comprehensive Guide

Demystifying Firewall-cmd A Deep Dive into Linux Server Security and Network Configuration

In Linux server management, one crucial aspect is securing your system against unauthorized access and potential threats. Firewalls play a pivotal role in controlling network traffic and safeguarding your server. In this article, we'll delve into the usage of firewall-cmd, a powerful command-line tool for configuring the firewalld daemon on Linux systems.

Understanding firewalld and firewall-cmd

firewalld is a dynamic firewall management solution that simplifies the configuration of network filtering rules. firewall-cmd is the corresponding command-line interface for interacting with the firewalld daemon. It offers a user-friendly approach to configuring firewall settings and provides a wide range of options for securing your server.

Checking and Managing Firewall Status

firewall-cmd --state

verifies whether the firewall is currently running or not.

Reload the Firewall

firewall-cmd --reload

Enable/Disable Firewall

firewall-cmd --enable
firewall-cmd --disable

Enable or disable the firewall as needed, exercising caution when disabling to avoid potential security risks.

Get Zones

firewall-cmd --get-zones

View available firewall zones to understand your network configuration.

List All Zones and Their Settings

firewall-cmd --list-all-zones

Lists all zones along with their configurations, services, and ports.

List Services

firewall-cmd --list-services

List Ports

firewall-cmd --list-ports

Add/Remove a Service or Port

firewall-cmd --add-service=<service>
firewall-cmd --add-port=<port>/tcp
firewall-cmd --remove-service=<service>
firewall-cmd --remove-port=<port>/tcp

Advanced Configurations

Reload Zones

firewall-cmd --complete-reload

Change Zone of an Interface

firewall-cmd --zone=public --change-interface=eth0

Configuring Masquerading (NAT)

firewall-cmd --zone=public --add-masquerade

Configuring Port Forwarding

ADD Port Forwarding

firewall-cmd --zone=public --add-forward-port=port=8080:proto=tcp:toport=80

Remove Port Forwarding

Assuming you have previously added a port forwarding rule, such as forwarding external port 8080 to internal port 80

firewall-cmd --zone=public --remove-forward-port=port=8080:proto=tcp:toport=80

List Rich Rules

firewall-cmd --list-rich-rules

Add/Remove a Rich Rule

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" accept'
firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.1.0/24" accept'

Bonus Concept

Network Interface Overview

  • Definition: A network interface is a point of interaction between a device and a network. It can be physical (e.g., Ethernet) or virtual (e.g., loopback).

  • Example: enp0s25 (Ethernet) and wlp3s0 (Wireless) are examples of network interfaces.

Zone in Firewall

  • Definition: A zone is a predefined set of rules in a firewall configuration that dictates the level of trust for a specific network connection. Different zones have different security settings.

  • Example: The "public" zone might be used for external, less trusted networks, while the "internal" zone is for more secure, trusted networks.

Interface in Networking

  • Definition: An interface is a point of interaction between a device and a network. It can be a physical connection (like Ethernet) or a virtual connection (like a VPN).

  • Example: enp0s25 represents a physical Ethernet interface, and tun0 might represent a virtual interface for a VPN connection.

Loopback Interface (lo):

  • Purpose: A virtual interface allowing a device to communicate with itself without external connections.

  • Example: Accessing localhost or 127.0.0.1 uses the loopback interface.

Masquerading (NAT - Network Address Translation)

  • Purpose: A technique that allows multiple devices on a local network (192.168.X.X or 10.0.x.x Most of the time) to share a single public IP address for internet access.

  • Example: Your home router uses NAT to assign private IP addresses to devices within your home network.

MAC Address

  • Purpose: A unique identifier is assigned to each network interface for communication on the physical network.

  • Example: Used to ensure data is sent to the correct destination on a local network.

Gateway

  • Definition: A gateway is a node in a computer network that serves as an entry/exit point to another network. It often connects a local network to the internet.

  • Example: Your router at home is a gateway that connects your local devices to the internet.

DNS (Domain Name System)

  • Definition: DNS translates human-readable domain names into IP addresses. It's crucial for resolving web addresses to their corresponding servers.

  • Example: Translating "www.example.com" to its IP address using DNS.

DHCP

  • Definition: DHCP is a network protocol that automatically assigns IP addresses and other network configuration information to devices in a network.

  • Example: When your device connects to a network, DHCP assigns it an IP address dynamically you can also set it statically.

Subnet

  • Definition: A subnet is a logically divided section of an IP network. It helps in organizing and managing IP addresses efficiently.

  • Example: A network might be divided into subnets like 192.168.1.0/24 and 192.168.2.0/24.

Routing

  • Definition: Routing is the process of forwarding data between different networks. Routers make decisions about where to send data packets.

  • Example: A router determines the best path for data to travel from your local network to the internet.

Port

  • Definition: In networking, a port is a communication endpoint for processes on a computer. It allows different services on the same server to use different ports.It works on the Application Layer (TCP / IP )

  • Example: Web servers often use port 80 for HTTP and port 443 for HTTPS.

Did you find this article valuable?

Support Muhammad Usama by becoming a sponsor. Any amount is appreciated!