Securing Your Linux Server with firewall-cmd A Comprehensive Guide
Demystifying Firewall-cmd A Deep Dive into Linux Server Security and Network Configuration
In Linux server management, one crucial aspect is securing your system against unauthorized access and potential threats. Firewalls play a pivotal role in controlling network traffic and safeguarding your server. In this article, we'll delve into the usage of firewall-cmd
, a powerful command-line tool for configuring the firewalld
daemon on Linux systems.
Understanding firewalld and firewall-cmd
firewalld
is a dynamic firewall management solution that simplifies the configuration of network filtering rules. firewall-cmd
is the corresponding command-line interface for interacting with the firewalld
daemon. It offers a user-friendly approach to configuring firewall settings and provides a wide range of options for securing your server.
Checking and Managing Firewall Status
firewall-cmd --state
verifies whether the firewall is currently running or not.
Reload the Firewall
firewall-cmd --reload
Enable/Disable Firewall
firewall-cmd --enable
firewall-cmd --disable
Enable or disable the firewall as needed, exercising caution when disabling to avoid potential security risks.
Get Zones
firewall-cmd --get-zones
View available firewall zones to understand your network configuration.
List All Zones and Their Settings
firewall-cmd --list-all-zones
Lists all zones along with their configurations, services, and ports.
List Services
firewall-cmd --list-services
List Ports
firewall-cmd --list-ports
Add/Remove a Service or Port
firewall-cmd --add-service=<service>
firewall-cmd --add-port=<port>/tcp
firewall-cmd --remove-service=<service>
firewall-cmd --remove-port=<port>/tcp
Advanced Configurations
Reload Zones
firewall-cmd --complete-reload
Change Zone of an Interface
firewall-cmd --zone=public --change-interface=eth0
Configuring Masquerading (NAT)
firewall-cmd --zone=public --add-masquerade
Configuring Port Forwarding
ADD Port Forwarding
firewall-cmd --zone=public --add-forward-port=port=8080:proto=tcp:toport=80
Remove Port Forwarding
Assuming you have previously added a port forwarding rule, such as forwarding external port 8080 to internal port 80
firewall-cmd --zone=public --remove-forward-port=port=8080:proto=tcp:toport=80
List Rich Rules
firewall-cmd --list-rich-rules
Add/Remove a Rich Rule
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" accept'
firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.1.0/24" accept'
Bonus Concept
Network Interface Overview
Definition: A network interface is a point of interaction between a device and a network. It can be physical (e.g., Ethernet) or virtual (e.g., loopback).
Example:
enp0s25
(Ethernet) andwlp3s0
(Wireless) are examples of network interfaces.
Zone in Firewall
Definition: A zone is a predefined set of rules in a firewall configuration that dictates the level of trust for a specific network connection. Different zones have different security settings.
Example: The "public" zone might be used for external, less trusted networks, while the "internal" zone is for more secure, trusted networks.
Interface in Networking
Definition: An interface is a point of interaction between a device and a network. It can be a physical connection (like Ethernet) or a virtual connection (like a VPN).
Example:
enp0s25
represents a physical Ethernet interface, andtun0
might represent a virtual interface for a VPN connection.
Loopback Interface (lo
):
Purpose: A virtual interface allowing a device to communicate with itself without external connections.
Example: Accessing
localhost
or127.0.0.1
uses the loopback interface.
Masquerading (NAT - Network Address Translation)
Purpose: A technique that allows multiple devices on a local network (192.168.X.X or 10.0.x.x Most of the time) to share a single public IP address for internet access.
Example: Your home router uses NAT to assign private IP addresses to devices within your home network.
MAC Address
Purpose: A unique identifier is assigned to each network interface for communication on the physical network.
Example: Used to ensure data is sent to the correct destination on a local network.
Gateway
Definition: A gateway is a node in a computer network that serves as an entry/exit point to another network. It often connects a local network to the internet.
Example: Your router at home is a gateway that connects your local devices to the internet.
DNS (Domain Name System)
Definition: DNS translates human-readable domain names into IP addresses. It's crucial for resolving web addresses to their corresponding servers.
Example: Translating "www.example.com" to its IP address using DNS.
DHCP
Definition: DHCP is a network protocol that automatically assigns IP addresses and other network configuration information to devices in a network.
Example: When your device connects to a network, DHCP assigns it an IP address dynamically you can also set it statically.
Subnet
Definition: A subnet is a logically divided section of an IP network. It helps in organizing and managing IP addresses efficiently.
Example: A network might be divided into subnets like 192.168.1.0/24 and 192.168.2.0/24.
Routing
Definition: Routing is the process of forwarding data between different networks. Routers make decisions about where to send data packets.
Example: A router determines the best path for data to travel from your local network to the internet.
Port
Definition: In networking, a port is a communication endpoint for processes on a computer. It allows different services on the same server to use different ports.It works on the Application Layer (TCP / IP )
Example: Web servers often use port 80 for HTTP and port 443 for HTTPS.