Beyond DevOps

Securing Your Linux Server with firewall-cmd A Comprehensive Guide

Securing Your Linux Server with firewall-cmd A Comprehensive Guide

Demystifying Firewall-cmd A Deep Dive into Linux Server Security and Network Configuration

Muhammad Usama's photo
Muhammad Usama

In Linux server management, one crucial aspect is securing your system against unauthorized access and potential threats. Firewalls play a pivotal role in controlling network traffic and safeguarding your server. In this article, we'll delve into the usage of firewall-cmd, a powerful command-line tool for configuring the firewalld daemon on Linux systems.

Understanding firewalld and firewall-cmd

firewalld is a dynamic firewall management solution that simplifies the configuration of network filtering rules. firewall-cmd is the corresponding command-line interface for interacting with the firewalld daemon. It offers a user-friendly approach to configuring firewall settings and provides a wide range of options for securing your server.

Checking and Managing Firewall Status

firewall-cmd --state

verifies whether the firewall is currently running or not.

Reload the Firewall

firewall-cmd --reload

Enable/Disable Firewall

firewall-cmd --enable
firewall-cmd --disable

Enable or disable the firewall as needed, exercising caution when disabling to avoid potential security risks.

Get Zones

firewall-cmd --get-zones

View available firewall zones to understand your network configuration.

List All Zones and Their Settings

firewall-cmd --list-all-zones

Lists all zones along with their configurations, services, and ports.

List Services

firewall-cmd --list-services

List Ports

firewall-cmd --list-ports

Add/Remove a Service or Port

firewall-cmd --add-service=<service>
firewall-cmd --add-port=<port>/tcp
firewall-cmd --remove-service=<service>
firewall-cmd --remove-port=<port>/tcp

Advanced Configurations

Reload Zones

firewall-cmd --complete-reload

Change Zone of an Interface

firewall-cmd --zone=public --change-interface=eth0

Configuring Masquerading (NAT)

firewall-cmd --zone=public --add-masquerade

Configuring Port Forwarding

ADD Port Forwarding

firewall-cmd --zone=public --add-forward-port=port=8080:proto=tcp:toport=80

Remove Port Forwarding

Assuming you have previously added a port forwarding rule, such as forwarding external port 8080 to internal port 80

firewall-cmd --zone=public --remove-forward-port=port=8080:proto=tcp:toport=80

List Rich Rules

firewall-cmd --list-rich-rules

Add/Remove a Rich Rule

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" accept'
firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.1.0/24" accept'

Bonus Concept

Network Interface Overview

  • Definition: A network interface is a point of interaction between a device and a network. It can be physical (e.g., Ethernet) or virtual (e.g., loopback).

  • Example: enp0s25 (Ethernet) and wlp3s0 (Wireless) are examples of network interfaces.

Zone in Firewall

  • Definition: A zone is a predefined set of rules in a firewall configuration that dictates the level of trust for a specific network connection. Different zones have different security settings.

  • Example: The "public" zone might be used for external, less trusted networks, while the "internal" zone is for more secure, trusted networks.

Interface in Networking

  • Definition: An interface is a point of interaction between a device and a network. It can be a physical connection (like Ethernet) or a virtual connection (like a VPN).

  • Example: enp0s25 represents a physical Ethernet interface, and tun0 might represent a virtual interface for a VPN connection.

Loopback Interface (lo):

  • Purpose: A virtual interface allowing a device to communicate with itself without external connections.

  • Example: Accessing localhost or 127.0.0.1 uses the loopback interface.

Masquerading (NAT - Network Address Translation)

  • Purpose: A technique that allows multiple devices on a local network (192.168.X.X or 10.0.x.x Most of the time) to share a single public IP address for internet access.

  • Example: Your home router uses NAT to assign private IP addresses to devices within your home network.

MAC Address

  • Purpose: A unique identifier is assigned to each network interface for communication on the physical network.

  • Example: Used to ensure data is sent to the correct destination on a local network.

Gateway

  • Definition: A gateway is a node in a computer network that serves as an entry/exit point to another network. It often connects a local network to the internet.

  • Example: Your router at home is a gateway that connects your local devices to the internet.

DNS (Domain Name System)

  • Definition: DNS translates human-readable domain names into IP addresses. It's crucial for resolving web addresses to their corresponding servers.

  • Example: Translating "www.example.com" to its IP address using DNS.

DHCP

  • Definition: DHCP is a network protocol that automatically assigns IP addresses and other network configuration information to devices in a network.

  • Example: When your device connects to a network, DHCP assigns it an IP address dynamically you can also set it statically.

Subnet

  • Definition: A subnet is a logically divided section of an IP network. It helps in organizing and managing IP addresses efficiently.

  • Example: A network might be divided into subnets like 192.168.1.0/24 and 192.168.2.0/24.

Routing

  • Definition: Routing is the process of forwarding data between different networks. Routers make decisions about where to send data packets.

  • Example: A router determines the best path for data to travel from your local network to the internet.

Port

  • Definition: In networking, a port is a communication endpoint for processes on a computer. It allows different services on the same server to use different ports.It works on the Application Layer (TCP / IP )

  • Example: Web servers often use port 80 for HTTP and port 443 for HTTPS.

SecurityLinux