Set Up a Firewall on CentOS 7

Managing Firewalld

Firewalld is the default tool in RHEL/CentOS 7 for managing the host-level firewall (the Linux kernel netfilter subsystem).

First start the firewalld service and enable it so that it starts at boot.

# systemctl enable firewalld.service

Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.

Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.

# systemctl is-enabled firewalld.service

enabled

# systemctl start firewalld.service

# systemctl is-active firewalld.service

active
Completely disable the old iptables services so they cannot conflict with firewalld:

# systemctl mask iptables.service

Created symlink from /etc/systemd/system/iptables.service to /dev/null.

# systemctl mask ip6tables.service

Created symlink from /etc/systemd/system/ip6tables.service to /dev/null.

# systemctl mask ebtables

Created symlink from /etc/systemd/system/ebtables.service to /dev/null.

Let's configure the following firewall rules on our server:

Source network      Permitted traffic
All internet        HTTP (TCP 80), HTTPS (TCP 443)
62.162.118.0/24     MySQL administration (TCP 3306)
62.162.118.25       SSH (TCP 22)
195.26.0.0/16       Java application on Tomcat (TCP 8080)

Firewalld separates all incoming traffic into zones, each zone having its own set of rules.

To decide which zone applies to an incoming connection, firewalld uses the following logic, where the
first rule that matches wins:
1. If the source address of an incoming packet matches a source configured for a zone, that
packet is routed through that zone.
2. If the incoming interface of a packet matches an interface assigned to a zone, that zone is
used.
3. Otherwise, the default zone is used. The default zone is not a separate zone; instead, it
points to one of the other zones defined on the system.

By default a NetworkManager connection profile has no value set for the connection.zone parameter, so its interface falls into the default zone and all incoming traffic is routed to the public zone.

All configuration is done with the firewall-cmd command. Let's first list the firewall zones:

# firewall-cmd --list-all-zones

block

dmz

drop

external

home

internal

public (default, active)

trusted

work

The first rule, all internet traffic, maps to the public zone.

Traffic from 62.162.118.0/24 maps to the internal zone.

Traffic from 195.26.0.0/16 maps to the work zone.

First delete all existing rules that apply to the public zone.

# firewall-cmd --zone=public --list-all

public (default, active)

  interfaces: ens160

  sources:

  services: dhcpv6-client ssh

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

Delete services rules from public zone:

# firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client

success

# firewall-cmd --permanent --zone=public --remove-service=ssh

success

# firewall-cmd --reload

success

# firewall-cmd --zone=public --list-all

public (default, active)

  interfaces: ens160 ens192

  sources:

  services:

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

First we view all rules, then delete the rules for dhcpv6-client and ssh; the --permanent switch persists the configuration across reloads. After adding or removing rules we activate the new configuration with --reload. Note that permanent changes only take effect at that reload, so make sure the address you administer the server from is still permitted (here by the rich rule in the internal zone, configured below) before removing ssh from the public zone, or you will lock yourself out.

Now permit the http and https services:

# firewall-cmd --permanent --zone=public --add-service=http

success

# firewall-cmd --permanent --zone=public --add-service=https

success

# firewall-cmd --reload

success

# firewall-cmd --zone=public --list-all

public (default, active)

  interfaces: ens160 ens192

  sources:

  services: http https

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

Delete the existing rules in the internal zone, map incoming traffic from 62.162.118.0/24 to it and configure the mysql rule.

# firewall-cmd --zone=internal --list-all

internal

  interfaces:

  sources:

  services: dhcpv6-client ipp-client mdns samba-client ssh

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

# firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client

success

# firewall-cmd --permanent --zone=internal --remove-service=ipp-client

success

# firewall-cmd --permanent --zone=internal --remove-service=mdns

success

# firewall-cmd --permanent --zone=internal --remove-service=samba-client

success

# firewall-cmd --permanent --zone=internal --remove-service=ssh

success

# firewall-cmd --reload

success

# firewall-cmd --zone=internal --list-all

internal

  interfaces:

  sources:

  services:

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

# firewall-cmd --permanent --zone=internal --add-source=62.162.118.0/24

success

# firewall-cmd --permanent --zone=internal --add-service=mysql

success

The MySQL rule can also be expressed as a port and protocol instead of a service name:

# firewall-cmd --permanent --zone=internal --add-port=3306/tcp

success

# firewall-cmd --zone=internal --list-all

internal

  interfaces:

  sources: 62.162.118.0/24

  services: mysql

  ports: 3306/tcp

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

# firewall-cmd --reload

success

SSH only needs to be permitted from the host with IP 62.162.118.25. When we need to allow a service from a single IP address instead of from all addresses routed through a zone, we use firewalld rich rules. This works because 62.162.118.25 lies inside the internal zone's source 62.162.118.0/24, so its packets are routed to that zone before the rich rule is evaluated.

# firewall-cmd --permanent --zone=internal --add-rich-rule 'rule family=ipv4 source address=62.162.118.25 service name=ssh accept'

success

# firewall-cmd --reload

success

# firewall-cmd --zone=internal --list-all

internal

interfaces:

sources: 62.162.118.0/24

services: mysql

ports: 3306/tcp

masquerade: no

forward-ports:

icmp-blocks:

rich rules:

rule family="ipv4" source address="62.162.118.25" service name="ssh" accept

Finally, configure access to the Tomcat port 8080 and map traffic incoming from 195.26.0.0/16 to the work zone.

# firewall-cmd --permanent --zone=work --list-all

work

interfaces:

sources:

services: dhcpv6-client ipp-client ssh

ports:

masquerade: no

forward-ports:

icmp-blocks:

rich rules:

# firewall-cmd --permanent --zone=work --remove-service=dhcpv6-client

success

# firewall-cmd --permanent --zone=work --remove-service=ipp-client

success

# firewall-cmd --permanent --zone=work --remove-service=ssh

success

# firewall-cmd --permanent --zone=work --add-source=195.26.0.0/16

success

# firewall-cmd --permanent --zone=work --add-port=8080/tcp

success

# firewall-cmd --reload

success

# firewall-cmd --zone=work --list-all

work

interfaces:

sources: 195.26.0.0/16

services:

ports: 8080/tcp

masquerade: no

forward-ports:

icmp-blocks:

rich rules:
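The whole procedure above, as an added example that is not part of the original post: one re-runnable script that applies the four-rule policy and then audits the live zones against it. It assumes a CentOS 7 host with firewalld 0.4 or later (where re-adding an existing rule is a warning, not an error) and the stock zone names; the helper names fw, apply_policy, zone_field_has and audit_zone are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: the page's four-rule policy applied
# in one idempotent pass, then an audit of the resulting zones. Assumes a CentOS 7
# host with firewalld and the stock zone names; DRY_RUN=1 prints the
# firewall-cmd calls instead of running them.
set -eu

fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "firewall-cmd $*"; return 0; fi
    firewall-cmd "$@"
}

apply_policy() {
    # public is the default zone: traffic with no matching source lands here,
    # so it carries only the web services. Removals tolerate absent services.
    for s in dhcpv6-client ssh; do fw --permanent --zone=public --remove-service="$s" || true; done
    fw --permanent --zone=public --add-service=http
    fw --permanent --zone=public --add-service=https
    # internal: MySQL from the admin subnet, SSH from the single admin host only
    for s in dhcpv6-client ipp-client mdns samba-client ssh; do
        fw --permanent --zone=internal --remove-service="$s" || true
    done
    fw --permanent --zone=internal --add-source=62.162.118.0/24
    fw --permanent --zone=internal --add-port=3306/tcp
    fw --permanent --zone=internal --add-rich-rule \
        'rule family=ipv4 source address=62.162.118.25 service name=ssh accept'
    # work: Tomcat from the application network
    for s in dhcpv6-client ipp-client ssh; do fw --permanent --zone=work --remove-service="$s" || true; done
    fw --permanent --zone=work --add-source=195.26.0.0/16
    fw --permanent --zone=work --add-port=8080/tcp
    fw --reload
}

# Does the "<field>:" line of a --list-all dump contain exactly this item?
# Covers the single-line fields (sources, services, ports), not "rich rules".
zone_field_has() {
    printf '%s\n' "$1" | grep -E "^ *$2:" | tr ' ' '\n' | grep -Fqx -- "$3"
}

# Compare a live zone with the intended policy; any drift is a failed audit.
audit_zone() {   # usage: audit_zone ZONE FIELD ITEM
    live=$(fw --zone="$1" --list-all)
    zone_field_has "$live" "$2" "$3" || { echo "AUDIT FAIL: zone $1 $2 lacks $3" >&2; return 1; }
}
if [ "${1:-}" = apply ]; then
    apply_policy
    audit_zone public services http && audit_zone internal ports 3306/tcp \
        && audit_zone work sources 195.26.0.0/16 && echo "policy applied and verified"
fi
```

Run it as `sh fw-policy.sh apply` on the host; with DRY_RUN=1 the apply step only prints the commands, so the audit step is expected to report failures.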

Setting a static IP address on Red Hat/CentOS 7

First check that NetworkManager is enabled and running:

systemctl is-enabled NetworkManager

enabled

systemctl is-active NetworkManager

active

Second, list the network adapters:

nmcli device show

GENERAL.DEVICE:                         ens192

GENERAL.TYPE:                           ethernet

GENERAL.HWADDR:                         00:50:56:86:0A:DD

GENERAL.MTU:                            1500

GENERAL.STATE:                          30 (disconnected)

GENERAL.CONNECTION:                     --

GENERAL.CON-PATH:                       --

WIRED-PROPERTIES.CARRIER:               on


GENERAL.DEVICE:                         lo

GENERAL.TYPE:                           loopback

GENERAL.HWADDR:                         00:00:00:00:00:00

GENERAL.MTU:                            65536

GENERAL.STATE:                          10 (unmanaged)

GENERAL.CONNECTION:                     --

GENERAL.CON-PATH:                       --

IP4.ADDRESS[1]:                         127.0.0.1/8

IP4.GATEWAY:

IP6.ADDRESS[1]:                         ::1/128

IP6.GATEWAY:


Next, configure a static IP address on device ens192:

nmcli connection add con-name local ifname ens192 type Ethernet ip4 192.168.0.10/24 gw4 192.168.0.1

Connection 'local' (3f710950-a986-4823-aa54-78af58864733) successfully added.

nmcli connection modify local ipv4.method manual

nmcli connection modify local ipv4.dns 192.168.0.1

nmcli connection modify local +ipv4.dns 192.168.0.2

nmcli connection modify local connection.autoconnect yes

nmcli connection reload

nmcli connection up local

Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2553)

  • ipv4.method manual (manual boot mode) must be set after the IP address and gateway have been configured

Review the NetworkManager configuration and verify that the IP settings were applied successfully:

nmcli connection show


NAME    UUID                                  TYPE            DEVICE

local   3f710950-a986-4823-aa54-78af58864733  802-3-ethernet  ens192

mgmt    c688ceea-965a-47c3-9092-f671dddbb98c  802-3-ethernet  ens160

public  d89cceb5-5695-4985-aa35-83a763bc186a  802-3-ethernet  --

local   c5f4b6df-9d47-48ae-9b03-6cb108d8cfd3  802-3-ethernet  —

nmcli device show ens192


GENERAL.DEVICE:                         ens192

GENERAL.TYPE:                           ethernet

GENERAL.HWADDR:                         00:50:56:86:0A:DD

GENERAL.MTU:                            1500

GENERAL.STATE:                          100 (connected)

GENERAL.CONNECTION:                     local

GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/2553

WIRED-PROPERTIES.CARRIER:               on

IP4.ADDRESS[1]:                         192.168.0.10/24

IP4.GATEWAY:                            192.168.0.1

IP4.DNS[1]:                             192.168.0.1

IP4.DNS[2]:                             192.168.0.2

IP6.ADDRESS[1]:                         fe80::250:56ff:fe86:add/64

IP6.GATEWAY:

Reset the root password on Red Hat/CentOS 7.x

When the server boots and the GRUB menu appears, press e.


Then locate the line that starts with linux16; this is the line where you enter kernel parameters.


At the end of that line add the text rd.break and then press Ctrl+X to boot Linux.

The system boots into single-user mode, where the root file system is mounted read-only.

If you run the mount command you will see on the bottom line that root is mounted under /sysroot.

First remount root read-write, chroot into /sysroot and change the root password. Finally, if SELinux was enabled before, force an SELinux relabel so that the modified /etc/shadow receives the correct security context on the next boot.

mount -o rw,remount /sysroot

chroot /sysroot

passwd root

touch /.autorelabel

exit

exit
