Firewalld
Firewalld - a dynamically managed firewall
# Install and enable firewalld
# If the iptables, ip6tables, ebtables and ipset services are in use:
systemctl disable --now iptables.service
systemctl disable --now ip6tables.service
systemctl disable --now ebtables.service
systemctl disable --now ipset.service
dnf install firewalld firewall-config firewall-applet
systemctl unmask --now firewalld.service
systemctl enable --now firewalld.service
# If firewalld is enabled and you want to enable the iptables, ip6tables, ebtables and ipset services instead:
dnf install iptables-services ebtables ipset-service
systemctl mask --now firewalld.service
systemctl enable --now iptables.service
systemctl enable --now ip6tables.service
systemctl enable --now ebtables.service
systemctl enable --now ipset.service
config files:
/etc/firewalld
/etc/firewalld/zones
/etc/firewalld/services
/etc/firewalld/policies
...
# query status
systemctl status firewalld
# check state
firewall-cmd --state
# start firewalld
systemctl start firewalld
systemctl enable firewalld
# view default zone
firewall-cmd --get-default-zone
# To check what zones are used by your network interface(s)
firewall-cmd --get-active-zones
# print the zone configuration settings
firewall-cmd --zone=public --list-all
# check the configurations of all available zones
firewall-cmd --list-all-zones
# Changing the Zone of an Interface
firewall-cmd --zone=work --change-interface=eth1
# Changing the Default Zone
firewall-cmd --set-default-zone=external
# add service to a zone
firewall-cmd --zone=public --add-service=http
# query services of zone
firewall-cmd --zone=public --list-services
Forwarding Port with Firewalld
# enable masquerading for external zone
firewall-cmd --zone=external --add-masquerade
# Forward traffic from one port to another on the same server
firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080
# Forward traffic to another server
firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toaddr=10.10.10.2
# Forward traffic to another server on a different port
firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=10.10.10.2
# Change the default zone to dmz
firewall-cmd --set-default-zone=dmz
firewall-cmd --zone=dmz --add-interface=eth0
# Open HTTP and HTTPS ports
firewall-cmd --permanent --zone=dmz --add-service=http
firewall-cmd --permanent --zone=dmz --add-service=https
# disable 'AllowZoneDrifting' in
# /etc/firewalld/firewalld.conf
AllowZoneDrifting=no
# zones
# query active zones
firewall-cmd --get-active-zones
firewall-cmd --get-default-zone
# set default zone
firewall-cmd --set-default-zone=public
firewall-cmd --runtime-to-permanent
# or
firewall-cmd --set-default-zone=public --permanent
create a new service for Oracle Database Express Edition
# create a new service
firewall-cmd --permanent --new-service=oracle
firewall-cmd --permanent --service=oracle --set-description="Oracle Database Express Edition"
firewall-cmd --permanent --service=oracle --set-short="Oracle XE"
firewall-cmd --permanent --service=oracle --add-port=1521/tcp
firewall-cmd --permanent --zone=public --add-service=oracle
firewall-cmd --reload
NAT and Masquerading with two network interfaces
# masquerading: when the external (WAN) address is dynamic (DHCP)
# SNAT: when the external (WAN) address is fixed
Configuring NAT and Masquerading using firewalld (RHEL)
# SUSE / openSUSE
# Configure the firewall to masquerade traffic with NAT from the LAN into the WAN
# and to block inbound traffic on the WAN interface:
firewall-cmd --permanent --zone=external --change-interface=WAN_INTERFACE
firewall-cmd --permanent --zone=external --add-masquerade
firewall-cmd --permanent --zone=internal --change-interface=LAN_INTERFACE
firewall-cmd --set-default-zone=internal
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
see: Configure the firewall to masquerade traffic with NAT from the LAN into the WAN
changing the firewalld backend back to the older iptables
systemctl stop firewalld
sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf
systemctl start firewalld
why changing backend from iptables to nftables (firewalld.org)
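Added example (not from these notes): an idempotent way to read and set keys in firewalld.conf such as AllowZoneDrifting and FirewallBackend, since a bare sed substitution like the one above does nothing when the line is commented out or already holds a different value. Assumes GNU sed (for -i); the file path is a parameter so it can be tried on a copy before touching /etc/firewalld/firewalld.conf.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Reads and sets keys in a firewalld.conf-style file (KEY=VALUE lines,
# '#' comments). Assumes GNU sed for in-place editing.

# conf_get FILE KEY -> prints the value of the last active (uncommented)
# KEY line, or nothing if the key is only commented out or absent.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# conf_set FILE KEY VALUE -> rewrites every active KEY line to KEY=VALUE,
# or appends KEY=VALUE if no active line exists (e.g. only a commented
# '# AllowZoneDrifting=yes' is present). VALUE must not contain '/' or '&'.
conf_set() {
    if grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed -i "s/^[[:space:]]*$2[[:space:]]*=.*/$2=$3/" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# check_hardening FILE -> exit 0 only if zone drifting is disabled and
# the nftables backend is in use; otherwise exit 1 (useful in audits).
check_hardening() {
    [ "$(conf_get "$1" AllowZoneDrifting)" = "no" ] || return 1
    [ "$(conf_get "$1" FirewallBackend)" = "nftables" ] || return 1
    return 0
}
```

After editing the real file, restart firewalld (systemctl restart firewalld) for the new backend or drifting setting to take effect.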