
Part 6 Firewall


netfilter runs at the kernel level

  • iptables
    Complete configurations
  • firewall-cmd
    Easy command line that writes to iptables


A zone is an indication of the level of security you want on different interfaces. Interfaces are assigned to zones.

  • If the packet's source matches a zone's source list, that zone is used.
  • If the incoming interface is assigned to a zone, that zone is used.
  • If neither applies, the default zone is used.


A service here is not a systemd service but a firewalld service. It lists the ports and other elements that need to be opened for a specific service.

Commands to know


iptables -L # View current configuration

iptables -P INPUT DROP # Drops all traffic in.

iptables -P OUTPUT DROP # Drops all outbound traffic

iptables -A INPUT -p tcp --dport=80 -j ACCEPT # Allow port 80 in.

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow related traffic out.

iptables-save > /etc/sysconfig/iptables # Save configuration for startup


firewalld writes to either the running or the persistent environment. The default is the running environment.

firewall-cmd --list-all # current configuration

firewall-cmd --get-services # To list services

firewall-cmd --add-service=http # Add Service to allow

firewall-cmd --permanent --add-service=http # Add Service and make permanent

firewall-cmd --reload # reload service

Firewalld Configuration

Configuration directories

/usr/lib/firewalld - System files

/etc/firewalld - User created files

Copy an existing service file into the user directory:

cp /usr/lib/firewalld/services/samba.xml /etc/firewalld/services/sample.xml

Edit new file as needed.

firewall-cmd --reload # Read the new service file
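Before reloading, it helps to check that an edited service file actually says what you think. The following script is an added example and not part of these notes or of firewalld; it parses a constructed service definition in the same layout as the files under /usr/lib/firewalld/services and lists which ports it would open, flagging entries firewalld would not accept.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the layout of firewalld service files
# (not copied from any real file). Port 70000 and protocol "icmp" are
# deliberate mistakes so the validator has something to catch.
SAMPLE_SERVICE_XML = """<service>
  <short>sample</short>
  <description>Example service (constructed)</description>
  <port protocol="tcp" port="8443"/>
  <port protocol="udp" port="5000-5010"/>
  <port protocol="tcp" port="70000"/>
  <port protocol="icmp" port="22"/>
</service>
"""

VALID_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}


def _port_ok(spec):
    """Accept a single port or a low-high range within 1..65535."""
    parts = spec.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(1 <= n <= 65535 for n in nums) and nums == sorted(nums)


def check_service(xml_text):
    """Return (opened, errors): opened lists (port, protocol) pairs that
    pass validation; errors describes each rejected <port> entry."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        return [], ["root element must be <service>, got <%s>" % root.tag]
    opened, errors = [], []
    for entry in root.findall("port"):
        proto = entry.get("protocol", "")
        port = entry.get("port", "")
        if proto not in VALID_PROTOCOLS:
            errors.append("unsupported protocol %r for port %r" % (proto, port))
        elif not _port_ok(port):
            errors.append("invalid port spec %r (%s)" % (port, proto))
        else:
            opened.append((port, proto))
    return opened, errors


if __name__ == "__main__":
    opened, errors = check_service(SAMPLE_SERVICE_XML)
    print("would open:", opened)
    print("problems:", errors)
```

Point it at /etc/firewalld/services/sample.xml (read the file into check_service) to review your own edit before running firewall-cmd --reload.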

Rich rules

  • Direct rules
    Allow hand-coded iptables rules to be inserted into firewalld
  • Rich rules
    Expressive language for creating rules:
    Port forwarding
    Logging rules
    Deny rules
    Allow rules

See the firewalld.richlanguage man page for the syntax.

firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address= reject'

firewall-cmd --permanent --add-rich-rule='rule service name="http" log limit value="3/m" accept'


Configuring NAT

Setup Zones

firewall-cmd --get-active-zones

firewall-cmd --list-all --zone=<zone name>

Set up a zone and add an interface to it

firewall-cmd --permanent --zone=internal --change-interface=eth1

Add masquerade to Public Zone

firewall-cmd --permanent --zone=public --add-masquerade

Reload after each configuration change: firewall-cmd --reload

Port Forwarding

Verify /proc/sys/net/ipv4/ip_forward (0 = off, 1 = on)

View current configuration

firewall-cmd --list-forward-ports

Add masquerade to Public zone.

firewall-cmd --permanent --zone=public --add-masquerade

Create a new port forward

firewall-cmd --zone=public --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=