
Playing with firewalld on RHEL 7

The Linux kernel includes a powerful network filtering subsystem called netfilter. The netfilter subsystem allows kernel modules to inspect every packet that travels through the system. Any incoming, outgoing or forwarded network packet can be inspected, modified, dropped or rejected programmatically before it reaches user space. But these rules need to be defined and injected into netfilter, and prior to RHEL 7 this could be done in two ways:

  1. Write the custom kernel modules to interact with netfilter.
  2. Use the iptables command to define the rules.

In the practical world we use the iptables command to define the firewall rules. But iptables is a very low-level program, and writing rules with it is difficult. Also, iptables doesn’t support IPv6. That’s why Red Hat has come up with a new utility called “firewalld”, which is used to interact with netfilter to define the rules.

In this article we will see the basic operations of firewalld using firewall-config (the GUI tool).

By default firewalld is installed with the base RHEL 7 installation, but it is not available if you go with the minimal installation.

1. To install firewalld, use the command below.

[root@server1-UA ~]#yum install firewalld
Loaded plugins: langpacks
rhel_dvd                                                                                                                                         | 4.1 kB  00:00:00
(1/2): rhel_dvd/group_gz                                                                                                                         | 134 kB  00:00:00
(2/2): rhel_dvd/primary_db                                                                                                                       | 3.4 MB  00:00:00
Package firewalld-0.3.9-7.el7.noarch already installed and latest version
Nothing to do
[root@server1-UA ~]#

2. There are three ways to interact with (configure) firewalld:

  • Directly editing the configuration files in /etc/firewalld.
  • Using the graphical firewall-config tool.
  • Using firewall-cmd from the command line.

If you can’t find the “firewall-config” command, use the command below to install the package.

[root@server1-UA ~]#yum install firewall-config
Loaded plugins: langpacks
Package firewall-config-0.3.9-7.el7.noarch already installed and latest version
Nothing to do
[root@server1-UA ~]#

Let’s see how the firewall-config’s graphical window works.

Server: Red Hat Enterprise Linux 7.

1. Log in to the server and run the “firewall-config” command from a graphical terminal. You will get a window like the one below.

# firewall-config

Firewall-config RHEL7

By default, firewalld is installed with pre-defined zones. Here “public” is the default zone and is the currently loaded one.

You can also check the currently loaded zone using the options below.

Currently loaded zone

2. Install the httpd package for testing purposes.

[root@server1-UA firewalld]#yum install httpd
Loaded plugins: langpacks
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-17.el7 will be installed
--> Processing Dependency: httpd-tools = 2.4.6-17.el7 for package: httpd-2.4.6-17.el7.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-17.el7.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-17.el7.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-17.el7.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-3.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
---> Package httpd-tools.x86_64 0:2.4.6-17.el7 will be installed
---> Package mailcap.noarch 0:2.1.41-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package      Arch    Version       Repository Size
 httpd        x86_64  2.4.6-17.el7  rhel_dvd  1.2 M
Installing for dependencies:
 apr          x86_64  1.4.8-3.el7   rhel_dvd  103 k
 apr-util     x86_64  1.5.2-6.el7   rhel_dvd   92 k
 httpd-tools  x86_64  2.4.6-17.el7  rhel_dvd   77 k
 mailcap      noarch  2.1.41-2.el7  rhel_dvd   31 k

Transaction Summary
Install  1 Package (+4 Dependent packages)

Total download size: 1.5 M
Installed size: 4.3 M
Is this ok [y/d/N]: y
Downloading packages:
(1/5): apr-1.4.8-3.el7.x86_64.rpm                         | 103 kB  00:00:00
(2/5): apr-util-1.5.2-6.el7.x86_64.rpm                    |  92 kB  00:00:00
(3/5): httpd-tools-2.4.6-17.el7.x86_64.rpm                |  77 kB  00:00:00
(4/5): httpd-2.4.6-17.el7.x86_64.rpm                      | 1.2 MB  00:00:00
(5/5): mailcap-2.1.41-2.el7.noarch.rpm                    |  31 kB  00:00:00
Total               2.4 MB/s | 1.5 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-3.el7.x86_64           1/5
  Installing : apr-util-1.5.2-6.el7.x86_64      2/5
  Installing : httpd-tools-2.4.6-17.el7.x86_64  3/5
  Installing : mailcap-2.1.41-2.el7.noarch      4/5
  Installing : httpd-2.4.6-17.el7.x86_64        5/5
  Verifying  : mailcap-2.1.41-2.el7.noarch      1/5
  Verifying  : httpd-tools-2.4.6-17.el7.x86_64  2/5
  Verifying  : apr-1.4.8-3.el7.x86_64           3/5
  Verifying  : apr-util-1.5.2-6.el7.x86_64      4/5
  Verifying  : httpd-2.4.6-17.el7.x86_64        5/5

  httpd.x86_64 0:2.4.6-17.el7

Dependency Installed:
apr.x86_64 0:1.4.8-3.el7             apr-util.x86_64 0:1.5.2-6.el7             
httpd-tools.x86_64 0:2.4.6-17.el7       mailcap.noarch 0:2.1.41-2.el7

[root@server1-UA firewalld]#

3. Start the httpd service using the systemctl command.

[root@server1-UA firewalld]#systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@server1-UA firewalld]#systemctl start httpd
[root@server1-UA firewalld]#systemctl status httpd
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since Thu 2015-04-23 17:32:42 EDT; 1s ago
 Main PID: 7783 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─7783 /usr/sbin/httpd -DFOREGROUND
           ├─7784 /usr/sbin/httpd -DFOREGROUND
           ├─7785 /usr/sbin/httpd -DFOREGROUND
           ├─7786 /usr/sbin/httpd -DFOREGROUND
           ├─7787 /usr/sbin/httpd -DFOREGROUND
           └─7788 /usr/sbin/httpd -DFOREGROUND

Apr 23 17:32:42 server1.example.com systemd[1]: Started The Apache HTTP Server.
[root@server1-UA firewalld]#

4. Make sure that you have already disabled the iptables service, and verify that firewalld is online.

[root@server1-UA firewalld]#systemctl mask iptables.service
ln -s '/dev/null' '/etc/systemd/system/iptables.service'
[root@server1-UA firewalld]#systemctl mask ip6tables.service
ln -s '/dev/null' '/etc/systemd/system/ip6tables.service'
[root@server1-UA firewalld]#systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Wed 2015-04-22 22:59:42 EDT; 18h ago
 Main PID: 463 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─463 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Apr 22 22:59:42 server1.example.com systemd[1]: Started firewalld - dynamic firewall daemon.
[root@server1-UA firewalld]#

5. Create the index.html file under the /var/www/html directory.

[root@server1-UA /]#cd /var/www/html/
[root@server1-UA html]#ls -lrt
total 0
[root@server1-UA html]#touch index.html
[root@server1-UA html]# echo "welcome to UnixArena" > index.html 
total 12
-rw-r--r--. 1 root root 0 Apr 23 17:51 index.html
[root@server1-UA html]#

6. Open a browser and enter the server IP. You will get a web page like the one below.

Try to access webpage

7. Try to access the server from another host’s browser. The web page will not load by default, because the system firewall blocks the external IP.

8. Let me try to open a port to the external network in firewall-config. Select “Runtime” in the Configuration drop-down and tick “http” to open the port in the runtime configuration.

Check the "http"

9. From the Options menu, reload firewalld.

Reload the firewalld

At this point, you should be able to access the web page from the external network.

If you would like to make the change permanent (open the port for the http service across reloads and reboots), select “Permanent” in the Configuration drop-down and tick “http” in the Services tab.

Opening port permanently
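The same runtime and permanent changes can be made with firewall-cmd, the third method listed earlier. The script below is an added example, not part of the original article; it assumes firewalld is running and the default zone is “public” as on the server above. It also adds the check a practitioner wants after working in the GUI: a reload replaces the runtime configuration with the permanent one, so any service that was only opened in the Runtime view disappears, and runtime_only_services reports exactly those.

```shell
# Return the services present in the runtime list but missing from the
# permanent list, one per line. Both arguments are space-separated lists in
# the format printed by "firewall-cmd --list-services".
runtime_only_services() {
    runtime="$1"
    permanent="$2"
    for svc in $runtime; do
        case " $permanent " in
            *" $svc "*) ;;                 # also persisted, nothing to report
            *) printf '%s\n' "$svc" ;;     # runtime only: lost on reload/reboot
        esac
    done
}

# Open http in the runtime configuration only (what ticking "http" in the
# Runtime view of firewall-config does). Takes effect immediately.
open_http_runtime() {
    firewall-cmd --zone=public --add-service=http
}

# Persist http (the Permanent view) and then reload so that the permanent
# configuration becomes the new runtime configuration.
open_http_permanent() {
    firewall-cmd --permanent --zone=public --add-service=http \
        && firewall-cmd --reload
}

# Compare the live rules with the saved ones for the public zone and print
# every service that would vanish on the next reload or reboot.
report_drift() {
    runtime_only_services \
        "$(firewall-cmd --zone=public --list-services)" \
        "$(firewall-cmd --permanent --zone=public --list-services)"
}

# Usage, as root:  open_http_runtime; report_drift; open_http_permanent; report_drift
```

Running report_drift before open_http_permanent prints “http”; after it the output is empty, which confirms the change survives a reload.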

Hope this article helps.
