The Linux kernel includes a powerful network filtering subsystem called netfilter. It allows kernel modules to inspect every packet travelling to, from or through the system: any incoming, outgoing or forwarded packet can be inspected, modified, dropped or rejected programmatically before it reaches user space. These filtering rules have to be defined and loaded into netfilter, which, prior to RHEL 7, could be done in two ways.
- Write the custom kernel modules to interact with netfilter.
- Use the iptables command to define the rules.
In practice, we use the iptables command to define the firewall rules. But iptables is a very low-level program and its rules are difficult to write. Also, iptables doesn’t support ipv6. That’s why Red Hat has come up with a new utility called “firewalld”, which interacts with netfilter to define the rules.
In this article, we will see the basic operations of firewalld using firewall-config (the GUI-based tool).
By default, firewalld is installed with the base RHEL 7 installation, but it is not present if you chose the minimal installation.
1. To install firewalld, use the below command.
[root@server1-UA ~]#yum install firewalld
Loaded plugins: langpacks
rhel_dvd                                  | 4.1 kB  00:00:00
(1/2): rhel_dvd/group_gz                  | 134 kB  00:00:00
(2/2): rhel_dvd/primary_db                | 3.4 MB  00:00:00
Package firewalld-0.3.9-7.el7.noarch already installed and latest version
Nothing to do
[root@server1-UA ~]#
2. There are three ways to interact with (configure) firewalld.
- Directly editing configuration files in /etc/firewalld.
- Using the graphical firewall-config tool.
- Using firewall-cmd from the command line.
If you can’t find the “firewall-config” command, use the below command to install the package.
[root@server1-UA ~]#yum install firewall-config
Loaded plugins: langpacks
Package firewall-config-0.3.9-7.el7.noarch already installed and latest version
Nothing to do
[root@server1-UA ~]#
Let’s see how the firewall-config graphical window works.
Server – Red Hat Enterprise Linux 7.
1. Log in to the server and run the “firewall-config” command from a graphical terminal. You will get a window like the one below.
# firewall-config
By default, firewalld comes with pre-defined zones. Here “public” is the default zone and the one currently loaded.
You can check the currently loaded zone using the options below as well.
2. Install the httpd package for testing purposes.
[root@server1-UA firewalld]#yum install httpd
Loaded plugins: langpacks
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.6-17.el7 will be installed
--> Processing Dependency: httpd-tools = 2.4.6-17.el7 for package: httpd-2.4.6-17.el7.x86_64
--> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-17.el7.x86_64
--> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-17.el7.x86_64
--> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-17.el7.x86_64
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-3.el7 will be installed
---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
---> Package httpd-tools.x86_64 0:2.4.6-17.el7 will be installed
---> Package mailcap.noarch 0:2.1.41-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

======================================================
 Package        Arch      Version         Repository   Size
======================================================
Installing:
 httpd          x86_64    2.4.6-17.el7    rhel_dvd     1.2 M
Installing for dependencies:
 apr            x86_64    1.4.8-3.el7     rhel_dvd     103 k
 apr-util       x86_64    1.5.2-6.el7     rhel_dvd      92 k
 httpd-tools    x86_64    2.4.6-17.el7    rhel_dvd      77 k
 mailcap        noarch    2.1.41-2.el7    rhel_dvd      31 k

Transaction Summary
======================================================
Install  1 Package (+4 Dependent packages)

Total download size: 1.5 M
Installed size: 4.3 M
Is this ok [y/d/N]: y
Downloading packages:
(1/5): apr-1.4.8-3.el7.x86_64.rpm               | 103 kB  00:00:00
(2/5): apr-util-1.5.2-6.el7.x86_64.rpm          |  92 kB  00:00:00
(3/5): httpd-tools-2.4.6-17.el7.x86_64.rpm      |  77 kB  00:00:00
(4/5): httpd-2.4.6-17.el7.x86_64.rpm            | 1.2 MB  00:00:00
(5/5): mailcap-2.1.41-2.el7.noarch.rpm          |  31 kB  00:00:00
-----------------------------------------------------------------------------
Total                                   2.4 MB/s | 1.5 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-3.el7.x86_64                 1/5
  Installing : apr-util-1.5.2-6.el7.x86_64            2/5
  Installing : httpd-tools-2.4.6-17.el7.x86_64        3/5
  Installing : mailcap-2.1.41-2.el7.noarch            4/5
  Installing : httpd-2.4.6-17.el7.x86_64              5/5
  Verifying  : mailcap-2.1.41-2.el7.noarch            1/5
  Verifying  : httpd-tools-2.4.6-17.el7.x86_64        2/5
  Verifying  : apr-1.4.8-3.el7.x86_64                 3/5
  Verifying  : apr-util-1.5.2-6.el7.x86_64            4/5
  Verifying  : httpd-2.4.6-17.el7.x86_64              5/5

Installed:
  httpd.x86_64 0:2.4.6-17.el7

Dependency Installed:
  apr.x86_64 0:1.4.8-3.el7            apr-util.x86_64 0:1.5.2-6.el7
  httpd-tools.x86_64 0:2.4.6-17.el7   mailcap.noarch 0:2.1.41-2.el7

Complete!
[root@server1-UA firewalld]#
3. Enable and start the httpd service using the systemctl command.
[root@server1-UA firewalld]#systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@server1-UA firewalld]#systemctl start httpd
[root@server1-UA firewalld]#systemctl status httpd
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since Thu 2015-04-23 17:32:42 EDT; 1s ago
 Main PID: 7783 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─7783 /usr/sbin/httpd -DFOREGROUND
           ├─7784 /usr/sbin/httpd -DFOREGROUND
           ├─7785 /usr/sbin/httpd -DFOREGROUND
           ├─7786 /usr/sbin/httpd -DFOREGROUND
           ├─7787 /usr/sbin/httpd -DFOREGROUND
           └─7788 /usr/sbin/httpd -DFOREGROUND

Apr 23 17:32:42 server1.example.com systemd[1]: Started The Apache HTTP Server.
[root@server1-UA firewalld]#
4. Make sure that you have already disabled (masked) the iptables and ip6tables services, and verify that firewalld is running.
[root@server1-UA firewalld]#systemctl mask iptables.service
ln -s '/dev/null' '/etc/systemd/system/iptables.service'
[root@server1-UA firewalld]#systemctl mask ip6tables.service
ln -s '/dev/null' '/etc/systemd/system/ip6tables.service'
[root@server1-UA firewalld]#systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Wed 2015-04-22 22:59:42 EDT; 18h ago
 Main PID: 463 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─463 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Apr 22 22:59:42 server1.example.com systemd[1]: Started firewalld - dynamic firewall daemon.
[root@server1-UA firewalld]#
5. Create the index.html file under the /var/www/html directory.
[root@server1-UA /]#cd /var/www/html/
[root@server1-UA html]#ls -lrt
total 0
[root@server1-UA html]#touch index.html
[root@server1-UA html]# echo "welcome to UnixArena" > index.html
total 12
-rw-r--r--. 1 root root 0 Apr 23 17:51 index.html
[root@server1-UA html]#
6. Open a browser on the server and enter the server IP. You will get a webpage like the one below.
7. Try to access the server from another host’s browser. The webpage will not load by default, because the system firewall blocks the connection from the external IP.
8. Let me try to open the port to the external network in firewall-config. Select “Runtime” in the Configuration drop-down and tick “http” in the Services tab to open the port at runtime.
9. From the Options menu, reload firewalld.
At this point, you should be able to access the webpage from the external network.
If you would like to make the change permanent (to open the port for the http service), select “Permanent” from the Configuration drop-down and tick http in the Services tab.
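The same runtime-versus-permanent distinction that the GUI exposes is available from firewall-cmd, the third configuration method listed above. The script below is an added example for this article, not code from the original page or from the firewalld project: it wraps the firewall-cmd calls that match the GUI steps above, and adds a check that reads the "firewall-cmd --list-all" output and reports whether a service is allowed in the zone. One point worth keeping in mind is that a reload re-reads the permanent configuration and discards runtime-only changes, so a service opened only at runtime disappears at the next reload; the runtime_only function flags exactly that situation. The zone name "public" matches the article's default zone, and the two --list-all dumps are constructed by hand so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original article: the firewall-cmd equivalent of
# the firewall-config steps (runtime vs. permanent), plus a small check that
# reads "firewall-cmd --list-all" output and tells whether a service is allowed.
# Assumptions: the zone is "public" (the article's default zone) and the sample
# dumps below are constructed by hand so the check can be exercised offline.

# Runtime change: active immediately, but discarded by a reload or restart.
allow_http_runtime() {
    firewall-cmd --zone=public --add-service=http
}

# Permanent change: written to /etc/firewalld/zones/public.xml and only
# activated by the reload that follows.
allow_http_permanent() {
    firewall-cmd --permanent --zone=public --add-service=http &&
        firewall-cmd --reload
}

# Read a --list-all dump on stdin; print "yes" if the service named in $1 is
# on the "services:" line, otherwise "no".
zone_allows_service() {
    awk -v svc="$1" '
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == svc) found = 1 }
        END { print (found ? "yes" : "no") }'
}

# Compare a runtime dump ("--list-all", $2) with a permanent one
# ("--permanent --list-all", $3): "yes" means the service $1 is open now but
# will vanish at the next reload, the trap the Runtime/Permanent switch sets.
runtime_only() {
    r=$(printf '%s\n' "$2" | zone_allows_service "$1")
    p=$(printf '%s\n' "$3" | zone_allows_service "$1")
    if [ "$r" = yes ] && [ "$p" = no ]; then echo yes; else echo no; fi
}

# Constructed samples of "firewall-cmd --zone=public --list-all" on RHEL 7,
# before and after the http service was added.
SAMPLE_BEFORE='public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

SAMPLE_AFTER='public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

if command -v firewall-cmd >/dev/null 2>&1; then
    # On a real host: report whether http is allowed in the public zone now.
    firewall-cmd --zone=public --list-all | zone_allows_service http
else
    # Offline: run the check over the constructed dumps.
    printf '%s\n' "$SAMPLE_BEFORE" | zone_allows_service http   # no
    printf '%s\n' "$SAMPLE_AFTER"  | zone_allows_service http   # yes
    runtime_only http "$SAMPLE_AFTER" "$SAMPLE_BEFORE"          # yes
fi
```

To verify a change on a live host, run the runtime dump through zone_allows_service and, separately, the output of firewall-cmd --permanent --zone=public --list-all; if runtime_only reports yes for http, the service was opened at runtime only and will close again when firewalld is reloaded, so allow_http_permanent is the call that makes the article's step 8 survive.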
Hope this article helps.