Firewalld – RHEL 7 & CentOS 7

There are a couple of excellent articles on FirewallD, and I’ll attribute them as follows. Remember to check out the comments sections where available, since there are some insightful contributions:

Resources

How To Set Up a Firewall Using FirewallD on CentOS 7

A few ways to configure Linux firewalld

RHEL7: How to get started with Firewalld.

What Is FirewallD and How It Works (firewall-cmd)

Firewalld configuration and usage

centos 7 – open firewall port

How to open a port in the firewall on CentOS or RHEL

Snippets

Below are some of the neat things I gleaned from the above resources:

Firewalld is the default firewall on a CentOS minimal install, and it is managed by the firewall-cmd administrative tool.

The firewalld daemon encapsulates groups of rules into what are termed zones. These rules dictate what traffic should be allowed depending on the level of “trust” in the network your computer is connected to.

Zones are activated by adding network interfaces to them. The default zone after a CentOS minimal install is the public zone. Here you’ll find a nice description of the different zones. Remember: check which zones are active, then add rules (e.g. enabling ports) on those zones instead of blindly opening ports in all the zones.

To allow traffic between network interfaces, remember to enable IP forwarding.

Interfaces will always revert to the default zone if they do not have an alternative zone defined within their configuration. On CentOS, these configurations are defined within the /etc/sysconfig/network-scripts directory, in files of the form ifcfg-interface. To define a zone for an interface, open the file associated with the interface you’d like to modify.

In case you’d rather switch back to iptables, follow the instructions here.

NOTE: Firewalld relies on NetworkManager. This means that if you plan to stop NetworkManager for any reason (for example when building a KVM host), you will have to stop firewalld and use iptables instead!

Masquerading: If your firewall is your network gateway and you don’t want everybody to know your internal addresses, you can set up two zones, one called internal and the other external, and configure masquerading on the external zone. This way, all outgoing packets will carry your firewall’s IP address as their source address.

Services: There are a few basic building blocks in the zones — services are the most important. Firewalld uses its own set of services, configured using XML files in the directories /usr/lib/firewalld/services (for the system default services) and /etc/firewalld/services (for services that you, the administrator, create). If the same service is found in both locations, the definition in /etc/firewalld/services takes precedence.

The firewall-cmd command is one of several ways to configure firewalld. Alternatively, you can edit the zone configuration file directly. This doesn’t give you any feedback on wrong syntax, but it’s a clean and straightforward configuration file that is easy to modify and distribute across multiple servers.

Virtual Box Connect to HTTP Server on Guest OS

Problem

I have a Guest OS on VirtualBox, running on an Ubuntu-based Host OS. I can ping and ssh into my CentOS 7 Guest OS from the host after using the Host-Only Networking option in VirtualBox.

The problem came in when I tried reaching the Guest OS’s IP in the Host OS web browser. I’d get this error:

(screenshot: Host OS web browser error)

Telnet from the host to the Guest IP gave the following error:

telnet 192.168.56.102 80
telnet: Unable to connect to remote host: No route to host

Troubleshooting

  • Checked whether the port was open and whether the firewall was running on the Guest OS (screenshot: check-port-firewall-on-guest-OS).
  • Tried to telnet to the port from the Guest OS itself; this was successful (screenshot: telnet-from-guestOS).
  • Tried to ping the Guest IP from the Host, and this was successful (screenshot: ping-host-to-guest).

Solution

After some doodling, I found this pointer.

Starting with CentOS and RHEL 7, firewall rule settings are managed by the firewalld service daemon. A command-line client called firewall-cmd can talk to this daemon to update firewall rules permanently.

service firewalld status
(screenshot: firewalld was running)

So after stopping firewalld, I was able to telnet to port 80 and also get a response on the web browser:

service firewalld stop
(screenshots: firewalld stopped; telnet from host to guest successful; host web browser now loads the page)

NB: An alternative to stopping the firewall is to open up the http service/port on the firewall. This can be achieved as explained here.
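As an added example (not code from the original post or from firewalld itself), the script below ties together the zone file the first post describes and the alternative suggested in the NB above: it renders a zone XML of the kind found under /etc/firewalld/zones/ (services, ports, optional masquerading for the external zone), checks an existing zone file for a service, and, with firewall-cmd, opens a service only in the zone actually bound to an interface rather than stopping firewalld. Zone, interface and service names (external, enp0s8, http, port 8080) are placeholders chosen for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholders: zone/interface/
# service names and port numbers are demo values, not a recommended policy.

# Render a firewalld zone file (same layout as /usr/lib/firewalld/zones/*.xml).
# Usage: render_zone NAME "svc1 svc2" "proto/port ..." [yes]   (yes = masquerade)
render_zone() {
  name=$1; services=$2; ports=$3; masq=${4:-no}
  printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n'
  printf '  <short>%s</short>\n' "$name"
  for s in $services; do printf '  <service name="%s"/>\n' "$s"; done
  for p in $ports; do
    printf '  <port protocol="%s" port="%s"/>\n' "${p%%/*}" "${p#*/}"
  done
  # Masquerading belongs on the gateway-facing (external) zone only.
  [ "$masq" = yes ] && printf '  <masquerade/>\n'
  printf '</zone>\n'
}

# Is SERVICE allowed in an existing zone file?
# Usage: zone_allows /etc/firewalld/zones/public.xml http
zone_allows() {
  grep -q "<service name=\"$2\"/>" "$1"
}

# Live change: find the zone bound to IFACE, add SERVICE there permanently,
# reload, and show the result. Run as root on a host with firewalld running.
open_service_for_iface() {
  iface=$1; svc=$2
  zone=$(firewall-cmd --get-zone-of-interface="$iface") || return 1
  firewall-cmd --permanent --zone="$zone" --add-service="$svc" &&
    firewall-cmd --reload &&
    firewall-cmd --zone="$zone" --list-services
}

# `sh fwzone.sh demo` prints a gateway-style external zone to stdout;
# `sh fwzone.sh open enp0s8 http` applies the live change for that interface.
case "${1:-}" in
  demo) render_zone external "ssh http" "tcp/8080" yes ;;
  open) open_service_for_iface "$2" "$3" ;;
esac
```

Redirect the demo output to /etc/firewalld/zones/external.xml and run firewall-cmd --reload to load it; the file can then be copied unchanged to other servers.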

Resources

Virtualbox: How to access web server on guest OS from the host OS?

A few ways to configure Linux firewalld

RHEL 7 / CentOS 7: How to get started with Firewalld

RHEL7: How to get started with Firewalld.

How to open a port in the firewall on CentOS or RHEL