Difference between revisions of "Additional Firewall-Cmd Commands"
(Created page with "#Basic firewall-cmd setups sudo firewall-cmd --zone=public --add-port=22/tcp --permanent sudo firewall-cmd --zone=public --add-port=80/tcp --permanent sudo firewall-cmd --zone...") |
|||
| Line 1: | Line 1: | ||
| − | #Basic firewall-cmd setups | + | ''# Basic firewall-cmd setups'' |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | <code>sudo firewall-cmd --zone=public --add-port=22/tcp --permanent</code> | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | firewall-cmd --zone=public -- | ||
| − | |||
| − | # Add Permanently to Public Zone | + | <code>sudo firewall-cmd --zone=public --add-port=80/tcp --permanent</code> |
| − | sudo firewall-cmd --permanent --zone=public --add-service=http --add-service=https | + | |
| − | sudo firewall-cmd --reload | + | <code>sudo firewall-cmd --zone=public --add-port=443/tcp --permanent</code> |
| + | |||
| + | <code>sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent</code> | ||
| + | |||
| + | <code>sudo firewall-cmd --zone=public --add-port=10000/tcp --permanent</code> | ||
| + | |||
| + | <code>sudo firewall-cmd --reload</code> | ||
| + | |||
| + | <nowiki>#</nowiki> Query Firewall Settings | ||
| + | |||
| + | <code>firewall-cmd --list-all</code> | ||
| + | |||
| + | <code>firewall-cmd --list-all-zones</code> | ||
| + | |||
| + | <code>firewall-cmd --get-default-zone</code> | ||
| + | |||
| + | <code>firewall-cmd --get-active-zones</code> | ||
| + | |||
| + | <code>firewall-cmd --list-services</code> | ||
| + | |||
| + | <code>firewall-cmd --list-ports</code> | ||
| + | |||
| + | <code>firewall-cmd --zone=public --list-services</code> | ||
| + | |||
| + | <code>firewall-cmd --zone=internal --list-services</code> | ||
| + | |||
| + | <nowiki>#</nowiki> Add Permanently to Public Zone | ||
| + | |||
| + | <code>sudo firewall-cmd --permanent --zone=public --add-service=http --add-service=https | ||
| + | sudo firewall-cmd --reload</code> | ||
# Add Temporarily to Internal Zone | # Add Temporarily to Internal Zone | ||
| − | firewall-cmd --zone=internal --add-service=ssh | + | firewall-cmd --zone=internal --add-service=ssh |
firewall-cmd --zone=internal --add-source=154.160.26.149/16 | firewall-cmd --zone=internal --add-source=154.160.26.149/16 | ||
| − | firewall-cmd --zone=internal --add-source=102.176.65.133/16 | + | firewall-cmd --zone=internal --add-source=102.176.65.133/16 |
| − | firewall-cmd --zone=public --remove-service=ssh | + | firewall-cmd --zone=public --remove-service=ssh |
firewall-cmd --zone=public --remove-port=22/tcp | firewall-cmd --zone=public --remove-port=22/tcp | ||
# Commit Temporary Changes Permanently | # Commit Temporary Changes Permanently | ||
| Line 30: | Line 45: | ||
# Remove an IP from Allowed IPs | # Remove an IP from Allowed IPs | ||
firewall-cmd --zone=internal --remove-source=102.176.65.133/16 | firewall-cmd --zone=internal --remove-source=102.176.65.133/16 | ||
| − | |||
#DOCKER FIREWALLD | #DOCKER FIREWALLD | ||
# Masquerading allows for docker ingress and egress (this is the juicy bit) | # Masquerading allows for docker ingress and egress (this is the juicy bit) | ||
firewall-cmd --zone=public --add-masquerade --permanent | firewall-cmd --zone=public --add-masquerade --permanent | ||
| − | |||
# Specifically allow incoming traffic on port 80/443 (nothing new here) | # Specifically allow incoming traffic on port 80/443 (nothing new here) | ||
firewall-cmd --zone=public --add-port=80/tcp | firewall-cmd --zone=public --add-port=80/tcp | ||
| Line 42: | Line 55: | ||
# Reload firewall to apply permanent rules | # Reload firewall to apply permanent rules | ||
firewall-cmd --reload | firewall-cmd --reload | ||
| − | |||
# docker firewalld 2 | # docker firewalld 2 | ||
# Check what interface docker is using, e.g. 'docker0' | # Check what interface docker is using, e.g. 'docker0' | ||
ip link show | ip link show | ||
| − | |||
# Check available firewalld zones, e.g. 'public' | # Check available firewalld zones, e.g. 'public' | ||
sudo firewall-cmd --get-active-zones | sudo firewall-cmd --get-active-zones | ||
| − | |||
# Check what zone the docker interface it bound to, most likely 'no zone' yet | # Check what zone the docker interface it bound to, most likely 'no zone' yet | ||
sudo firewall-cmd --get-zone-of-interface=docker0 | sudo firewall-cmd --get-zone-of-interface=docker0 | ||
| − | |||
# So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload | # So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload | ||
sudo nmcli connection modify docker0 connection.zone public | sudo nmcli connection modify docker0 connection.zone public | ||
| − | |||
# Masquerading allows for docker ingress and egress (this is the juicy bit) | # Masquerading allows for docker ingress and egress (this is the juicy bit) | ||
sudo firewall-cmd --zone=public --add-masquerade --permanent | sudo firewall-cmd --zone=public --add-masquerade --permanent | ||
Revision as of 08:12, 31 January 2021
# Basic firewall-cmd setups
sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --add-port=10000/tcp --permanent
sudo firewall-cmd --reload
# Query Firewall Settings
firewall-cmd --list-all
firewall-cmd --list-all-zones
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
firewall-cmd --list-services
firewall-cmd --list-ports
firewall-cmd --zone=public --list-services
firewall-cmd --zone=internal --list-services
# Add Permanently to Public Zone
sudo firewall-cmd --permanent --zone=public --add-service=http --add-service=https
sudo firewall-cmd --reload
- Add Temporarily to Internal Zone
firewall-cmd --zone=internal --add-service=ssh firewall-cmd --zone=internal --add-source=154.160.26.149/16 firewall-cmd --zone=internal --add-source=102.176.65.133/16 firewall-cmd --zone=public --remove-service=ssh firewall-cmd --zone=public --remove-port=22/tcp
- Commit Temporary Changes Permanently
firewall-cmd --runtime-to-permanent
- Remove an IP from Allowed IPs
firewall-cmd --zone=internal --remove-source=102.176.65.133/16
- DOCKER FIREWALLD
- Masquerading allows for docker ingress and egress (this is the juicy bit)
firewall-cmd --zone=public --add-masquerade --permanent
- Specifically allow incoming traffic on port 80/443 (nothing new here)
firewall-cmd --zone=public --add-port=80/tcp firewall-cmd --zone=public --add-port=443/tcp
- Reload firewall to apply permanent rules
firewall-cmd --reload
- docker firewalld 2
- Check what interface docker is using, e.g. 'docker0'
ip link show
- Check available firewalld zones, e.g. 'public'
sudo firewall-cmd --get-active-zones
- Check what zone the docker interface it bound to, most likely 'no zone' yet
sudo firewall-cmd --get-zone-of-interface=docker0
- So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload
sudo nmcli connection modify docker0 connection.zone public
- Masquerading allows for docker ingress and egress (this is the juicy bit)
sudo firewall-cmd --zone=public --add-masquerade --permanent
- Optional open required incomming ports (wasn't required in my tests)
- sudo firewall-cmd --zone=public --add-port=443/tcp
- Reload firewalld
sudo firewall-cmd --reload
- Reload dockerd
sudo systemctl restart docker