Difference between revisions of "Additional Firewall-Cmd Commands"

Revision as of 08:22, 31 January 2021

# Basic firewall-cmd setups

sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --add-port=10000/tcp --permanent
sudo firewall-cmd --reload

# Query Firewall Settings

firewall-cmd --list-all
firewall-cmd --list-all-zones
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
firewall-cmd --list-services
firewall-cmd --list-ports
firewall-cmd --zone=public --list-services
firewall-cmd --zone=internal --list-services

# Add Permanently to Public Zone

sudo firewall-cmd --permanent --zone=public --add-service=http --add-service=https sudo firewall-cmd --reload

# Add Temporarily to Internal Zone

firewall-cmd --zone=internal --add-service=ssh
firewall-cmd --zone=internal --add-source=154.160.26.149/16
firewall-cmd --zone=internal --add-source=102.176.65.133/16
firewall-cmd --zone=public --remove-service=ssh
firewall-cmd --zone=public --remove-port=22/tcp

# Commit Temporary Changes Permanently

firewall-cmd --runtime-to-permanent

# Remove an IP from Allowed IPs

firewall-cmd --zone=internal --remove-source=102.176.65.133/16

# DOCKER FIREWALLD

# Masquerading allows for docker ingress and egress (this is the juicy bit)

firewall-cmd --zone=public --add-masquerade --permanent

# Specifically allow incoming traffic on port 80/443 (nothing new here)

firewall-cmd --zone=public --add-port=80/tcp

firewall-cmd --zone=public --add-port=443/tcp

# Reload firewall to apply permanent rules

firewall-cmd --reload

# docker firewalld 2

# Check what interface docker is using, e.g. 'docker0'

ip link show

# Check available firewalld zones, e.g. 'public'

sudo firewall-cmd --get-active-zones

# Check what zone the docker interface it bound to, most likely 'no zone' yet

sudo firewall-cmd --get-zone-of-interface=docker0

# So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload

sudo nmcli connection modify docker0 connection.zone public

# Masquerading allows for docker ingress and egress (this is the juicy bit)

sudo firewall-cmd --zone=public --add-masquerade --permanent

# Optional open required incomming ports (wasn't required in my tests)

sudo firewall-cmd --zone=public --add-port=443/tcp

# Reload firewalld

sudo firewall-cmd --reload

# Reload dockerd

sudo systemctl restart docker

@@ Line 19: / Line 19: @@
 <code>sudo firewall-cmd --permanent --zone=public --add-service=http --add-service=https
 sudo firewall-cmd --reload</code>
+''# Add Temporarily to Internal Zone''<syntaxhighlight lang="shell">
-''# Add Temporarily to Internal Zone''
+firewall-cmd --zone=internal --add-service=ssh
+firewall-cmd --zone=internal --add-source=154.160.26.149/16
-firewall-cmd --zone=internal --add-service=ssh
+firewall-cmd --zone=internal --add-source=102.176.65.133/16
+firewall-cmd --zone=public --remove-service=ssh
-firewall-cmd --zone=internal --add-source=154.160.26.149/16
+firewall-cmd --zone=public --remove-port=22/tcp
+</syntaxhighlight>''# Commit Temporary Changes Permanently''
-firewall-cmd --zone=internal --add-source=102.176.65.133/16
+<code>firewall-cmd --runtime-to-permanent</code>
-firewall-cmd --zone=public --remove-service=ssh
-firewall-cmd --zone=public --remove-port=22/tcp
-''# Commit Temporary Changes Permanently''
-firewall-cmd --runtime-to-permanent
 ''# Remove an IP from Allowed IPs''
-firewall-cmd --zone=internal --remove-source=102.176.65.133/16
+<code>firewall-cmd --zone=internal --remove-source=102.176.65.133/16</code>
 ''# DOCKER FIREWALLD''
 ''# Masquerading allows for docker ingress and egress (this is the juicy bit)''
-firewall-cmd --zone=public --add-masquerade --permanent
+<code>firewall-cmd --zone=public --add-masquerade --permanent</code>
 ''# Specifically allow incoming traffic on port 80/443 (nothing new here)''
-firewall-cmd --zone=public --add-port=80/tcp
+<code>firewall-cmd --zone=public --add-port=80/tcp</code>
-firewall-cmd --zone=public --add-port=443/tcp
+<code>firewall-cmd --zone=public --add-port=443/tcp</code>
 ''# Reload firewall to apply permanent rules''
-firewall-cmd --reload
+<code>firewall-cmd --reload</code>
 ''# docker firewalld 2''
@@ Line 60: / Line 52: @@
 ''# Check what interface docker is using, e.g. 'docker0'''
-ip link show
+<code>ip link show</code>
 ''# Check available firewalld zones, e.g. 'public'''
-sudo firewall-cmd --get-active-zones
+<code>sudo firewall-cmd --get-active-zones</code>
 ''# Check what zone the docker interface it bound to, most likely 'no zone' yet''
-sudo firewall-cmd --get-zone-of-interface=docker0
+<code>sudo firewall-cmd --get-zone-of-interface=docker0</code>
 ''# So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload''
-sudo nmcli connection modify docker0 connection.zone public
+<code>sudo nmcli connection modify docker0 connection.zone public</code>
 ''# Masquerading allows for docker ingress and egress (this is the juicy bit)''
-sudo firewall-cmd --zone=public --add-masquerade --permanent
+<code>sudo firewall-cmd --zone=public --add-masquerade --permanent</code>
 ''# Optional open required incomming ports (wasn't required in my tests)''
-sudo firewall-cmd --zone=public --add-port=443/tcp
+<code>sudo firewall-cmd --zone=public --add-port=443/tcp</code>
 ''# Reload firewalld''
-sudo firewall-cmd --reload
+<code>sudo firewall-cmd --reload</code>
 ''# Reload dockerd''
-sudo systemctl restart docker
+<code>sudo systemctl restart docker</code>

Difference between revisions of "Additional Firewall-Cmd Commands"

Revision as of 08:22, 31 January 2021

Navigation menu

Search