Difference between revisions of "Additional Firewall-Cmd Commands"

From Rhomicom Wiki

Revision as of 08:14, 31 January 2021

# Basic firewall-cmd setups

sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --add-port=10000/tcp --permanent
sudo firewall-cmd --reload

# Query Firewall Settings

firewall-cmd --list-all
firewall-cmd --list-all-zones
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
firewall-cmd --list-services
firewall-cmd --list-ports
firewall-cmd --zone=public --list-services
firewall-cmd --zone=internal --list-services

# Add Permanently to Public Zone

sudo firewall-cmd --permanent --zone=public --add-service=http --add-service=https
sudo firewall-cmd --reload

# Add Temporarily to Internal Zone

firewall-cmd --zone=internal --add-service=ssh
firewall-cmd --zone=internal --add-source=154.160.26.149/16
firewall-cmd --zone=internal --add-source=102.176.65.133/16
firewall-cmd --zone=public --remove-service=ssh
firewall-cmd --zone=public --remove-port=22/tcp

# Commit Temporary Changes Permanently

firewall-cmd --runtime-to-permanent

# Remove an IP from Allowed IPs

firewall-cmd --zone=internal --remove-source=102.176.65.133/16
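Runtime rules like the ones above are lost on the next reload unless committed with --runtime-to-permanent, while a --permanent change is not enforced until a reload. The script below is an added example, not from this wiki page: it diffs a zone's runtime and permanent --list-all output to show both kinds of drift; the listings are constructed samples, and the interface name eth1 and port 8443/tcp are assumed.

```sh
# Added example (not from the wiki page): report rules that exist only in the
# runtime configuration (lost on --reload unless --runtime-to-permanent is run)
# or only in the permanent configuration (not active until --reload).
# The two samples are constructed to look like "firewall-cmd --zone=internal --list-all".

SAMPLE_RUNTIME='internal (active)
  interfaces: eth1
  sources: 154.160.26.149/16 102.176.65.133/16
  services: dhcpv6-client mdns ssh
  ports:
  masquerade: no'

SAMPLE_PERMANENT='internal
  interfaces: eth1
  sources: 154.160.26.149/16
  services: dhcpv6-client mdns
  ports: 8443/tcp
  masquerade: no'

# zone_rules: read one --list-all listing on stdin and print "key=value" per
# rule for the sources, services, ports and masquerade lines.
zone_rules() {
    awk '/^ +(sources|services|ports|masquerade):/ {
        key = $1; sub(":", "", key)
        for (i = 2; i <= NF; i++) print key "=" $i
    }'
}

# zone_drift RUNTIME_TEXT PERMANENT_TEXT: print each rule present in only one
# of the two listings; return 0 when they agree, 1 when they differ.
zone_drift() {
    rt=$(printf '%s\n' "$1" | zone_rules | sort -u | tr '\n' ' ')
    pm=$(printf '%s\n' "$2" | zone_rules | sort -u | tr '\n' ' ')
    drift=0
    for r in $rt; do
        case " $pm " in *" $r "*) ;; *) echo "runtime-only $r"; drift=1 ;; esac
    done
    for p in $pm; do
        case " $rt " in *" $p "*) ;; *) echo "permanent-only $p"; drift=1 ;; esac
    done
    return $drift
}

# Against a live firewalld, pass real listings instead of the samples:
#   zone_drift "$(firewall-cmd --zone=internal --list-all)" "$(firewall-cmd --permanent --zone=internal --list-all)"
zone_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" ||
    echo "drift found: commit with --runtime-to-permanent or apply with --reload"
```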

# DOCKER FIREWALLD
# Masquerading allows for docker ingress and egress (this is the juicy bit)

firewall-cmd --zone=public --add-masquerade --permanent

# Specifically allow incoming traffic on port 80/443 (nothing new here)

firewall-cmd --zone=public --add-port=80/tcp
firewall-cmd --zone=public --add-port=443/tcp

# Reload firewall to apply permanent rules

firewall-cmd --reload

# docker firewalld 2
# Check what interface docker is using, e.g. 'docker0'

ip link show

# Check available firewalld zones, e.g. 'public'

sudo firewall-cmd --get-active-zones

# Check what zone the docker interface is bound to, most likely 'no zone' yet

sudo firewall-cmd --get-zone-of-interface=docker0

# So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload

sudo nmcli connection modify docker0 connection.zone public

# Masquerading allows for docker ingress and egress (this is the juicy bit)

sudo firewall-cmd --zone=public --add-masquerade --permanent

# Optional: open required incoming ports (wasn't required in my tests)
# sudo firewall-cmd --zone=public --add-port=443/tcp
# Reload firewalld

sudo firewall-cmd --reload

# Reload dockerd

sudo systemctl restart docker