Difference between revisions of "Additional Firewall-Cmd Commands"
| Line 15: | Line 15: | ||
firewall-cmd --zone=public --list-services | firewall-cmd --zone=public --list-services | ||
firewall-cmd --zone=internal --list-services | firewall-cmd --zone=internal --list-services | ||
| − | </syntaxhighlight><nowiki>#</nowiki> Add Permanently to Public Zone | + | </syntaxhighlight>''<nowiki>#</nowiki> Add Permanently to Public Zone'' |
| + | |||
<code>sudo firewall-cmd --permanent --zone=public --add-service=http --add-service=https | <code>sudo firewall-cmd --permanent --zone=public --add-service=http --add-service=https | ||
sudo firewall-cmd --reload</code> | sudo firewall-cmd --reload</code> | ||
| − | # Add Temporarily to Internal Zone | + | |
| − | firewall-cmd --zone=internal --add-service=ssh | + | ''# Add Temporarily to Internal Zone'' |
| − | firewall-cmd --zone=internal --add-source=154.160.26.149/16 | + | |
| − | firewall-cmd --zone=internal --add-source=102.176.65.133/16 | + | firewall-cmd --zone=internal --add-service=ssh |
| − | firewall-cmd --zone=public --remove-service=ssh | + | |
| + | firewall-cmd --zone=internal --add-source=154.160.26.149/16 | ||
| + | |||
| + | firewall-cmd --zone=internal --add-source=102.176.65.133/16 | ||
| + | |||
| + | firewall-cmd --zone=public --remove-service=ssh | ||
| + | |||
firewall-cmd --zone=public --remove-port=22/tcp | firewall-cmd --zone=public --remove-port=22/tcp | ||
| − | # Commit Temporary Changes Permanently | + | |
| + | ''# Commit Temporary Changes Permanently'' | ||
| + | |||
firewall-cmd --runtime-to-permanent | firewall-cmd --runtime-to-permanent | ||
| − | # Remove an IP from Allowed IPs | + | |
| + | ''# Remove an IP from Allowed IPs'' | ||
| + | |||
firewall-cmd --zone=internal --remove-source=102.176.65.133/16 | firewall-cmd --zone=internal --remove-source=102.176.65.133/16 | ||
| − | #DOCKER FIREWALLD | + | |
| − | # Masquerading allows for docker ingress and egress (this is the juicy bit) | + | ''# DOCKER FIREWALLD'' |
| + | |||
| + | ''# Masquerading allows for docker ingress and egress (this is the juicy bit)'' | ||
| + | |||
firewall-cmd --zone=public --add-masquerade --permanent | firewall-cmd --zone=public --add-masquerade --permanent | ||
| − | # Specifically allow incoming traffic on port 80/443 (nothing new here) | + | |
| + | ''# Specifically allow incoming traffic on port 80/443 (nothing new here)'' | ||
| + | |||
firewall-cmd --zone=public --add-port=80/tcp | firewall-cmd --zone=public --add-port=80/tcp | ||
| + | |||
firewall-cmd --zone=public --add-port=443/tcp | firewall-cmd --zone=public --add-port=443/tcp | ||
| + | ''# Reload firewall to apply permanent rules'' | ||
| − | |||
firewall-cmd --reload | firewall-cmd --reload | ||
| − | # docker firewalld 2 | + | |
| − | # Check what interface docker is using, e.g. 'docker0' | + | ''# docker firewalld 2'' |
| + | |||
| + | ''# Check what interface docker is using, e.g. 'docker0''' | ||
| + | |||
ip link show | ip link show | ||
| − | # Check available firewalld zones, e.g. 'public' | + | |
| + | ''# Check available firewalld zones, e.g. 'public''' | ||
| + | |||
sudo firewall-cmd --get-active-zones | sudo firewall-cmd --get-active-zones | ||
| − | # Check what zone the docker interface it bound to, most likely 'no zone' yet | + | |
| + | ''# Check what zone the docker interface it bound to, most likely 'no zone' yet'' | ||
| + | |||
sudo firewall-cmd --get-zone-of-interface=docker0 | sudo firewall-cmd --get-zone-of-interface=docker0 | ||
| − | # So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload | + | |
| + | ''# So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload'' | ||
| + | |||
sudo nmcli connection modify docker0 connection.zone public | sudo nmcli connection modify docker0 connection.zone public | ||
| − | # Masquerading allows for docker ingress and egress (this is the juicy bit) | + | |
| + | ''# Masquerading allows for docker ingress and egress (this is the juicy bit)'' | ||
| + | |||
sudo firewall-cmd --zone=public --add-masquerade --permanent | sudo firewall-cmd --zone=public --add-masquerade --permanent | ||
| − | # Optional open required incomming ports (wasn't required in my tests) | + | |
| − | + | ''# Optional open required incomming ports (wasn't required in my tests)'' | |
| − | # Reload firewalld | + | |
| + | sudo firewall-cmd --zone=public --add-port=443/tcp | ||
| + | |||
| + | ''# Reload firewalld'' | ||
| + | |||
sudo firewall-cmd --reload | sudo firewall-cmd --reload | ||
| − | # Reload dockerd | + | |
| + | ''# Reload dockerd'' | ||
| + | |||
sudo systemctl restart docker | sudo systemctl restart docker | ||
Revision as of 08:19, 31 January 2021
# Basic firewall-cmd setups
sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --add-port=10000/tcp --permanent
sudo firewall-cmd --reload# Query Firewall Settings
firewall-cmd --list-all
firewall-cmd --list-all-zones
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
firewall-cmd --list-services
firewall-cmd --list-ports
firewall-cmd --zone=public --list-services
firewall-cmd --zone=internal --list-services# Add Permanently to Public Zone
sudo firewall-cmd --permanent --zone=public --add-service=http --add-service=https
sudo firewall-cmd --reload
# Add Temporarily to Internal Zone
firewall-cmd --zone=internal --add-service=ssh
firewall-cmd --zone=internal --add-source=154.160.26.149/16
firewall-cmd --zone=internal --add-source=102.176.65.133/16
firewall-cmd --zone=public --remove-service=ssh
firewall-cmd --zone=public --remove-port=22/tcp
# Commit Temporary Changes Permanently
firewall-cmd --runtime-to-permanent
# Remove an IP from Allowed IPs
firewall-cmd --zone=internal --remove-source=102.176.65.133/16
# DOCKER FIREWALLD
# Masquerading allows for docker ingress and egress (this is the juicy bit)
firewall-cmd --zone=public --add-masquerade --permanent
# Specifically allow incoming traffic on port 80/443 (nothing new here)
firewall-cmd --zone=public --add-port=80/tcp
firewall-cmd --zone=public --add-port=443/tcp
# Reload firewall to apply permanent rules
firewall-cmd --reload
# docker firewalld 2
# Check what interface docker is using, e.g. 'docker0'
ip link show
# Check available firewalld zones, e.g. 'public'
sudo firewall-cmd --get-active-zones
# Check what zone the docker interface it bound to, most likely 'no zone' yet
sudo firewall-cmd --get-zone-of-interface=docker0
# So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload
sudo nmcli connection modify docker0 connection.zone public
# Masquerading allows for docker ingress and egress (this is the juicy bit)
sudo firewall-cmd --zone=public --add-masquerade --permanent
# Optional open required incomming ports (wasn't required in my tests)
sudo firewall-cmd --zone=public --add-port=443/tcp
# Reload firewalld
sudo firewall-cmd --reload
# Reload dockerd
sudo systemctl restart docker