Additional Firewall-Cmd Commands

From Rhomicom Wiki
Revision as of 08:09, 31 January 2021 by Admin (talk | contribs) (Created page with "#Basic firewall-cmd setups sudo firewall-cmd --zone=public --add-port=22/tcp --permanent sudo firewall-cmd --zone=public --add-port=80/tcp --permanent sudo firewall-cmd --zone...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
  1. Basic firewall-cmd setups

sudo firewall-cmd --zone=public --add-port=22/tcp --permanent sudo firewall-cmd --zone=public --add-port=80/tcp --permanent sudo firewall-cmd --zone=public --add-port=443/tcp --permanent

  1. sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
  2. sudo firewall-cmd --zone=public --add-port=10000/tcp --permanent

sudo firewall-cmd --reload

  1. Query Firewall Settings

firewall-cmd --list-all firewall-cmd --list-all-zones firewall-cmd --get-default-zone firewall-cmd --get-active-zones firewall-cmd --list-services firewall-cmd --list-ports firewall-cmd --zone=public --list-services firewall-cmd --zone=internal --list-services

  1. Add Permanently to Public Zone

sudo firewall-cmd --permanent --zone=public --add-service=http --add-service=https sudo firewall-cmd --reload

  1. Add Temporarily to Internal Zone

firewall-cmd --zone=internal --add-service=ssh firewall-cmd --zone=internal --add-source=154.160.26.149/16 firewall-cmd --zone=internal --add-source=102.176.65.133/16 firewall-cmd --zone=public --remove-service=ssh firewall-cmd --zone=public --remove-port=22/tcp

  1. Commit Temporary Changes Permanently

firewall-cmd --runtime-to-permanent

  1. Remove an IP from Allowed IPs

firewall-cmd --zone=internal --remove-source=102.176.65.133/16

  1. DOCKER FIREWALLD
  2. Masquerading allows for docker ingress and egress (this is the juicy bit)

firewall-cmd --zone=public --add-masquerade --permanent

  1. Specifically allow incoming traffic on port 80/443 (nothing new here)

firewall-cmd --zone=public --add-port=80/tcp firewall-cmd --zone=public --add-port=443/tcp


  1. Reload firewall to apply permanent rules

firewall-cmd --reload

  1. docker firewalld 2
  2. Check what interface docker is using, e.g. 'docker0'

ip link show

  1. Check available firewalld zones, e.g. 'public'

sudo firewall-cmd --get-active-zones

  1. Check what zone the docker interface it bound to, most likely 'no zone' yet

sudo firewall-cmd --get-zone-of-interface=docker0

  1. So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload

sudo nmcli connection modify docker0 connection.zone public

  1. Masquerading allows for docker ingress and egress (this is the juicy bit)

sudo firewall-cmd --zone=public --add-masquerade --permanent

  1. Optional open required incomming ports (wasn't required in my tests)
  2. sudo firewall-cmd --zone=public --add-port=443/tcp
  3. Reload firewalld

sudo firewall-cmd --reload

  1. Reload dockerd

sudo systemctl restart docker