This is a quick and dirty cheatsheet covering both iptables and firewalld, the firewall management tools used on RHEL 6-8.
iptables is a tool for managing firewall rules on a Linux machine
start, stop and status:

```bash
service iptables [start|stop|status]           # RHEL 6
systemctl [start|stop|status|reload] iptables  # RHEL 7
```
iptables locations:

```bash
/var/lib/iptables        # RHEL 6
/etc/sysconfig/iptables  # RHEL 7
```
Backup and Restore:

```bash
iptables-save > /backup/iptables/iptables-
```
There are a number of default chains (INPUT, OUTPUT and FORWARD in the default filter table). A chain holds an ordered list of rules and can also jump to other chains.
iptables commands:

```bash
iptables -L                 # list rules
iptables -L --line-numbers  # list rules with line numbers
iptables -A                 # append a rule to the end of a chain
iptables -I                 # insert a rule into a chain at a specific position
iptables -D                 # delete a rule (can also take a chain and a line number instead of the rule spec)
iptables -R                 # replace an existing rule
iptables -N                 # create a new chain
iptables -X                 # delete a chain
iptables -E                 # rename a chain
iptables -F                 # delete all the rules in a chain (flush)
```
iptables is stateful: connection tracking follows the TCP three-way handshake, and once the handshake completes the connection's traffic is in state ESTABLISHED.
iptables Examples:

```bash
# BAD GUYS (block a source IP address):
iptables -A INPUT -s 172.34.5.8 -j DROP

# NO SPAMMERS (notice the use of an FQDN):
iptables -A INPUT -s mail.spammer.org -d 10.1.15.1 -p tcp --dport 25 -j REJECT

# MYSQL (allow remote access from a particular IP):
iptables -A INPUT -s 172.50.3.45 -d 10.1.15.1 -p tcp --dport 3306 -j ACCEPT
iptables -I INPUT 5 -s 172.50.3.45 -d 10.1.15.1 -p tcp --dport 3306 -j ACCEPT  # slot rule into position 5 (see iptables -L --line-numbers)

# SSH
iptables -A INPUT -d 10.1.15.1 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 3 -d 10.1.15.1 -p tcp --dport 22 -j ACCEPT  # slot rule into position 3 (see iptables -L --line-numbers)

# Sendmail/Postfix
iptables -A INPUT -d 10.1.15.1 -p tcp --dport 25 -j ACCEPT

# FTP (notice how you can specify a range of ports, 20-21)
iptables -A INPUT -d 10.1.15.1 -p tcp --dport 20:21 -j ACCEPT

# HTTP/Apache
iptables -A INPUT -d 10.1.15.1 -p tcp --dport 80 -j ACCEPT

# SSL/Apache
iptables -A INPUT -d 10.1.15.1 -p tcp --dport 443 -j ACCEPT

# IMAP
iptables -A INPUT -d 10.1.15.1 -p tcp --dport 143 -j ACCEPT

# IMAPS
iptables -A INPUT -d 10.1.15.1 -p tcp --dport 993 -j ACCEPT

# POP3
iptables -A INPUT -d 10.1.15.1 -p tcp --dport 110 -j ACCEPT

# POP3S
iptables -A INPUT -d 10.1.15.1 -p tcp --dport 995 -j ACCEPT

# Any traffic from localhost
iptables -A INPUT -d 10.1.15.1 -s 127.0.0.1 -j ACCEPT

# ICMP/Ping
iptables -A INPUT -d 10.1.15.1 -p icmp -j ACCEPT
```
By default, iptables LOG entries are written by the kernel to /var/log/messages. You can send them to their own file with a syslog selector such as the one below (for example in /etc/rsyslog.conf); `--log-level 4` is "warning", which is what the kern.warning selector matches.
syslog:

```
kern.warning /var/log/iptables.log
```
Increase logging:

```bash
iptables -A INPUT -j LOG --log-level 4  # log whatever reaches the end of INPUT...
iptables -A INPUT -j DROP               # ...then drop it
```
Log ICMP requests:

```bash
iptables -I INPUT -p icmp --icmp-type echo-request -j LOG --log-prefix "Rejected: "  # inserted at the top of INPUT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP                            # appended at the end
```
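As an added example (not part of the cheatsheet), a small Python parser for the LOG-target lines those rules produce in /var/log/messages: it splits off the `--log-prefix` text, turns the `KEY=VALUE` fields into a dict, and counts the logged ICMP echo-requests per source. The log lines are constructed samples in the kernel's LOG format, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample log lines (not captured from a real host) in the format
# the kernel writes for the iptables LOG target. The "Rejected: " prefix is
# the one set by --log-prefix above; TYPE=8 marks an ICMP echo-request.
SAMPLE_LOG = """\
Mar  3 10:15:01 host kernel: Rejected: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=172.34.5.8 DST=10.1.15.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=ICMP TYPE=8 CODE=0 ID=42 SEQ=1
Mar  3 10:15:02 host kernel: Rejected: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=172.34.5.8 DST=10.1.15.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=ICMP TYPE=8 CODE=0 ID=42 SEQ=2
Mar  3 10:15:07 host kernel: Rejected: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.7 DST=10.1.15.1 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  3 10:15:09 host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=10.1.15.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:10 host sshd[1200]: Accepted publickey for admin from 172.50.3.45 port 50022
"""

# Everything after "kernel: " up to the first "IN=" is the --log-prefix text;
# the remainder is a run of KEY=VALUE tokens (plus bare flags such as DF, SYN).
LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)(?P<kv>IN=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return {'prefix': ..., 'IN': ..., 'SRC': ...} for a LOG-target line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for key, value in KV_RE.findall(m.group("kv")):
        # ICMP lines carry ID= twice (IP header, then ICMP header); keep the first.
        rec.setdefault(key, value)
    return rec


def summarize_echo_requests(lines, prefix="Rejected: "):
    """Count logged ICMP echo-requests per source address under the given prefix."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["prefix"] == prefix and rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "8":
            counts[rec["SRC"]] += 1
    return counts


def logged_tcp_ports(lines):
    """Destination ports seen in logged TCP packets (here, from the unprefixed LOG rule)."""
    return sorted({r["DPT"] for r in map(parse_log_line, lines) if r and r.get("PROTO") == "TCP"})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(summarize_echo_requests(lines))  # Counter({'172.34.5.8': 2, '192.0.2.7': 1})
    print(logged_tcp_ports(lines))         # ['3306']
```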
firewalld is also a tool for managing firewall rules on a Linux machine
start, stop and status:

```bash
firewall-cmd --state
systemctl reload firewalld
firewall-cmd --reload
```
There are a number of zones
| Zone | Description |
|---|---|
| drop | The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible. |
| block | Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message. |
| public | Represents public, untrusted networks. You don't trust other computers but may allow selected incoming connections on a case-by-case basis. |
| external | External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable. |
| internal | The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available. |
| dmz | Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed. |
| work | Used for work machines. Trust most of the computers in the network. A few more services might be allowed. |
| home | A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted. |
| trusted | Trust all of the machines in the network. The most open of the available options and should be used sparingly. |
firewalld commands
zone information:

```bash
firewall-cmd --state
firewall-cmd --reload
firewall-cmd --get-zones
firewall-cmd --list-all-zones
firewall-cmd --get-services
firewall-cmd --get-icmptypes
firewall-cmd --list-all                          # get default zone information
firewall-cmd --get-active-zones
firewall-cmd --zone=home --list-all              # get specific zone information
firewall-cmd --get-default-zone
firewall-cmd --set-default-zone=home
firewall-cmd --zone=home --change-interface=eth0
firewall-cmd --permanent --new-zone=myownzone    # create a new zone
```
Interface information:

```bash
firewall-cmd [--zone=
```
services information:

```bash
firewall-cmd --get-services
firewall-cmd --zone=public [--permanent] --list-services        # list all services on a specific zone
firewall-cmd --zone=public [--permanent] --add-service=http     # add a service to a specific zone (--permanent = persists across reboots)
firewall-cmd --zone=public [--permanent] --remove-service=http  # remove a service from a specific zone (--permanent = persists across reboots)
```
ports:

```bash
firewall-cmd --zone=public [--permanent] --list-ports
firewall-cmd --zone=public [--permanent] --add-port=5901/tcp
firewall-cmd --zone=public [--permanent] --remove-port=5901/tcp
```
ICMP:

```bash
firewall-cmd [--zone=
```
source:

```bash
firewall-cmd --permanent --zone=trusted --add-source=192.168.2.0/24
firewall-cmd --permanent --zone=trusted --add-source=00:11:22:33:44:55    # MAC address
firewall-cmd --permanent --zone=trusted --remove-source=00:11:22:33:44:55
firewall-cmd --permanent --zone=trusted --query-source=00:11:22:33:44:55
```
ipset:

```bash
firewall-cmd --permanent --new-ipset=iplist --type=hash:ip
firewall-cmd --ipset=iplist --add-entry=192.168.1.11
firewall-cmd --ipset=iplist --add-entry=192.168.1.12
firewall-cmd --permanent --zone=trusted --add-source=ipset:iplist
```
service:

```bash
firewall-cmd --zone=internal --add-service=ssh --permanent
firewall-cmd --zone=internal --add-service=http --permanent
```
port forwarding or port mapping:

```bash
firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
```

Forwarding to a different host (`toaddr`) also requires masquerading to be enabled on the zone.
panic mode:

```bash
firewall-cmd [--zone=
```
use an XML file:

```bash
# shipped service definitions live in /usr/lib/firewalld/services; custom ones go in /etc/firewalld/services
cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/vnc1.xml
```

```xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>VNC1</short>
  <description>VNC is a protocol for logging into and executing commands on remote machines; this covers port 5901.</description>
  <port protocol="tcp" port="5901"/>
</service>
```
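As an added example, not from the cheatsheet, Python that parses a service file like vnc1.xml and generates a new one (for instance a second VNC display on 5902), checking the protocol and the port range before the file is dropped under /etc/firewalld/services. The embedded XML is a constructed copy of the file above, and the helper names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the vnc1.xml service file shown in the cheatsheet.
VNC1_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>VNC1</short>
  <description>VNC is a protocol for logging into and executing commands on remote machines; this covers port 5901.</description>
  <port protocol="tcp" port="5901"/>
</service>
"""

# Protocols firewalld accepts on a <port> element.
VALID_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}


def valid_port_spec(spec):
    """True for a single port ('5901') or a range ('5900-5910') within 1-65535."""
    lo, _, hi = spec.partition("-")
    if not lo.isdigit() or (hi and not hi.isdigit()):
        return False
    lo_i, hi_i = int(lo), int(hi) if hi else int(lo)
    return 1 <= lo_i <= hi_i <= 65535


def parse_service(xml_text):
    """Return (short, description, [(protocol, port), ...]) from a firewalld service file."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError(f"root element must be <service>, got <{root.tag}>")
    ports = []
    for p in root.findall("port"):
        proto, port = p.get("protocol"), p.get("port")
        if proto not in VALID_PROTOCOLS:
            raise ValueError(f"unsupported protocol {proto!r}")
        if not valid_port_spec(port or ""):
            raise ValueError(f"bad port spec {port!r}")
        ports.append((proto, port))
    return root.findtext("short", ""), root.findtext("description", ""), ports


def build_service(short, description, ports):
    """Generate the XML text for a new service file from validated (protocol, port) pairs."""
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for proto, port in ports:
        if proto not in VALID_PROTOCOLS or not valid_port_spec(port):
            raise ValueError(f"refusing to write {proto}/{port}")
        ET.SubElement(root, "port", protocol=proto, port=port)
    ET.indent(root)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"
```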