Don’t use “iptables” any more: on Fedora, the firewall is now “FirewallD”.

Is your firewall working ?

[root@fedora22 named]# systemctl status firewalld.service | grep Active
  Active: inactive (dead) since Wed 2015-10-07 16:44:55 CEST; 15s ago

No ? Just start it !

[root@fedora22 named]# systemctl start firewalld.service
[root@fedora22 named]# systemctl status firewalld.service | grep Active
 Active: active (running) since Wed 2015-10-07 16:51:47 CEST; 3s ago

In this example, for this fedora server, we’ll use the command line utility “firewall-cmd” (at my advanced age, I prefer command line interfaces …).

Here are all defined firewall zones :

[root@fedora22 named]# firewall-cmd --get-zones
FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work

The default zone :

[root@fedora22 named]# firewall-cmd --get-default-zone
FedoraServer

Which one is active :

[root@fedora22 named]# firewall-cmd --get-active-zones
FedoraServer
 interfaces: ens32

Display this interface’s IP address :

[root@fedora22 named]# ip addr show dev ens32
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
 link/ether 00:0c:29:b3:83:17 brd ff:ff:ff:ff:ff:ff
 inet 192.168.1.203/24 brd 192.168.1.255 scope global ens32
 valid_lft forever preferred_lft forever
 inet6 fe80::20c:29ff:feb3:8317/64 scope link
 valid_lft forever preferred_lft forever

Create your own zone (“argonay” in this example; why? Because I live in Argonay, France …) :

[root@fedora22 named]# firewall-cmd --permanent --new-zone=argonay
 success

Reload the firewall :

[root@fedora22 named]# firewall-cmd --reload
 success

Set this new zone as default :

[root@fedora22 ~]# firewall-cmd --set-default-zone=argonay
success
[root@fedora22 ~]# firewall-cmd --get-default-zone
argonay

From now on, you can no longer open another ssh session (the new zone allows nothing yet), so from the console, enable ssh for this new default zone (we don’t need to specify the zone name because we are working on the default zone) :

[screenshot: enabling the ssh service for the default zone]

Reload :

[screenshot: reloading the firewall]

ssh is now allowed :

[root@fedora22 ~]# firewall-cmd --list-all
argonay (default, active)
 interfaces: ens32
 sources:
 services: ssh
 ports:
 masquerade: no
 forward-ports:
 icmp-blocks:
 rich rules:

“ssh” is the service defined in “/etc/services” :

[root@fedora22 ~]# egrep "^ssh " /etc/services
ssh 22/tcp # The Secure Shell (SSH) Protocol
ssh 22/udp # The Secure Shell (SSH) Protocol
ssh 22/sctp # SSH

That means port 22 is open for both the “tcp” and “udp” protocols (and “sctp” as well).

To authorize webmin (port 10000) and https :

[root@fedora22 ~]# firewall-cmd --permanent --add-port=10000/tcp
success
[root@fedora22 ~]# firewall-cmd --permanent --add-port=10000/udp
success
[root@fedora22 ~]# firewall-cmd --permanent --add-service=https
success

And reload :

[root@fedora22 ~]# firewall-cmd --reload
success

It works !

[screenshot: webmin reachable]

To reduce the range of authorized IP addresses

Currently, everyone from everywhere can log on to my fedora virtual machine using ssh or launch webmin, which is not acceptable…

[root@fedora22 ~]# firewall-cmd --list-all
argonay (default, active)
 interfaces: ens32
 sources:
 services: https ssh
 ports: 10000/udp 10000/tcp
 masquerade: no
 forward-ports:
 icmp-blocks:
 rich rules:

We would like to reduce the IP range to 192.168.1.0/24 :

[root@fedora22 ~]# firewall-cmd --permanent --add-source=192.168.1.0/24
success

Don’t forget to reload :

[root@fedora22 ~]# firewall-cmd --reload
success

I’m able to open a new ssh session from my Windows PC :

[screenshot: new ssh session from the Windows PC]

webmin works fine as well from the same PC …

To summarize my zone configuration :

[root@fedora22 ~]# firewall-cmd --list-all
argonay (default, active)
 interfaces: ens32
 sources: 192.168.1.0/24
 services: https ssh
 ports: 10000/udp 10000/tcp
 masquerade: no
 forward-ports:
 icmp-blocks:
 rich rules:
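The summary above hides one thing: firewalld assigns an incoming packet to a zone by its source address first, then by the incoming interface, and only then falls back to the default zone. Because ens32 is still bound to argonay (argonay is the default zone, so unassigned interfaces land there), a connection from an address outside 192.168.1.0/24 arriving on ens32 is still placed in argonay and still reaches ssh, https and port 10000; the --add-source line only steers 192.168.1.0/24 into a zone it would have matched anyway. The audit function below is an added example, not part of the original post: it reads a firewall-cmd --list-all listing and reports which case applies. The two listings from the post are copied in as constructed samples, and a third, source-only listing is constructed to show what an effective restriction looks like.

```shell
#!/bin/sh
# Added example (not from the original post): audit one zone's
# `firewall-cmd --list-all` output for who can reach its allowed services.
# Assumes the listing is passed as a single string argument.

# zone_exposure LISTING -> one line describing the zone's exposure
zone_exposure() {
    printf '%s\n' "$1" | awk '
        # Strip the "key:" prefix and trailing blanks from a listing line.
        function field(line, key) {
            sub(("^ *" key ":[ ]*"), "", line)
            sub(/[ \t]+$/, "", line)
            return line
        }
        /^ *interfaces:/ { ifaces   = field($0, "interfaces") }
        /^ *sources:/    { sources  = field($0, "sources") }
        /^ *services:/   { services = field($0, "services") }
        /^ *ports:/      { ports    = field($0, "ports") }
        END {
            allowed = "services=[" services "] ports=[" ports "]"
            if (services == "" && ports == "")
                print "NOTHING-ALLOWED"
            else if (ifaces == "" && sources == "")
                print "INACTIVE " allowed
            else if (sources == "")
                # Bound by interface only: every address on it is admitted.
                print "WORLD-OPEN via interfaces=[" ifaces "] " allowed
            else if (ifaces != "")
                # Source binding plus interface binding: addresses outside the
                # sources still enter the zone through the interface.
                print "SOURCE-IGNORED interfaces=[" ifaces "] still admit any address, sources=[" sources "] " allowed
            else
                print "SOURCE-RESTRICTED sources=[" sources "] " allowed
        }'
}

# Listing from the post before --add-source (constructed copy of its output).
BEFORE='argonay (default, active)
 interfaces: ens32
 sources:
 services: https ssh
 ports: 10000/udp 10000/tcp
 masquerade: no
 forward-ports:
 icmp-blocks:
 rich rules:'

# Listing from the post after --add-source (constructed copy of its output).
AFTER='argonay (default, active)
 interfaces: ens32
 sources: 192.168.1.0/24
 services: https ssh
 ports: 10000/udp 10000/tcp
 masquerade: no
 forward-ports:
 icmp-blocks:
 rich rules:'

# Constructed: the interface lives in another zone, so only the listed
# sources are steered into this one.
SOURCE_ONLY='argonay (active)
 interfaces:
 sources: 192.168.1.0/24
 services: https ssh
 ports: 10000/udp 10000/tcp
 masquerade: no
 forward-ports:
 icmp-blocks:
 rich rules:'

for listing in "$BEFORE" "$AFTER" "$SOURCE_ONLY"; do
    zone_exposure "$listing"
done
# On a live system: zone_exposure "$(firewall-cmd --list-all)"
# or, for another zone: zone_exposure "$(firewall-cmd --zone=NAME --list-all)"
```

To make the restriction effective, argonay must be selected by source only: keep the --add-source binding and move the interface, or the default zone (for example with firewall-cmd --set-default-zone=drop), to a zone that rejects everything, then confirm with firewall-cmd --get-active-zones that ens32 is listed under the deny zone and argonay appears only with its sources. Established sessions survive the switch, but check from a host inside 192.168.1.0/24 before closing the console.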
