iptables to firewall-cmd.

Support for security such as Firewalls and securing linux
Post Reply
hack3rcon
Posts: 458
Joined: 2014/11/24 11:04:37

iptables to firewall-cmd.

Post by hack3rcon » 2019/01/01 06:42:49

Hello.
Happy new year.
I'm using CentOS 7.6 x86_64 and I want to block all incoming connections except some ports. I found iptables version:

Code: Select all

# allow established sessions to receive traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow your application port
iptables -I INPUT -p tcp --dport 42605 -j ACCEPT
# allow SSH 
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
# Allow Ping
iptables -A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow localhost 
iptables -A INPUT -i lo -j ACCEPT
# block everything else 
iptables -A INPUT -j DROP
How can I convert it to firewall-cmd?

Thank you.

hunter86_bg
Posts: 1927
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: iptables to firewall-cmd.

Post by hunter86_bg » 2019/01/01 21:11:22

Happy New Year!
allow established sessions to receive traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This is the default behavior.
Before going on, you should decide which zone you want to use.The default one is the public zone.
# allow your application port
iptables -I INPUT -p tcp --dport 42605 -j ACCEPT

Code: Select all

firewall-cmd  --add-port=42605/tcp && firewall-cmd --reload
# allow SSH
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
This is allowed in the public zone.If you make your own:

Code: Select all

firewall-cmd --zone=myzone --permanent --add-service=ssh && firewall-cmd --reload
The rest are not needed as ICMP echo requests are allowed.

Firewalld has runtime and permanent settings , where runtime has a timeout option. You can use it to unlock yourself automatically.
Don't forget to run a --reload at the end and run a nmap scan from the outside to verify that you have secured yourself properly.

hack3rcon
Posts: 458
Joined: 2014/11/24 11:04:37

Re: iptables to firewall-cmd.

Post by hack3rcon » 2019/01/02 10:10:58

hunter86_bg wrote:
2019/01/01 21:11:22
Happy New Year!
allow established sessions to receive traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This is the default behavior.
Before going on, you should decide which zone you want to use.The default one is the public zone.
# allow your application port
iptables -I INPUT -p tcp --dport 42605 -j ACCEPT

Code: Select all

firewall-cmd  --add-port=42605/tcp && firewall-cmd --reload
# allow SSH
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
This is allowed in the public zone.If you make your own:

Code: Select all

firewall-cmd --zone=myzone --permanent --add-service=ssh && firewall-cmd --reload
The rest are not needed as ICMP echo requests are allowed.

Firewalld has runtime and permanent settings , where runtime has a timeout option. You can use it to unlock yourself automatically.
Don't forget to run a --reload at the end and run a nmap scan from the outside to verify that you have secured yourself properly.
Thank you so much.
Thus, the end line that blocked other attempts not needed? firewall-cmd by default blocked other attempts and just open the ports that I specified?

hunter86_bg
Posts: 1927
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: iptables to firewall-cmd.

Post by hunter86_bg » 2019/01/02 21:00:24

Yes, it blocks everything not defined.
You can check the current (not persistent) state via '--list-all'

hack3rcon
Posts: 458
Joined: 2014/11/24 11:04:37

Re: iptables to firewall-cmd.

Post by hack3rcon » 2019/01/03 04:02:23

hunter86_bg wrote:
2019/01/02 21:00:24
Yes, it blocks everything not defined.
You can check the current (not persistent) state via '--list-all'
Thank you so much.

User avatar
jlehtone
Posts: 2379
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables to firewall-cmd.

Post by jlehtone » 2019/01/03 12:12:52


Post Reply

Return to “CentOS 7 - Security Support”