However, one has to migrate at some point, because 8, like 7, has firewalld but no iptables backend. Therefore, one eventually must adopt firewalld or the new backend, or whatever is available in 2024 when CentOS 7 expires.
The firewall emphasizes "zones" that decouple "who" and "what" somewhat.
Who:
"Packet arrived from xxx.xxx.xxx.0/25" -> Let zone X handle it
"Packet arrived from yyy.yyy.yyy.0/18" -> Let zone Y handle it
"Packet arrived from interface p1p1" -> Let zone Y handle it
"Packet arrived from interface em2" -> Let zone Z handle it
What:
Zone X: Allow (new) ssh and https connections
Zone Z: Allow all connections
The default in CentOS-7 firewalld is:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
By default, there is nothing in INPUT_direct and INPUT_ZONES_SOURCE. The default zone is public. It adds just two rules.
The default input filter is thus:
-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-i lo -j ACCEPT
-p icmp -j ACCEPT
-p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-m conntrack --ctstate INVALID -j DROP
-j REJECT --reject-with icmp-host-prohibited
That is quite close to Jody's second ruleset. The zone public has service ssh (and dhcpv6-client in the IPv6 rules).
One could keep using the public zone and just remove the service from that zone, or change to a different zone.
Zone block is probably what one wants.
For the specific ports to allow:
Define services:
firewall-cmd --permanent --new-service=myt
firewall-cmd --permanent --service=myt --add-port=22222/tcp
firewall-cmd --permanent --service=myt --add-port=22223/tcp
firewall-cmd --permanent --new-service=myu
firewall-cmd --permanent --service=myu --add-port=22222/udp
firewall-cmd --permanent --service=myu --add-port=22223/udp
Define zones:
firewall-cmd --permanent --new-zone=mono
firewall-cmd --permanent --zone=mono --add-service=myt
firewall-cmd --permanent --zone=mono --add-source=xxx.xxx.xxx.0/25
firewall-cmd --permanent --new-zone=dual
firewall-cmd --permanent --zone=dual --add-service=myt
firewall-cmd --permanent --zone=dual --add-service=myu
firewall-cmd --permanent --zone=dual --add-source=yyy.yyy.yyy.0/18
One most likely has to reload service/zone definitions from permanent (files) into active (memory) in order to complete all steps.
If one has to change the zone of an interface, then use nmcli:
nmcli con mod "System em1" connection.zone block
Disclaimer: I have used bits and pieces of firewall-cmd, but never the specific combination above.
Check man firewall-cmd and Red Hat's documentation about firewalld.
EDIT: typo fix
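The "who"/"what" split and the rule order of the INPUT chain quoted above can be checked on paper before touching a live box. The following is an added example, not code from the post or from firewalld itself: a small Python model that replays the chain (conntrack, lo, source-bound zones, interface-bound zones, INVALID drop, final REJECT) against constructed packets. The prefixes 192.0.2.0/25 and 10.20.0.0/18 are stand-ins for xxx.xxx.xxx.0/25 and yyy.yyy.yyy.0/18, em1 is bound to zone block as in the nmcli line, em2 is left unbound so it falls to the default zone public, and it is assumed that source bindings do not overlap (first match wins).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service definitions: name -> set of (protocol, port).  "myt"/"myu" mirror the
# firewall-cmd --new-service lines in the post; "ssh" is firewalld's stock service.
SERVICES = {
    "ssh": {("tcp", 22)},
    "myt": {("tcp", 22222), ("tcp", 22223)},
    "myu": {("udp", 22222), ("udp", 22223)},
}


@dataclass
class Zone:
    name: str
    services: set   # the "what": which services the zone lets in
    target: str     # "default" falls through to the final REJECT; zone block uses "REJECT"


@dataclass
class Packet:
    src: str
    iface: str
    proto: str
    dport: int = 0
    ctstate: str = "NEW"


class Firewall:
    """Replays the INPUT chain quoted in the post, rule by rule."""

    def __init__(self, default_zone):
        self.zones = {}
        self.sources = []       # (network, zone) in definition order -> INPUT_ZONES_SOURCE
        self.interfaces = {}    # iface -> zone                        -> INPUT_ZONES
        self.default_zone = default_zone

    def new_zone(self, name, services=(), target="default"):
        self.zones[name] = Zone(name, set(services), target)

    def add_source(self, zone, cidr):
        self.sources.append((ip_network(cidr), zone))

    def add_interface(self, zone, iface):
        self.interfaces[iface] = zone

    def zone_for(self, pkt):
        """The "who": a source binding wins over an interface binding, which wins over the default zone."""
        addr = ip_address(pkt.src)
        for net, zone in self.sources:   # assumption: sources do not overlap, first match is taken
            if addr in net:
                return self.zones[zone]
        return self.zones[self.interfaces.get(pkt.iface, self.default_zone)]

    def verdict(self, pkt):
        if pkt.ctstate in ("RELATED", "ESTABLISHED"):
            return "ACCEPT"              # -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        if pkt.iface == "lo":
            return "ACCEPT"              # -i lo -j ACCEPT
        zone = self.zone_for(pkt)
        if pkt.proto == "icmp" and zone.target == "default":
            return "ACCEPT"              # -p icmp -j ACCEPT, as in the stock public zone
        if pkt.ctstate == "NEW":         # service rules carry --ctstate NEW
            for svc in zone.services:
                if (pkt.proto, pkt.dport) in SERVICES[svc]:
                    return "ACCEPT"
        if zone.target != "default":
            return zone.target           # e.g. zone block ends with its own REJECT
        if pkt.ctstate == "INVALID":
            return "DROP"                # -m conntrack --ctstate INVALID -j DROP
        return "REJECT"                  # -j REJECT --reject-with icmp-host-prohibited


def build_from_post():
    """Constructed from the zone/service commands in the post (prefixes are stand-ins)."""
    fw = Firewall(default_zone="public")
    fw.new_zone("public", services={"ssh"})
    fw.new_zone("block", target="REJECT")        # zone block rejects whatever is not allowed
    fw.new_zone("mono", services={"myt"})
    fw.new_zone("dual", services={"myt", "myu"})
    fw.add_source("mono", "192.0.2.0/25")         # stand-in for xxx.xxx.xxx.0/25
    fw.add_source("dual", "10.20.0.0/18")         # stand-in for yyy.yyy.yyy.0/18
    fw.add_interface("block", "em1")              # nmcli con mod "System em1" connection.zone block
    return fw


if __name__ == "__main__":
    fw = build_from_post()
    for pkt in (Packet("192.0.2.10", "em2", "tcp", 22222),
                Packet("192.0.2.10", "em2", "udp", 22222),
                Packet("10.20.5.5", "em2", "tcp", 22),
                Packet("203.0.113.9", "em2", "tcp", 22),
                Packet("203.0.113.9", "em1", "tcp", 22)):
        print(fw.zone_for(pkt).name, pkt, "->", fw.verdict(pkt))
```

The instructive cases are the ones where "who" and "what" disagree with intuition: a host inside the dual prefix is refused ssh even though the default zone public allows it, because the source binding selects zone dual and that zone only carries myt and myu; and a packet from a mono host arriving on em1 is still handled by zone mono, because source bindings are consulted before interface bindings.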