Setting Firewalld on CentOS 7

Configuring firewalld on CentOS 7

  • Check the firewalld service status; make sure it is running
[root@centos ~]# systemctl status firewalld
  • Check the available firewall zones
[root@centos ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
  • Check the default firewall zone
[root@centos ~]# firewall-cmd --get-default-zone
public
  • Check the active firewall zone and the interface bound to it
[root@centos ~]# firewall-cmd --get-active-zones
public
  interfaces: ens33
  • Check the list of services/ports allowed in the public firewall zone
[root@centos ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

  • Add a custom firewall zone
[root@centos ~]# firewall-cmd --permanent --new-zone=monitoring
success
  • Apply the firewall configuration (reload)
[root@centos ~]# sudo firewall-cmd --reload
success
  • Check the firewall zones again (the monitoring zone is now in the list)
[root@centos ~]# firewall-cmd --get-zones
block dmz drop external home internal monitoring public trusted work

  • Configure the services and ports allowed in the new firewall zone
[root@centos ~]# firewall-cmd --zone=monitoring --permanent --add-service=ssh
success
[root@centos ~]# firewall-cmd --zone=monitoring --permanent --add-service=http
success
[root@centos ~]# firewall-cmd --zone=monitoring --permanent --add-service=https
success
[root@centos ~]# firewall-cmd --zone=monitoring --permanent --add-port=9090/tcp
success
[root@centos ~]# firewall-cmd --zone=monitoring --permanent --add-port=9100/tcp
success
[root@centos ~]# firewall-cmd --zone=monitoring --permanent --add-port=3000/tcp
success
  • Reload the firewall
[root@centos ~]# sudo firewall-cmd --reload
success

  • Bind the interface to the firewall zone (for the monitoring zone)
[root@centos ~]# firewall-cmd --zone=monitoring --change-interface=ens33
success
  • Set the default firewall zone (zone: monitoring)
[root@centos admin]# firewall-cmd --set-default-zone monitoring
success
  • Reload the firewall
[root@centos ~]# sudo firewall-cmd --reload
success
  • Restart the firewalld service
[root@centos ~]# systemctl restart firewalld

  • Check the list of services/ports allowed in the monitoring firewall zone
[root@centos ~]# firewall-cmd --zone=monitoring --list-all
monitoring (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: http https ssh
  ports: 9090/tcp 9100/tcp 3000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
  • Check the active firewall zone
[root@centos ~]# firewall-cmd --get-active-zones
monitoring
  interfaces: ens33
  • Check the open ports with nmap
[root@centos ~]# nmap 192.168.31.34
Starting Nmap 6.40 ( http://nmap.org ) at 2021-11-29 18:00 WIB
Nmap scan report for 192.168.31.34
Host is up (0.000041s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3000/tcp open  ppp
9090/tcp open  zeus-admin
9100/tcp open  jetdirect
Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds

  • Delete a port rule from the public firewall zone (runtime change, then saved to the permanent configuration)
[root@db03 admin]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 192.168.88.106/32 192.168.88.105/32 192.168.88.104/32 192.168.88.103/32
  services: dhcpv6-client ssh
  ports: 3306/tcp 4567/tcp 4568/tcp 4444/tcp 4567/udp 5492/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@db03 admin]# firewall-cmd --zone=public --remove-port=5492/tcp
success
[root@db03 admin]# firewall-cmd --runtime-to-permanent
success
[root@db03 admin]# firewall-cmd --reload
success
[root@db03 admin]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 192.168.88.106/32 192.168.88.105/32 192.168.88.104/32 192.168.88.103/32
  services: dhcpv6-client ssh
  ports: 3306/tcp 4567/tcp 4568/tcp 4444/tcp 4567/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
  • Allow a source IP address in the public zone
firewall-cmd --permanent --zone=public --add-source=192.168.88.105/32
firewall-cmd --reload
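After the zone is built and reloaded, it is worth checking that nothing beyond the intended services and ports is open. The following POSIX sh audit is an added example, not part of the original post: it parses the `--list-all` output of a zone and reports every service or port that is not in the expected baseline. The sample listing is constructed from the monitoring zone output shown above, and the baseline values (ssh/http/https plus 9090, 9100 and 3000/tcp) are assumed to be the intended allowlist for that zone.

```shell
#!/bin/sh
# Audit a firewalld zone listing against an expected allowlist of services
# and ports, so drift from the intended baseline is caught after a reload.
# SAMPLE_LISTING is constructed from this page's `--list-all` output for the
# monitoring zone so the script runs offline; on a live host use instead:
#   LISTING=$(firewall-cmd --zone=monitoring --list-all)

SAMPLE_LISTING='monitoring (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: http https ssh
  ports: 9090/tcp 9100/tcp 3000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field LISTING FIELD: print the values of one "  field: a b c" line.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# zone_unexpected LISTING "svc ..." "port/proto ...": print every service or
# port the zone allows that is not in the expected lists. Returns 0 when the
# zone matches the baseline, 1 when anything extra is open.
zone_unexpected() {
    want_svc=" $2 "
    want_port=" $3 "
    rc=0
    for s in $(zone_field "$1" services); do
        case "$want_svc" in *" $s "*) ;; *) echo "unexpected service: $s"; rc=1 ;; esac
    done
    for p in $(zone_field "$1" ports); do
        case "$want_port" in *" $p "*) ;; *) echo "unexpected port: $p"; rc=1 ;; esac
    done
    return $rc
}

# Assumed baseline for the monitoring zone as built on this page; the second
# call uses a deliberately narrower baseline to show how drift is reported.
zone_unexpected "$SAMPLE_LISTING" "http https ssh" "9090/tcp 9100/tcp 3000/tcp" \
    && echo "monitoring zone matches baseline"
zone_unexpected "$SAMPLE_LISTING" "ssh" "9090/tcp 9100/tcp" \
    || echo "monitoring zone drifted from baseline"
```

Run it from cron or a configuration check after every `firewall-cmd --reload`; a non-zero exit means a service or port was opened that the baseline does not list.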

herdiana3389

A system administrator with skills in system administration, virtualization, linux, windows, networking, cloud computing, container, etc.