CentOS 7.3 Firewall Setup ========================= Install firewalld ~~~~~~~~~~~~~~~~~ GMN will require ports 80 and 443 to be opened. So after logging in to your server as a user with sudoer privileges, the first step is to get the firewall setup. We begin by ensuring that the firewall management package is installed on your server and started. **Update yum.**:: $ sudo yum -y update **Install firewalld**:: $ sudo yum install firewalld $ sudo systemctl unmask firewalld $ sudo systemctl start firewalld Configure Firewall with Network Interfaces ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Next we want to achieve the binding of network interfaces to firewalld zones. This example uses the default public zone. First we need to identify your network interfaces.:: $ ifconfig -a The interfaces described in response will look something like this:: eth0: flags=4163 mtu 1500 inet 138.197.100.216 netmask 255.255.240.0 broadcast 138.197.111.255 inet6 fe80::3c64:d3ff:fe95:187b prefixlen 64 scopeid 0x20 ether 3e:64:d3:95:18:7b txqueuelen 1000 (Ethernet) RX packets 467254 bytes 268127560 (255.7 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 335825 bytes 72203530 (68.8 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 eth1: flags=4098 mtu 1500 ether f2:ac:61:7b:73:10 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73 mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10 loop txqueuelen 1 (Local Loopback) RX packets 81687 bytes 26998580 (25.7 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 81687 bytes 26998580 (25.7 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 There should be one or more network interfaces available, such as "eth0" or "eth1". Ignore an entry such as *“LOOPBACK,RUNNING”*.The firewall management system we are using binds these network interfaces to something called a “zone”. There is the potential for multiple zones which can have different configuration options, but we aren’t going to worry about that here. We just need t he simplest configuration using the default zone. The *public zone* will be the default. So at this point we will check whether or not the network interfaces we identified with “ifconfig -a” are bound to the public zone. We can check that with this command:: $ sudo firewall-cmd --zone=public --list-all Which return:: public (active) target: default icmp-block-inversion: no interfaces: sources: services: dhcpv6-client http https ssh ports: 443/tcp protocols: masquerade: no forward-ports: sourceports: icmp-blocks: rich rules: If the space next to the “interfaces” line contains the network interfaces, such as eth0 and eth1 in this example, then they are already bound to the public zone. However, if that line is empty, you will need to bind your network interfaces to the firewall zone as follows. **Bind Network Interfaces to Zone**:: $ sudo firewall-cmd --permanent --zone=public --change-interface=eth0 $ sudo firewall-cmd --permanent --zone=public --change-interface=eth1 $ sudo firewall-cmd --reload Substituting the names of your interfaces in ``--change-interface=``. Now, when you enter the command:: $ sudo firewall-cmd --zone=public --list-all The network interfaces should be listed:: public (active) target: default icmp-block-inversion: no interfaces: eth0 eth1 sources: services: dhcpv6-client ssh ports: protocols: masquerade: no forward-ports: sourceports: icmp-blocks: rich rules: Another way to confirm that everything is as it should be is to use this command:: $ firewall-cmd --get-active-zones Which will return output similar to:: public interfaces: eth1 eth0 Open HTTP & HTTPS Ports ~~~~~~~~~~~~~~~~~~~~~~~ Now we can specify rules for handling specific ports and services, using the below commands.:: $ sudo firewall-cmd --permanent --add-service=http $ sudo firewall-cmd --permanent --add-service=https $ sudo firewall-cmd --permanent --add-port=80/tcp $ sudo firewall-cmd --permanent --add-port=443/tcp $ sudo firewall-cmd --reload $ sudo systemctl enable firewalld