What Do I Need?
- A Dedicated or VPS Linux Server
- CentOS
- PuTTY (or another SSH client)
What is Firewalld?
Firewalld is the service through which your operating system manages its firewall configuration. The version of Firewalld shipped with CentOS 8 uses nftables as its backend. Read on to find out how to configure the firewall from the command line in CentOS 8.
- Update System Software
- Log in to your server as root or as a user with sudo privileges. It is always a good start to fully update the system with the latest kernel, security patches, repository metadata and packages:
dnf check-update
dnf update
dnf clean all
- Enabling Firewalld
- First install Firewalld (you must be logged in as root or as a user with sudo privileges; on CentOS 8, yum is an alias for dnf):
yum install firewalld
- Next, start the service:
systemctl start firewalld
- Then enable it so that it starts automatically at boot:
systemctl enable firewalld
- Run the following command to check the FirewallD service state:
firewall-cmd --state
- Configure and Manage the Firewall
- By default, the public zone is in use. To show the current default zone:
firewall-cmd --get-default-zone
- To see the complete list of all the zones, use the following:
firewall-cmd --get-zones
- To change the default zone, take the name of the zone you want from the previous command and use it as follows (replace the placeholder with the zone name):
firewall-cmd --set-default-zone=<zone-name>
- To check all the active zones and network interfaces that are assigned to them use the following:
firewall-cmd --get-active-zones
- The zone target is the default action for incoming traffic that matches none of the zone’s rules; it can be default, ACCEPT, REJECT or DROP. A target of ACCEPT lets every incoming connection through regardless of the zone’s service and port rules, so reserve it for zones you fully trust. The target can only be set in the permanent configuration (reload afterwards). For example:
firewall-cmd --permanent --zone=public --set-target=ACCEPT
- Assign interfaces to specific zones explicitly. First name the zone, in this case ‘home’, then use the change-interface flag to move the interface into it. For example:
firewall-cmd --zone=home --change-interface=eth1
- To make ‘home’ the default zone and then confirm the change:
firewall-cmd --set-default-zone=home
firewall-cmd --get-default-zone
- To list all of the predefined services that Firewalld knows about (the names you can pass to --add-service):
firewall-cmd --get-services
- To add HTTP services use:
firewall-cmd --zone=public --add-service=http
- Alternatively, open port 80/tcp directly (the http service above is a named shortcut for the same port):
firewall-cmd --zone=public --add-port=80/tcp
- All of the firewall-cmd changes above apply only to the running configuration and are lost on reload or reboot. To make a change permanent, add --permanent to the firewall-cmd command, and then run firewall-cmd --reload so that the permanent configuration is applied to the running firewall.
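Once a zone has a few services and ports added, it is worth checking what it actually exposes and whether the running and permanent configurations agree. The following Python script is an added example, not code from the original page or from the Firewalld project: it parses the summary that `firewall-cmd --zone=public --list-all` (and, with `--permanent`, the permanent counterpart) prints, flags settings a web server should not normally carry, and lists runtime-only changes that will vanish on reload. The two summaries embedded below are constructed, and the ALLOWED_SERVICES and EXPECTED_PORTS sets are assumptions for a plain web server.

```python
"""Audit firewalld zone summaries for risky settings.

Constructed example (not from the original page): the two strings below
imitate the output of `firewall-cmd --zone=public --list-all` (runtime) and
`firewall-cmd --permanent --zone=public --list-all` (permanent). The audit
rules and the ALLOWED_SERVICES / EXPECTED_PORTS sets are assumptions chosen
for a plain web server.
"""
import re

RUNTIME = """\
public (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 80/tcp 8080-8090/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

PERMANENT = """\
public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

# Services a plain web server is expected to expose (assumption).
ALLOWED_SERVICES = {"http", "https", "ssh"}
# Ports already covered by the allowed services; anything else is reported.
EXPECTED_PORTS = {"80/tcp", "443/tcp", "22/tcp"}


def parse_zone(text):
    """Turn a --list-all summary into a dict of key -> list of tokens."""
    lines = text.strip().splitlines()
    zone = {"name": lines[0].split()[0], "active": "(active)" in lines[0]}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        zone[key.strip()] = value.split()
    return zone


def port_span(port):
    """Number of ports covered by a firewalld port spec such as 8080-8090/tcp."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?/(tcp|udp|sctp|dccp)", port)
    if not m:
        raise ValueError("bad port spec: " + port)
    low, high = int(m.group(1)), int(m.group(2) or m.group(1))
    return high - low + 1


def audit_zone(zone):
    """Return human-readable findings for one parsed zone."""
    findings = []
    if zone.get("target", ["default"])[0] == "ACCEPT":
        findings.append("target is ACCEPT: unmatched packets are allowed, so the "
                        "service and port lists no longer restrict anything")
    for svc in zone.get("services", []):
        if svc not in ALLOWED_SERVICES:
            findings.append("unexpected service exposed: " + svc)
    for port in zone.get("ports", []):
        if port_span(port) > 1:
            findings.append("port range opened: " + port)
        elif port not in EXPECTED_PORTS:
            findings.append("unexpected port opened: " + port)
    if zone.get("masquerade", ["no"])[0] == "yes":
        findings.append("masquerade enabled: host is doing NAT for other machines")
    return findings


def runtime_only(runtime, permanent):
    """Settings present in the runtime zone but absent from the permanent one.

    These are exactly the changes made without --permanent: they disappear on
    `firewall-cmd --reload` or reboot, which is also how a temporary, overly
    wide rule can be left in place by accident until the next reload.
    """
    diff = {}
    for key in ("target", "services", "ports", "interfaces"):
        extra = sorted(set(runtime.get(key, [])) - set(permanent.get(key, [])))
        if extra:
            diff[key] = extra
    return diff


if __name__ == "__main__":
    rt, pm = parse_zone(RUNTIME), parse_zone(PERMANENT)
    for label, zone in (("runtime", rt), ("permanent", pm)):
        print(f"[{label}] {zone['name']}:")
        for finding in audit_zone(zone) or ["no findings"]:
            print("  -", finding)
    print("runtime-only settings:", runtime_only(rt, pm))
```

On a real host, feed the script the live output of the two `firewall-cmd --list-all` invocations instead of the embedded strings; the runtime-only section is the quickest way to spot a rule that was added in a hurry and never made permanent, or a permanent rule that has not yet been applied with `--reload`.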
- Disable/Stop the Firewalld Service
- At times you will need to stop or disable the Firewalld service on the web server. To stop the service:
systemctl stop firewalld
- To disable the service so that it no longer starts at boot, use the following command:
systemctl disable firewalld
Next Steps
Next, check your access and user logs. I can tell you this now from personal experience that it’s not unusual to see a lot of unauthorized attempts to access your server. I hate to say this but that’s normal and isn’t indicative of even a targeted attack. So, if you’re seeing lots of attempts, don’t take it personally. A lot of these attacks are the results of port-scanning and scatter-gun searches across entire IP address ranges looking for insecure web servers that can be turned into zombie machines for botnets. My own production servers receive a lot of hits. As you can see from the screenshot I wasn’t even away from my server for long. I think I was only previously logged out from its terminal for about an hour.
Don’t take it personally whatsoever, it’s essentially just the cost of doing business. The best thing to do is to keep an eye on your kernel and system resources in order to track and trace any irregular increases in consumption.
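Watching the logs is easier with a small script that separates background noise from the one event that matters. The following Python script is an added example, not code from the original page: it reads sshd lines in the rsyslog format CentOS writes to /var/log/secure, counts failed logins per source address, records which usernames each source tried, and reports any successful login from a source that had also been failing. The log lines embedded below are constructed (documentation-range addresses, made-up key fingerprint), and the FAILURE_THRESHOLD value is an assumption to tune against your own baseline.

```python
"""Summarise failed SSH logins from sshd lines in /var/log/secure.

Constructed example, not from the original page: SAMPLE_LOG imitates the
rsyslog format CentOS writes to /var/log/secure, using documentation-range
addresses and a made-up fingerprint. FAILURE_THRESHOLD is an assumption.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Mar  3 10:15:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar  3 10:15:03 web1 sshd[2101]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar  3 10:15:09 web1 sshd[2107]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 10:16:00 web1 sshd[2110]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:16:30 web1 sshd[2115]: Invalid user oracle from 203.0.113.45 port 51300
Mar  3 10:16:31 web1 sshd[2115]: Failed password for invalid user oracle from 203.0.113.45 port 51300 ssh2
"""

FAILURE_THRESHOLD = 3  # assumption: failures per source before it is reported

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def summarise(log_text):
    """Return (failures per source, usernames tried per source, accepted logins)."""
    failures = Counter()
    users_tried = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
    return failures, dict(users_tried), accepted


def noisy_sources(failures, threshold=FAILURE_THRESHOLD):
    """Sources at or above the threshold, busiest first: the scatter-gun scanners."""
    return [ip for ip, n in failures.most_common() if n >= threshold]


def successes_from_noisy_sources(failures, accepted, threshold=FAILURE_THRESHOLD):
    """The case that deserves attention: a login that succeeded from a source
    which had also been failing. Sources that only ever fail are background noise."""
    noisy = set(noisy_sources(failures, threshold))
    return [entry for entry in accepted if entry[1] in noisy]


if __name__ == "__main__":
    failures, users, accepted = summarise(SAMPLE_LOG)
    for ip in noisy_sources(failures):
        print(f"{ip}: {failures[ip]} failures, users tried: {sorted(users[ip])}")
    for user, ip, method in successes_from_noisy_sources(failures, accepted):
        print(f"ALERT: {user} logged in via {method} from {ip} after repeated failures")
```

Run it against the real file with `python3 audit_ssh.py < /var/log/secure` after replacing SAMPLE_LOG with `sys.stdin.read()`; the per-source counts confirm the "don't take it personally" point above, while the alert list is the short set of lines actually worth a closer look.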
Conclusion
As always, keep an eye on those updates and upgrades. And as ever, always watch those logs.