Saturday, July 11, 2015

CentOS 7 | Disable and enable the firewall

"Hey Tom, I am just doing this tutorial article about setting up my Apache server but damn I did everything twice and I still can't access my server from outside but the service is working?!"

Every now and then I get these questions from people who have just installed their CentOS 7 server and are now trying to set up whatever network service they need.

The pain, my friends, is the firewall that comes installed by default on the CentOS 7 machine.

There are two solutions for this, both with advantages and disadvantages.

If your server is at home or at work behind a corporate firewall, then I would assume that it is already protected by whatever firewall solution your company uses, so the native firewall on it will probably cause you more pain than benefit.

The new and fancy systemctl interface of the systemd init daemon is one tool that you must master in order to troubleshoot and overcome many of the pains you may stumble upon.

So let's troubleshoot first and see if the firewall is actually running:

[root@centos7~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2015-12-19 16:13:52 CET; 17min ago
 Main PID: 575 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─575 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

From here we can see that the firewall is actually running. Keep in mind that even the CentOS 7 Minimal Install still has the firewalld service up and running by default, and only SSH is permitted.

The quick and dirty solution: Disable the firewall

!!! I highly advise against this if you are running a VPS.

To just temporarily disable the firewall and see if that is the cause, the command below will do just that:

[root@centos7 ~]# systemctl stop firewalld

However, on the next reboot the server will bring the service up again. To solve this, use the same command with the disable parameter; that way the firewalld service will stay disabled.

[root@centos7 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

If you've changed your mind and would like to see the right solution, then start and enable the firewall again:

[root@centos7 ~]# systemctl start firewalld
[root@centos7 ~]# systemctl enable firewalld

The right solution: Permit just the appropriate services

This would be appropriate if you use a hosted VPS or a system directly hooked up on the public WAN.

First, let's examine which ports we want open.
If you are running Apache only, then TCP 80 is the port that we want to permit. If you are running some other software/service, then you have to consult the software documentation or the vendor from which you bought the application.

In this example, I am assuming that you have installed Apache, and you want to permit TCP ports 80 for HTTP and 443 for the HTTPS services.

Note: Configuring the firewalld service is out of the scope of this tutorial. If you want to learn more about that daemon and its commands, then you should consult the Red Hat manual about firewalld. For now, we will just determine the zones and enable the http and https services for those zones.

By default, and at the time of writing this article, CentOS 7 after installation has only one zone defined:

[root@centos7 ~]# firewall-cmd --get-active-zones
  interfaces: ens160

The firewall also has some services predefined by default, since those are the most commonly used:

[root@centos7 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https

We can see that HTTP and HTTPS services are in the list. Now we can permit those services for the public zone:

[root@centos7 ~]# firewall-cmd --permanent --zone=public --add-service=http
[root@centos7 ~]# firewall-cmd --permanent --zone=public --add-service=https

To add specific ports to a zone, you can also use the command:

[root@agios ~]# firewall-cmd --permanent --zone=public --add-port=8080/tcp

Or even add a range of ports:

[root@agios ~]# firewall-cmd --permanent --zone=public --add-port=1024-2000/tcp

Finally, reload the daemon. The --permanent rules above are only written to the saved configuration; they take effect after the reload:

[root@agios ~]# firewall-cmd --reload
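Once the permanent rules are reloaded, it is worth confirming that the zone opens only what you intended and that the port specs you typed are sane. The POSIX shell helpers below are an added example and are not from the article; the function names and the sample `--list-all` listing are assumptions made for this example.

```shell
# Added example, not the article's code: sanity-check firewall-cmd input and
# verify after the reload that only the intended services are open in the zone.

# Validate a firewall-cmd port spec such as "8080/tcp" or "1024-2000/tcp"
# before passing it to --add-port, so a typo does not open the wrong range.
validate_port_spec() {
    spec=$1
    ports=${spec%/*}
    proto=${spec#*/}
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$ports" in
        *-*) lo=${ports%-*}; hi=${ports#*-} ;;
        *)   lo=$ports;      hi=$ports ;;
    esac
    for n in "$lo" "$hi"; do case "$n" in ''|*[!0-9]*) return 1 ;; esac; done
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Read `firewall-cmd --zone=<zone> --list-all` output on stdin and print every
# open service that is not in the expected list; return 1 if any was found.
unexpected_services() {
    expected=$1
    open=$(sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
    rc=0
    for svc in $open; do
        case " $expected " in *" $svc "*) ;; *) echo "$svc"; rc=1 ;; esac
    done
    return $rc
}

# The article's steps for a web server, followed by a verification pass.
# --permanent only edits the saved config; --reload applies it (and drops any
# runtime-only rules), so the check must run after the reload.
permit_web_services() {
    zone=$1
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 1; }
    firewall-cmd --permanent --zone="$zone" --add-service=http  >/dev/null &&
    firewall-cmd --permanent --zone="$zone" --add-service=https >/dev/null &&
    firewall-cmd --reload >/dev/null || return 1
    firewall-cmd --zone="$zone" --list-all | unexpected_services "ssh http https"
}

# Constructed sample of `firewall-cmd --zone=public --list-all` output, used
# to exercise the check offline (dhcpv6-client is open on a default install).
SAMPLE_LISTING='public (default, active)
  interfaces: ens160
  sources:
  services: dhcpv6-client ssh http https
  ports:'
```

On a real host, `permit_web_services public` prints any service open beyond ssh, http and https and exits non-zero, which is your cue to review the zone rather than assume the defaults are what you want.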

These are just a few examples of how you can use the mighty systemctl and firewall-cmd commands to control access to your system's services from the network.

For more information, consult the Red Hat documentation about the firewalld and systemd services:
