Linux Firewalld Setup


Task Requirements:

To secure our infrastructure in the Datacenter we have decided to install and configure Firewalld on all app servers. We have Apache and Nginx services running on these apps. Nginx is running as a reverse proxy server for Apache. We might have more robust firewall settings in the future, but for now, we have decided to go with the given requirements listed below:

  • Allow all incoming connections on the Nginx port, i.e. 80.

  • Block all incoming connections on the Apache port, i.e. 8080.

  • All rules must be permanent.

  • The zone should be public.

  • If Apache or Nginx services aren't running already, please make sure to start them.

Execution:

First, check whether the Apache and Nginx services are running. On RHEL and CentOS distributions, run these commands:

sudo systemctl status httpd

sudo systemctl status nginx

If either service is not running, start it with the following commands and confirm that it is active:

sudo systemctl start httpd

sudo systemctl status httpd

sudo systemctl start nginx

sudo systemctl status nginx

Once that is sorted, we install the firewalld package and set the rules to:

  • Allow all incoming connections on the Nginx port 80 and block all incoming connections on the Apache port 8080.

  • Make the rules permanent so they survive an app server restart/reboot.

Since this task has to be executed on several app servers in the datacenter, a bash script can be used to apply the same steps on each of them. Here is the script used:


#!/bin/bash

# Start Apache and Nginx (assuming systemd) and confirm they are running
sudo systemctl start httpd
sudo systemctl status httpd --no-pager
sudo systemctl start nginx
sudo systemctl status nginx --no-pager

# Install firewalld
sudo yum install firewalld -y

# Enable firewalld at boot and start it now (assuming systemd)
sudo systemctl enable firewalld
sudo systemctl start firewalld

# Allow incoming connections on the Nginx port (80); the http service maps to 80/tcp
sudo firewall-cmd --permanent --zone=public --add-service=http

# Block incoming connections on the Apache port (8080). The public zone rejects
# anything that is not explicitly allowed, so it is enough to make sure 8080/tcp
# is not opened; this removes it if an earlier rule had added it (a NOT_ENABLED
# warning here only means the port was never opened).
sudo firewall-cmd --permanent --zone=public --remove-port=8080/tcp

# Reload so the permanent rules become the runtime rules
sudo firewall-cmd --reload

# Display active zones and the services allowed in the public zone
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --zone=public --list-services
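As an added verification example (not part of the original post), the check below parses the zone listing that `firewall-cmd --zone=public --list-all` prints and confirms the three requirements: http allowed, 8080/tcp not opened, and the zone target left at default so unlisted ports are rejected. The listing text embedded here is constructed for the example, not captured from a real app server.

```bash
#!/bin/bash
# Verify that a firewalld public-zone listing meets the task's rules:
#   - the http service (port 80) is allowed
#   - 8080/tcp is not opened
#   - the zone target is "default" (reject everything not listed)
# The listing is passed in as text so the same check can be run against the
# runtime config and the permanent config to confirm that both agree.

# Return 0 when all three rules hold, 1 otherwise (printing the first failure).
check_public_zone() {
  listing="$1"
  services=$(printf '%s\n' "$listing" | sed -n 's/^ *services: *//p')
  ports=$(printf '%s\n' "$listing" | sed -n 's/^ *ports: *//p')
  target=$(printf '%s\n' "$listing" | sed -n 's/^ *target: *//p')

  case " $services " in
    *" http "*) ;;
    *) echo "FAIL: http service (port 80) is not allowed"; return 1 ;;
  esac
  case " $ports " in
    *" 8080/tcp "*) echo "FAIL: 8080/tcp is open in the public zone"; return 1 ;;
  esac
  [ "$target" = "default" ] || { echo "FAIL: zone target is '$target', not default"; return 1; }
  echo "OK: port 80 allowed, 8080 blocked, target default"
  return 0
}

# Constructed sample in the shape firewall-cmd --list-all prints (not from a real host).
GOOD_LISTING='public (active)
  target: default
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http ssh
  ports:
  forward-ports:
  source-ports:
  rich rules:'

# Same listing, but with 8080/tcp mistakenly opened.
BAD_LISTING=$(printf '%s\n' "$GOOD_LISTING" | sed 's/^  ports:$/  ports: 8080\/tcp/')

# Typical use on an app server: check runtime and permanent configs separately.
# check_public_zone "$(sudo firewall-cmd --zone=public --list-all)"
# check_public_zone "$(sudo firewall-cmd --permanent --zone=public --list-all)"
```

Running the check against both the runtime and the permanent listing catches the common mistake of adding a rule without `--permanent` (or without `--reload`), where one listing passes and the other does not.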
