Using firewalld for Routing and Firewall

One of the teams at work replaced a group of old, end of life Dell hardware and contacted me (among others) to see if I wanted it. Sure!

System: Dell R710 (Rack Mounted server). Was used as the DMZ Virtualization system.

2 10,000 RPM 146 Gig Drives RAID 1 mirrored.
4 7,200 RPM 750 Gig Drives RAID 5 (striped with parity, not mirrored)

2 8 Core 2.67 GHz CPUs

192 Gigabytes of RAM

Four on board Ethernet ports. Four on a PCI card. Two 10 Gig ports on a PCI card. Two HBA (Fiber) PCI cards.

iDRAC (remote console access).

I determined to use it as a replacement for my existing ancient system running Ubuntu. I’ll be installing CentOS 7 which will let me play with some of the newer tools, important in my line of work.

I installed CentOS 7 and also upgraded the firmware of the system and drives. After a week or so of research, I got my firewall and router configuration working.

In the examples below, I run each command twice, the second time with the --permanent option. --permanent does not touch the running firewall; it writes the change to the permanent configuration, which is what gets loaded on reboot or when the firewall is reloaded (firewall-cmd --reload). I ran them twice while working on the system in order to test my work. You can run only the --permanent commands and, at the end, run firewall-cmd --reload to activate them. Note that --reload replaces the runtime configuration with the permanent one, so any change made without --permanent is lost at that point (newer firewalld releases offer firewall-cmd --runtime-to-permanent to save the runtime state first).

I have 3 Interfaces on my system:

em1 – Zone: external – Need to Enable Masquerading
em2 – Zone: internal
em3 – Zone: dmz – This is for wireless access

To enable routing between the interfaces, turn on IPv4 forwarding in the kernel. Traditionally this goes in /etc/sysctl.conf, and CentOS 7 still reads that file, but the preferred place is a drop-in file under /etc/sysctl.d/, which systemd applies at boot (or pass the file to sysctl -p to apply it immediately). Without forwarding enabled the kernel drops packets destined for other hosts, so masquerading alone does nothing:

/etc/sysctl.d/99-forwarding.conf
net.ipv4.ip_forward=1

Enable masquerading (NAT) on the external zone, so that traffic from the internal and wireless networks leaves em1 with its address:

firewall-cmd --zone=external --add-masquerade
firewall-cmd --zone=external --add-masquerade --permanent

The default zone is public. I changed it to internal. According to the firewall-cmd man page, --set-default-zone is both a runtime and a permanent change, so the second command is redundant:

firewall-cmd --set-default-zone=internal
firewall-cmd --set-default-zone=internal --permanent

Then bind the interfaces to their zones. Any interface without an explicit zone lands in the default zone, which is now internal, so only em1 and em3 need to move:

firewall-cmd --change-interface=em1 --zone=external
firewall-cmd --change-interface=em1 --zone=external --permanent
firewall-cmd --change-interface=em3 --zone=dmz
firewall-cmd --change-interface=em3 --zone=dmz --permanent

One problem I discovered is that the permanent setting does not actually keep the interface/zone binding across a network down/up, so a reboot puts all three interfaces back into the default zone. The cause is that the interfaces are managed by NetworkManager: when it brings an interface up it tells firewalld which zone the interface belongs to, taking that from the connection profile (empty means the default zone), and that overrides the binding firewall-cmd --permanent stored in the zone's XML file. There are two solutions, both of which record the zone in the connection profile where NetworkManager will find it:

Set ZONE=external, ZONE=internal or ZONE=dmz in the matching /etc/sysconfig/network-scripts/ifcfg-em1, ifcfg-em2 or ifcfg-em3 file. NetworkManager does not re-read edited ifcfg files by itself, so reload its connection profiles (or reboot) afterwards.

Or set it through NetworkManager directly. The profile names here match the interface names; nmcli connection show lists the real ones if yours differ:

nmcli conn modify em1 connection.zone external
nmcli conn modify em3 connection.zone dmz

Both the external and dmz zones have the ssh service enabled by default. I removed ssh from both zones, which leaves ssh reachable only from the internal network:

firewall-cmd --remove-service=ssh --zone=external
firewall-cmd --remove-service=ssh --zone=external --permanent
firewall-cmd --remove-service=ssh --zone=dmz
firewall-cmd --remove-service=ssh --zone=dmz --permanent
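The whole procedure above, applied in one pass and then audited, as an added shell example that is not from the original post. apply_firewall writes the sysctl drop-in, sets the default zone, makes every other change with --permanent, records the interface zones in the NetworkManager connection profiles (the fix for the reboot problem described above) and activates everything with one --reload. audit_zones parses the output of firewall-cmd --list-all-zones and checks the expected result, so it can be run after a reboot to confirm the bindings survived. The interface names, zones and ssh removal are the post's; the echo-request block on the external zone, the connection profile names em1 and em3, and the abbreviated sample output at the bottom (constructed, not captured from a real system) are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: apply the post's zone
# layout in one pass and audit the result afterwards. Interface names,
# zones and the ssh removal come from the post; the echo-request block,
# the NM profile names and the sample output are assumptions.
set -u

apply_firewall() {                  # run as root on the CentOS 7 router
    # IPv4 forwarding: drop-in file for boot, sysctl -p for right now.
    printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/99-forwarding.conf
    sysctl -p /etc/sysctl.d/99-forwarding.conf
    # --set-default-zone is a runtime *and* permanent change already.
    firewall-cmd --set-default-zone=internal
    # Everything else: permanent config only, activated by one --reload.
    firewall-cmd --permanent --zone=external --add-masquerade
    firewall-cmd --permanent --zone=external --remove-service=ssh
    firewall-cmd --permanent --zone=dmz --remove-service=ssh
    # Assumed extra step beyond the post: stop answering ping on the Internet side.
    firewall-cmd --permanent --zone=external --add-icmp-block=echo-request
    # The binding that survives reboots lives in the NM profile, not in
    # the zone XML. Profile names are assumed to equal the interface names.
    nmcli conn modify em1 connection.zone external
    nmcli conn modify em3 connection.zone dmz
    firewall-cmd --reload
}

has_word() {                        # has_word "<space-separated list>" <word>
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

report() {                          # report <label> <status>: print, pass status through
    if [ "$2" -eq 0 ]; then echo "PASS: $1"; else echo "FAIL: $1"; fi
    return "$2"
}

# audit_zones: read `firewall-cmd --list-all-zones` text on stdin and check
# the post's layout. Returns the number of failed checks (0 = all good).
audit_zones() {
    local line trimmed zone="" key val failures=0
    local ext_if="" ext_masq="" ext_svc="" dmz_if="" dmz_svc="" int_if=""
    while IFS= read -r line; do
        trimmed=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
        [ -z "$trimmed" ] && continue              # separator line
        if [ "$trimmed" = "$line" ]; then          # unindented: "zone (active)"
            zone=${line%% *}
            continue
        fi
        key=${trimmed%%:*}; val=${trimmed#*:}; val=${val# }
        case "$zone/$key" in
            external/interfaces) ext_if=$val ;;
            external/masquerade) ext_masq=$val ;;
            external/services)   ext_svc=$val ;;
            dmz/interfaces)      dmz_if=$val ;;
            dmz/services)        dmz_svc=$val ;;
            internal/interfaces) int_if=$val ;;
        esac
    done
    has_word "$ext_if" em1;    report "em1 bound to external" $?       || failures=$((failures + 1))
    [ "$ext_masq" = yes ];     report "masquerade on in external" $?   || failures=$((failures + 1))
    ! has_word "$ext_svc" ssh; report "ssh not offered in external" $? || failures=$((failures + 1))
    has_word "$dmz_if" em3;    report "em3 bound to dmz" $?            || failures=$((failures + 1))
    ! has_word "$dmz_svc" ssh; report "ssh not offered in dmz" $?      || failures=$((failures + 1))
    has_word "$int_if" em2;    report "em2 bound to internal" $?       || failures=$((failures + 1))
    return "$failures"
}

# Constructed sample (not captured from a real box), trimmed to the fields
# the audit reads: the state right after a reboot, ssh still open on external.
SAMPLE_ZONES='dmz (active)
  target: default
  interfaces: em3
  services:
  masquerade: no

external (active)
  target: default
  interfaces: em1
  services: ssh
  masquerade: yes

internal (active)
  target: default
  interfaces: em2
  services: ssh mdns samba-client dhcpv6-client
  masquerade: no
'

# Usage: --apply (configure, as root), --audit (live firewall), --demo (sample)
case "${1:-}" in
    --apply) apply_firewall ;;
    --audit) firewall-cmd --list-all-zones | audit_zones ;;
    --demo)  printf '%s' "$SAMPLE_ZONES" | audit_zones ;;
esac
```

Run it as root with --apply on the router, then with --audit after the reboot; --demo runs the audit against the constructed sample and reports one FAIL, because ssh is still offered on external there. An audit that finds em1 or em3 back in the default zone is exactly the reboot symptom described above.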

I rebooted the system after I was done of course (standard sysadmin stuff 🙂 ) and that’s how I discovered the interfaces weren’t being saved. Note that I didn’t add masquerade to the wireless interface. That’s because the wireless one is simply running through my wifi hotspot to the server and out to the ‘net. Same as this laptop right now 🙂

I ran a test through grc.com (Gibson Research's ShieldsUP tool). The system isn't quite the same with the above rules. You can ping the system, which I had disabled on the old box, and it's answering a few queries, but no services are running. So there's some tweaking to get done. But the server is up and everything works.
