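#!/usr/bin/env bash
# Initial firewalld setup for a two-NIC host: eth0 faces the internet (zone
# "public"), eth1 faces the internal network (zone "internal"). Run as root.
# Every --permanent change below only takes effect at the final --reload.
set -euo pipefail

# Pin an interface's zone in its ifcfg file so the assignment survives a
# network restart (the runtime --change-interface alone is lost on reload).
# $1 - interface name (e.g. eth0), $2 - zone name.
set_ifcfg_zone() {
  local ifcfg="/etc/sysconfig/network-scripts/ifcfg-$1"
  if grep -q '^ZONE=' "$ifcfg"; then
    sed -i "s/^ZONE=.*/ZONE=$2/" "$ifcfg"
  else
    printf 'ZONE=%s\n' "$2" >> "$ifcfg"
  fi
}

systemctl start firewalld
systemctl enable firewalld

ip addr                              # confirm which NIC is which before binding zones
firewall-cmd --get-active-zones

# Runtime zone assignment (effective now) ...
firewall-cmd --zone=public --change-interface=eth0
firewall-cmd --zone=internal --change-interface=eth1
firewall-cmd --get-active-zones
# ... plus the persistent assignment via ZONE= in the ifcfg files.
set_ifcfg_zone eth0 public
set_ifcfg_zone eth1 internal
systemctl restart network            # briefly drops connectivity on both NICs
systemctl restart firewalld

# Internet-facing zone. ssh here is reachable from the whole internet: make
# sure sshd is key-only, or move ssh to a source-restricted zone. Keep dns
# only if this host really serves DNS to the internet; an open recursive
# resolver is an amplification vector.
firewall-cmd --zone=public --permanent --add-service=ssh
firewall-cmd --zone=public --permanent --add-service=dns
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https

# Internal zone: ssh, mysql and the Nagios NRPE agent (5666/tcp).
firewall-cmd --zone=internal --permanent --add-service=ssh
firewall-cmd --zone=internal --permanent --add-service=mysql
firewall-cmd --zone=internal --permanent --add-port=5666/tcp

firewall-cmd --reload
firewall-cmd --zone=public --list-all
firewall-cmd --zone=internal --list-all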
Note: TCP port 5666 is the Nagios NRPE agent. It is opened only on the internal zone above; if the monitoring server has a fixed address, prefer a rule limited to that source rather than the whole zone.
The current list of Cloudflare IP ranges is published at https://www.cloudflare.com/ips/ (plain-text feeds at /ips-v4 and /ips-v6). The ranges change over time, so re-run the steps below periodically to pick up new ranges and drop retired ones.
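# Restrict http/https on the internet-facing NIC to Cloudflare's edge ranges:
# a dedicated "cloudflare" zone whose sources are the published ranges gets
# http/https, and both services are removed from "public". Source-bound zones
# take precedence over interface-bound ones in firewalld, so anything else
# hitting eth0 still lands in "public" and is refused. Run as root.
#
# Caveats a practitioner should know:
#  - The ranges change. Re-run this periodically; existing sources are
#    removed below before the current list is added, so retired ranges do
#    not linger.
#  - Allow-listing the ranges only proves a request came through *some*
#    Cloudflare edge; another Cloudflare customer could still proxy to this
#    origin. If that matters, pair it with Authenticated Origin Pulls (client
#    certificate check in the web server) or an equivalent origin check.
set -euo pipefail

cd

# Create the zone once; re-runs reuse it.
firewall-cmd --permanent --get-zones | grep -qw cloudflare ||
  firewall-cmd --permanent --new-zone=cloudflare

# Loose shape check for an IPv4 or IPv6 CIDR. Anything else (an error page,
# a redirect body) aborts the run instead of becoming a firewall rule.
is_cidr() {
  [[ "$1" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$ ]] ||
    [[ "$1" =~ ^[0-9A-Fa-f:]+/[0-9]{1,3}$ ]]
}

script=./cloudflare_init.sh
printf '%s\n' '#!/bin/bash' 'set -euo pipefail' > "$script"

# Drop the zone's current sources first (word-splitting the space-separated
# list is intended; CIDRs contain no whitespace).
# shellcheck disable=SC2046
for old in $(firewall-cmd --permanent --zone=cloudflare --list-sources); do
  printf 'firewall-cmd --permanent --zone=cloudflare --remove-source=%q\n' "$old" >> "$script"
done

for url in https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6; do
  # -f turns a 4xx/5xx into an error (set -e aborts) instead of feeding the
  # response body into the firewall; -sS stays quiet but still reports errors.
  body=$(curl -fsS "$url")
  while IFS= read -r cidr || [[ -n "$cidr" ]]; do
    [[ -z "$cidr" ]] && continue
    if ! is_cidr "$cidr"; then
      printf 'unexpected entry from %s: %q\n' "$url" "$cidr" >&2
      exit 1
    fi
    printf 'firewall-cmd --permanent --zone=cloudflare --add-source=%q\n' "$cidr" >> "$script"
  done <<<"$body"
done

chmod +x "$script"
"${EDITOR:-vim}" "$script"   # eyeball it: every line must be a firewall-cmd for the cloudflare zone
"$script"

firewall-cmd --zone=cloudflare --permanent --add-service=http
firewall-cmd --zone=cloudflare --permanent --add-service=https
firewall-cmd --zone=public --permanent --remove-service=http
firewall-cmd --zone=public --permanent --remove-service=https
firewall-cmd --reload
firewall-cmd --zone=public --list-all
firewall-cmd --zone=cloudflare --list-all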
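# Trust a specific host or subnet completely. Run as root.
# The "trusted" zone's target is ACCEPT: every port and protocol on this host
# is reachable from these sources, not only the services listed on the zone.
# Use it for management networks you already trust end-to-end; otherwise
# create a dedicated zone and add only the services that are needed.
firewall-cmd --permanent --zone=trusted --list-sources

# Either a single host ...
firewall-cmd --permanent --zone=trusted --add-source=69.172.201.153
# ... or a whole subnet:
# firewall-cmd --permanent --zone=trusted --add-source=192.168.100.0/24

# Permanent changes only take effect after a reload.
firewall-cmd --reload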
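# Bind the VPN tunnel interface to the trusted zone so peers on the tunnel
# can reach this host. Run as root.
firewall-cmd --permanent --zone=trusted --change-interface=tun3

# "trusted" already accepts all traffic (target ACCEPT), so opening 3000/tcp
# on it changes nothing today; it only matters if the interface is later
# moved to a restrictive zone. If only 3000/tcp (plus ssh) should be
# reachable over the tunnel, bind tun3 to a dedicated zone instead.
firewall-cmd --permanent --zone=trusted --add-port=3000/tcp

# One reload activates both permanent changes.
firewall-cmd --reload
firewall-cmd --get-active-zones
firewall-cmd --zone=trusted --list-all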
Change the firewalld backend to iptables (needed for Docker on distributions where firewalld defaults to the nftables backend, because Docker manages its own rules through iptables).
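# Switch firewalld from the nftables backend to iptables so Docker's
# iptables rules and firewalld stop conflicting. Run as root; firewalld is
# stopped while its config file is edited.
set -euo pipefail

conf=/etc/firewalld/firewalld.conf

# Masquerade has to come off the active zone before switching. Note that
# --list-all alone only shows the *default* zone; use --get-active-zones to
# find the zone that actually carries the masquerade setting.
firewall-cmd --get-active-zones
firewall-cmd --list-all
zone=${ZONE:?set ZONE to the active zone name from --get-active-zones}
firewall-cmd --permanent --zone="$zone" --remove-masquerade

systemctl stop firewalld
cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
if ! grep -q '^FirewallBackend=' "$conf"; then
  printf 'FirewallBackend= not found in %s; refusing to guess\n' "$conf" >&2
  exit 1
fi
sed -i 's/^FirewallBackend=.*/FirewallBackend=iptables/' "$conf"
grep '^FirewallBackend=' "$conf"   # expect: FirewallBackend=iptables
systemctl start firewalld
firewall-cmd --reload

# Docker caveats (verify against the Docker version in use): a firewalld
# restart or reload typically flushes the iptables chains Docker manages, so
# restart Docker afterwards so it re-creates them; and ports published with
# -p are generally reachable regardless of firewalld's zone rules, so
# restrict them on the Docker side (e.g. bind to 127.0.0.1).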