Advanced Firewalld

Hands-On Lab

Michael Christian

Course Development Director in Content

Length

01:30:00

Difficulty

Advanced

In this hands-on lab, you will use firewalld to create a new service, allow that service in the default zone, drop all traffic from an IPSet, and add a rich rule for traffic from a specific subnet.

Solution

  1. Begin by logging in to the lab servers using the credentials provided on the hands-on lab page:

    ssh cloud_user@PUBLIC_IP_ADDRESS

  2. Become the root user:

    sudo su -

Create a new service in firewalld

  1. The service name should be: jobsub.

    firewall-cmd --permanent --new-service=jobsub

    Set the description for the service:

    firewall-cmd --permanent --service=jobsub --set-description="Job Submission"
  2. The service's ports are: TCP 5671-5677.

    firewall-cmd --permanent --service=jobsub --add-port=5671-5677/tcp
  3. This service should be enabled for the default zone (public).

    First, reload the firewall so the daemon knows the new service definition before you reference it by name:

    firewall-cmd --reload

    Then add the service to the default zone:

    firewall-cmd --permanent --add-service=jobsub

    Like every --permanent change in this lab, this one only reaches the running firewall after the next reload.

Create an IPSet in firewalld

  1. You will need to create an IPSet for the following IPs and name it kiosk:

    • 10.0.1.12
    • 192.168.1.0/24

    Create a new IPSet. The set mixes a single host with a /24 network, so use the hash:net type: hash:ip is meant for individual addresses, while hash:net is the type for network entries and also accepts single hosts:

    firewall-cmd --permanent --new-ipset=kiosk --type=hash:net

    Add the specified IP addresses to the IPSet:

    firewall-cmd --permanent --ipset=kiosk --add-entry=10.0.1.12
    firewall-cmd --permanent --ipset=kiosk --add-entry=192.168.1.0/24

    Reload the firewall:

    firewall-cmd --reload
  2. Send all traffic from the kiosk IPSet to the drop zone by binding the set as a source of that zone. Packets from any member are then assigned to drop, whatever interface they arrive on:

    firewall-cmd --permanent --zone=drop --add-source=ipset:kiosk

Add a rich rule for TCP 8080 traffic

  1. Add a rich rule to the default zone (public) that accepts TCP traffic from 10.0.1.0/24 to port 8080:

    firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=10.0.1.0/24 port port=8080 protocol=tcp accept'

    Note that 10.0.1.12 is a member of the kiosk IPSet, and source bindings are matched before the default zone is chosen, so traffic from that host lands in the drop zone and never reaches this rule.
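The whole procedure above, collected into one idempotent script that adds the final reload and the runtime checks the lab steps do not include. This is an added example, not part of the original lab: the service, ports, IPSet entries and rich rule are the lab's, while the helper names (has_word, pick_ipset_type, ip2int, in_cidr, zone_for_source, apply_lab) are this example's own. The in_cidr and zone_for_source helpers model firewalld's zone lookup to show why 10.0.1.12 is dropped despite the rich rule; firewall-cmd is only invoked when the script runs as root on a host that has it.

```shell
#!/bin/sh
# Added example (not the lab's own code): applies the lab idempotently and
# verifies it. Helper names below are this example's, not firewall-cmd's.
set -eu

SERVICE=jobsub
PORTS=5671-5677/tcp
IPSET=kiosk
KIOSK_ENTRIES="10.0.1.12 192.168.1.0/24"
RICH_RULE='rule family=ipv4 source address=10.0.1.0/24 port port=8080 protocol=tcp accept'

# Exit 0 if word $1 appears in the space-separated list $2 (the format
# printed by firewall-cmd --get-services and --get-ipsets).
has_word() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# hash:ip holds single addresses only; a CIDR entry anywhere in the list
# calls for hash:net, which accepts both hosts and networks.
pick_ipset_type() {
    for e in "$@"; do
        case "$e" in */*) echo hash:net; return 0 ;; esac
    done
    echo hash:ip
}

# Dotted-quad IPv4 address to a 32-bit integer (subshell keeps IFS local).
ip2int() ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )

# in_cidr IP NETWORK[/BITS]: exit 0 if IP lies inside NETWORK.
in_cidr() {
    local net bits mask
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32   # bare host address: treat as /32
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Model firewalld's lookup order for a packet from $1: a source binding
# (the kiosk set bound to drop) is matched before the default zone, so a
# kiosk member is dropped even though public's rich rule accepts 10.0.1.0/24.
zone_for_source() {
    for e in $KIOSK_ENTRIES; do
        if in_cidr "$1" "$e"; then echo drop; return 0; fi
    done
    echo public
}

apply_lab() {
    # Service: create once, then allow it in the default zone (public).
    if ! has_word "$SERVICE" "$(firewall-cmd --permanent --get-services)"; then
        firewall-cmd --permanent --new-service="$SERVICE"
        firewall-cmd --permanent --service="$SERVICE" --set-description="Job Submission"
        firewall-cmd --permanent --service="$SERVICE" --add-port="$PORTS"
        firewall-cmd --reload   # let the daemon see the new service before it is referenced
    fi
    firewall-cmd --permanent --query-service="$SERVICE" >/dev/null \
        || firewall-cmd --permanent --add-service="$SERVICE"

    # IPSet: hash:net here, because the entries mix a host with a /24.
    if ! has_word "$IPSET" "$(firewall-cmd --permanent --get-ipsets)"; then
        firewall-cmd --permanent --new-ipset="$IPSET" --type="$(pick_ipset_type $KIOSK_ENTRIES)"
    fi
    for e in $KIOSK_ENTRIES; do
        firewall-cmd --permanent --ipset="$IPSET" --query-entry="$e" >/dev/null \
            || firewall-cmd --permanent --ipset="$IPSET" --add-entry="$e"
    done
    firewall-cmd --permanent --zone=drop --query-source="ipset:$IPSET" >/dev/null \
        || firewall-cmd --permanent --zone=drop --add-source="ipset:$IPSET"

    # Rich rule in the default zone.
    firewall-cmd --permanent --query-rich-rule="$RICH_RULE" >/dev/null \
        || firewall-cmd --permanent --add-rich-rule="$RICH_RULE"

    # None of the --permanent changes reach the running firewall until a reload.
    firewall-cmd --reload

    # Verify against the runtime configuration; each query exits non-zero on "no".
    firewall-cmd --query-service="$SERVICE"
    firewall-cmd --ipset="$IPSET" --get-entries
    firewall-cmd --zone=drop --query-source="ipset:$IPSET"
    firewall-cmd --query-rich-rule="$RICH_RULE"
}

if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    apply_lab
else
    echo "firewall-cmd not found or not running as root: nothing applied" >&2
fi
```

Run it as root on the lab host; it is safe to re-run, since every step queries the permanent configuration before changing it. Without the final `firewall-cmd --reload`, the service, the drop binding and the rich rule exist only on disk, and `firewall-cmd --list-all` would still show the old runtime state.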

Conclusion

Congratulations — you've completed this hands-on lab!