Zum Inhalt

Chapter 4: firewall setup

Throughout this chapter you will need to be root or able to sudo to become root.

As with any server, you need to ensure that it is secure from the outside world and on your LAN. Your example server only has a LAN interface, but it is totally possible to have two interfaces, one each facing your LAN and WAN networks.

A note regarding Rocky Linux 9.x and iptables

Starting with Rocky Linux 9.0, iptables and all of the associated utilities are officially deprecated. This means that in future versions of the operating system, they will disappear altogether. A previous version of this document contained instructions for iptables set up, but it has now been removed.

For all current versions of Rocky Linux, using firewalld is recommended.

Firewall set up - firewalld

For firewalld rules, you need to use this basic procedure or be familiar with those concepts. Our assumptions are: LAN network of 192.168.1.0/24 and a bridge named lxdbr0. To be clear, you might have many interfaces on your LXD server, with one perhaps facing your WAN. You are also going to create a zone for the bridged and local networks. This is just for zone clarity's sake. The other zone names do not really apply. This procedure assumes that you already know the basics of firewalld.

firewall-cmd --new-zone=bridge --permanent

You need to reload the firewall after adding a zone:

firewall-cmd --reload

You want to allow all traffic from the bridge. Just add the interface, and change the target from "default" to "ACCEPT":

Warning

Changing the target of a firewalld zone must be done with the --permanent option, so we might as well just enter that flag in our other commands as well and forgo the --runtime-to-permanent option.

Note

If you need to create a zone that you want to allow all access to the interface or source, but do not want to have to specify any protocols or services, then you must change the target from "default" to "ACCEPT". The same is true of "DROP" and "REJECT" for a particular IP block that you have custom zones for. To be clear, the "drop" zone will take care of that for you as long as you are not using a custom zone.

firewall-cmd --zone=bridge --add-interface=lxdbr0 --permanent
firewall-cmd --zone=bridge --set-target=ACCEPT --permanent

Assuming no errors and everything is still working just do a reload:

firewall-cmd --reload

If you list out your rules now with firewall-cmd --zone=bridge --list-all you will see:

bridge (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: lxdbr0
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Note that you also want to allow your local interface. Again, the included zones are not appropriately named for this. Create a zone and use the source IP range for the local interface to ensure you have access:

firewall-cmd --new-zone=local --permanent
firewall-cmd --reload

Add the source IPs for the local interface, and change the target to "ACCEPT":

firewall-cmd --zone=local --add-source=127.0.0.1/8 --permanent
firewall-cmd --zone=local --set-target=ACCEPT --permanent
firewall-cmd --reload

Go ahead and list out the "local" zone to ensure your rules are there with firewall-cmd --zone=local --list all which will show:

local (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 127.0.0.1/8
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

You want to allow SSH from our trusted network. We will use the source IPs here, and the built-in "trusted" zone. The target for this zone is already "ACCEPT" by default.

firewall-cmd --zone=trusted --add-source=192.168.1.0/24

Add the service to the zone:

firewall-cmd --zone=trusted --add-service=ssh

If everything is working, move your rules to permanent and reload the rules:

firewall-cmd --runtime-to-permanent
firewall-cmd --reload

Listing out your "trusted" zone will show:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.1.0/24
  services: ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

By default, the "public" zone is in the enabled state and has SSH allowed. For security, you do not want SSH allowed on the "public" zone. Ensure that your zones are correct and that the access you are getting to the server is by one of the LAN IPs (in the case of our example). You might lock yourself out of the server if you do not verify this before continuing. When you are sure you have access from the correct interface, remove SSH from the "public" zone:

firewall-cmd --zone=public --remove-service=ssh

Test access and ensure you are not locked out. If not, move your rules to permanent, reload, and list out zone "public" to ensure the removal of SSH:

firewall-cmd --runtime-to-permanent
firewall-cmd --reload
firewall-cmd --zone=public --list-all

There may be other interfaces on your server to consider. You can use built-in zones where appropriate, but if the names do not appear logical, you can definitely add zones. Just remember that if you have no services or protocols that you need to allow or reject specifically, you will need to change the zone target. If it works to use interfaces, as with the bridge, you can do that. If you need more granular access to services, uses source IPs instead.

Author: Steven Spencer

Contributors: Ezequiel Bruni, Ganna Zhyrnova