How to Configure a Linux Server Firewall?
During the maintenance of a Linux server, firewall configuration is a critical step in ensuring system security. Proper configuration of the firewall can not only prevent unauthorized access but also effectively manage ports and services. This article aims to provide a comprehensive guide to Linux firewall configuration, helping you understand how to open and close ports, as well as how to manage them through security group rules.
Why Configure the Linux Firewall
The firewall is the first line of defense for a server, responsible for monitoring and controlling the network traffic entering and leaving the system. By setting rules, the firewall can allow or deny specific network packets, thereby protecting the server from malicious software and attackers.
Basic Commands for Linux System Firewalls
In CentOS 7, the default firewall management tool is firewalld, which has replaced the older iptables. Here are some basic firewalld command guides:
systemctl status firewalld.service: Check the status of the firewall.
systemctl start firewalld.service: Start the firewall.
systemctl stop firewalld.service: Stop the firewall.
systemctl disable firewalld.service: Disable the firewall.
firewall-cmd --list-all: List all open ports and rules.
These firewalld command guides are the foundation for server administrators to manage the firewall.
How to Check Port Status
Before configuring the firewall, it is first necessary to determine which ports are open. You can use the telnet command to test if a server port can be accessed remotely:
telnet <Server Public IP Address> <Port Number>
If it returns a message like “Unable to open a connection to the host” or “Connection failed,” it means the port is not open.
Configuring firewalld Rules
When you confirm that a specific port needs to be allowed, you can use the following firewalld command to add a rule:
firewall-cmd --permanent --add-port=<Port Number>/tcp firewall-cmd --reload
This will permanently add the rule, and it will take effect after reloading the firewall. To verify if the rule has been added, you can use the
firewall-cmd --list-all command again.
How to Close Ports
If you need to close a port, you can execute the following command:
firewall-cmd --permanent --remove-port=<Port Number>/tcp firewall-cmd --reload
By doing so, the specified port will be closed, and the rule will take effect immediately after the firewall is reloaded.
Best Practices for Firewall Policy
When configuring a server firewall, there are several key points to remember:
- Minimize open ports: Only open necessary ports, which can greatly reduce security risks.
- Regularly review rules: Over time, it’s necessary to regularly review firewall rules and close ports that are no longer needed.
- Use security groups: If using cloud servers, make full use of security groups to manage data traffic.
- Log changes: Any changes to the firewall should be well-documented for future audits and problem tracking.
- Apply updates promptly: Updates to the operating system and the firewall itself may contain security fixes, so ensure these are applied in a timely manner.
- Test configurations: After making changes, perform tests to ensure new rules work as expected and do not affect normal services.