firewalld and nmcli – how to open a port on a specific interface on CentOS 7

For admins used to plain iptables, the changes in RHEL 7.x made life a lot harder: the default firewalld configuration is a maze of zones and per-zone chains that traffic is dispatched into depending on the ingress interface. I spent hours working out how to add a single service to a single zone and move one interface from one zone to another, so I might as well document the whole experience for fellow admins out there.

First thing first, let’s see how our interfaces are configured:

# firewall-cmd --get-active-zones
public
  interfaces: ens160 ens192 ens224 ens256

In my particular case I want to switch ens224 (my management interface) from the “public” to the “work” zone, so I check what services are enabled in both zones. Since this is the interface I administer the box over, the target zone must keep ssh open, otherwise the switch locks me out; as shown below, both zones do:

# firewall-cmd --zone=public --list-services
dhcpv6-client http ssh
# firewall-cmd --zone=work --list-services
dhcpv6-client ipp-client ssh

Then I make sure http is enabled in the “work” zone as well (with --permanent this is written to the zone definition and only becomes active at the next --reload):

# firewall-cmd --permanent --zone=work --add-service http

Then I went to switch the ens224 interface from “public” to “work”… but it didn’t work: the reload reported success, yet the interface stayed in “public”:

# firewall-cmd --permanent --zone=public --remove-interface=ens224
# firewall-cmd --permanent --zone=work --add-interface=ens224
# firewall-cmd --reload
success
# firewall-cmd --get-active-zones
public
  interfaces: ens160 ens192 ens224 ens256

The reason is that for an interface managed by NetworkManager, firewalld takes the zone from the connection profile, not from its own zone XML: on reload the interface is re-bound to the zone named in the profile's connection.zone (empty meaning the default zone, “public” here), which overrides the --add-interface binding made above. So the zone has to be set on the connection, either by adding ZONE=work to the interface's ifcfg file in /etc/sysconfig/network-scripts/ or, as it was in my case, through NetworkManager's nmcli:

# nmcli c
NAME    UUID                                  TYPE            DEVICE 
nas     xxxxxxxx-yyyy-zzzz-tttt-wwwwwwwwwwww  802-3-ethernet  ens256 
cda-be  xxxxxxxx-yyyy-zzzz-tttt-wwwwwwwwwwww  802-3-ethernet  ens224 
bal     xxxxxxxx-yyyy-zzzz-tttt-wwwwwwwwwwww  802-3-ethernet  ens160 
cda-fe  xxxxxxxx-yyyy-zzzz-tttt-wwwwwwwwwwww  802-3-ethernet  ens192
# nmcli -p con show cda-be|grep connection.zone
connection.zone:                        --
# nmcli con modify cda-be connection.zone work
# nmcli -p con show cda-be|grep connection.zone
connection.zone:                        work

I reloaded the firewall configuration again and verified with iptables that traffic arriving on ens224 now jumps to the IN_work chain and that the “work” zone allows http traffic:

# firewall-cmd --reload
# iptables -nvL
[...]
Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_public  all  --  ens256 *       0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 IN_public  all  --  ens192 *       0.0.0.0/0            0.0.0.0/0           [goto] 
    1    44 IN_public  all  --  ens160 *       0.0.0.0/0            0.0.0.0/0           [goto] 
    1    60 IN_work    all  --  ens224 *       0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 
[...]
Chain IN_work_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:631 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW
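Putting the steps above together, here is an added helper script (mine, not part of the original post) that does the whole switch in one go and verifies the outcome instead of eyeballing iptables: it looks up the NetworkManager profile bound to the interface, permanently opens the requested services in the target zone, sets connection.zone on the profile, reloads firewalld and then checks with --get-zone-of-interface and --query-service that the interface really landed in the zone and the services are open there. The function and variable names are my own; the sample nmcli listing in the comment is constructed from the output shown earlier in the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: move a NetworkManager-managed
# interface to another firewalld zone and verify the result on CentOS 7.
set -e

# connection_for_device LISTING DEVICE
# LISTING is the output of `nmcli -t -f NAME,DEVICE con show`, one "NAME:DEVICE"
# record per line (terse mode uses ':' as separator). Prints the profile NAME
# bound to DEVICE, or nothing if no profile is bound. Pure text processing, so
# it can be exercised without nmcli present, e.g. with a constructed listing:
#   nas:ens256
#   cda-be:ens224
connection_for_device() {
    listing="$1"
    dev="$2"
    printf '%s\n' "$listing" | awk -F: -v dev="$dev" '$2 == dev { print $1; exit }'
}

# move_interface_to_zone IFACE ZONE [SERVICE...]
# 1. find the NetworkManager profile for IFACE
# 2. permanently enable each SERVICE in ZONE (takes effect at reload)
# 3. set connection.zone on the profile; this is what firewalld honours for
#    NM-managed interfaces, the zone XML binding alone does not stick
# 4. reload firewalld and verify zone membership and open services
move_interface_to_zone() {
    iface="$1"
    zone="$2"
    shift 2
    con=$(connection_for_device "$(nmcli -t -f NAME,DEVICE con show)" "$iface")
    if [ -z "$con" ]; then
        echo "no NetworkManager profile is bound to $iface" >&2
        return 1
    fi
    for svc in "$@"; do
        firewall-cmd --permanent --zone="$zone" --add-service="$svc" >/dev/null
    done
    nmcli con modify "$con" connection.zone "$zone"
    firewall-cmd --reload >/dev/null

    # Verify: the runtime zone of the interface must be ZONE ...
    got=$(firewall-cmd --get-zone-of-interface="$iface")
    if [ "$got" != "$zone" ]; then
        echo "$iface is in zone '$got', expected '$zone'" >&2
        return 1
    fi
    # ... and every requested service must be open in that zone.
    for svc in "$@"; do
        if ! firewall-cmd --zone="$zone" --query-service="$svc" >/dev/null; then
            echo "service $svc is not open in zone $zone" >&2
            return 1
        fi
    done
    echo "$iface moved to zone $zone via profile '$con'; services: $*"
}

# Usage on the host itself (needs firewalld and NetworkManager running):
#   move_interface_to_zone ens224 work http
```

Run it as root on the CentOS 7 host; it exits non-zero at the first step that fails, so a wrong profile name or a zone that did not take effect is reported instead of silently leaving the interface in “public”. If the management interface is the one being moved, make sure ssh is among the services already allowed in the target zone before running it.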

I hope this will be useful for someone out there :)
More info, as usual, in the official documentation: firewall-cmd, nmcli.
