keith li (Hong Kong)

asked on

Firewall in Linux RHEL 7 issue

After I turned on the firewall in RHEL 7, I cannot access Webmin on port 10000 from the internal network. Any idea where in the firewall I have to set this up in order to access the internal Webmin port 10000? Also for external access to Webmin on 10000 as well.

[screenshot]
Zephyr ICT (Belgium)

Via Terminal:
firewall-cmd --permanent --zone=internal --add-port=10000/tcp
firewall-cmd --permanent --zone=public --add-port=10000/tcp
firewall-cmd --reload


Did you reload the firewall after adding the port for internal?

If you execute this in the Terminal you might need to add sudo before each command; also, the first rule might fail if it already exists, as your screenshot shows.
keith li (ASKER)

If I'm going to do it in the GUI, do I need to add port 10000 under both "public" and "internal" in the "Permanent" configuration? How do I reload in the GUI? After I added it, as in the screenshot above, I still can't access the Webmin port 10000 internally. Thanks for your reply, any idea?
Well, the Terminal way is faster, but ok ... Let's try it via GUI.

Can you check a few things:

1- Does the FW show as "connected" (lower left corner) -- It doesn't show in the screenshot.
2- Check which zone is the default zone (lower right corner)
3- Does your active network connection (eg eth0) show up under "Interfaces"?

Depending on your answers you'll need to set the default zone, add the correct interface and so on ...
To reload the FW use the feature under "Options" menu.

You'll need to add the ports under "public" and "internal", yes, or you can use the "work" zone as well for internal use.
Then set one of these zones as the default zone, which is also under the "Options" menu.

After all the changes don't forget to reload.
Since my Linux box is also acting as a router and has 2 network cards: if I want to port forward to the other PC with IP 192.168.1.100 to open port 3389, may I have the command for the terminal as well?
For port forwarding you need to first enable masquerade:

firewall-cmd --zone=external --add-masquerade

Port forwarding should be something like this:

firewall-cmd --zone=external --add-forward-port=port=3389:proto=tcp:toaddr=192.168.1.100 --permanent

If I remove port 10000 from public and then click on reload firewalld, port 10000 appears back in the public services. Any idea why?


[screenshot]
Maybe it's been configured there by the application?
Or the port is still in use; normally not, but anyway... Can you remove it from services? Or can you provide a screenshot of the services...
It looks normal after I use the terminal to add other port numbers, so I think I will start using the terminal rather than the GUI. I have another question: which ports are for Samba? I have opened 136, 137 & 138, but it didn't allow me to access the Samba mapped drive; after I disabled firewalld it could access it. Any idea?
For Samba ports 137, 138, 139 and 445 ... I think that would be it ...
One more question: how do I use the terminal to remove the port, and remove the port forward, for example to remove 192.168.1.100 for port 3389? Thanks!
Sure,

- To remove a service from a certain zone:
firewall-cmd --zone=work --remove-service=smtp

- Remove ports from zones and such:
firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>

- Remove port-forwarding masquerade:
firewall-cmd --zone=external --remove-masquerade

- Remove the port-forward:
firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }

So in your case it would be something like this:
firewall-cmd --zone=external --remove-forward-port=port=3389:proto=tcp:toaddr=192.168.1.100

I typed the command below for the public zone, because I don't want someone to be able to access Webmin from the public network. After I typed it, internal can't access port 10000 either. Any idea?

firewall-cmd --zone=public --remove-port=10000/tcp
Can you first show result of following commands:

# firewall-cmd --get-default-zone
# firewall-cmd --get-active-zones
# firewall-cmd --get-zones

It's possible you still have the public zone as default; you need to set the default zone to the one you want to use. Not all zones are active; you make the one active that is most representative of your server's use.
[root@061093012227 ~]#  firewall-cmd --get-default-zone
public
[root@061093012227 ~]# firewall-cmd --get-active-zones
public
  interfaces: ens160 ens192
[root@061093012227 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@061093012227 ~]#
I figured it out already: the external interface I assigned to public, and the internal LAN I assigned to internal!
ASKER CERTIFIED SOLUTION: Zephyr ICT (Belgium) (solution text only available to members)
Yes, thanks a lot for your help!
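The two pieces the thread ends on, binding each NIC to its own zone (the asker's fix) and the masquerade plus forward-port rules from the earlier answer, combined into one script, together with the Samba and Webmin rules discussed in between. This is an added example, not code posted in the thread or taken from firewalld's documentation. The interface names ens160 and ens192 come from the asker's --get-active-zones output, but which one is WAN and which is LAN, the Webmin port, the RDP host 192.168.1.100 and the zone names are assumptions taken from the thread; DRY_RUN=1 prints the firewall-cmd calls instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original thread: firewalld on a two-NIC RHEL 7
# router. Webmin (10000/tcp) and Samba stay LAN-only; 3389/tcp arriving on
# the WAN side is forwarded to an RDP host on the LAN.
# Assumed (override via environment): WAN NIC ens160 -> zone external,
# LAN NIC ens192 -> zone internal, RDP host 192.168.1.100.
WAN_IF="${WAN_IF:-ens160}"
LAN_IF="${LAN_IF:-ens192}"
RDP_HOST="${RDP_HOST:-192.168.1.100}"

# With DRY_RUN=1 the command is printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Apply a rule to the permanent config (zone XML under /etc/firewalld/zones/)
# AND to the running firewall. A runtime-only rule is discarded by the next
# --reload; a permanent-only rule does nothing until the next --reload.
# The "|| :" keeps a re-run from aborting: firewalld 0.3.x (early RHEL 7)
# exits non-zero on ALREADY_ENABLED / NOT_ENABLED, newer versions only warn.
fw() {
    run firewall-cmd --permanent "$@" || :
    run firewall-cmd "$@" || :
}

configure_router() {
    # Bind each NIC to the zone matching its role. Once an interface is bound
    # explicitly, the default zone no longer applies to it, so rules in
    # "public" stop mattering for either NIC.
    fw --zone=external --change-interface="$WAN_IF"
    fw --zone=internal --change-interface="$LAN_IF"
    run firewall-cmd --reload

    # LAN-only services: Webmin, plus the samba service, which bundles
    # 137/udp, 138/udp, 139/tcp and 445/tcp (opening 136 does nothing).
    fw --zone=internal --add-port=10000/tcp
    fw --zone=internal --add-service=samba
    # Make sure the WAN-facing zone never exposes Webmin.
    fw --zone=external --remove-port=10000/tcp

    # NAT for LAN clients (external ships with masquerade enabled; re-adding
    # is harmless) and the DNAT of 3389/tcp to the RDP host.
    fw --zone=external --add-masquerade
    fw --zone=external --add-forward-port="port=3389:proto=tcp:toaddr=$RDP_HOST"
}

undo_forward() {
    # Remove only the DNAT; the masquerade is still needed by other LAN hosts.
    fw --zone=external --remove-forward-port="port=3389:proto=tcp:toaddr=$RDP_HOST"
}

verify() {
    # Both zones should now show up as active, each with its interface.
    run firewall-cmd --get-active-zones
    run firewall-cmd --zone=internal --list-all
    run firewall-cmd --zone=external --list-all
}

case "${1:-}" in
    configure) configure_router; verify ;;
    undo)      undo_forward ;;
    verify)    verify ;;
esac
```

Run as root on the router: `DRY_RUN=1 sh firewalld-router.sh configure` to preview the calls, `sh firewalld-router.sh configure` to apply, `sh firewalld-router.sh undo` to drop the DNAT again. The explicit interface binding is what resolved the thread's symptom: while both NICs sat in the default zone "public", removing 10000/tcp from public cut the LAN off too, because the "internal" zone was not active for any interface.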