Firewall in Linux RHEL 7 issue

After I turned on the firewall in RHEL 7, I cannot access Webmin on port 10000 from the internal network. Any idea where I can set this up in the firewall in order to access the internal Webmin 10000 port? Also for external access to Webmin 10000 as well.

firewall
piaakit Asked:

Zephyr ICT (Cloud Architect) Commented:
Via Terminal:
firewall-cmd --permanent --zone=internal --add-port=10000/tcp
firewall-cmd --permanent --zone=public --add-port=10000/tcp
firewall-cmd --reload

Did you reload the firewall after adding the port for internal?

If you execute this in Terminal you might need to add sudo before each command; also, the first rule might fail if it already exists, as it shows in your screenshot.
0
piaakit (Author) Commented:
If I'm going to do it in the GUI, do I need to add the 10000 port in "public" & "internal" under configuration "Permanent"? How do I reload in the GUI? Since after I added it in the screenshot above, I still can't access the Webmin 10000 port internally. Thanks for your reply, any idea?
0
Zephyr ICT (Cloud Architect) Commented:
Well, the Terminal way is faster, but ok ... Let's try it via GUI.

Can you check a few things:

1. Does the FW show as "connected" (lower left corner)? It doesn't show in the screenshot.
2. Check which zone is the default zone (lower right corner).
3. Does your active network connection (e.g. eth0) show up under "Interfaces"?

Depending on your answers you'll need to set the default zone, add the correct interface and so on ...
To reload the FW use the feature under "Options" menu.

You'll need to add the ports under "public" and "internal", yes, or you can use the "work" zone as well for internal use.
Then set one of these zones as the default zone, which is also under the "Options" menu.

After all the changes don't forget to reload.
0

piaakit (Author) Commented:
Since my Linux box is acting as a router as well and has 2 network cards, if I want to do a port forward to the other PC with IP 192.168.1.100 to open port 3389, may I have the command for the terminal as well?
0
Zephyr ICT (Cloud Architect) Commented:
For port forwarding you need to first enable masquerade:

firewall-cmd --zone=external --add-masquerade

Port forwarding should be something like this:

firewall-cmd --zone=external --add-forward-port=port=3389:proto=tcp:toaddr=192.168.1.100 --permanent


0
piaakit (Author) Commented:
If I remove port 10000 from public and then click on "reload firewalld", the 10000 port appears back in the public services. Any idea why?
0
Zephyr ICT (Cloud Architect) Commented:
Maybe it's been configured there by the application?
Or the port is still in use; normally not, but anyway... Can you remove it from services? Or can you provide a screenshot of the services?
0
piaakit (Author) Commented:
It looks normal after I used the terminal to add the other port numbers. I think I will start using the terminal rather than the GUI. I have another question: which ports are for Samba? I have opened 136, 137 & 138, but it didn't allow me to access the Samba mapped drive. After I disabled firewalld I could access it. Any idea?
0
Zephyr ICT (Cloud Architect) Commented:
For Samba ports 137, 138, 139 and 445 ... I think that would be it ...
0
piaakit (Author) Commented:
One more question: how do I use the terminal to remove the port, and remove the port forward? For example, to remove 192.168.1.100 for port 3389. Thanks!
0
Zephyr ICT (Cloud Architect) Commented:
Sure,

- To remove a service from a certain zone:
firewall-cmd --zone=work --remove-service=smtp


- Remove ports from zones and such:
firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>


- Remove Port-forwarding masquerade:
firewall-cmd --zone=external --remove-masquerade


- Remove the port-forward:
firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }

So in your case it would be something like this:
firewall-cmd --zone=external --remove-forward-port=port=3389:proto=tcp:toaddr=192.168.1.100


0
piaakit (Author) Commented:
I typed the command below for the public zone, because I don't want someone to be able to access Webmin from the public network. After I typed it, internal also cannot access port 10000. Any idea?

firewall-cmd --zone=public --remove-port=10000/tcp
0
Zephyr ICT (Cloud Architect) Commented:
Can you first show the result of the following commands:

# firewall-cmd --get-default-zone
# firewall-cmd --get-active-zones
# firewall-cmd --get-zones

It's possible you still have the public zone as default. You need to set a default zone that you want to use; not all zones are active, so you set as active the one that is most representative of your server's use.
0
piaakit (Author) Commented:
[root@061093012227 ~]#  firewall-cmd --get-default-zone
public
[root@061093012227 ~]# firewall-cmd --get-active-zones
public
  interfaces: ens160 ens192
[root@061093012227 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@061093012227 ~]#
0
piaakit (Author) Commented:
I figured it out already: for the external interface I assigned public, and for the internal LAN I assigned internal!
0
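The output above shows why removing 10000/tcp from public also cut off the LAN: both ens160 and ens192 were active in the public zone, which was also the default zone, so there was no separate zone in which the internal port could stay open. The script below is an added example, not code from this thread or from the firewalld project. It parses the text that `firewall-cmd --get-active-zones` prints, reports which zone an interface sits in, and prints the `--change-interface` commands that would move it into the wanted zone, without executing anything. The two embedded samples are constructed to match the thread's before and after state; the interface names ens160 (WAN) and ens192 (LAN) are assumed from the output posted above.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit which firewalld zone each interface
# is in, from the text `firewall-cmd --get-active-zones` prints, and plan the move
# of an interface into the zone it should be in. Parsing the output instead of
# calling firewall-cmd lets the logic run offline on a constructed sample.

# Constructed sample mirroring the thread's diagnosis: both NICs sit in the
# public zone, so a port removed from public disappears for the internal LAN too.
SAMPLE_BEFORE='public
  interfaces: ens160 ens192'

# Constructed sample of the fixed state: WAN NIC in public, LAN NIC in internal.
SAMPLE_AFTER='public
  interfaces: ens160
internal
  interfaces: ens192'

# zone_of_interface <iface> <active-zones text>
# Prints the zone whose "interfaces:" line lists <iface>, or "none".
zone_of_interface() {
  local iface="$1" text="$2" zone="none" current="" line name
  while IFS= read -r line; do
    case "$line" in
      "  interfaces:"*)
        # Word-split the names after the colon and look for ours.
        for name in ${line#*interfaces:}; do
          [ "$name" = "$iface" ] && zone="$current"
        done ;;
      "  "*|"") ;;                 # "  sources:" lines and blanks carry no zone name
      *) current="${line%% *}" ;;  # an unindented line is a zone name
    esac
  done <<EOF
$text
EOF
  printf '%s\n' "$zone"
}

# plan_zone_move <iface> <wanted-zone> <active-zones text>
# Prints the firewall-cmd commands needed to move <iface> into <wanted-zone>,
# or nothing if it is already there. Nothing is executed: review, then run.
# --permanent --change-interface records the zone so it survives a reload.
plan_zone_move() {
  local iface="$1" wanted="$2" text="$3" have
  have=$(zone_of_interface "$iface" "$text")
  [ "$have" = "$wanted" ] && return 0
  printf 'firewall-cmd --permanent --zone=%s --change-interface=%s\n' "$wanted" "$iface"
  printf 'firewall-cmd --reload\n'
}

# Stand-alone demo on the constructed "before" sample (no firewall-cmd needed).
echo "ens192 is in zone: $(zone_of_interface ens192 "$SAMPLE_BEFORE")"
plan_zone_move ens192 internal "$SAMPLE_BEFORE"
```

On a live box, feed the real output with `plan_zone_move ens192 internal "$(firewall-cmd --get-active-zones)"`; once the LAN interface is in internal, removing 10000/tcp from public no longer affects internal access, because each zone keeps its own port list.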
Zephyr ICT (Cloud Architect) Commented:
Yes, that's correct ... So you're all set now?
0
piaakit (Author) Commented:
Yes, thanks a lot for your help!
0