How to Configure Additional Firewall Rules on Rocky Linux VPS
Learn how to configure additional firewall rules on Rocky Linux VPS for improved server security.

This article explains how to configure additional firewall rules on a Rocky Linux VPS to improve the security of your system.

How to Configure Additional Firewall Rules on Rocky Linux VPS

This tutorial will guide you through the process of configuring additional firewall rules on a Rocky Linux VPS using firewalld. Firewalld is the default firewall management tool on many RHEL-based distributions like Rocky Linux.

Prerequisites

  • You need access to your Rocky Linux VPS with root privileges.
  • A basic understanding of the Linux command line.
  • A basic understanding of firewall rules and network ports.

Getting Started: Firewalld Installation on Rocky Linux

To install and configure firewalld on Rocky Linux, follow these steps:

  1. Update your system

    sudo dnf update -y
  2. Install firewalld

    sudo dnf install firewalld -y
  3. Enable firewalld to start on boot

    sudo systemctl enable firewalld
  4. Start firewalld

    sudo systemctl start firewalld
  5. Check firewalld status

    sudo systemctl status firewalld

    You should see that the service is active (running).

  6. Basic firewalld commands

    • Check default zone:
      sudo firewall-cmd --get-default-zone
    • List all active rules:
      sudo firewall-cmd --list-all
    • Open a port (e.g., 80/tcp):
      sudo firewall-cmd --permanent --add-port=80/tcp
      sudo firewall-cmd --reload
    • Allow a service (e.g., SSH):
      sudo firewall-cmd --permanent --add-service=ssh
      sudo firewall-cmd --reload
    • List all zones:
      sudo firewall-cmd --get-zones
  7. Make sure firewalld starts after reboot

    sudo systemctl is-enabled firewalld

    It should return: enabled.

Configure Additional Firewall Rules on Rocky Linux VPS

Now that firewalld is installed and you understand its basic functions, it’s time to configure additional firewall rules on your Rocky Linux VPS. Follow the steps below:

  1. Connect to Your VPS

    First, you need to connect to your VPS via SSH. Open your terminal and use the following command:

    ssh root@your_vps_ip_address

    Replace your_vps_ip_address with the actual IP address of your VPS.

  2. Check the Status of firewalld

    Once logged in, check the status of firewalld to ensure it is running:

    systemctl status firewalld

    If firewalld is not running, you can start it with:

    systemctl start firewalld

    To ensure it starts automatically on boot, enable it with:

    systemctl enable firewalld
  3. List Existing Firewall Rules

    Before adding new rules, it’s a good practice to check the current firewall rules:

    firewall-cmd --list-all

    This command shows all the rules for the active zone, typically public.

  4. Adding a New Firewall Rule

    1. Allowing a Specific Port

      To allow traffic on a specific port (e.g., HTTP on port 80), use:

      firewall-cmd --zone=public --add-port=80/tcp --permanent
      

      Here’s a breakdown:

      • --zone=public: Specifies the zone you want to add the rule to. public is the default zone.
      • --add-port=80/tcp: Opens port 80 for TCP traffic.
      • --permanent: Ensures the rule persists after a reboot. Without this, the rule is only temporary.
    2. Allowing a Service

      You can also allow services by name, which automatically opens the necessary ports. For example, to allow SSH:

      firewall-cmd --zone=public --add-service=ssh --permanent
    3. Allowing IP Address

      To allow traffic from a specific IP address, use:

      firewall-cmd --zone=public --add-source=192.168.1.100 --permanent

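      Replace 192.168.1.100 with the IP address you want to allow. Note that --add-source binds that address to the zone: traffic from it is then filtered by the public zone's rules (its allowed services and ports) rather than accepted unconditionally.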

  5. Reload the Firewall

    After adding your rules, reload firewalld to apply the changes:

    firewall-cmd --reload
  6. Verify the New Rules

    To confirm that your new rules have been applied, list the active rules again:

    firewall-cmd --list-all
  7. Removing a Firewall Rule

    If you need to remove a firewall rule, the process is the same as adding one, but with the corresponding --remove-* option in place of --add-*.

    1. Removing a Port

      To remove a rule that opens a port:

      firewall-cmd --zone=public --remove-port=80/tcp --permanent
    2. Removing a Service

      To remove a service:

      firewall-cmd --zone=public --remove-service=ssh --permanent
    3. Removing an IP Address

      To remove an IP address:

      firewall-cmd --zone=public --remove-source=192.168.1.100 --permanent

      After removing the rules, don’t forget to reload the firewall:

      firewall-cmd --reload
  8. Advanced Firewall Rules (Optional)

    1. Rich Rules

      For more granular control, you can use rich rules. For example, to allow SSH from a specific IP:

      firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept' --permanent
    2. Blocking an IP Address

      To block an IP address:

      firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" drop' --permanent
  9. Backup and Restore Firewall Rules (Recommended)

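    To back up your firewall rules, save the runtime configuration to the permanent one, keep a readable listing, and archive the configuration directory (the archive path below is an example):

    firewall-cmd --runtime-to-permanent
    firewall-cmd --permanent --list-all > /etc/firewalld/rules.backup
    tar -czf /root/firewalld-backup.tar.gz -C /etc firewalld

    To restore from a backup, unpack the archive over /etc/firewalld and reload. firewall-cmd has no option that re-imports the --list-all listing, so the archive is what gets restored:

    tar -xzf /root/firewalld-backup.tar.gz -C /etc
    firewall-cmd --reload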

Conclusion

You now know how to configure additional firewall rules on Rocky Linux VPS. Regularly review and update your firewall rules to ensure your server remains secure.

This process can be repeated for any additional ports, services, or IP addresses you need to manage on your VPS. Remember that improper firewall rules can lock you out of your server, so always double-check your rules before applying them, especially when working with SSH.
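
One way to automate the double-check recommended above before a reload. This is an added example, not part of the original article: the function names, the default SSH port of 22 and the sample listings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: refuse to reload firewalld when the permanent rules for a
# zone would no longer admit SSH.

# ssh_still_allowed [PORT]: reads `firewall-cmd --list-all` style text on
# stdin. Returns 0 if SSH is admitted by the ssh service, by an exact
# PORT/tcp entry (default 22; port ranges are not expanded), or by a rich
# rule that accepts the ssh service.
ssh_still_allowed() {
    awk -v port="${1:-22}/tcp" '
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == "ssh") ok = 1 }
        $1 == "ports:"    { for (i = 2; i <= NF; i++) if ($i == port) ok = 1 }
        /^[ \t]*rule / && /service name="ssh"/ && / accept/ { ok = 1 }
        END { exit(ok ? 0 : 1) }
    '
}

# safe_reload [ZONE] [PORT]: inspects the permanent rules (what a reload will
# activate) and reloads only if SSH survives. Needs root and firewalld.
safe_reload() {
    zone="${1:-public}"
    if firewall-cmd --permanent --zone="$zone" --list-all | ssh_still_allowed "${2:-22}"; then
        firewall-cmd --reload
    else
        echo "refusing to reload: zone '$zone' would no longer admit SSH" >&2
        return 1
    fi
}

# Constructed sample listings (not captured from a real host).
sample_ok() {
    printf '%s\n' 'public (active)' '  target: default' \
        '  services: cockpit dhcpv6-client ssh' '  ports: 80/tcp' '  rich rules: '
}
sample_locked_out() {
    printf '%s\n' 'public (active)' '  target: default' \
        '  services: cockpit dhcpv6-client' '  ports: 80/tcp' '  rich rules: '
}
sample_rich_only() {
    printf '%s\n' 'public (active)' '  services: ' '  ports: 80/tcp' '  rich rules: ' \
        '    rule family="ipv4" source address="192.168.1.100" service name="ssh" accept'
}

# Offline demonstration on the samples; on a server, call safe_reload instead.
for s in sample_ok sample_locked_out sample_rich_only; do
    if $s | ssh_still_allowed; then echo "$s: SSH kept"; else echo "$s: SSH LOST"; fi
done
```

The check only confirms that an allow entry for SSH exists; it does not evaluate drop or reject rich rules that might match your own address.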

Editorial Staff
