This article provides a guide for how to configure additional firewall rules on Rocky Linux VPS for improved security of your system.
How to Configure Additional Firewall Rules on Rocky Linux VPS
This tutorial will guide you through the process of configuring additional firewall rules on a Rocky Linux VPS using firewalld. Firewalld is the default firewall management tool on many RHEL-based distributions like Rocky Linux.
Prerequisites
- You need access to your Rocky Linux VPS with root privileges.
- A basic understanding of Linux command line.
- A basic understanding of firewall rules and network ports.
-
Connect to Your VPS
First, you need to connect to your VPS via SSH. Open your terminal and use the following command:
ssh root@your_vps_ip_addressReplace
your_vps_ip_addresswith the actual IP address of your VPS. -
Check the Status of firewalld
Once logged in, check the status of
firewalldto ensure it is running:systemctl status firewalldIf
firewalldis not running, you can start it with:systemctl start firewalldTo ensure it starts automatically on boot, enable it with:
systemctl enable firewalld -
List Existing Firewall Rules
Before adding new rules, it’s a good practice to check the current firewall rules:
firewall-cmd --list-allThis command shows all the rules for the active zone, typically
public. -
Adding a New Firewall Rule
-
Allowing a Specific Port
To allow traffic on a specific port (e.g., HTTP on port 80), use:
firewall-cmd --zone=public --add-port=80/tcp --permanentHere’s a breakdown:
--zone=public: Specifies the zone you want to add the rule to.publicis the default zone.--add-port=80/tcp: Opens port 80 for TCP traffic.--permanent: Ensures the rule persists after a reboot. Without this, the rule is only temporary.
-
Allowing a Service
You can also allow services by name, which automatically opens the necessary ports. For example, to allow SSH:
firewall-cmd --zone=public --add-service=ssh --permanent -
Allowing IP Address
To allow traffic from a specific IP address, use:
firewall-cmd --zone=public --add-source=192.168.1.100 --permanentReplace
192.168.1.100with the IP address you want to allow.
-
-
Reload the Firewall
After adding your rules, reload
firewalldto apply the changes:firewall-cmd --reload -
Verify the New Rules
To confirm that your new rules have been applied, list the active rules again:
firewall-cmd --list-all -
Removing a Firewall Rule
If you need to remove a firewall rule, the process is similar to adding one but with the
--removeoption.-
Removing a Port
To remove a rule that opens a port:
firewall-cmd --zone=public --remove-port=80/tcp --permanent -
Removing a Service
To remove a service:
firewall-cmd --zone=public --remove-service=ssh --permanent -
Removing an IP Address
To remove an IP address:
firewall-cmd --zone=public --remove-source=192.168.1.100 --permanentAfter removing the rules, don’t forget to reload the firewall:
firewall-cmd --reload
-
-
Advanced Firewall Rules (Optional)
-
Rich Rules
For more granular control, you can use rich rules. For example, to allow SSH from a specific IP:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept' --permanent -
Blocking an IP Address
To block an IP address:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" drop' --permanent
-
-
Backup and Restore Firewall Rules (Recommended)
To back up your firewall rules:
firewall-cmd --runtime-to-permanent firewall-cmd --permanent --list-all > /etc/firewalld/rules.backupTo restore from a backup:
firewall-cmd --permanent --new-config=rules.backup firewall-cmd --reload
Conclusion
You now know how to configure additional firewall rules on Rocky Linux VPS. Regularly review and update your firewall rules to ensure your server remains secure.
This process can be repeated for any additional ports, services, or IP addresses you need to manage on your VPS. Remember that improper firewall rules can lock you out of your server, so always double-check your rules before applying them, especially when working with SSH.
