\nfirewalld.service masked
\niptables.service disabled
\n
![\"\"](\"http:\/\/www.linuxauthority.com\/wordpress\/wp-content\/uploads\/2018\/07\/Screen-Shot-2018-07-10-at-9.43.10-PM.png\")
<\/a><\/p>\n<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
This shows iptables as disabled but a lot of scripts have been adding entries none the less<\/p>\n
<\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n Most of these firewall rules relate to blocking spam smtp\/mail servers. I kind f like to screw with those foks.<\/p>\n Lets clean out these entries:<\/p>\n iptables -F;iptables -L -n<\/p>\n Now we need to stop cron from running any scripts and causing trouble.<\/p>\n 1014 systemctl disable crond We will get a jump start with system-config-firewall<\/p>\n We will need to nkow which ports must remain open to service a databse cluster and the servers secondary DNS worload.<\/p>\n [root@instance-5 ~]# netstat -an |grep LISTEN [root@instance-5 ~]# systemctl start firewalld.service running<\/p>\n [root@instance-5 ~]# firewall-cmd –get-default-zone <\/p>\n <\/p>\n This is taking the IP address list from my proprietary anti-spam software and creating firewall commands.<\/p>\n The command:firewall-cmd it’s not as easy to be direct with the script as is IP tables.<\/p>\n Yet I managed to get this code working with difficulty.<\/p>\n <\/p>\n ffile is set to \/tmp\/fffile stands for firewall file.<\/p>\n \/bin\/cat mail.iplist | while read -r ip<\/p>\n do<\/p>\n \u00a0 <\/span>echo “${iswlist} ${iswl} … ”<\/p>\n \u00a0 <\/span>iswlist=$(\/bin\/grep ${ip} whitelist.ip.perm | wc -l );<\/p>\n \u00a0 <\/span>iswl=$(\/bin\/grep ${ip} whitelist.ip | wc -l );<\/p>\n \u00a0 <\/span>if [ $iswl -eq 0 ] && [ $iswlist -eq 0 ]<\/p>\n \u00a0 <\/span>then<\/p>\n \u00a0 \u00a0 <\/span>echo “ip: $(ip)”<\/p>\n \u00a0 \u00a0 <\/span>echo firewall-cmd –permanent –zone=public –add-rich-rule=\\’rule family=”ipv4″ source address=”$ip” port protocol=”tcp” port=”25″ reject\\’ >> ${ffile}<\/p>\n \u00a0 <\/span>fi<\/p>\n done<\/p>\n cat ${ffile} | while read -r CMD<\/p>\n do<\/p>\n \u00a0<\/span>echo $CMD<\/p>\n \u00a0<\/span>ksh “${CMD}”<\/p>\n \u00a0<\/span>rc=$?<\/p>\n \u00a0<\/span>echo “$rc $CMD ..”<\/p>\n done<\/p>\n firewall-cmd –complete-reload<\/p>\n sleep 50<\/p>\n firewall-cmd –zone=public –list-all<\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" Converting a fairly elaborate iptables based firewall with proprietary anti-spam scripts to the modern firewall-command architecture without revealing any IP. First lets take a look where we started: [root@instance-5 ~]# systemctl list-unit-files | egrep “iptables|firewall” firewalld.service masked iptables.service disabled This shows iptables as disabled but a […]<\/p>\nRead More →<\/a>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,21],"tags":[32,30,34,36],"class_list":["post-150","post","type-post","status-publish","format-standard","hentry","category-networking","category-systems-administration","tag-direweall","tag-firewall","tag-firewall-cmd","tag-iptables"],"_links":{"self":[{"href":"https:\/\/www.linuxauthority.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/150"}],"collection":[{"href":"https:\/\/www.linuxauthority.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.linuxauthority.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.linuxauthority.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.linuxauthority.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=150"}],"version-history":[{"count":4,"href":"https:\/\/www.linuxauthority.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/150\/revisions"}],"predecessor-version":[{"id":166,"href":"https:\/\/www.linuxauthority.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/150\/revisions\/166"}],"wp:attachment":[{"href":"https:\/\/www.linuxauthority.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=150"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.linuxauthority.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=150"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.linuxauthority.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<\/a><\/p>\n<\/a><\/p>\n
\n1015 systemctl stop crond<\/p>\n
\ntcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN
\ntcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
\ntcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
\ntcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN
\ntcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
\ntcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
\ntcp 0 0 172.17.0.1:53 0.0.0.0:* LISTEN
\ntcp 0 0 10.240.0.3:53 0.0.0.0:* LISTEN
\ntcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
\ntcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
\ntcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
\ntcp 0 0 0.0.0.0:4567 0.0.0.0:* LISTEN
\ntcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
\ntcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
\ntcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
\ntcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
\ntcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN
\ntcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN
\ntcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN
\ntcp6 0 0 ::1:10026 :::* LISTEN
\ntcp6 0 0 :::110 :::* LISTEN
\ntcp6 0 0 ::1:783 :::* LISTEN
\ntcp6 0 0 :::143 :::* LISTEN
\ntcp6 0 0 :::111 :::* LISTEN
\ntcp6 0 0 :::8080 :::* LISTEN
\ntcp6 0 0 :::80 :::* LISTEN
\ntcp6 0 0 :::8081 :::* LISTEN
\ntcp6 0 0 :::53 :::* LISTEN
\ntcp6 0 0 :::21 :::* LISTEN
\ntcp6 0 0 :::22 :::* LISTEN
\ntcp6 0 0 ::1:953 :::* LISTEN
\ntcp6 0 0 :::25 :::* LISTEN
\ntcp6 0 0 :::443 :::* LISTEN
\ntcp6 0 0 :::993 :::* LISTEN
\ntcp6 0 0 :::995 :::* LISTEN
\ntcp6 0 0 ::1:10024 :::* LISTEN<\/p>\n
\nFailed to start firewalld.service: Unit is masked.
\n[root@instance-5 ~]# systemctl unmask firewalld
\nRemoved symlink \/etc\/systemd\/system\/firewalld.service.
\n[root@instance-5 ~]# systemctl enable firewalld
\nCreated symlink from \/etc\/systemd\/system\/dbus-org.fedoraproject.FirewallD1.service to \/usr\/lib\/systemd\/system\/firewalld.service.
\nCreated symlink from \/etc\/systemd\/system\/multi-user.target.wants\/firewalld.service to \/usr\/lib\/systemd\/system\/firewalld.service.
\n[root@instance-5 ~]# systemctl start firewall
\n[root@instance-5 ~]# firewall-cmd –state<\/p>\n
\ntrusted
\n[root@instance-5 ~]# firewall-cmd –get-active-zones
\ntrusted
\ninterfaces: eth0
\n[root@instance-5 ~]# firewall-cmd –get-services
\nRH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
\n[root@instance-5 ~]#
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –add-service=https
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –add-service=smtp
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –add-service=dns
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –add-service=wbem-https
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –add-service=smtps
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –add-service=smtps –permanent
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –add-service=smtp –permanent
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –add-service=dns –permanent
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –add-service=https –permanent
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –add-service=http –permanent
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –permanent –list-services
\nsmtps smtp dns https http
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –permanent –add-port=4567\/tcp
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –permanent –add-port=10024\/tcp
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –permanent –add-port=10025\/tcp
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –permanent –add-port=10026\/tcp
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –permanent –add-port=53\/tcp
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –permanent –add-port=53\/udp
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –permanent –add-port=111\/tcp
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –permanent –add-port=143\/tcp
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –permanent –add-port=993\/tcp
\nsuccess
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –permanent –list-services
\nsmtps smtp dns https http
\n[root@instance-5 ~]# firewall-cmd –zone=trusted –permanent –list-ports
\n4567\/tcp 10024\/tcp 10025\/tcp 10026\/tcp 53\/tcp 53\/udp 111\/tcp 143\/tcp 993\/tcp<\/p>\n