Linux Firewalld Setup - firewall-cmd --list-all

KodeKloud Engineer
#1

Hi @Inderpreet and everyone,

I have a quick question with regards to the Linux Firewalld Setup task after having spent some time working on it yesterday. I’m pretty sure that the steps that I have taken are correct and that I arrived at the correct end result…but…I did not hit submit because I’m not clear on a couple of things after having run - firewall-cmd --list-all. Here is a screenshot of the results:

list-all
list-all1247×648 121 KB

Even though the task does not explicitly mention to add http & https to the services section, I have done so anyway. Will I end up with a failed status because of this?

Also, I was wondering if the overall output is correct &/or missing anything. This is my first time configuring Firewalld for a reverse proxy server for Apache.

Thanks in advance to anyone who can help:-)

1 Like
#2

restart firewall service
sudo systemctl restart firewalld

Verify opened ports
sudo firewall-cmd --zone=public --list-ports

Verify rules listed in the active public zone
firewall-cmd --zone=public --list-all

1 Like
#3

@juliettet I think you should have more rules. The tasks asks for rules for apache port and nginx port.

1 Like
#4

Thank you for responding @amuthan1983 and thank you for the tips. I did run these commands after installing, starting, and enabling Firewalld:

firewall-cmd --zone=public --add-port=6816/tcp --permanent

# Is this ok..ie., even though this wan't mentioned in the task?
firewall-cmd --permanent --zone=public --add-service=https

# Is this ok..ie., even though this wan't mentioned in the task?
firewall-cmd --permanent --zone=public --add-service=http

# add the rich rule
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="172.16.238.14" port protocol=tcp port=3004 accept'

# add the interface
firewall-cmd --permanent --zone=public --change-interface=eth0

firewall-cmd --reload; firewall-cmd --list-all

firewall-cmd --get-active-zones

firewall-cmd --zone=public --list-all

I kind of assumed that firewall-cmd --reload; achieved the same result as running systemctl restart firewalld (note the absence of sudo because I am running these commands as the root user), but maybe I am wrong and I need to run both…or one or the other.

I do see that I missed running this command: sudo firewall-cmd --zone=public --list-ports.

Thanks again!

#5

Hi @francilio,

Thank you for responding. I’m a bit confused now because I can see the nginx port 6816 in the output, along with the apache port 3004 in the rich rule. Maybe I missed a step from the ones that I have posted above in my response to @amuthan1983 ?

Thanks again :slight_smile:

#6

Try
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd –reload

1 Like
#7

Thank you @amuthan1983. I initially had --zone=public (without sudo) appended to the commands above, like so:

firewall-cmd --permanent --zone=public --add-service=https

firewall-cmd --permanent --zone=public --add-service=http

Will the commands (as opposed to the ones that you have posted) throw an error?

PS. I did run firewall-cmd –reload before running firewall-cmd --list-all + firewall-cmd --get-active-zones + firewall-cmd --zone=public --list-all.

#8

@amuthan1983 , @francilio & @Inderpreet

Here is an update:

I think that I initially forgot to run/add the apache port:

firewall-cmd --zone=public --add-port=6300/tcp --permanent

This is the final output that I have from my most recent attempt to complete the task:

get-zones
get-zones1247×105 33.8 KB

list-ports
list-ports1247×68 23.2 KB

list-all-2ports
list-all-2ports1247×674 214 KB

Is the output that I’m seeing correct?

Can/should I submit/finish the task at this point?

Thanks!

#9

@juliettet, yes, you’re right. I didn’t see the ports part

#10

Thanks @francilio :grinning: . I’m still feeling a bit reluctant to hit that finish button/tab.

Have you completed and passed this task already?

#11

Yes, I already done this task. you can check if the port is accessible with telnet. you run telnet {host} {port}, and it will report Connected to {host} if the port is accesible or will stuck on Trying {host} if it’s not. Run this on jump host (the three app servers nginx should be accessible but the apache should not) and on lb host (the two services should be accessible). As long this requirements are attended I don’t think another modifications will fail the task

2 Likes
#12

Thank you @francilio!

I have just run (from the Jump Server & from the LB Server:

telnet stapp01:6880
telnet stapp02:6880 
telnet stapp02:6880

…and I am getting:

Unknown host

I’m not sure what is missing.

Am I supposed to install & configure Firewalld on the App Servers only? That’s what I have done.

#13

@juliettet , the host and port should be separated by space, so the right command is telnet stapp01 6880 (without the colon)

2 Likes
#14

@francilio,

Ohhhhh…Thanks!

Now I’m getting connection refused when trying to connect to nginx from Jump Host:

telnet stapp01 6768

& this error when trying to connect to Apache:

Trying 172.16.238.10...
telnet: connect to address 172.16.238.10: No route to host

Thank you for your patience:-)

Update:

…after running iptables -F in all 3 app servers I am able to connect to Apache:

 telnet stapp01 5001
Trying 172.16.238.10...
Connected to stapp01.
Escape character is '^]'.

…but not to nginx from Jump Server

…let me check my configuration again…getting closer…I think…

2 Likes
#15

Update #2:

I am now able to connect to Apache AND to nginx from the Jump Server AND from the LB Server when running:

telnet stapp01 8093 //nginx

telnet stapp02 8093 //nginx

telnet stapp03 8093 //nginx

telnet stapp01 8084 //apache

telnet stapp02 8084 //apache

telnet stapp03 8084 //apache

Should I have created more than one rich rule?

1 Like
#16

Update #3;

Something is still wrong as I am able to connect via telnet to nginx and to Apache (as mentioned above) from both the Jump Server + the LB Server.

Here are some screenshots of my latest configuration:

jump-host
jump-host1197×688 150 KB
config
config1247×657 141 KB
lb-server
lb-server1237×688 157 KB

Could anyone help me understand what I’m missing?

I could post all of the steps that I have taken here…if that’s OK…not sure if it is. I’ve spent a LOT of time stuck on this one and I would love to actually understand what I am missing.

:grinning: :grinning: :grinning:

Also one more thing:

Does it matter that I am running all of these commands (on all App servers) as root user? I was unable to install/start/enable firewalld without first switching to root user.

1 Like
#17

Does it matter that I am running all of these commands (on all App servers) as root user? I was unable to install/start/enable firewalld without first switching to root user.

No, it doesn’t matter.

1 Like
#18

Thanks @Tej-Singh-Rana!

On another note, I just realized (via this article => https://www.ryadel.com/en/install-nginx-centos-freebsd-reverse-proxy-cache/) that the commands used to open up Firewalld depend on which network interface you’re using: either WAN OR eth0. Iptables are needed only if using eth0.

Does the network interface that I choose affect the overall outcome of this task? For my last attempt I went with WAN.

Also, it appears that I am getting closer to the finish line (thank you @francilio & @amuthan1983), but I am getting an access forbidden error when trying to curl nginx. I’m not sure why this is happening. The telnet commands appear to be working as expected now, as in Jump host is connecting to nginx , but not to Apache & the LB Server is connecting to NGINX and to Apache.

…feels like I’m really close, but not sure.

Apologies for all of the questions, but for some reason this task is really tripping me up.

Cheers:-)

1 Like
#20

Hi @juliettet, thanks for posting this question and also for the great discussion! Just wondering if the issue was resolved?

#21

Hi @Chance,

I was able to pass the task after much trial and error(s). I ended up using the WAN network interface with Firewalld. :grinning: