We will replace firewalld with iptables. However, we will not activate it yet.
yum install iptables-services
systemctl disable firewalld.service
systemctl stop firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
systemctl start iptables.service
systemctl start ip6tables.service
Now save the current iptables state, just in case:
mkdir /etc/iptables
chmod -R 700 /etc/iptables
iptables-save > /etc/iptables/iptables.default
ip6tables-save > /etc/iptables/ip6tables.default
chmod 400 /etc/iptables/iptables.default
chmod 400 /etc/iptables/ip6tables.default
We will block everything and open the ssh port (22) on the second interface. IPv6 will not be used, so we block everything on it. For the repository server, we will open port 21 on the first interface and set up passive mode for FTP.
Rules are interpreted in order: the first matching rule with a terminal target decides the packet's fate. You therefore need to put the accept-ssh rule before the reject-all rule, otherwise it is never reached.
Create file /etc/iptables/iptables.prod :
*filter
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Allow all loopback (lo0)
-A INPUT -i lo -j ACCEPT
# Allow inbound traffic from established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow SSH connections on second interface (admin ssh)
-A INPUT -p tcp -m state -i enp0s8 --state NEW --dport 22 -j ACCEPT
# Allow FTP passive connections on first interface (repositories and pxe)
-A INPUT -p tcp -m state -i enp0s3 --state NEW --dport 21 -j ACCEPT
-A INPUT -i enp0s3 -p tcp -m tcp --dport 1024:65535 -m helper --helper ftp -m conntrack --ctstate RELATED -j ACCEPT
# Log incoming requests (optional) and reject all inbound
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -j REJECT
# Log forwarding requests (optional) and reject all forwarding
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
-A FORWARD -j REJECT
COMMIT
And /etc/iptables/ip6tables.prod :
*filter
# Reject all IPv6
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT
COMMIT
We can now configure iptables to use these rules:
iptables-restore < /etc/iptables/iptables.prod
ip6tables-restore < /etc/iptables/ip6tables.prod
service iptables save
service ip6tables save
Firewall rules are saved to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables.
More details can be found here: https://www.linode.com/docs/security/securing-your-server
It is configured. But for now, let's deactivate it; you will be able to activate it later (optional).
systemctl disable iptables.service
systemctl disable ip6tables.service
systemctl stop iptables.service
systemctl stop ip6tables.service
Important: This part must be done after the iptables part of this tutorial; I put it here just to organize the page by services.
Now, for the FTP rule to work, we need to load the nf_conntrack_ftp module:
modprobe nf_conntrack_ftp
Let's make it permanent. cd to /etc/sysconfig/modules/ and create a new file nf_conntrack_ftp.modules (it must be executable, chmod +x, or it will not be run at boot):
#!/bin/sh
exec /sbin/modprobe nf_conntrack_ftp
You can check the presence of the module after a reboot using lsmod:
# lsmod
[...]
nf_conntrack 105702 4 xt_helper,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4
[...]
You can now generate iptables, and do not forget to open the DHCP ports in iptables by adding these lines under the ssh line:
# Allow DHCP connections on first interface
-A INPUT -p udp -m state -i enp0s3 --state NEW --dport 67:68 --sport 67:68 -j ACCEPT
Save the new rules into iptables and start the service.
You can now generate iptables, and do not forget to open the DNS port in iptables by adding these lines under the ssh line:
# Allow DNS connections on first interface
# (no --sport match: clients send queries from random ephemeral ports, not from port 53)
-A INPUT -p udp -m state -i enp0s3 --state NEW --dport 53 -j ACCEPT
Save the new rules into iptables and start the service.
Do not forget to open the PXE (TFTP) port in iptables by adding these lines under the ssh line:
# Allow TFTP connections on first interface
-A INPUT -p udp -m state -i enp0s3 --state NEW --dport 69 -j ACCEPT
Open the NTP port (123) as well:
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT
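Because a chain is evaluated top to bottom, a rule placed after the chain's final unconditional REJECT is never reached; appending with iptables -A to a chain that already ends in REJECT has exactly that effect, which is why the tutorial inserts new ACCEPT lines under the ssh line in the prod file instead. The following Python script is an added example, not part of the original tutorial: it parses a ruleset in iptables-save format (a constructed sample is embedded inline, with an NTP rule deliberately appended after the REJECT) and reports unreachable rules and whether a given port is accepted by a reachable rule on a given interface. The function names parse_rules, is_catch_all, unreachable_rules and port_allowed are mine.

```python
import re

# Constructed sample in iptables-save format: the tutorial's INPUT chain (abridged),
# plus an NTP rule appended after the catch-all REJECT (a deliberate mistake).
SAMPLE_RULES = """\
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state -i enp0s8 --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp -m state -i enp0s3 --state NEW --dport 21 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -j REJECT
-A INPUT -p udp --dport 123 -j ACCEPT
-A FORWARD -j REJECT
COMMIT
"""
TERMINAL = {"ACCEPT", "REJECT", "DROP"}  # targets that end evaluation of a chain

def parse_rules(text):
    """Group '-A <chain> <rule>' lines by chain, preserving their order."""
    chains = {}
    for line in text.splitlines():
        m = re.match(r"-A\s+(\S+)\s+(.*)", line.strip())
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains

def is_catch_all(rule):
    """A rule with no match options and a terminal target stops every packet."""
    m = re.fullmatch(r"-j\s+(\S+)", rule.strip())
    return bool(m) and m.group(1) in TERMINAL

def unreachable_rules(chains):
    """Return (chain, index, rule) for every rule placed after a catch-all."""
    dead = []
    for chain, rules in chains.items():
        cut = next((i for i, r in enumerate(rules) if is_catch_all(r)), len(rules))
        dead += [(chain, i, r) for i, r in enumerate(rules) if i > cut]
    return dead

def port_allowed(chains, chain, proto, port, iface=None):
    """True if a reachable ACCEPT matches proto/port (and iface, if given)."""
    for rule in chains.get(chain, []):
        if is_catch_all(rule):
            return False  # nothing below this line is ever evaluated
        if (re.search(r"-j\s+ACCEPT\b", rule) and re.search(rf"-p\s+{proto}\b", rule)
                and re.search(rf"--dport\s+{port}(\s|$)", rule)
                and (iface is None or re.search(rf"-i\s+{iface}\b", rule))):
            return True
    return False
```

Run it against the output of iptables-save on the live host, or against /etc/iptables/iptables.prod before iptables-restore, to catch a misplaced rule before it silently does nothing.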