User and Group Management in Linux/Unix

User and Group Management in Linux/Unix

We are going to see User and Group Management in Linux/Unix in this post.

 /etc/passwd   ->  This file contains all the users details.

[root@server ~]# more /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin

/etc/passwd file has all the user details with some parameters.

Here i’m taking root user details to explain with details.

root:x:0:0:root:/root:/bin/bash

root – User name

x – Password

0 – User ID

0 – Group ID

Root – Comments/ User description

/root – Home directory

/bin/bash  – shell

Home directory and Group will be created with the same name of user, once we created a user.

Command to create user:

Useradd <username>

adduser <username>

Example:

[root@server ~]# useradd anand

[root@server ~]# adduser anand

Command to delete user account:

deluser <username>

[root@server ~]# userdel anand

The above command will delete a user but will not delete home directory of the user.

Command to delete a user account with home directory:

Use option -r to delete user with home directory.

[root@server ~]# userdel –r deepak

Use id command to know whether a user available in system and if the user exist, it will display User ID, Group ID and Primary group and Secondary group details.

[root@server ~]# id abu
uid=1000(abu) gid=1011(Technology) groups=1011(Technology),1012(DBcheck)

Command to add secondary group to a user:

[root@server ~]# usermod –G Technology abu

Command to change primary group:

[root@server ~]# usermod –g Technology abu

Customizing home directory:

by default home directory will be created under /home for all the users. We can set some other directory as home directory as well.

we have two options to change the home directory.

  1. we can edit /etc/passwd file using vi editor to change the home directory
  2. Using usermod command will change home directory

Changing home directory by editing /etc/passwd  file

[root@server ~]# vi /etc/passwd
testuser:x:1004:1004::/testuser:/bin/bash

Command to change home directory:

[root@server ~]# usermod -m -d /testuser testuser

-m:    option to move the home directory

-d:      option to mention the home directory

Assigning expiry date to user:

Command to check expiry details for a user

[root@server ~]# chage -l testuser
Last password change : May 27, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

Command to set expiry date for a user:

[root@server ~]# usermod --expiredate=2017-07-20 testuser

Again will check whether the expire date has been set or not.

[root@server ~]# chage -l testuser
Last password change : May 27, 2017
Password expires : never
Password inactive : never
Account expires : Jul 20, 2017
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

We successfully set expire date for testuser.

Group Management:

Group is used to manage more than one users without touching the each and every user alone.

Group is created based on the Team on an organization.

All the group details available in /etc/group file, once we created a group.

[root@server ~]# more /etc/group

Using Groupadd command will create group

[root@server ~]# groupadd Technology

 

NFS Server Configuration RHEL 7 / Cent OS 7

Using NFS server will share the files/ Directories over the network.
Using this service will install operating system and access the remote server directory/file to read/write files and will share the file/directory to other machines.

Required Package:

libnfsidmap-0.25-15.el7.x86_64
nfs-utils-1.3.0-0.33.el7.x86_64

Installing NFS packages:

Use the below command to install all the required packages in one shot.

#yum install nfs*

 

Check whether the packages are installed by executing below command

[root@server ~]# rpm -qa | grep nfs
libnfsidmap-0.25-15.el7.x86_64
nfsometer-1.7-1.el7.noarch
nfs4-acl-tools-0.3.3-15.el7.x86_64
nfs-utils-1.3.0-0.33.el7.x86_64
nfstest-2.1.1-0.0.el7.noarch

Important configuration files:

/etc/exports :                This file contains which all are exported to remote                                                                 machines 
/etc/host.allow :           Daemon/ Client which matches the entry available in                                                        this file, will be granted access.
/etc/host.deny :           Access is denied for daemon/ client which matches in                                                     this file.
/etc/fstab :                      Will mount the shared directories/ filesystems                                                                   permanently using this file.
/etc/sysconfig/nfs:  Will manage the nfs port using this file.

Services which need to be enabled and started:

rpcbind  service
nfs-server  service

Command to enable the services:

#systemctl enable rpcbind
#systemctl enable nfs-server

[root@server ~]# systemctl enable rpcbind
[root@server ~]# systemctl enable nfs-server
Created symlink from /etc/systemd/system/multi-user.target.wants/nfs-server.service to /usr/lib/systemd/system/nfs-server.service.

Command to start the services:

#systemctl start rpcbind
#systemctl start nfs-server

[root@server ~]# systemctl start nfs-server

[root@server ~]# systemctl start rpcbind

create directory for sharing:

[root@server ~]# mkdir /nfshare

set the all permission to all

#chmod 777 /nfshare

Now share the directory using NFS by mentioning the directory details in /etc/exports file

#vi /etc/exports

/nfsfileshare 192.168.12.7(rw,sync,no_root_squash)

save and exit from the file

Now use the below command to make it available in network as a shared directory

[root@server ~]# exportfs -r

Enable the services permanently in firewall in this session

[root@server ~]# firewall-cmd --permanent --zone public --add-service  mountd
success
[root@server ~]# firewall-cmd --permanent --zone public --add-service rpc-bind
success
[root@server ~]# firewall-cmd --permanent --zone public --add-service nfs
success

reload the firewall  changes and make effect in this session by executing below command

[root@server ~]# firewall-cmd --reload
success

 

Now all the configuration has been done in server side and have to check and mount the shared directory in client machine.

showmount command will help us to list the directory which is shared from remote machine.

[root@node1 ~]# showmount -e 192.168.43.226
Export list for 192.168.43.226:
/nfshare *

Now we need to mount the shared directory in client. Before that we should create a directory to use that as a mount point.

[root@node1 ~]# mkdir /nfsmount

Mount the directory temporarily

#mount 192.168.43.226:/nfshare  /nfsmount

Mount permanently by editing /etc/fstab file and make entry

#vi /etc/fstab
192.168.43.226:/nfshare/ /nfsmount nfs rw,sync 0 0

save and exit from the file.

unmount the directory because we mounted temporarily before restart and after restart issue mount to check whether the shared directory is listing or not. If its not listing then there is an issue with entry in /etc/fstab file.

#umount /nfsmount

Restart the client and check using mount command

[root@node1 ~]# mount | grep /nfsmount
192.168.43.226:/nfshare/ on /nfsmount type nfs (rw,sync,vers=4,addr=192.168.43.226,clientaddr=192.168.43.67)

What is Linux

What si Linux

What is Linux?

Linux is an operating system, which manages all resources associated with your Desktop, Laptop, and Server. Nowadays it’s used in maximum devices like smartphones. It’s secure and virus free operating systems.

Linux is used in most of the production environment.  We can manage the devices using scripting and can automate job as well. Even we can modify the operating system as per our requirement if you are genius in coding.

It’s easy to install, configure and manage the server in Linux. For all level, user can use the Linux operating system. It has a number of distribution and versions on that distribution.

Distribution list:

Redhat

Ubuntu

Fedora

Debian

Opensuse

 

We can use below methods to install Linux

  1. Automatic/Unattended/ Network
  2. Manual

Automatic/Unattended/network installation:

We can install Linux operating systems without our presence using below technologies.

  1. Kickstart
  2. NFS
  3. HTTPS/HTTP

In this method, we can define everything, like Packages, Network  IP, DNS, Keyboard language, etc…

Manual installation:

In the manual installation, we should use local installation media for Linux installation.

We are going to discuss Redhat Linux and will see others later on…..

Migration

In this post gonna explain what is migration, types and steps to be followed in migration.

What is Migration?

Migration is used to move the Data/Storage/Server/ from one to another (Server/Storage)

Pre-Requests:

  1. Hardware must be the same or updated one in Destination.
  2. Connectivity should be established between the source and destination.
  3. Tools for Operating System related migrations.

Migration types:

  1. DR Functionality
  2. Forklift

III. MSP Oracle

  1. Storage, Oracle (Storage/ggate)
  2. V2V (LPAR), V2V (VM), V2V (VPAR), V2V (Clone VM)
  3. P2V, P2V (VM), P2V (LPAR), P2V (NPAR) , P2P

VII. Seed-n-Swing (Physical), Seed-n-Swing (VM)

Steps involved in Migration:

  1. Data gathering
  2. Building a New server
  3. Post Provisioning
  4. Start Migration
  5. Decommissioning

Data gathering:

As per my knowledge, I have some details which we need to check from the old server. Details are below Server Name,Building Name,Source DC,Target DC,Migration Method,Environment,Server Status in Tool,HW Server Vendor,Operating System,OS Version,Model of Server,NFS,No of Physical CPUs,No of Cores per CPU,Memory (GB),Number of Physical NICs in Use,NIC Teamed,Data NIC IP address,Data NIC subnet mask,Data NIC gateway,Data NIC MAC Address,Other NIC Ips,DNS Servers in order,Boot From SAN?,VG Name,Free space in VG,LV,No of LUNs,Total External Storage in GB,SAN type seen by Powerpath,Connected HBA WWN,Disconnected HBA WWN,Is HP DDMI Agent Running?,Last reboot – uptime,Forsee any issue in the mig method, based on SAN/Network,Lun counts,Storage type,Array_id,Total Size,Internal Disk size.

Building a New server:

We have to create a new server for migration based on Migration types and keep in mind the date which we gathered from old server. Example: No need of new server like Forklift migrations

Post provisioning:

Once the server build has completed, have to perform below post build tasks

Be compliance in DNS entries and hosts file entries (/etc/hosts), NTP Server Configured or not, Backup is done if it’s necessary, etc… Based on the Data gathering.

We have to vulnerability scan and fix the security patch errors (FAIL’s and WARNING’s) which will be present in the new servers.

Migration:

  1. Create the file systems in new server based on old server with same VG, LV and PV name and size.
  2. Copy the boot file system from source to Destination Server. Need to do manual copy from source to destination server in Linux Server’s like Red hat. Will use tools to take image in AIX, etc…
  3. Have to do rsync the Data filesystem from source to Destination.
  4. Move the LUN’s to the target server if it’s applicable.
  5. Copy the applications from old to target server.
  6. Set the IP Address, DNS and other stuffs based on the Data gathering.
  7. Get the server in live once all these stuffs completed.

Decommissioning the old server:

  1. Check what are all the jobs and applications running and get the help from concern team to stop the running applications.
  2. Temporarily disable the backup, Mail, triggers, Disconnect the Database, Disable the NIC (Ethernet).
  3. Wait for some days without shutting down the server to confirm whether we are getting any call back from any team for any issue in new server.
  4. If we don’t hear any issues then will go ahead with disabling backup, mail, Triggers, Database, Network permanently.
  5. And then will turn of the server the Server and will remove the server from Rack.

Thanks for choosing the blog. Comments are welcome…

Multipathing in Linux

Multipathing is used for Load Balancing, path failover & Recover for block devices in Linux.

Load balancing:

The workload is distributed across the available hardware components.

Path failover & Recover:

Will use redundant I/O channels to redirect the read and write operations when one or more paths no longer available.

Prerequisites RPM’s:

  1. device-mapper-1.02.77-9.el6.x86_64
  2. device-mapper-multipath-libs-0.4.9-64.0.1.el6.x86_64
  3. device-mapper-multipath-0.4.9-64.0.1.el6.x86_64

Daemon: Multipathd

Configuration file: /etc/multipath.conf

The “multipath.conf” has five sections:

  1. System level defaults
  2. Blacklisted devices
  3. Blacklist exceptions
  4. Storage controller specific settings
  5. Device specific settings

Simple steps to configure multipath:

  1. For configuring the Multipath in Redhat Linux, device-mapper-multipath should be installed. You can verify It by using below command that it is installed or not:

#rpm -q device-mapper*

  1. If it is not installed, install it by using below command.

#yum install device-mapper

  1. After installation, start to configure multipath

#cd /etc

#mv multipath.conf multipath.conf.dist

#sed ‘/^#/d; /^$/d’ multipath.conf.dist > multipath.conf

#vi multipath.conf

Change to blacklist local hard drive only,

blacklist {
devnode “sda”
}

  1. Now start the Multipath service

#Service Multipathd start
#chkconfig Multipathd on

  1. Now Verify the disk paths

#fdisk -l
#sfdisk –s

Commands:


#service Multipathd start – to start the multipath service

#service Multipathd stop – to stop the multipath service

#service Multipathd reload – To update the modified configurations to replicate without restarting the service.

#multipath –ll – To list all the multipathed devices

#multipath –F – to stop the multipath

How to check listening ports in Linux

We should pay attention to listening ports, to validate and disable the unused ports in infra is a very important thing. In that the way, we can secure the server from the attack surface. So, Will see How to check listening ports in Linux

Known Ports:

993    – IMAPS
1194  – openVPN
1812  – RADIUS
995    – POP3s
2049  – NFS (nfsd, rpc.nfsd, rpc, portmap)
2401  – CVS server
3306  – MySql
3690  – SVN
6000-6063- X11
123    – NTP (Network time protocol used for time syncing uses UDP protocol)
137    – NetBIOS (nmbd)
139    – SMB-Samba (smbd)
143    – IMAP
161    – SNMP (For network monitoring)
389    – LDAP (For centralized administration)
443    – HTTPS (HTTP+SSL for secure web access)
514    – Syslogd (udp port)
636    – ldaps (both ctp and udp)
873    – rsync
989    – FTPS-data
990    – FTPS
20      – FTP Data (For transferring FTP data)
21      – FTP Control (For starting FTP connection)
22      – SSH (For secure remote administration which uses SSL to encrypt the transmission)
23      – Telnet (For insecure remote administration)
25      – SMTP (Mail Transfer Agent for e-mail server such as SEND mail)
53      – DNS (Special service which uses both TCP and UDP)
67      – Bootp
68      – DHCP
69      – TFTP (Trivial file transfer protocol uses udp protocol for connection less transmission of data)
80      –  HTTP/WWW(Apache)
88      – Kerberos
110    – POP3 (Mail delivery Agent)


Issue the below command as root user to check the listening ports.

Will use  netstat command to check open ports.

#netstat -tulpn

t – Will enables listing of tcp ports.
u – Will enables listing of udp ports
n – this will shows the port numbers
l – It will list only listening pockets

We should pay attention to listening ports, to validate and disable the unused ports in infra is a very important thing. In that the way, we can secure the server from the attack surface. So, Will see How to check listening ports in Linux


/etc/services – by reading this file we can read different types port/protocol combinations and applications.

#less /etc/services


lsof command:

Package for lsof:  lsof-4.87-4.el7.x86_64

To check the package avilability in linux use the below command.

#rpm -qa | grep -i lsof

To list open ports:

#lsof -i



To display all open files:

nmap command:

    Using nmap  command will check the open ports for remote server.

Using below command will check open ports in local machine.

      #nmap -sT  -O localhost



Command to check remote machine open ports:

#nmap -sT -O 192.168.0.105


Configuring SAMBA Server in RHEL7/ Cent OS 7

We are going to learn how to configure SAMBA Server in RHEL7 / Cent OS  7. Its used to share file and printer sharing over the network.

Now a days its used as Domain controller like Windows Active Directory.

Will integrate SAMBA Server with Windows Domain as a Primary domain controller or as a domain member.

Operating System:  RHEL7
Host Name:   server
IP Address:  192.168.43.226 / 255.255.255.0

Port numbers for Samba server :
137/tcp
137/udp
138/tcp
138/udp
139/tcp
139/udp
445/tcp
445/udp
Daemons:
  1. smbd: This is for file and printer sharing services
  2. nmbd:  This is for NetBIOS to IP Address service and Mapping NetBIOS Compluter Name to the TCP/IP IP Addresses.
Installing SAMBA Server:
 
#yum install y samba sambacommons cupslibs policycoreutilspython sambaclient
Below command will install all the packages which is required for samba server configuration.
 [root@server ~]# yum install -y samba
 
Create directory for sharing:
 
[root@server ~]# mkdir /sharedir
Create a new group called samba
 
#groupadd samba
 [root@server ~]# groupadd samba
 
 

change the group and permission for the directory which we are going to share using samba

[root@server ~]# chgrp -R samba /sharedir
[root@server ~]# chmod -R 777 /sharedir


check for the existing group and permission details for the directory.

[root@server ~]# ll / | grep sharedir
drwxrwxrwx. 2 root samba 6 Nov 11 08:59 sharedir
Now change the group and permission for the directory

Now again check for the group and permission for the directory and it’s changed.

Create a new user called test and add it to our newly created group which is called samba. Then set the samba password for the user.


[root@server ~]# useradd smbuser
[root@server ~]# usermod -G samba smbuser
[root@server ~]# smbpasswd -a smbuser
New SMB password:
Retype new SMB password:
Added user smbuser.
For samba default configuration file is /etc/samba/smb.conf 


We are going to edit this configuration file. Before that its advisable to take backup of configuration file.

#cp -p /etc/samba/smb.conf  /etc/samba/smb.conf.bkp


now we will edit the smb.conf file

[root@server ~]# vi /etc/samba/smb.conf
make the below entries at end of line.
Comment:   This will explain the operation what we are doing like sharing directory or sharing printer.
Path:           We are going to share a directory. So, here we should mention the directory with absolute path
Valid users:  Here we can mention the users and groups who has permission to access this directory.
Writeable:    i am giving yes, because i need read and write both permission.
browseable:  If you want to access the shared things using browser, we can make it as yes
Public:          We are not going to share this directory for all users. So, we should use no option.
[sharedir]
 comment = shared-directory
 path = /sharedir
 valid users = smbuser, @samba
 writeable = yes
 browseable = yes
 read only = no
 inherit acls = Yes

In the same smb.conf  file we should add our interface name and IP Address to allow the network in samba server.

And one more entry is very important that we need to mention our windows machines workgroup name. First we will use default one. If the windows machines are falling under different workgroup name. Then we have to change the workgroup name in this configuration file.

WORKGROUP  =  MYGROUP

We can add the services in /etc/services file.


[root@server ~]# vi /etc/services
netbios-ns 137/tcp # netbios name service
netbios-ns 137/udp # netbios name service
netbios-dgm 138/tcp # netbios datagram service
netbios-dgm 138/udp # netbios datagram service
netbios-ssn 139/tcp # netbios session service
netbios-ssn 139/udp # netbios session service


Now start the samba service and enable the service permanently on this run level.

[root@server ~]# systemctl start smb.service
[root@server ~]# systemctl enable smb.service
Created symlink from /etc/systemd/system/multi-user.target.wants/smb.service to /usr/lib/systemd/system/smb.service.

Same like that start and enable nmb service.

#systemctl start nmb.service
#systemctl enable nmb.service



 Add the firewall rule to allow the samba service via firewall.
In RHEL 7 firewall has been shipped from iptables to firewalld.

[root@server ~]# systemctl start firewalld
[root@server ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.56.0/24" service name="samba" log prefix="samba" level="info" limit value="1/m" accept'
success
[root@server ~]# systemctl enable firewalld Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.



Then reload the firewall configuration using below command

[root@server ~]# firewall-cmd --reload
success

Now all the configuration has been completed and will check in windows machine whether the samba is working well or not.

Connecting SAMBA server from linux  client machine.

samba client should be installed in linux client machine.

Package: samba-client-4.4.4-9.el7.x86_64

#yum install samba-client*

[root@server ~]# smbclient -L 192.168.43.126 -U test


-L :    This option will list the shared directories
192.168.43.226 :  IP Address of samba server
-U :  Option to mention the user name next to this which has access to this shared directory.

Output should be like below

Accessing via samba console:

#smbclient //192.168.43.226/sharedir -U test

above command will help you to show the content of shared directory and to do operations over their.



We successfully configure SAMBA server. Thanks for the support. 


Configuring DHCP Server in RHEL7/ Cent OS 7

DHCP – Dynamic host configuration protocol

We are going to configure DHCP Server in RHEL7

It’s a network protocol used to assign IP’s to the client dynamically over the network.

DHCP Workflow:

Required Package installation:

#yum install dhcp

Now we should assign a insterface in DHCPDARGS in /etc/sysconfig/dhcpd

 [root@localhost ~]# vi /etc/sysconfig/dhcpd
 
  DHCPDARGS=enp0s3

After installing package it will create one empty configuration file /etc/dhcp/dhcpd.conf  and we have one sample configuration file under /usr/share/doc/dhcp-4.2.15/dhcpd.conf.exmaple.

So as first, append the content from example file to original file using cat command.

[root@localhost ~]# cat /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example >> /etc/dhcp/dhcpd.conf

Open the configuration file to configure DHCP Server:

First will give basic configuration which will be common for your network.

[root@localhost ~]# vi /etc/dhcp/dhcpd.conf


Make the below entries 

 option domain-name "lbcdomain.com";
 option domain-name-servers server.lbcdomain.com;
 default-lease-time 600;
 max-lease-time 7200;
 authoritative;
 log-facility local7;



Now make subnet details in same configuration file.

subnet 192.168.1.0 netmask 255.255.255.0 {
 option routers 192.168.1.254;
 option subnet-mask 255.255.255.0;
 option domain-search "lbcdomain.com";
 option domain-name-servers 192.168.1.1;
 option time-offset -18000; # Eastern Standard Time
 range 192.168.1.10 192.168.1.100;
}

Optional(To reserve IP for a dhcp client machine) :

If you wan to assign a static IP to a client using DHCP service, use the below command.

host station1 {
 option host-name "node11.lbcdomain.com";
 hardware ethernet 00:12:2A:2B:3C:AB;
 fixed-address 192.168.1.100;
}

Restart the dhcp service now to complete the DHCP server configuration.

[root@localhost ~]# systemctl restart dhcp
To check dhcp we should login in client machine which is in same network physically and edit the interface configuration file to make dhcp ip assigned.
#vi /etc/sysconfig/network-scripts/ifcfg-eth0
 change the entry for BOOTPROTO as dhcp

DEVICE=eth0

BOOTPROTO=dhcp

TYPE=Ethernet

ONBOOT=yes
 
Save and quit.
 
Now restart the network service.
 #service network restart
 
now check for the ip and it should be assigned in between 192. 168.1.50 to 192.168.1.254
  
DHCP Configuration has been done.
Do practice well. All the best.

Bash Shell Script – 2

Bash Shell Script - 2

Today we are going to see how to use if statement in bash shell scripting.

before going to work with if statement, we should know the options which will be used in if statement to compare conditions.

-gt :    greater than
-lt  :    less than
-eq :   equal too
-ge :   greater than or equal
-le  :   less than or equal

We are going to see a script with a simple if statement.

From the below script we are going to check given number is equal to 100 or not and using read command to get keyboard interaction while running the script.
It will read the number from our keyboard interaction and store it in a variable called number. Then will check for the condition, which we mentioned in if statement and display the string.

create a file called ifstat.sh using vi

#vi ifstat.sh

#!/bin/bash
echo “Enter a numeric value”
read number
if [ $number -eq 100 ]
then
echo “Numeric value is 100”
else
echo “Numeric values is not equal to 100”
fi

We can use elif, if we need to execute more than one statement for if condition.

For the same numeric value validation we are going to change use this elif  option.

#vi ifstat1.sh

#!/bin/bash
echo “Enter a numeric value”
read number
if [ $number -eq 100 ]
then
echo “Numeric value is 100”
elif [ $number -gt 100 ]
then
echo “Numeric values is greater then 100”
elif [ $number -lt 100 ]
then
echo “Numeric values is less then 100”
fi

and we have nested if statement to validate the sme numeric values.
nested if is nothing but we are using if statement inside of if statement.

#vi ifstat2.sh

#!/bin/bash
echo “Enter a numeric value”
read number
if [ $number -eq 100 ]
then
echo “Numeric value is 100”
else
if[ $number -gt 100 ]
then
echo “Numeric values is greater then 100”
else
echo “Numeric values is less then 100”
fi
fi

Working with firewalld in RHEL 7/ Cent OS 7

            First we make sure the firewall service is running before going to do any work related to ports.

Use the command to check the firewall service status:

[root@server ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
 Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
 Active: active (running) since Sun 2017-10-29 08:46:09 IST; 4min 23s ago
 Docs: man:firewalld(1)
 Main PID: 523 (firewalld)
 CGroup: /system.slice/firewalld.service
 └─523 /usr/bin/python -Es /usr/sbin/firewalld --nofork --...

Oct 29 08:46:07 server systemd[1]: Starting firewalld - dynamic fir....
Oct 29 08:46:09 server systemd[1]: Started firewalld - dynamic fire....
Hint: Some lines were ellipsized, use -l to show in full.

Now we came to know that currently firewall is running and will check what are all the zone’s available and in public zone what are all the ports enabled/Listening, using below commands.

Command to check the available zone’s:


[root@server ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block

Command to check the listening ports in public zone:

 

 [root@server ~]# firewall-cmd --zone=public --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: enp0s8
 sources:
 services: dhcpv6-client mountd nfs rpc-bind ssh
 ports:
 protocols:
 masquerade: no
 forward-ports:
 sourceports:
 icmp-blocks:
 rich rules:
From the output we came to know that there are none ports enabled. So, will see how to enable a port.
For example i’m going to show you how to enable 8080(TCP Traffic) port.
[root@server ~]# firewall-cmd --zone=public --add-port=8080/tcp --permanent
success
 
–permanent:                 This is used to make the change permanent after rebooting the system.
–zone=public:               We are enabling the port in public zone.
–add-port=8080/tcp:    port number which we are going to enable.
We must reload the firewall configuration to make the changes effect in current session. However it will take the effect by next booting.
[root@server ~]# firewall-cmd --reload
success
Again will check for the enabled ports status in public zone after this changes.
[root@server ~]# firewall-cmd --zone=public --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: enp0s8
 sources:
 services: dhcpv6-client mountd nfs rpc-bind ssh
 ports: 8080/tcp
 protocols:
 masquerade: no
 forward-ports:
 sourceports:
 icmp-blocks:
 rich rules:
It shows that 8080 port has been enabled.
I am going to show you how to remove the enabled port in firewall and as i said will reload the firewall configuration to make effect in this session. Then check for the status.
[root@server ~]# firewall-cmd --zone=public --remove-port=8080/tcp --permanent
success
[root@server ~]# firewall-cmd --reload
success
[root@server ~]# firewall-cmd --zone=public --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: enp0s8
 sources:
 services: dhcpv6-client mountd nfs rpc-bind ssh
 ports:
 protocols:
 masquerade: no
 forward-ports:
 sourceports:
 icmp-blocks:
 rich rules:
 
We can get the list of zones where we have assigned interfaces and sources.
[root@server ~]# firewall-cmd --get-active-zone
external
 interfaces: enp0s3
public
 interfaces: enp0s8
To get the which zone is associate with a interface. Here i’m taking enp0s3 interface for test.
[root@server ~]# firewall-cmd --get-zone-of-interface=enp0s3
external

Command to get the permanent configuration of a zone. Here i’m taking public zone to test.

[root@server ~]# firewall-cmd --permanent --zone=public --list-all
public
 target: default
 icmp-block-inversion: no
 interfaces:
 sources:
 services: dhcpv6-client mountd nfs rpc-bind ssh
 ports:
 protocols:
 masquerade: no
 forward-ports:
 sourceports:
 icmp-blocks:
 rich rules:
Command to get the default zone:
[root@server ~]# firewall-cmd --get-default-zone
public
Command to set the default zone:
[root@server ~]# firewall-cmd --set-default-zone=home
success