How to do the initial firewalld configuration for a Cassandra server and OpsCenter on CentOS/Red Hat 7 with two network interfaces (in my case a Dell 1950/2950).
First: verify that each network interface is associated with a firewalld zone (the ZONE= setting in its ifcfg file, picked up by NetworkManager):
# grep -i zone /etc/sysconfig/network-scripts/ifcfg-*
/etc/sysconfig/network-scripts/ifcfg-enp4s0:ZONE=internal
/etc/sysconfig/network-scripts/ifcfg-enp8s0:ZONE=public
# service network restart
Second: add the Cassandra ports to the internal zone (private interface) and public zone (public interface):
#!/bin/bash
# add ports on internal interface for Cassandra server
firewall-cmd --zone=internal --add-port=7000/tcp --add-port=7199/tcp --add-port=9042/tcp --add-port=9160/tcp --add-port=61619-61621/tcp --permanent
# add ports on public interface for Cassandra server
firewall-cmd --zone=public --add-port=80/tcp --add-port=8888/tcp --permanent
firewall-cmd --reload
Edit the zone files in /etc/firewalld/zones to remove the desktop helper services the default zones carry, then run
service firewalld restart
Third: verify the configuration:
firewall-cmd --get-active-zones
firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --list-services
firewall-cmd --zone=internal --list-ports
firewall-cmd --zone=internal --list-services
Output is:
# firewall-cmd --get-active-zones
internal
  interfaces: enp4s0
public
  interfaces: enp8s0
# firewall-cmd --zone=internal --list-ports
7000/tcp 7199/tcp 9042/tcp 9160/tcp 61619-61621/tcp
# firewall-cmd --zone=internal --list-services
ssh
# firewall-cmd --zone=public --list-ports
80/tcp 8888/tcp
# firewall-cmd --zone=public --list-services
ssh
Fourth: verify the firewall rules with nmap:
# nmap -sS my.external.interface.com
Starting Nmap 5.51 ( http://nmap.org ) at 2015-10-15 22:34 PDT
Nmap scan report for my.external.interface.com
Host is up (0.075s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8888/tcp open opscenter
Nice!
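A check script, added here and not part of the original post, that audits each zone's ports and services against the lists configured above: it queries firewall-cmd when the tool is present and otherwise falls back to a constructed sample of its output in which the internal zone still carries its default helper services (mdns, samba-client, dhcpv6-client are assumed defaults for illustration).

```shell
#!/bin/sh
# Added check (not from the original post): compare a firewalld zone's ports and
# services with the set this post expects, so a missing Cassandra port or a leftover
# desktop helper service (mdns, samba-client, ...) is reported. Sample output is constructed.

INTERNAL_PORTS="7000/tcp 7199/tcp 9042/tcp 9160/tcp 61619-61621/tcp"   # from the post
PUBLIC_PORTS="80/tcp 8888/tcp"
ALLOWED_SERVICES="ssh"

# in_list ITEM "LIST": succeed if ITEM is one of the space-separated words in LIST.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# check_zone LABEL "EXPECTED" "ACTUAL": print every missing or unexpected entry;
# return 0 only when both lists hold the same words.
check_zone() {
    _label=$1 _expected=$2 _actual=$3 _rc=0
    for _e in $_expected; do
        in_list "$_e" "$_actual" || { echo "$_label: missing $_e"; _rc=1; }
    done
    for _a in $_actual; do
        in_list "$_a" "$_expected" || { echo "$_label: unexpected $_a"; _rc=1; }
    done
    return $_rc
}

# zone_list ZONE ports|services: live firewall-cmd query when available, else a
# constructed sample in which the internal zone still has its default helper services.
zone_list() {
    if command -v firewall-cmd >/dev/null 2>&1; then firewall-cmd --zone="$1" --list-"$2"
    elif [ "$2" = ports ] && [ "$1" = internal ]; then echo "$INTERNAL_PORTS"
    elif [ "$2" = ports ]; then echo "$PUBLIC_PORTS"
    elif [ "$1" = internal ]; then echo "ssh mdns samba-client dhcpv6-client"
    else echo "ssh"
    fi
}

# audit_zone ZONE "EXPECTED_PORTS": run the port and service checks for one zone.
audit_zone() {
    _ok=0
    check_zone "$1 ports" "$2" "$(zone_list "$1" ports)" || _ok=1
    check_zone "$1 services" "$ALLOWED_SERVICES" "$(zone_list "$1" services)" || _ok=1
    return $_ok
}

audit_zone internal "$INTERNAL_PORTS" && echo "internal: OK"
audit_zone public "$PUBLIC_PORTS" && echo "public: OK"
```

With the sample data the internal zone fails on its three leftover helper services, which is exactly what editing the zone files in /etc/firewalld/zones is meant to fix.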
Troubleshooting
As always, if you experience network issues on Linux, rule out SELinux, firewalld and TCP wrappers first by disabling them and checking whether they are the source of the problem:
setenforce 0
service firewalld stop
cat /etc/hosts.*
Fedora introduces Network Zones
fedoraproject.org: Network Zones