Part 6 Firewall
Firewalling:
netfilter runs at the kernel level
- iptables
Holds the complete configuration
- firewall-cmd
Easy command line front end that writes to iptables
Zone
A zone is an indication of the level of security you want on different interfaces. Interfaces are assigned to zones.
- If the packet's source matches a zone, the packet is handled by that zone.
- If the incoming interface matches a zone, that zone is used.
- If neither applies, the default zone is used.
Services
A service here is not a systemd service but a firewalld service: it lists the ports and other elements that need to be opened for a specific application.
Commands to know
iptables
iptables -L
to view current configuration
iptables -P INPUT DROP
# Drops all traffic in.
iptables -P OUTPUT DROP
# Drops all outbound traffic
iptables -A INPUT -p tcp --dport=80 -j ACCEPT
# Allow port 80 in.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow related traffic out.
iptables-save > /etc/sysconfig/iptables
# Save configuration for startup
firewalld
firewalld writes to either the running or the persistent configuration. The default is the running configuration (lost on reload unless --permanent is used).
firewall-cmd --list-all
# current configuration
firewall-cmd --get-services
# To list services
firewall-cmd --add-service=http
# Add Service to allow
firewall-cmd --permanent --add-service=http
# Add Service and make permanent
firewall-cmd --reload
# reload service
Firewalld Configuration
Configuration directories
/usr/lib/firewalld - System files
/etc/firewalld - User created files
Copy an existing service file into the user directory:
cp /usr/lib/firewalld/services/samba.xml /etc/firewalld/services/sample.xml
Edit the new file as needed, then reload so firewalld reads the new service file:
firewall-cmd --reload
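As an added example (not part of the original notes), a custom service file in the format firewalld expects under /etc/firewalld/services/; the service name "webapp" and its ports are assumptions:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example: /etc/firewalld/services/webapp.xml
     Files in /etc/firewalld override those in /usr/lib/firewalld
     with the same name, so user edits survive package updates. -->
<service>
  <short>webapp</short>
  <description>Internal web application (constructed example) listening on TCP 8080 and 8443.</description>
  <!-- Only the listed ports are opened when the service is added to a zone. -->
  <port protocol="tcp" port="8080"/>
  <port protocol="tcp" port="8443"/>
</service>
```

After `firewall-cmd --reload`, the service appears in `firewall-cmd --get-services` and can be added to a zone with `firewall-cmd --permanent --zone=internal --add-service=webapp`.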
Rich rules
- Direct rules
Allow inserting hand-coded iptables rules into firewalld
- Rich rules
Expressive language to create rules
Order in which rich rules are processed:
Port forwarding
Logging rules
deny rules
allow rules
Man page: man firewalld.richlanguage
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=10.100.100.1 reject'
firewall-cmd --permanent --add-rich-rule='rule service name=http log limit value="3/m" accept'
NAT
Configuring NAT
Setup Zones
firewall-cmd --get-active-zones
firewall-cmd --list-all --zone=<zone name>
Add an interface to a zone
firewall-cmd --permanent --zone=internal --change-interface=eth1
Add masquerade to Public Zone
firewall-cmd --permanent --zone=public --add-masquerade
Reload after each configuration change:
firewall-cmd --reload
Port Forwarding
Verify that IP forwarding is enabled in /proc/sys/net/ipv4/ip_forward
0 = off | 1 = on
View current configuration
firewall-cmd --list-forward-ports
Add masquerade to Public zone.
firewall-cmd --permanent --zone=public --add-masquerade
Create a new port forward (here: TCP 2222 on the public zone to port 22 on 10.100.10.11)
firewall-cmd --zone=public --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=10.100.10.11