Firewall

From The Linux Source
Revision as of 15:20, 8 May 2017 by Support (Talk | contribs)

Jump to: navigation, search


Overview / Gotcha's

Warning: making firewalld changes are either done to the running/active config or the permanent config, there is not one command for both configurations. However, this was done so you can test changes in the active config (which would not be permanent) and the system could be rebooted if it became unavailable, to get it back to the previous state that was working. To update both the active and permanent configs, all commands would need to be run twice, once to affect the active state (without --permanent) and a second time (with --permanent) to save/make permanent the change. Alternately you can do all commands with --permanent and then do a 'firewall-cmd --reload', though is not recommended.


iptables examples (before ent 7)

Allow https port:

temporary
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
permanent
do temporary step and "service iptables save", OR
# vi /etc/sysconfig/iptables
add
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# service iptables restart

Allow a custom ssh port:

temporary
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 222 -j ACCEPT
permanent
do temporary step and "service iptables save", OR
# vi /etc/sysconfig/iptables
add
-A INPUT -m state --state NEW -m tcp -p tcp --dport 222 -j ACCEPT
# service iptables restart

Allow samba figure out all it's udp & tcp ports and add the various needed lines for this in a similar fashion to the previous examples


firewalld examples (ent 7)

Allow https port:

temporary
# firewall-cmd --add-port 443/tcp
permanent (to make active, also do temporary step, or after the permanent step do "firewall-cmd --reload")
# firewall-cmd --add-port 443/tcp --permanent

Note: you can use; '--add-service http' instead, but this adds a long list of ports 80/443/8080/8443/etc/etc, therefore it's more secure/preferable to only open the individual ports you need

Allow a custom ssh port:

temporary
# firewall-cmd --add-port 222/tcp
permanent (to make active, also do temporary step, or after the permanent step do "firewall-cmd --reload")
# firewall-cmd --add-port 222/tcp --permanent

Allow samba:

# firewall-cmd --add-service smb --permanent


firewalld - running/enabling firewalld

when running firewalld, this will conflict with the old iptables service, so if firewalld rules are set up and the iptables service get started/enabled, this will cause problems/contention between the two services. To ensure this doesn't happen accidentally after you've gotten a firewalld setup configured/working correctly, it is recommended to 'mask' the conflicting services, where they could not just be enabled without someone finding out they've been masked, and explicitly having to disable the masking to enable iptables. Recommended enable procedure for firewalld:

# systemctl mask iptables
# systemctl mask ip6tables
# systemctl mask ebtables
# systemctl enable firewalld
# systemctl start firewalld


firewalld - zones

The following is a description of the default zones that currently come preconfigured on a system:

Zone Description
drop Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
public For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted All network connections are accepted.

The primary zone defaults to public, but the primary interface (and others) can be moved into other zones. Adding new rules automatically go into the default zone.


firewall-cmd Quick Reference

Moving interfaces into other zones (actually done via NetworkManager, and not through firewalld):

# nmcli con mod em1 connection.zone trusted

Creating new Zones example (adding new zone, setting to ACCEPT (like the trusted zone) and accepting connections from a subnet for these rules):

# firewall-cmd --new-zone=pinemgmt --permanent
# firewall-cmd --zone=pinemgmt --set-target=ACCEPT --permanent
# firewall-cmd --add-source=210.110.40.230/29 --zone=pinemgmt --permanent
# firewall-cmd --add-port=222/tcp --zone=pinemgmt --permanent

Viewing default Zone info:

# firewall-cmd --list-all

Viewing Zone info for a specific zone:

# firewall-cmd --list-all --zone=trusted

Viewing all Zones:

# firewall-cmd --list-all-zones

Removing a service

# firewall-cmd --remove-service=ssh
# firewall-cmd --remove-service=http

Remove a port

# firewall-cmd --remove-port=80/tcp

Add a port (not recommended to add a service like http, which adds 8443/8080/etc/etc)

# firewall-cmd --add-port=443/tcp
# firewall-cmd --add-port=222/tcp

Disallow connections from a hacking IP

# firewall-cmd --add-source 98.200.183.180 --zone drop
OR
# firewall-cmd --add-source 98.200.183.180 --zone block


Examples

Example setup/scenario for a system at a client site using various zones (p2p1 is a capture interface):

# nmcli con mod em1 connection.zone public
# nmcli con mod p2p1 connection.zone trusted
# systemctl mask iptables
# systemctl mask ip6tables
# systemctl enable firewalld
# systemctl start firewalld
# firewall-cmd --remove-service=ssh --permanent
# firewall-cmd --new-zone=pinemgmt --permanent
# firewall-cmd --zone=pinemgmt --set-target=ACCEPT --permanent
# firewall-cmd --add-source=210.110.40.230/29 --zone=pinemgmt --permanent
# firewall-cmd --reload
OPTIONAL/FYI:
# firewall-cmd --list-all
# firewall-cmd --list-all --zone=trusted
# firewall-cmd --list-all --zone=pinemgmt


iptables Quick Reference

NAT'ing/forwarding in Net Discovery We're not sure how to get NAT to work via command line (if you type these commands, it fails), however, NAT works if the following is set in the iptables rules file (/etc/sysconfig/iptables)

*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1904 -j DNAT --to-destination 163.120.170.170:1101
-A POSTROUTING -d 163.120.170.170/32 -p tcp -m tcp -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT

Note: the PREROUTING rule looks at anything (TCP) coming in to the local port 1904 and passes it on to 163.120.170.170 port 1101, the MASQUERADE rule is for anything going to/from 163.120.170.170 (only one MASQUERADE line is needed for all/any rules forwarding traffic to 163.120.170.170)