Use Firewalld And Associated Mechanisms Such As Rich Rules, Zones And Custom Rules To Implement Packet Filtering And Configure Network Address Translation (NAT)
General Information
Firewalld replaces iptables as the default firewall management tool. Like iptables, it is a front end that programs the netfilter code in the kernel.
It differs from iptables in that it allows configuration changes to be applied without dropping current connections, and it is a zone-based firewall.
Lab Setup
The following virtual machines will be used:
- server1 (192.168.1.150) → Will be the internal system
- Add 1 interface for internal: 10.0.0.1/24
- server2 (192.168.1.151) → Will be the external system
- Add 1 interface for external: 172.16.0.1/24
- ipa (192.168.1.152) → Will be the “router”
- Add 2 interfaces
- Internal: 10.0.0.254/24
- External: 172.16.0.254/24
Adding Interfaces
Virtualbox example for adding interfaces
- Pre-Req: VMs must be powered off
- Select the VM
- In the top bar, click “Settings”
- On the left navigation, select “Network”
- In the middle pane, click “Adapter 2”
- Check “Enable Network Adapter”
- Attached to: Internal Network
- Repeat for each VM
- Add “Adapter 3” for the ipa/router VM
- Power on all VMs
Configure Interfaces
- server1 (192.168.1.150) → Will be the internal system
- IP for internal: 10.0.0.1/24
# Rename connection to match device
nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
# Set IP info
nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 10.0.0.1/24 ipv4.gateway 10.0.0.254
# Bring interface up
nmcli con up enp0s8
- Route for server1 to reach server2
vim /etc/sysconfig/static-routes
any net 172.16.0.0/24 gw 10.0.0.254 dev enp0s8
# save, then restart the network service
systemctl restart network
- server2 (192.168.1.151) → Will be the external system
- IP for external: 172.16.0.1/24
# Rename connection to match device
nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
# Set IP info and assign device to connection
nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 172.16.0.1/24 ipv4.gateway 172.16.0.254
# Bring interface up
nmcli con up enp0s8
- Route for server2 to reach server1
vim /etc/sysconfig/static-routes
any net 10.0.0.0/24 gw 172.16.0.254 dev enp0s8
# save, then restart the network service
systemctl restart network
- ipa (192.168.1.152) → Will be the “router”
- IPs for both interfaces (no gateway is set; the router only needs its two directly connected networks)
- Internal: 10.0.0.254/24
# Rename connection to match device
nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
# Set IP info
nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 10.0.0.254/24
# Bring interface up
nmcli con up enp0s8
- External: 172.16.0.254/24
# Rename connection to match device
nmcli con mod Wired\ connection\ 2 con-name enp0s9 ifname enp0s9
# Set IP info
nmcli con mod enp0s9 ipv4.method manual ipv4.addresses 172.16.0.254/24
# Bring interface up
nmcli con up enp0s9
Help
Finding help in this section.
- Firewalld Rich Rules
man firewalld.richlanguage
- Firewall Cmd Man page (forward ports)
man firewall-cmd
Firewalld Service
Ensure it's running
systemctl status firewalld
Forwarding: Multiple Interfaces
If you have multiple interfaces and need to forward packets through them, IP Forwarding needs to be enabled.
Enable ip forwarding (on ipa/the router)
vim /etc/sysctl.d/router.conf
# Enable IP forwarding to other interfaces
net.ipv4.ip_forward=1
Load changes from all locations
sysctl --system
Verify
sysctl -a | grep ip_forward
Packet Filtering
Open http (tcp/80)
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
Zones
Firewall-cmd zone commands.
General Commands
Show default zone
firewall-cmd --get-default-zone
Active Zones (interfaces or sources assigned)
firewall-cmd --get-active-zones
Show all zones
firewall-cmd --get-zones
List config of all zones
firewall-cmd --list-all-zones
Create rule for a specific zone
firewall-cmd --permanent --zone=work --add-source=192.168.1.151
firewall-cmd --permanent --zone=work --add-service=http
firewall-cmd --reload
Lab: Set Zones for Router
Setting zones for the router (ipa) system.
- Add enp0s8 to internal
firewall-cmd --permanent --add-interface=enp0s8 --zone=internal
- Add enp0s9 to external
firewall-cmd --permanent --add-interface=enp0s9 --zone=external
Note: As of RHEL 7.4, you do not need to execute the removal command/network script update like you did in earlier versions. Listed below just in case you get an older version on the exam.
- Removal example
firewall-cmd --remove-interface=enp0s8 --zone=public
- Network script update example
nmcli con mod enp0s8 connection.zone internal
Custom Service
- Built-in service definitions: /usr/lib/firewalld/services/
- Custom services/overrides: /etc/firewalld/services/ (a file here with the same name overrides the built-in one)
Copy a built in service file
cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/leetservice.xml
Edit it, then reload the firewall
vim /etc/firewalld/services/leetservice.xml
<make changes, save, quit>
firewall-cmd --reload
- Note: Since the file was copied, the SELinux file context should have been copied as well.
- View
ls -lZ /etc/firewalld/services/leetservice.xml
- Restore if needed
restorecon -v /etc/firewalld/services/leetservice.xml
Custom service can now be viewed and used
firewall-cmd --get-services
firewall-cmd --permanent --add-service=leetservice
firewall-cmd --reload
Rich Rules
Rich rules allow you to create allow or deny rules in order to define:
- Logging
- Port forwarding
- Masquerading
- Rate limiting
- Connections for one specific zone
Rich rule help/examples
man firewalld.richlanguage
- All examples start with 'rule'
- The entire string is quoted inside of the --add-rich-rule=' ' argument to a firewall-cmd command.
Rich Rule Examples
Log SSH Attempts
firewall-cmd --zone=public --add-rich-rule='rule service name="ssh" log prefix="SSH Attempt: " level="notice" limit value="5/m" accept'
ICMP traffic
firewall-cmd --zone=public --add-rich-rule='rule protocol value=icmp accept'
Extending the HTTP Rule
firewall-cmd --permanent --zone=home --add-rich-rule='rule family=ipv4 source address=192.168.1.151 service name="http" log level=notice prefix="NEW HTTP RULE " limit value="100/s" accept'
firewall-cmd --reload
- family=ipv4 → required to specify an address family when including IP addresses as a source or destination
- source address=192.168.1.151 → Where the HTTP connection attempt is coming from
- service name=http → http service (tcp/80)
- log level=notice → Change log level of http access
- prefix → Add this text to the front of the log
- limit value → Limit the number of logged connection attempts to 100 per second (the limit applies to the log entries, not to the accepted traffic)
- accept → Accept the connection
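The rule above is easy to get wrong by hand (a bad address, an unsupported log level, an unquoted prefix). As an added example, not from the original page, this POSIX shell builds the same rich rule from parameters and validates every field before it is passed to firewall-cmd; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: build the page's logged,
# rate-limited rich rule from parameters and validate each field before
# it is handed to firewall-cmd. Function names here are hypothetical.

# Accept a dotted-quad IPv4 address with an optional /prefix (0-32).
valid_ipv4() {
    local ip prefix oldifs octet
    ip="$1"
    case "$ip" in
        */*) prefix="${ip#*/}"; ip="${ip%/*}"
             case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print a rich rule: family=ipv4, one source address, one named service,
# logging with prefix/level/limit, then the final action.
# Usage: build_service_rich_rule SOURCE SERVICE PREFIX LEVEL LIMIT ACTION
build_service_rich_rule() {
    local src="$1" service="$2" prefix="$3" level="$4" limit="$5" action="$6"
    valid_ipv4 "$src" || { echo "bad source address: $src" >&2; return 1; }
    case "$service" in *[!a-z0-9-]*|'') echo "bad service: $service" >&2; return 1 ;; esac
    case "$level" in emerg|alert|crit|error|warning|notice|info|debug) ;;
        *) echo "bad log level: $level" >&2; return 1 ;; esac
    case "$limit" in [0-9]*/[smhd]) ;;
        *) echo "bad limit (want N/s, N/m, N/h or N/d): $limit" >&2; return 1 ;; esac
    case "$action" in accept|drop|reject) ;;
        *) echo "bad action: $action" >&2; return 1 ;; esac
    printf 'rule family="ipv4" source address="%s" service name="%s" log prefix="%s" level="%s" limit value="%s" %s\n' \
        "$src" "$service" "$prefix" "$level" "$limit" "$action"
}

# The page's "Extending the HTTP Rule", built and applied in one step:
#   firewall-cmd --permanent --zone=home \
#     --add-rich-rule="$(build_service_rich_rule 192.168.1.151 http 'NEW HTTP RULE ' notice 100/s accept)"
```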
NAT
Network Address Translation.
Prerequisites
- Two interfaces
- ip_forward must be enabled in order for NAT to work.
Masquerading
Masquerading is often done when a private network is going out to an external network (the internet) through a gateway.
A server that has both an external and internal interface that is acting as a gateway provides the NAT Masquerading.
The masquerading is configured on the external zone/interface.
Configure masquerading for hosts in a zone
firewall-cmd --permanent --zone=external --add-masquerade
firewall-cmd --reload
Additional Example: Masquerading for specific source addresses
firewall-cmd --permanent --zone=external --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 masquerade'
Port Forwarding
Port forwarding allows external systems to access internal systems.
They come in from external on one port, and get forwarded to an internal system on a different port.
Forward a connection from external 172.16.0.254 (ipa/router) on port tcp/2222 to internal 10.0.0.1 (server1) on port tcp/22
firewall-cmd --permanent --zone=external --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=10.0.0.1
firewall-cmd --reload
Test the connection from server2
[root@server2 ~]# ssh -p 2222 root@172.16.0.254
The authenticity of host '[172.16.0.254]:2222 ([172.16.0.254]:2222)' can't be established.
ECDSA key fingerprint is SHA256:klAqN92d6UnV80L99E5TxQHBxFDMSk9HNcL7E4DsKdY.
ECDSA key fingerprint is MD5:9d:56:7a:12:32:fd:df:b6:9e:6d:4c:9e:1a:72:a0:78.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.16.0.254]:2222' (ECDSA) to the list of known hosts.
root@172.16.0.254's password:
[root@server1 ~]#
- server2 connects to port 2222 on the ipa/router VM.
- The firewall port forward rule forwards the connection to port 22 on server1
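Once the router is configured, it is worth checking that the NAT pieces from the Forwarding, Masquerading and Port Forwarding sections actually landed on the external zone and nowhere else. As an added example, not from the original page, this POSIX shell parses the output of firewall-cmd --zone=external --list-all for the lab's expected settings; the listing below is a constructed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: audit the ipa router's NAT setup
# by parsing `firewall-cmd --zone=external --list-all` output. The listing below
# is a constructed sample; check_external_zone and live_check are hypothetical.

# Constructed sample of `firewall-cmd --zone=external --list-all` on the router.
SAMPLE_EXTERNAL_ZONE='external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s9
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports: port=2222:proto=tcp:toport=22:toaddr=10.0.0.1
  source-ports:
  icmp-blocks:
  rich rules:'

# Print the value of the "key: value" line in zone listing $1 for key $2.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Verify the external zone carries exactly the lab's NAT setup: the external
# interface is attached, masquerade is on, and only the expected forward exists.
# Args: zone listing, expected interface, expected forward-port spec.
check_external_zone() {
    local listing="$1" iface="$2" fwd="$3" val
    val=$(zone_field "$listing" interfaces)
    case " $val " in *" $iface "*) ;; *) echo "interface $iface not in zone" >&2; return 1 ;; esac
    [ "$(zone_field "$listing" masquerade)" = "yes" ] || { echo "masquerade off" >&2; return 1; }
    val=$(zone_field "$listing" forward-ports)
    [ "$val" = "$fwd" ] || { echo "unexpected forward-ports: '$val'" >&2; return 1; }
    return 0
}

# Live check on the router (needs root and firewalld); not exercised by the test.
live_check() {
    [ "$(sysctl -n net.ipv4.ip_forward)" = "1" ] || { echo "ip_forward disabled" >&2; return 1; }
    check_external_zone "$(firewall-cmd --zone=external --list-all)" enp0s9 \
        'port=2222:proto=tcp:toport=22:toaddr=10.0.0.1'
}
```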