====== Use Firewalld And Associated Mechanisms Such As Rich Rules Zones And Custom Rules To Implement Packet Filtering And Configure Network Address Translation Nat ======
**General Information**
Firewalld replaces the iptables service as the default firewall manager. It still talks to the netfilter code in the kernel; only the management front end changes.
It differs from iptables in two ways: configuration changes are applied without dropping current connections, and it is a zone-based firewall.
----
====== Lab Setup ======
The following virtual machines will be used:
* server1 (192.168.1.150) -> Will be the internal system
  * Add 1 interface for **internal**: 10.0.0.1/24
* server2 (192.168.1.151) -> Will be the external system
  * Add 1 interface for **external**: 172.16.0.1/24
* ipa (192.168.1.152) -> Will be the "router"
  * Add 2 interfaces
    * **Internal**: 10.0.0.254/24
    * **External**: 172.16.0.254/24
===== Adding Interfaces =====
VirtualBox example for adding interfaces
* Pre-Req: VMs must be powered off
* Select the VM
* In the top bar, click "Settings"
* On the left navigation, select "Network"
* In the middle pane, click "Adapter 2"
* Check "Enable Network Adapter"
* Attached to: Internal Network
* Repeat for each VM
* Add "Adapter 3" for the ipa/router VM
* Power on all VMs
===== Configure Interfaces =====
* server1 (192.168.1.150) -> Will be the internal system
  * IP for **internal**: 10.0.0.1/24
<code bash>
# Rename the connection to match the device
nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
# Set IP info
nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 10.0.0.1/24 ipv4.gateway 10.0.0.254
# Bring the interface up
nmcli con up enp0s8
</code>
  * Route for server1 to reach server2
<code bash>
vim /etc/sysconfig/static-routes
# add this line to the file:
any net 172.16.0.0/24 gw 10.0.0.254 dev enp0s8
# save, then restart the network service
systemctl restart network
</code>
* server2 (192.168.1.151) -> Will be the external system
  * IP for **external**: 172.16.0.1/24
<code bash>
# Rename the connection to match the device
nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
# Set IP info and assign the device to the connection
nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 172.16.0.1/24 ipv4.gateway 172.16.0.254
# Bring the interface up
nmcli con up enp0s8
</code>
  * Route for server2 to reach server1
<code bash>
vim /etc/sysconfig/static-routes
# add this line to the file:
any net 10.0.0.0/24 gw 172.16.0.254 dev enp0s8
# save, then restart the network service
systemctl restart network
</code>
* ipa (192.168.1.152) -> Will be the "router"
  * IPs for
    * **Internal**: 10.0.0.254/24
<code bash>
# Rename the connection to match the device
nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
# Set IP info
nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 10.0.0.254/24
# Bring the interface up
nmcli con up enp0s8
</code>
    * **External**: 172.16.0.254/24
<code bash>
# Rename the connection to match the device
nmcli con mod Wired\ connection\ 2 con-name enp0s9 ifname enp0s9
# Set IP info
nmcli con mod enp0s9 ipv4.method manual ipv4.addresses 172.16.0.254/24
# Bring the interface up
nmcli con up enp0s9
</code>
----
====== Help ======
Finding help in this section.
* Firewalld rich rules
<code bash>
man firewalld.richlanguage
</code>
* firewall-cmd man page (forward ports)
<code bash>
man firewall-cmd
</code>
----
====== Firewalld Service ======
Ensure it's running
<code bash>
systemctl status firewalld
</code>
----
====== Forwarding: Multiple Interfaces ======
If you have multiple interfaces and need to forward packets between them, IP forwarding must be enabled in the kernel.
\\
Enable IP forwarding (**on ipa/the router**)
<code bash>
vim /etc/sysctl.d/router.conf
# file contents:
# Enable IP forwarding between interfaces
net.ipv4.ip_forward=1
</code>
\\
Load changes from all sysctl configuration locations
<code bash>
sysctl --system
</code>
\\
Verify
<code bash>
sysctl -a | grep ip_forward
</code>
----
====== Packet Filtering ======
Open http (tcp/80)
<code bash>
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
</code>
===== Zones =====
Firewall-cmd zone commands.
==== General Commands ====
Show default zone
<code bash>
firewall-cmd --get-default-zone
</code>
\\
Active zones (zones with interfaces or sources assigned)
<code bash>
firewall-cmd --get-active-zones
</code>
\\
Show all zones
<code bash>
firewall-cmd --get-zones
</code>
\\
List config of all zones
<code bash>
firewall-cmd --list-all-zones
</code>
\\
Create rules for a specific zone
<code bash>
firewall-cmd --permanent --zone=work --add-source=192.168.1.151
firewall-cmd --permanent --zone=work --add-service=http
firewall-cmd --reload
</code>
==== Lab: Set Zones for Router ====
Setting zones for the router (ipa) system.
* Add enp0s8 to internal
<code bash>
firewall-cmd --permanent --add-interface=enp0s8 --zone=internal
</code>
* Add enp0s9 to external
<code bash>
firewall-cmd --permanent --add-interface=enp0s9 --zone=external
</code>
\\
**Note:** As of RHEL 7.4, you **do not** need to execute the removal command/network script update like you did in earlier versions. Listed below just in case you get an older version on the exam.
* Removal example
<code bash>
firewall-cmd --remove-interface=enp0s8 --zone=public
</code>
* Network script update example
<code bash>
nmcli con mod enp0s8 connection.zone internal
</code>
----
====== Custom Service ======
* Built-in service definitions: /usr/lib/firewalld/services/
* Custom services/overrides: /etc/firewalld/services/
Copy a built-in service file
<code bash>
cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/leetservice.xml
</code>
\\
Edit it, then reload the firewall
<code bash>
vim /etc/firewalld/services/leetservice.xml
firewall-cmd --reload
</code>
* **Note**: Since the file was copied, the SELinux file context should have been copied as well.
  * View
<code bash>
ls -lZ /etc/firewalld/services/leetservice.xml
</code>
  * Restore if needed
<code bash>
restorecon -v /etc/firewalld/services/leetservice.xml
</code>
\\
The custom service can now be listed and used
<code bash>
firewall-cmd --get-services
firewall-cmd --permanent --add-service=leetservice
firewall-cmd --reload
</code>
----
====== Rich Rules ======
Rich rules allow you to create allow or deny rules in order to define:
* Logging
* Port forwarding
* Masquerading
* Rate limiting
* Connections for one specific zone
Rich rule help/examples
<code bash>
man firewalld.richlanguage
</code>
* Every rich rule starts with 'rule'
* The entire rule string is quoted inside the --add-rich-rule='...' argument to firewall-cmd.
===== Rich Rule Examples =====
Log SSH attempts (runtime only: no --permanent, so the rule is gone after a reload)
<code bash>
firewall-cmd --zone=public --add-rich-rule='rule service name="ssh" log prefix="SSH Attempt: " level="notice" limit value="5/m" accept'
</code>
\\
Allow ICMP traffic (runtime only)
<code bash>
firewall-cmd --zone=public --add-rich-rule='rule protocol value=icmp accept'
</code>
\\
Extending the HTTP rule
<code bash>
firewall-cmd --permanent --zone=home --add-rich-rule='rule family=ipv4 source address=192.168.1.151 service name="http" log level=notice prefix="NEW HTTP RULE " limit value="100/s" accept'
firewall-cmd --reload
</code>
* family=ipv4 -> required to specify an address family when including IP addresses as a source or destination
* source address=192.168.1.151 -> Where the HTTP connection attempt is coming from
* service name=http -> http service (tcp/80)
* log level=notice -> Change log level of http access
* prefix -> Add this text to the front of the log
* limit value -> Limit the amount of logged connection attempts to 100 a second
* accept -> Accept the connection
----
====== NAT ======
Network Address Translation.
**Prerequisites**
* Two interfaces
* [[linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat#multiple_interfaces|ip_forward must be enabled]] in order for NAT to work.
===== Masquerading =====
Masquerading is often done when a private network is going out to an external network (the internet) through a gateway.
A server that has both an external and internal interface that is acting as a gateway provides the NAT Masquerading.
The masquerading is configured on the **external** zone/interface.
\\
Configure masquerading for hosts in a zone
<code bash>
firewall-cmd --permanent --zone=external --add-masquerade
firewall-cmd --reload
</code>
\\
Additional example: masquerading only for specific source addresses
<code bash>
firewall-cmd --permanent --zone=external --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 masquerade'
firewall-cmd --reload
</code>
===== Port Forwarding =====
Port forwarding allows external systems to access internal systems.
They come in from external on one port, and get forwarded to an internal system on a different port.
\\
Forward a connection from external 172.16.0.254 (ipa/router) on port tcp/2222 to internal 10.0.0.1 (server1) on port tcp/22
<code bash>
firewall-cmd --permanent --zone=external --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=10.0.0.1
firewall-cmd --reload
</code>
\\
Test the connection from server2
<code>
[root@server2 ~]# ssh -p 2222 root@172.16.0.254
The authenticity of host '[172.16.0.254]:2222 ([172.16.0.254]:2222)' can't be established.
ECDSA key fingerprint is SHA256:klAqN92d6UnV80L99E5TxQHBxFDMSk9HNcL7E4DsKdY.
ECDSA key fingerprint is MD5:9d:56:7a:12:32:fd:df:b6:9e:6d:4c:9e:1a:72:a0:78.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.16.0.254]:2222' (ECDSA) to the list of known hosts.
root@172.16.0.254's password:
[root@server1 ~]#
</code>
* server2 connects to port 2222 on the ipa/router VM.
* The firewall port forward rule forwards the connection to port 22 on server1.
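The following audit script is an added example (not part of this wiki page) that checks whether the router's external zone actually ends up in the state the masquerading and port forwarding steps above describe. It assumes the firewall-cmd --list-all output layout of RHEL 7, and the two listings it feeds itself are constructed samples, so it runs offline; on the real router you would pass it the live listing instead.

```shell
#!/bin/sh
# Offline audit of the router's "external" zone (added example, not from this page).
# Real use on ipa:  audit_external_zone "$(firewall-cmd --zone=external --list-all)"
# The listings below are CONSTRUCTED samples in the firewall-cmd --list-all layout.

# State the NAT and Port Forwarding sections expect on the router
EXPECTED_FWD='port=2222:proto=tcp:toport=22:toaddr=10.0.0.1'

# Constructed: zone as it should look after --add-masquerade and --add-forward-port
SAMPLE_OK='external (active)
  target: default
  interfaces: enp0s9
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports: port=2222:proto=tcp:toport=22:toaddr=10.0.0.1
  rich rules:
'
# Constructed: the common mistake of adding rules with --permanent but never reloading
SAMPLE_STALE=$(printf '%s' "$SAMPLE_OK" | sed -e 's/masquerade: yes/masquerade: no/' \
                                             -e 's/forward-ports: .*/forward-ports:/')

# field NAME LISTING: print the value after "NAME:" in a --list-all listing
field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# audit_external_zone LISTING: returns 0 only if masquerade is on and the forward is present
audit_external_zone() {
    rc=0
    if [ "$(field masquerade "$1")" != "yes" ]; then
        echo "FAIL: masquerade is off in the external zone"; rc=1
    fi
    case " $(field forward-ports "$1") " in
        *" $EXPECTED_FWD "*) ;;
        *) echo "FAIL: forward port $EXPECTED_FWD missing (forgot --reload?)"; rc=1 ;;
    esac
    # Informational: ssh here exposes the router's own sshd on tcp/22, separate from the 2222 forward
    case " $(field services "$1") " in
        *" ssh "*) echo "NOTE: ssh service is open in the external zone (router sshd reachable)" ;;
    esac
    return $rc
}

audit_external_zone "$SAMPLE_OK" && echo "external zone matches the lab"
audit_external_zone "$SAMPLE_STALE" || echo "external zone needs fixing"
```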
----