====== Use Firewalld And Associated Mechanisms Such As Rich Rules Zones And Custom Rules To Implement Packet Filtering And Configure Network Address Translation Nat ======

**General Information**

Firewalld replaces iptables. It connects to the netfilter kernel code. It differs from iptables in that it allows configuration changes without stopping current connections, and it is a zone based firewall.

----

====== Lab Setup ======

The following virtual machines will be used:
  * server1 (192.168.1.150) -> Will be the internal system
    * Add 1 interface for **internal**: 10.0.0.1/24
  * server2 (192.168.1.151) -> Will be the external system
    * Add 1 interface for **external**: 172.16.0.1/24
  * ipa (192.168.1.152) -> Will be the "router"
    * Add 2 interfaces
      * **Internal**: 10.0.0.254/24
      * **External**: 172.16.0.254/24

===== Adding Interfaces =====

VirtualBox example for adding interfaces
  * Pre-req: VMs must be powered off
  * Select the VM
  * In the top bar, click "Settings"
  * On the left navigation, select "Network"
  * In the middle pane, click "Adapter 2"
  * Check "Enable Network Adapter"
  * Attached to: Internal Network
  * Repeat for each VM
  * Add "Adapter 3" for the ipa/router VM
  * Power on all VMs

===== Configure Interfaces =====

  * server1 (192.168.1.150) -> Will be the internal system
    * IP for **internal**: 10.0.0.1/24
<code bash>
# Rename the connection to match the device
nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
# Set IP info
nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 10.0.0.1/24 ipv4.gateway 10.0.0.254
# Bring the interface up
nmcli con up enp0s8
</code>
    * Route for server1 to reach server2
<code bash>
vim /etc/sysconfig/static-routes
# Add this line to the file:
any net 172.16.0.0/24 gw 10.0.0.254 dev enp0s8
# Save, then restart the network service
systemctl restart network
</code>
  * server2 (192.168.1.151) -> Will be the external system
    * IP for **external**: 172.16.0.1/24
<code bash>
# Rename the connection to match the device
nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
# Set IP info and assign the device to the connection
nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 172.16.0.1/24 ipv4.gateway 172.16.0.254
# Bring the interface up
nmcli con up enp0s8
</code>
    * Route for server2 to reach server1
<code bash>
vim /etc/sysconfig/static-routes
# Add this line to the file:
any net 10.0.0.0/24 gw 172.16.0.254 dev enp0s8
# Save, then restart the network service
systemctl restart network
</code>
  * ipa (192.168.1.152) -> Will be the "router"
    * IPs for
      * **Internal**: 10.0.0.254/24
<code bash>
# Rename the connection to match the device
nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
# Set IP info
nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 10.0.0.254/24
# Bring the interface up
nmcli con up enp0s8
</code>
      * **External**: 172.16.0.254/24
<code bash>
# Rename the connection to match the device
nmcli con mod Wired\ connection\ 2 con-name enp0s9 ifname enp0s9
# Set IP info
nmcli con mod enp0s9 ipv4.method manual ipv4.addresses 172.16.0.254/24
# Bring the interface up
nmcli con up enp0s9
</code>

----

====== Help ======

Finding help in this section.
  * Firewalld rich rules
<code bash>man firewalld.richlanguage</code>
  * firewall-cmd man page (forward ports)
<code bash>man firewall-cmd</code>

----

====== Firewalld Service ======

Ensure it is running
<code bash>systemctl status firewalld</code>

----

====== Forwarding: Multiple Interfaces ======

If the router has multiple interfaces and needs to forward packets between them, IP forwarding must be enabled.

Enable IP forwarding (**on ipa/the router**)
<code bash>
vim /etc/sysctl.d/router.conf
# Enable IP forwarding to other interfaces
net.ipv4.ip_forward=1
</code>

Load changes from all locations
<code bash>sysctl --system</code>

Verify
<code bash>sysctl -a | grep ip_forward</code>

----

====== Packet Filtering ======

Open http (tcp/80)
<code bash>
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
</code>

===== Zones =====

firewall-cmd zone commands.
==== General Commands ====

Show default zone
<code bash>firewall-cmd --get-default-zone</code>

Active zones (interfaces or sources assigned)
<code bash>firewall-cmd --get-active-zones</code>

Show all zones
<code bash>firewall-cmd --get-zones</code>

List config of all zones
<code bash>firewall-cmd --list-all-zones</code>

Create a rule for a specific zone
<code bash>
firewall-cmd --permanent --zone=work --add-source=192.168.1.151
firewall-cmd --permanent --zone=work --add-service=http
firewall-cmd --reload
</code>

==== Lab: Set Zones for Router ====

Setting zones for the router (ipa) system.
  * Add enp0s8 to internal
<code bash>firewall-cmd --permanent --add-interface=enp0s8 --zone=internal</code>
  * Add enp0s9 to external
<code bash>firewall-cmd --permanent --add-interface=enp0s9 --zone=external</code>

**Note:** As of RHEL 7.4, you **do not** need to execute the removal command/network script update like you did in earlier versions. Listed below just in case you get an older version on the exam.
  * Removal example
<code bash>firewall-cmd --remove-interface=enp0s8 --zone=public</code>
  * Network script update example
<code bash>nmcli con mod enp0s8 connection.zone internal</code>

----

====== Custom Service ======

  * Built-in rules: /usr/lib/firewalld/services/
  * Custom rules/overrides: /etc/firewalld/services/

Copy a built-in service file
<code bash>cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/leetservice.xml</code>

Edit it, then reload the firewall
<code bash>
vim /etc/firewalld/services/leetservice.xml
firewall-cmd --reload
</code>
  * **Note**: Since the file was copied into /etc/firewalld/services/, it should already carry the correct SELinux file context. View it, and restore it if needed.
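As an added example for the custom service above (not code from the original page): instead of hand-editing the copied ssh.xml, generate the service file in the format firewalld uses under /usr/lib/firewalld/services/ and read back the ports it opens. The output directory is a parameter so it can be tried outside /etc/firewalld/services/ without root; "leetservice" is this page's name, the ports are constructed sample values.

```shell
#!/bin/sh
# Added example: generate a firewalld custom service file and read back its ports.
# Layout matches the stock files under /usr/lib/firewalld/services/ (<service>,
# <short>, <description>, <port protocol= port=/>). Names are assumed XML-safe.

# write_service_xml <outdir> <name> <description> <proto/port>...
# Validates every port spec before writing anything, so a bad spec never leaves a
# half-written file for firewalld to choke on at --reload. Prints the file path.
write_service_xml() {
    [ $# -ge 4 ] || { echo "usage: write_service_xml outdir name desc proto/port..." >&2; return 1; }
    outdir=$1; name=$2; desc=$3; shift 3
    for spec in "$@"; do
        case $spec in
            tcp/[0-9]*|udp/[0-9]*) ;;
            *) echo "bad port spec: $spec (want tcp/N or udp/N[-M])" >&2; return 1 ;;
        esac
    done
    file="$outdir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec%%/*}" "${spec#*/}"
        done
        printf '</service>\n'
    } > "$file" || return 1
    printf '%s\n' "$file"
}

# service_ports <file>: print the proto/port pairs a service file opens, space separated,
# e.g. "tcp/8080 tcp/8443". Confirms what --add-service=<name> will actually open.
service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\1\/\2/p' "$1" \
        | tr '\n' ' ' | sed 's/ $//'
}

# Demo in a temporary directory; on the router the target is /etc/firewalld/services/
# followed by firewall-cmd --reload (and restorecon -v on the new file if ls -lZ looks wrong).
demo_dir=$(mktemp -d)
demo_file=$(write_service_xml "$demo_dir" leetservice "Custom lab service" tcp/8080 tcp/8443)
echo "wrote $demo_file opening: $(service_ports "$demo_file")"
```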
  * View
<code bash>ls -lZ /etc/firewalld/services/leetservice.xml</code>
  * Restore if needed
<code bash>restorecon -v /etc/firewalld/services/leetservice.xml</code>

The custom service can now be viewed and used
<code bash>
firewall-cmd --get-services
firewall-cmd --permanent --add-service=leetservice
firewall-cmd --reload
</code>

----

====== Rich Rules ======

Rich rules allow you to create allow or deny rules in order to define:
  * Logging
  * Port forwarding
  * Masquerading
  * Rate limiting
  * Connections for one specific zone

Rich rule help/examples
<code bash>man firewalld.richlanguage</code>
  * All examples start with 'rule'
  * The entire string is quoted inside of the --add-rich-rule=' ' argument to a firewall-cmd command.

===== Rich Rule Examples =====

Log SSH attempts
<code bash>firewall-cmd --zone=public --add-rich-rule='rule service name="ssh" log prefix="SSH Attempt: " level="notice" limit value="5/m" accept'</code>

ICMP traffic
<code bash>firewall-cmd --zone=public --add-rich-rule='rule protocol value=icmp accept'</code>

**Note:** The two rules above are added without --permanent, so they are runtime only and are lost on reload; add --permanent and reload to keep them.

Extending the HTTP rule
<code bash>
firewall-cmd --permanent --zone=home --add-rich-rule='rule family=ipv4 source address=192.168.1.151 service name="http" log level=notice prefix="NEW HTTP RULE " limit value="100/s" accept'
firewall-cmd --reload
</code>
  * family=ipv4 -> required to specify an address family when including IP addresses as a source or destination
  * source address=192.168.1.151 -> Where the HTTP connection attempt is coming from
  * service name=http -> http service (tcp/80)
  * log level=notice -> Change the log level of http access
  * prefix -> Add this text to the front of the log entry
  * limit value -> Limit the amount of logged connection attempts to 100 a second
  * accept -> Accept the connection

----

====== NAT ======

Network Address Translation.

**Prerequisites**
  * Two interfaces
  * [[linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat#multiple_interfaces|ip_forward must be enabled]] in order for NAT to work.
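Before moving on to NAT, an added example for the "Log SSH attempts" rich rule in the Rich Rules section above (not from the original page): it summarises the kernel log lines that rule's prefix produces, per source address. The log lines are constructed samples standing in for /var/log/messages on the router; the field layout (IN= SRC= DST= PROTO= DPT=) is the standard netfilter log format.

```shell
#!/bin/sh
# Added example: summarise the log lines generated by the "Log SSH Attempts" rich rule
# (prefix="SSH Attempt: "). Constructed sample lines; on the router read /var/log/messages.
SAMPLE_LOG='Mar  1 10:00:01 ipa kernel: SSH Attempt: IN=enp0s9 OUT= SRC=172.16.0.1 DST=172.16.0.254 PROTO=TCP SPT=40001 DPT=22 SYN
Mar  1 10:00:02 ipa kernel: SSH Attempt: IN=enp0s9 OUT= SRC=172.16.0.1 DST=172.16.0.254 PROTO=TCP SPT=40002 DPT=22 SYN
Mar  1 10:00:03 ipa kernel: SSH Attempt: IN=enp0s8 OUT= SRC=10.0.0.1 DST=10.0.0.254 PROTO=TCP SPT=50000 DPT=22 SYN
Mar  1 10:00:04 ipa kernel: NEW HTTP RULE IN=enp0s9 OUT= SRC=192.168.1.151 DST=172.16.0.254 PROTO=TCP SPT=40003 DPT=80 SYN'

# attempts_by_source <prefix>: read log lines on stdin, keep those carrying the rich
# rule's prefix, and print "count source" lines, busiest source first.
# Caveat: limit value="5/m" caps the *logging*, not the connections, so a count is a
# floor; a source sitting at the cap may have tried far more often than is recorded.
attempts_by_source() {
    grep -F "$1" \
        | sed -n 's/.*SRC=\([0-9.]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | sed 's/^ *//'
}

# noisy_sources <prefix> <threshold>: sources whose logged attempts reached the
# threshold, one address per line (input on stdin). Candidates for a tighter rule
# on the external zone.
noisy_sources() {
    attempts_by_source "$1" | while read -r count src; do
        if [ "$count" -ge "$2" ]; then printf '%s\n' "$src"; fi
    done
}

# Demo over the constructed sample; on the router:
#   attempts_by_source 'SSH Attempt: ' < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | attempts_by_source 'SSH Attempt: '
```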
===== Masquerading =====

Masquerading is often done when a private network is going out to an external network (the internet) through a gateway. A server that has both an external and an internal interface and is acting as a gateway provides the NAT masquerading. Masquerading is configured on the **external** zone/interface.

Configure masquerading for hosts in a zone
<code bash>
firewall-cmd --permanent --zone=external --add-masquerade
firewall-cmd --reload
</code>

Additional example: masquerading for specific source addresses
<code bash>firewall-cmd --permanent --zone=external --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 masquerade'</code>

===== Port Forwarding =====

Port forwarding allows external systems to access internal systems. Connections come in from the external side on one port and get forwarded to an internal system on a different port.

Forward a connection from external 172.16.0.254 (ipa/router) on port tcp/2222 to internal 10.0.0.1 (server1) on port tcp/22
<code bash>
firewall-cmd --permanent --zone=external --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=10.0.0.1
firewall-cmd --reload
</code>

Test the connection from server2
<code>
[root@server2 ~]# ssh -p 2222 root@172.16.0.254
The authenticity of host '[172.16.0.254]:2222 ([172.16.0.254]:2222)' can't be established.
ECDSA key fingerprint is SHA256:klAqN92d6UnV80L99E5TxQHBxFDMSk9HNcL7E4DsKdY.
ECDSA key fingerprint is MD5:9d:56:7a:12:32:fd:df:b6:9e:6d:4c:9e:1a:72:a0:78.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.16.0.254]:2222' (ECDSA) to the list of known hosts.
root@172.16.0.254's password:
[root@server1 ~]#
</code>
  * server2 connects to port 2222 on the ipa/router VM.
  * The firewall port forward rule forwards the connection to port 22 on server1.

----
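An added example (not from the original page) that audits the router's NAT state from captured command output rather than by eye: it takes the text of `sysctl net.ipv4.ip_forward` and `firewall-cmd --zone=external --list-all` and checks the pieces this lab configures (ip_forward, interface bound to external, masquerade, the forward-port rule). The samples are constructed in the RHEL 7 output layout; newer firewalld prints each forward-port on its own indented line, which this parser is not written for.

```shell
#!/bin/sh
# Added example: audit NAT state from captured output. Constructed samples in the
# RHEL 7 --list-all layout (one "  field: value" line per field).
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1'
SAMPLE_ZONE='external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s9
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: port=2222:proto=tcp:toport=22:toaddr=10.0.0.1
  source-ports: 
  icmp-blocks: 
  rich rules: '

# zone_field <dump> <field>: value of one "  field: value" line of --list-all output.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# audit_nat <sysctl_out> <zone_dump> <expected_forward>: return 0 when the port forward
# from this page can work; otherwise print each missing piece and return 1.
audit_nat() {
    sysctl_out=$1; zone_dump=$2; expected=$3; status=0
    case $sysctl_out in
        *"= 1") ;;
        *) echo "net.ipv4.ip_forward is not 1: packets will not be routed"; status=1 ;;
    esac
    [ -n "$(zone_field "$zone_dump" interfaces)" ] \
        || { echo "no interface bound to the external zone"; status=1; }
    [ "$(zone_field "$zone_dump" masquerade)" = yes ] \
        || { echo "masquerade is off: 10.0.0.0/24 hosts are not translated on the way out"; status=1; }
    case " $(zone_field "$zone_dump" forward-ports) " in
        *" $expected "*) ;;
        *) echo "forward-port rule missing: $expected"; status=1 ;;
    esac
    return $status
}

# Demo over the constructed samples; on the router pass "$(sysctl net.ipv4.ip_forward)"
# and "$(firewall-cmd --zone=external --list-all)" instead.
audit_nat "$SAMPLE_SYSCTL" "$SAMPLE_ZONE" 'port=2222:proto=tcp:toport=22:toaddr=10.0.0.1' \
    && echo "NAT configuration matches the lab"
```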