General Information
Firewalld replaces the iptables service as the front end to the netfilter kernel code.
It differs from iptables in that configuration changes can be applied without dropping current connections, and it is a zone-based firewall.
The following virtual machines will be used:
Virtualbox example for adding interfaces
# server1 (10.0.0.1, on the internal side of the router)
# Rename the connection to match the device
nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
# Set IP info
nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 10.0.0.1/24 ipv4.gateway 10.0.0.254
# Bring the interface up
nmcli con up enp0s8

vim /etc/sysconfig/static-routes
any net 172.16.0.0/24 gw 10.0.0.254 dev enp0s8
# save, then restart the network service
systemctl restart network

# server2 (172.16.0.1, assumed to be the host on the external side that runs the test at the end of these notes)
# Rename the connection to match the device
nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
# Set IP info and assign the device to the connection
nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 172.16.0.1/24 ipv4.gateway 172.16.0.254
# Bring the interface up
nmcli con up enp0s8

vim /etc/sysconfig/static-routes
any net 10.0.0.0/24 gw 172.16.0.254 dev enp0s8
# save, then restart the network service
systemctl restart network

# ipa (the router: 10.0.0.254 on enp0s8, 172.16.0.254 on enp0s9)
# Rename the connection to match the device
nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
# Set IP info
nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 10.0.0.254/24
# Bring the interface up
nmcli con up enp0s8

# Rename the second connection to match its device
nmcli con mod Wired\ connection\ 2 con-name enp0s9 ifname enp0s9
# Set IP info
nmcli con mod enp0s9 ipv4.method manual ipv4.addresses 172.16.0.254/24
# Bring the interface up
nmcli con up enp0s9
Finding help for this section:
man firewalld.richlanguage
man firewall-cmd
Ensure it's running
systemctl status firewalld
If the system has multiple interfaces and must forward packets between them, IP forwarding needs to be enabled.
Enable IP forwarding (on ipa, the router)
vim /etc/sysctl.d/router.conf
# Enable IP forwarding between interfaces
net.ipv4.ip_forward=1
Load changes from all locations
sysctl --system
Verify
sysctl -a | grep ip_forward
Open http (tcp/80)
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
firewall-cmd zone commands
Show default zone
firewall-cmd --get-default-zone
Active Zones (interfaces or sources assigned)
firewall-cmd --get-active-zones
Show all zones
firewall-cmd --get-zones
List config of all zones
firewall-cmd --list-all-zones
Create a rule for a specific zone
firewall-cmd --permanent --zone=work --add-source=192.168.1.151
firewall-cmd --permanent --zone=work --add-service=http
firewall-cmd --reload
Setting zones for the router (ipa) system.
firewall-cmd --permanent --add-interface=enp0s8 --zone=internal
firewall-cmd --permanent --add-interface=enp0s9 --zone=external
Note: As of RHEL 7.4 you no longer need to run the removal command and update the network script as you did in earlier versions. They are listed below just in case you get an older version on the exam.
firewall-cmd --remove-interface=enp0s8 --zone=public
nmcli con mod enp0s8 connection.zone internal
Copy a built-in service file
cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/leetservice.xml
Edit it, then reload the firewall
vim /etc/firewalld/services/leetservice.xml
<make changes, save, quit>
firewall-cmd --reload
Check the SELinux context of the new file and restore it if it does not match the directory's default
ls -lZ /etc/firewalld/services/leetservice.xml
restorecon -v /etc/firewalld/services/leetservice.xml
The custom service can now be viewed and used
firewall-cmd --get-services
firewall-cmd --permanent --add-service=leetservice
firewall-cmd --reload
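Added example (not part of the original notes): instead of hand-editing the copied ssh.xml, generate the service definition from parameters so the short name and ports always match the file name. The function, the "leetservice" name and the tcp/udp 2222 ports are constructed for illustration; the destination directory is passed in so it can be tried outside /etc/firewalld.

```shell
#!/bin/sh
# Added example: generate a firewalld service file from a name and port list.
# Assumed/constructed: write_service and count_ports are illustration helpers;
# "leetservice" and the ports in the usage line are made up.
set -eu

# write_service NAME DEST_DIR PORT[/PROTO]...  -> writes DEST_DIR/NAME.xml
write_service() {
    name=$1; dest=$2; shift 2
    file="$dest/$name.xml"
    {
        echo '<?xml version="1.0" encoding="utf-8"?>'
        echo '<service>'
        echo "  <short>$name</short>"
        echo "  <description>Custom service $name (generated)</description>"
        for spec in "$@"; do
            port=${spec%%/*}
            proto=${spec#*/}
            [ "$proto" = "$spec" ] && proto=tcp   # no "/proto" given: default to tcp
            echo "  <port protocol=\"$proto\" port=\"$port\"/>"
        done
        echo '</service>'
    } > "$file"
    # keep the file root-readable only by default; firewalld does not need it writable
    chmod 0644 "$file"
    printf '%s\n' "$file"
}

# count_ports FILE -> number of <port .../> elements in a service file
count_ports() {
    grep -c '<port ' "$1"
}

# Usage on the router, then reload and add the service as in the notes:
#   write_service leetservice /etc/firewalld/services 2222/tcp 2222/udp
#   firewall-cmd --reload && firewall-cmd --permanent --add-service=leetservice
```

Files in /etc/firewalld/services override a built-in service of the same name, so check firewall-cmd --get-services after the reload to confirm the new name appears.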
Rich rules allow you to create allow or deny rules that combine more conditions than a plain service or port rule.
Rich rule help and examples
man firewalld.richlanguage
Log SSH attempts (runtime rule; add --permanent to keep it across reloads)
firewall-cmd --zone=public --add-rich-rule='rule service name="ssh" log prefix="SSH Attempt: " level="notice" limit value="5/m" accept'
Accept ICMP traffic (runtime rule, as above)
firewall-cmd --zone=public --add-rich-rule='rule protocol value=icmp accept'
Extending the HTTP rule
firewall-cmd --permanent --zone=home --add-rich-rule='rule family=ipv4 source address=192.168.1.151 service name="http" log level=notice prefix="NEW HTTP RULE " limit value="100/s" accept'
firewall-cmd --reload
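Added example (not from the original notes): the two logging rich rules above tag kernel log lines with the prefixes "SSH Attempt: " and "NEW HTTP RULE ", so the same script can summarise either rule's hits per source address. The functions and the sample log lines are constructed; on the router the input would be /var/log/messages or journalctl -k output.

```shell
#!/bin/sh
# Added example: summarise netfilter LOG lines written by the rich rules above.
# Assumed/constructed: count_by_source and top_source are illustration helpers;
# the sample log below is made up but follows the kernel's LOG line format.
set -e

# count_by_source PREFIX LOGFILE -> "SRC count" per source address, busiest first
count_by_source() {
    prefix=$1; log=$2
    awk -v p="$prefix" '
        index($0, p) > 0 {                  # only lines carrying this rule prefix
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { src = substr($i, 5); n[src]++ }
        }
        END { for (s in n) print s, n[s] }' "$log" | sort -k2,2nr -k1,1
}

# top_source PREFIX LOGFILE -> the address with the most logged hits for PREFIX
top_source() {
    count_by_source "$1" "$2" | head -n 1 | cut -d' ' -f1
}

# Constructed sample of what the router logs once the rules are in place.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:15:01 ipa kernel: SSH Attempt: IN=enp0s9 OUT= SRC=172.16.0.1 DST=172.16.0.254 PROTO=TCP SPT=45678 DPT=22 SYN
Mar  3 10:15:02 ipa kernel: SSH Attempt: IN=enp0s9 OUT= SRC=172.16.0.1 DST=172.16.0.254 PROTO=TCP SPT=45679 DPT=22 SYN
Mar  3 10:15:03 ipa kernel: SSH Attempt: IN=enp0s8 OUT= SRC=10.0.0.1 DST=10.0.0.254 PROTO=TCP SPT=50001 DPT=22 SYN
Mar  3 10:15:04 ipa kernel: NEW HTTP RULE IN=enp0s8 OUT= SRC=192.168.1.151 DST=10.0.0.254 PROTO=TCP SPT=50002 DPT=80 SYN
EOF

# On the router: count_by_source "SSH Attempt: " /var/log/messages
count_by_source "SSH Attempt: " "$SAMPLE_LOG"
```

Because the SSH rule carries limit value="5/m", at most five lines per minute are logged, so these counts are a lower bound during a burst, not the true connection count.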
Network Address Translation
Prerequisites
Masquerading is typically used when a private network reaches an external network (the internet) through a gateway.
A server with both an external and an internal interface, acting as that gateway, performs the NAT masquerading.
Masquerading is configured on the external zone/interface.
Configure masquerading for hosts in a zone
firewall-cmd --permanent --zone=external --add-masquerade
firewall-cmd --reload
Additional example: masquerading only for specific source addresses
firewall-cmd --permanent --zone=external --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 masquerade'
firewall-cmd --reload
Port forwarding allows external systems to reach internal systems.
Connections arrive on the external interface on one port and are forwarded to an internal system, optionally on a different port.
Forward a connection arriving at external 172.16.0.254 (ipa/router) on tcp/2222 to internal 10.0.0.1 (server1) on tcp/22
firewall-cmd --permanent --zone=external --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=10.0.0.1
firewall-cmd --reload
Test the connection from server2 (the prompt changes to server1, showing the session was forwarded to 10.0.0.1)
[root@server2 ~]# ssh -p 2222 root@172.16.0.254
The authenticity of host '[172.16.0.254]:2222 ([172.16.0.254]:2222)' can't be established.
ECDSA key fingerprint is SHA256:klAqN92d6UnV80L99E5TxQHBxFDMSk9HNcL7E4DsKdY.
ECDSA key fingerprint is MD5:9d:56:7a:12:32:fd:df:b6:9e:6d:4c:9e:1a:72:a0:78.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.16.0.254]:2222' (ECDSA) to the list of known hosts.
root@172.16.0.254's password:
[root@server1 ~]#
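Added example (not from the original notes): before running the ssh test above, confirm the three things it depends on, namely masquerading on the external zone, net.ipv4.ip_forward=1, and the forward-port entry for tcp/2222. The check works from saved output of firewall-cmd --zone=external --list-all and a copy of /proc/sys/net/ipv4/ip_forward rather than calling firewall-cmd itself; the helper names and the sample listing are constructed.

```shell
#!/bin/sh
# Added example: verify the router-side prerequisites for the port-forward test.
# Assumed/constructed: forward_target and check_router are illustration helpers;
# LISTING holds "firewall-cmd --zone=external --list-all" output (sample below
# is made up) and FWD_FILE is a copy of /proc/sys/net/ipv4/ip_forward.
set -e

# forward_target LISTING PORT PROTO -> prints "toaddr:toport" for the matching
# forward-ports entry, or nothing if no such rule is present
forward_target() {
    awk -v want="port=$2:proto=$3:" '
        $1 == "forward-ports:" {
            for (i = 2; i <= NF; i++) if (index($i, want) == 1) {
                split($i, kv, ":")          # port=..:proto=..:toport=..:toaddr=..
                for (j in kv) { split(kv[j], f, "="); v[f[1]] = f[2] }
                print v["toaddr"] ":" v["toport"]
            }
        }' "$1"
}

# check_router LISTING FWD_FILE PORT PROTO -> 0 when every prerequisite holds,
# otherwise prints what is missing and returns 1
check_router() {
    ok=0
    grep -q '^ *masquerade: yes' "$1" || { echo "masquerade is off in the zone"; ok=1; }
    [ "$(cat "$2")" = "1" ] || { echo "net.ipv4.ip_forward is not 1"; ok=1; }
    [ -n "$(forward_target "$1" "$3" "$4")" ] || { echo "no forward-port for $4/$3"; ok=1; }
    return $ok
}

# Constructed sample matching the rules configured in the notes.
LISTING=$(mktemp); FWD=$(mktemp)
cat > "$LISTING" <<'EOF'
external (active)
  target: default
  interfaces: enp0s9
  services: ssh
  masquerade: yes
  forward-ports: port=2222:proto=tcp:toport=22:toaddr=10.0.0.1
  rich rules:
EOF
echo 1 > "$FWD"

# On the router: firewall-cmd --zone=external --list-all > /tmp/ext.txt
check_router "$LISTING" "$FWD" 2222 tcp && echo "ok: tcp/2222 -> $(forward_target "$LISTING" 2222 tcp)"
```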