
Use Firewalld And Associated Mechanisms Such As Rich Rules Zones And Custom Rules To Implement Packet Filtering And Configure Network Address Translation Nat

General Information

Firewalld replaces the iptables service as the default firewall front end. Like iptables, it manages rules in the kernel's netfilter framework.

It differs from iptables in that it allows configuration changes without stopping current connections, and it is a zone-based firewall.


Lab Setup

The following virtual machines will be used:

  • server1 (192.168.1.150) → Will be the internal system
    • Add 1 interface for internal: 10.0.0.1/24
  • server2 (192.168.1.151) → Will be the external system
    • Add 1 interface for external: 172.16.0.1/24
  • ipa (192.168.1.152) → Will be the “router”
    • Add 2 interfaces
      • Internal: 10.0.0.254/24
      • External: 172.16.0.254/24

Virtualbox example for adding interfaces

  • Pre-Req: VMs must be powered off
  • Select the VM
  • In the top bar, click “Settings”
    • On the left navigation, select “Network”
      • In the middle pane, click “Adapter 2”
        • Check “Enable Network Adapter”
        • Attached to: Internal Network
      • Repeat for each VM
      • Add “Adapter 3” for the ipa/router VM
  • Power on all VMs
  • server1 (192.168.1.150) → Will be the internal system
    • IP for internal: 10.0.0.1/24
      # Renamed connection to match device
      nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
       
      # Set IP info
      nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 10.0.0.1/24 ipv4.gateway 10.0.0.254
       
      # Bring interface up
      nmcli con up enp0s8
    • Route for server1 to reach server2
      vim /etc/sysconfig/static-routes 
      any net 172.16.0.0/24 gw 10.0.0.254 dev enp0s8
       
      #save, then restart the network service
      systemctl restart network
  • server2 (192.168.1.151) → Will be the external system
    • IP for external: 172.16.0.1/24
      # Renamed connection to match device
      nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
       
      # Set IP info and assign device to connection
      nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 172.16.0.1/24 ipv4.gateway 172.16.0.254
       
      # Bring interface up
      nmcli con up enp0s8
    • Route for server2 to reach server1
      vim /etc/sysconfig/static-routes 
      any net 10.0.0.0/24 gw 172.16.0.254 dev enp0s8
       
      #save, then restart the network service
      systemctl restart network
  • ipa (192.168.1.152) → Will be the “router”
    • IPs for the two interfaces
      • Internal: 10.0.0.254/24
        # Renamed connection to match device
        nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
         
        # Set IP info
        nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 10.0.0.254/24
         
        # Bring interface up
        nmcli con up enp0s8
      • External: 172.16.0.254/24
        # Renamed connection to match device
        nmcli con mod Wired\ connection\ 2 con-name enp0s9 ifname enp0s9
         
        # Set IP info
        nmcli con mod enp0s9 ipv4.method manual ipv4.addresses 172.16.0.254/24
         
        # Bring interface up
        nmcli con up enp0s9

Help

Finding help in this section.

  • Firewalld Rich Rules
    man firewalld.richlanguage
  • Firewall Cmd Man page (forward ports)
    man firewall-cmd

Firewalld Service

Ensure it is running

systemctl status firewalld

Forwarding: Multiple Interfaces

If you have multiple interfaces and need to forward packets through them, IP Forwarding needs to be enabled.


Enable ip forwarding (on ipa/the router)

vim /etc/sysctl.d/router.conf
 
# Enable IP Forwarding to other interfaces
net.ipv4.ip_forward=1


Load changes from all locations

sysctl --system


Verify

sysctl -a | grep ip_forward

Packet Filtering

Open http (tcp/80)

firewall-cmd --permanent --add-service=http
firewall-cmd --reload

Firewall-cmd zone commands.

Show default zone

firewall-cmd --get-default-zone


Active Zones (interfaces or sources assigned)

firewall-cmd --get-active-zones


Show all zones

firewall-cmd --get-zones


List config of all zones

firewall-cmd --list-all-zones


Create rule for a specific zone

firewall-cmd --permanent --zone=work --add-source=192.168.1.151
firewall-cmd --permanent --zone=work --add-service=http
firewall-cmd --reload

Setting zones for the router (ipa) system.

  • Add enp0s8 to internal
    firewall-cmd --permanent --add-interface=enp0s8 --zone=internal
  • Add enp0s9 to external
    firewall-cmd --permanent --add-interface=enp0s9 --zone=external


Note: As of RHEL 7.4, you do not need to execute the removal command/network script update like you did in earlier versions. Listed below just in case you get an older version on the exam.

  • Removal example
    firewall-cmd --remove-interface=enp0s8 --zone=public
  • Network script update example
    nmcli con mod enp0s8 connection.zone internal

Custom Service

  • Built-in service definitions: /usr/lib/firewalld/services/
  • Custom services / overrides: /etc/firewalld/services/

Copy a built in service file

cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/leetservice.xml


Edit it, then reload the firewall

vim /etc/firewalld/services/leetservice.xml
 
<make changes, save, quit>
 
firewall-cmd --reload
  • Note: Since the file was copied, the SELinux file context should have been copied as well.
    • View
      ls -lZ /etc/firewalld/services/leetservice.xml
    • Restore if needed
      restorecon -v /etc/firewalld/services/leetservice.xml


Custom service can now be viewed and used

firewall-cmd --get-services
 
firewall-cmd --permanent --add-service=leetservice
firewall-cmd --reload
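The page leaves the actual edit of the copied ssh.xml as "make changes, save, quit". The script below is an added example (not from this wiki page or the firewalld project) that generates the service file from a port list instead, so the XML is always well-formed, and then performs the same reload/SELinux steps. The name leetservice is the page's placeholder; the ports passed in the usage comment are made up for the demo, and SERVICE_DIR can be pointed at a scratch directory to preview the file without touching /etc.

```shell
#!/bin/sh
# Added example (not from the wiki page): generate a firewalld service
# definition instead of hand-editing a copied ssh.xml.
# Assumptions: "leetservice" is the page's placeholder name; SERVICE_DIR
# defaults to the override directory the page names and can be set to a
# scratch directory for testing.

# make_service_xml NAME DESCRIPTION PORT/PROTO [PORT/PROTO ...]
# Validates every PORT/PROTO spec first, then writes NAME.xml in the
# layout firewalld's service loader expects and prints the path.
make_service_xml() {
    name="$1"
    desc="$2"
    shift 2
    dir="${SERVICE_DIR:-/etc/firewalld/services}"
    [ $# -ge 1 ] || { echo "need at least one PORT/PROTO" >&2; return 1; }
    for spec in "$@"; do
        port="${spec%/*}"      # "2222/tcp" -> "2222" (ranges such as 2000-2010 pass through)
        proto="${spec#*/}"     # "2222/tcp" -> "tcp"
        case "$proto" in
            tcp|udp|sctp|dccp) ;;
            *) echo "unsupported protocol in '$spec'" >&2; return 1 ;;
        esac
        case "$port" in
            *[!0-9-]*|"") echo "bad port in '$spec'" >&2; return 1 ;;
        esac
    done
    file="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>%s</description>\n' "$desc"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file"
    echo "$file"
}

# install_service NAME: the steps the page performs after editing the
# file. Runs only where firewall-cmd exists, i.e. on the firewall host.
install_service() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found, skipping" >&2; return 0; }
    # keep the SELinux context right, as the page's note recommends
    command -v restorecon >/dev/null 2>&1 && restorecon -v "${SERVICE_DIR:-/etc/firewalld/services}/$1.xml"
    firewall-cmd --reload
    firewall-cmd --info-service="$1"   # confirm firewalld parsed the new file
}

# Usage on the firewall host (ports made up for the demo):
#   make_service_xml leetservice "Example service" 2222/tcp 2222/udp && install_service leetservice
```

The validation runs before anything is written, so a typo in a port spec leaves no half-written file behind for firewalld to choke on at the next reload.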

Rich Rules

Rich rules allow you to create allow or deny rules in order to define:

  • Logging
  • Port forwarding
  • Masquerading
  • Rate limiting
  • Connections for one specific zone

Rich rule help/examples

man firewalld.richlanguage
  • All examples start with 'rule'
  • The entire string is quoted inside of the --add-rich-rule=' ' argument to a firewall-cmd command.

Log SSH Attempts

firewall-cmd --zone=public --add-rich-rule='rule service name="ssh" log prefix="SSH Attempt: " level="notice" limit value="5/m" accept'


ICMP traffic

firewall-cmd --zone=public --add-rich-rule='rule protocol value=icmp accept'


Extending the HTTP Rule

firewall-cmd --permanent --zone=home --add-rich-rule='rule family=ipv4 source address=192.168.1.151 service name="http" log level=notice prefix="NEW HTTP RULE " limit value="100/s" accept'
firewall-cmd --reload
  • family=ipv4 → required to specify an address family when including IP addresses as a source or destination
  • source address=192.168.1.151 → Where the HTTP connection attempt is coming from
  • service name=http → http service (tcp/80)
  • log level=notice → Change log level of http access
  • prefix → Add this text to the front of the log
  • limit value → Limit the amount of logged connection attempts to 100 a second
  • accept → Accept the connection
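Both logging rules above (the SSH rule with prefix "SSH Attempt: " and the HTTP rule with prefix "NEW HTTP RULE ") hand matching packets to netfilter's LOG target, which writes one kernel-log line per logged packet: the prefix followed by IN=/OUT=/SRC=/DST=/PROTO=/DPT= fields. The script below is an added example (not from the wiki page) that summarizes those lines per source and destination port. The log lines in SAMPLE_LOG are constructed for the demo using the lab's addresses; on a real host feed it `journalctl -k` or /var/log/messages instead.

```shell
#!/bin/sh
# Added example (not from the wiki page): summarize what the logging
# rich rules record. SAMPLE_LOG is constructed for this demo and mimics
# the kernel-log lines the LOG target produces for the page's prefixes.

SAMPLE_LOG='Jun  5 12:00:01 server1 kernel: SSH Attempt: IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=192.168.1.151 DST=192.168.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  5 12:00:02 server1 kernel: SSH Attempt: IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=192.168.1.151 DST=192.168.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  5 12:00:03 server1 kernel: SSH Attempt: IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:11:22:33:08:00 SRC=192.168.1.152 DST=192.168.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  5 12:00:04 server1 kernel: SSH Attempt: IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=192.168.1.151 DST=192.168.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40004 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  5 12:00:05 server1 kernel: NEW HTTP RULE IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=192.168.1.151 DST=192.168.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40005 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0'

# summarize_log PREFIX: reads log lines on stdin, keeps those carrying
# PREFIX, prints "SRC DPT count" per source/port, most frequent first.
summarize_log() {
    grep -F "kernel: $1" | awk '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") count[src " " dpt]++
        }
        END { for (k in count) print k, count[k] }' | sort -k3,3nr -k1,1
}

# logged_count PREFIX: total logged lines for PREFIX on stdin. The rule's
# limit clause (5/m and 100/s in the rules above) caps what gets logged,
# so this counts what the limiter let through, not every attempt.
logged_count() {
    grep -cF "kernel: $1" || true
}

# Usage on a real host:  journalctl -k | summarize_log 'SSH Attempt: '
```

Because the limit clause drops log entries beyond the configured rate, a low count for a source does not mean few attempts; it means few logged attempts. Raise the limit on the rule before drawing conclusions from absolute numbers.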

NAT

Network Address Translation.

Prerequisites

Masquerading is often done when a private network is going out to an external network (the internet) through a gateway.

A server that has both an external and internal interface that is acting as a gateway provides the NAT Masquerading.

The masquerading is configured on the external zone/interface.


Configure masquerading for hosts in a zone

firewall-cmd --permanent --zone=external --add-masquerade
firewall-cmd --reload


Additional Example: Masquerading for specific source addresses

firewall-cmd --permanent --zone=external --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 masquerade'

Port forwarding allows external systems to access internal systems.

They come in from external on one port, and get forwarded to an internal system on a different port.


Forward a connection from external 172.16.0.254 (ipa/router) on port tcp/2222 to internal 10.0.0.1 (server1) on port tcp/22

firewall-cmd --permanent --zone=external --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=10.0.0.1
firewall-cmd --reload


Test the connection from server2

[root@server2 ~]# ssh -p 2222 root@172.16.0.254
 
The authenticity of host '[172.16.0.254]:2222 ([172.16.0.254]:2222)' can't be established.
ECDSA key fingerprint is SHA256:klAqN92d6UnV80L99E5TxQHBxFDMSk9HNcL7E4DsKdY.
ECDSA key fingerprint is MD5:9d:56:7a:12:32:fd:df:b6:9e:6d:4c:9e:1a:72:a0:78.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.16.0.254]:2222' (ECDSA) to the list of known hosts.
root@172.16.0.254's password:
[root@server1 ~]#
  • server2 connects to port 2222 on the ipa/router VM.
  • The firewall port forward rule forwards the connection to port 22 on server1
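The port forward only works when all three pieces from the sections above are in place on the router: ip_forward enabled, masquerade on the external zone, and the forward-port entry in the zone that actually holds enp0s9. The script below is an added example (not from the wiki page) that audits those pieces from the output of `firewall-cmd --zone=external --list-all` and `sysctl -n net.ipv4.ip_forward`. SAMPLE_LISTING is constructed to look like that output on the lab's ipa VM; live_audit runs the same checks on the real system and does nothing where firewall-cmd is absent.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit the router's NAT setup.
# SAMPLE_LISTING is constructed to mimic `firewall-cmd --zone=external
# --list-all` on the lab's ipa VM after the page's commands were applied.

SAMPLE_LISTING='external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s9
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: port=2222:proto=tcp:toport=22:toaddr=10.0.0.1
  source-ports: 
  icmp-blocks: 
  rich rules: '

# audit_nat LISTING IP_FORWARD IFACE FORWARD_SPEC
#   LISTING      text of `firewall-cmd --zone=<zone> --list-all`
#   IP_FORWARD   value of `sysctl -n net.ipv4.ip_forward`
#   IFACE        interface that must be bound to this zone
#   FORWARD_SPEC forward-port entry that must be present
# Prints one line per problem; returns 0 only when everything checks out.
audit_nat() {
    listing="$1"; ipfwd="$2"; iface="$3"; fwd="$4"
    rc=0
    [ "$ipfwd" = "1" ] \
        || { echo "net.ipv4.ip_forward is '$ipfwd': the kernel will not route between interfaces"; rc=1; }
    printf '%s\n' "$listing" | grep -q '(active)' \
        || { echo "zone is not active (no interface or source bound to it)"; rc=1; }
    printf '%s\n' "$listing" | grep -Eq "^ *interfaces:( .*)? $iface( |$)" \
        || { echo "interface $iface is not in this zone"; rc=1; }
    printf '%s\n' "$listing" | grep -q '^ *masquerade: yes' \
        || { echo "masquerade is off: internal hosts would leave with private source addresses"; rc=1; }
    printf '%s\n' "$listing" | grep -qF "$fwd" \
        || { echo "forward-port $fwd is missing"; rc=1; }
    return "$rc"
}

# live_audit: the same checks against the running system (router only).
live_audit() {
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; nothing to audit" >&2
        return 0
    fi
    audit_nat "$(firewall-cmd --zone=external --list-all)" \
              "$(sysctl -n net.ipv4.ip_forward)" \
              enp0s9 port=2222:proto=tcp:toport=22:toaddr=10.0.0.1
}

# Usage on the router:  live_audit && echo "NAT setup looks complete"
```

Run live_audit after `firewall-cmd --reload`; the runtime listing is what matters, since a --permanent change that was never reloaded will not show up in it.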

Last modified: 2019/05/25 23:50