linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat

linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat [2018/03/29 23:18]
billdozor [Configure Interfaces]
linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat [2019/05/25 23:50]
Line 1: Line 1:
-====== Use Firewalld And Associated Mechanisms Such As Rich Rules Zones And Custom Rules To Implement Packet Filtering And Configure Network Address Translation Nat ====== 
- 
-**General Information** 
- 
-Firewalld replaces iptables. It connects to the netfilter kernel code. 
- 
-It differs from iptables in that it allows configuration changes without stopping current connections and it is a zone based firewall. 
- 
----- 
- 
-====== Lab Setup ====== 
- 
-The following virtual machines will be used: 
-  * server1 (192.168.1.150) -> Will be the internal system 
-    * Add 1 interface for **internal**: 10.0.0.1/24 
- 
-  * server2 (192.168.1.151) -> Will be the external system 
-    * Add 1 interface for **external**: 172.16.0.1/24 
- 
-  * ipa (192.168.1.152) -> Will be the "router" 
-    * Add 2 interfaces 
-      * **Internal**: 10.0.0.254/24 
-      * **External**: 172.16.0.254/24 
- 
-===== Adding Interfaces ===== 
- 
-Virtualbox example for adding interfaces 
-  * Pre-Req: VMs must be powered off 
-  * Select the VM 
-  * In the top bar, click "Settings" 
-    * On the left navigation, select "Network" 
-      * In the middle pane, click "Adapter 2" 
-        * Check "Enable Network Adapter" 
-        * Attached to: Internal Network 
-      * Repeat for each VM 
-      * Add "Adapter 3" for the ipa/router VM 
-  * Power on all VMs 
- 
-===== Configure Interfaces ===== 
- 
-  * server1 (192.168.1.150) -> Will be the internal system 
-    * IP for **internal**: 10.0.0.1/24<code bash># Renamed connection to match device 
-nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8 
- 
-# Set IP info 
-nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 10.0.0.1/24 ipv4.gateway 10.0.0.254 
- 
-# Bring interface up 
-nmcli con up enp0s8 
-</code> 
- 
-  * server2 (192.168.1.151) -> Will be the external system 
-    * IP for **external**: 172.16.0.1/24<code bash># Renamed connection to match device 
-nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8 
- 
-# Set IP info and assign device to connection 
-nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 172.16.0.1/24 ipv4.gateway 172.16.0.254 
- 
-# Bring interface up 
-nmcli con up enp0s8</code> 
- 
-  * ipa (192.168.1.152) -> Will be the "router" 
-    * IPs for 
-      * **Internal**: 10.0.0.254/24<code bash># Renamed connection to match device 
-nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8 
- 
-# Set IP info 
-nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 10.0.0.254/24 
- 
-# Bring interface up 
-nmcli con up enp0s8</code> 
-      * **External**: 172.16.0.254/24<code bash># Renamed connection to match device 
-nmcli con mod Wired\ connection\ 2 con-name enp0s9 ifname enp0s9 
- 
-# Set IP info 
-nmcli con mod enp0s9 ipv4.method manual ipv4.addresses 172.16.0.254/24 
- 
-# Bring interface up 
-nmcli con up enp0s9</code> 
- 
----- 
- 
-====== Firewalld Service ====== 
- 
-Ensure its running 
-<code bash> 
-systemctl status firewalld 
-</code> 
- 
----- 
- 
-====== Multiple Interfaces ====== 
- 
-If you have multiple interfaces and need to forward packets through them, IP Forwarding needs to be enabled. 
- 
-\\ 
-Enable ip forwarding 
-<code bash> 
-vim /etc/sysctl.conf 
- 
-net.ipv4.ip_forward=1 
-</code> 
- 
-\\ 
-Load changes from /etc/sysctl.conf 
-<code bash> 
-sysctl -p 
-</code> 
- 
----- 
- 
-====== Packet Filtering ====== 
- 
-Open http(tcp/80) 
-<code bash> 
-firewall-cmd --permanent --add-service=http 
-firewall-cmd --reload 
-</code> 
- 
-===== Zones ===== 
- 
-Show default zone 
-<code bash> 
-firewall-cmd --get-default-zone 
-</code> 
- 
-\\ 
-Active Zones (interfaces or sources assigned) 
-<code bash> 
-firewall-cmd --get-active-zones 
-</code> 
- 
-\\ 
-Show all zones 
-<code bash> 
-firewall-cmd --get-zones 
-</code> 
- 
-\\ 
-List config of all zones 
-<code bash> 
-firewall-cmd --list-all-zones 
-</code> 
- 
-\\ 
-Create rule for a specific zone 
-<code bash> 
-firewall-cmd --permanent --zone=work --add-source=192.168.1.151 
-firewall-cmd --permanent --zone=work --add-service=http 
-firewall-cmd --reload 
-</code> 
- 
----- 
- 
-====== Custom Service ====== 
- 
-  * Built in rules: /usr/lib/firewalld/services/ 
-  * Custom rules/over rides: /etc/firewalld/services/ 
- 
-Copy a built in service file 
-<code bash> 
-cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/leetservice.xml 
-</code> 
- 
-\\ 
-Edit it, then reload the firewall 
-<code bash> 
-vim /etc/firewalld/services/leetservice.xml 
- 
-<make changes, save, quit> 
- 
-firewall-cmd --reload 
-</code> 
- 
-\\ 
-Custom service can now be viewed and used 
-<code bash> 
-firewall-cmd --get-services 
- 
-firewall-cmd --permanent --add-service=leetservice 
-firewall-cmd --reload 
-</code> 
- 
----- 
- 
-====== Rich Rules ====== 
- 
-Rich rules allow you to create allow or deny rules in order to define: 
-  * Logging 
-  * Port forwarding 
-  * Masquerading 
-  * Rate limiting 
-  * Connections for one specific zone 
- 
-Rich rule help/examples 
-<code bash> 
-man firewalld.richlanguage 
-</code> 
-  * All examples start with 'rule' 
-  * The entire string is quoted inside of the --add-rich-rule=' ' argument to a firewall-cmd command. 
- 
-===== Rich Rule Examples ===== 
- 
-Log SSH Attempts 
-<code bash> 
-firewall-cmd --zone=public --add-rich-rule='rule service name="ssh" log prefix="SSH Attempt: " level="notice" limit value="5/m" accept' 
-</code> 
- 
-\\ 
-ICMP traffic 
-<code bash> 
-firewall-cmd --zone=public --add-rich-rule='rule protocol value=icmp accept' 
-</code> 
- 
-\\ 
-Extending the HTTP Rule 
-<code bash> 
-firewall-cmd --permanent --zone=home --add-rich-rule='rule family=ipv4 source address=192.168.1.151 service name="http" log level=notice prefix="NEW HTTP RULE " limit value="100/s" accept' 
-firewall-cmd --reload 
-</code> 
-  * family=ipv4 -> required to specify an address family when including IP addresses as a source or destination 
-  * source address=192.168.1.151 -> Where the HTTP connection attempt is coming from 
-  * service name=http -> http service (tcp/80) 
-  * log level=notice -> Change log level of http access 
-  * prefix -> Add this text to the front of the log 
-  * limit value -> Limit the amount of connections to 100 a second 
-  * accept -> Accept the connection 
- 
----- 
- 
-====== NAT ====== 
- 
-Network Address Translation. 
- 
-**Prerequisites** 
-  * Two interfaces 
-  * [[linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat#multiple_interfaces|ip_forward must be enabled]] in order for NAT to work. 
- 
-===== Masquerading ===== 
- 
-Masquerading is often done when a private network is going out to an external network (the internet) through a gateway. 
- 
-A server that has both an external and internal interface that is acting as a gateway provides the NAT Masquerading. 
- 
-The masquerading is configured on the **external** zone/interface. 
- 
-\\ 
-Configure masquerading for hosts in a zone 
-<code bash> 
-firewall-cmd --permanent --zone=public --add-masquerade 
-firewall-cmd --reload 
-</code> 
- 
-\\ 
-Masquerading for specific source addresses 
-<code bash> 
-firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=10.10.5.0/24 masquerade' 
-</code> 
- 
-===== Port Forwarding ===== 
- 
-Forward a connection to the public IP on tcp/2222 to 10.10.5.100 on tcp/22  
-<code bash> 
-firewall-cmd --permanent --zone=public --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=10.10.5.100 
-firewall-cmd --reload 
-</code> 
- 
----- 
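Review bot: this revision removes the whole page (lab setup, zones, custom service, rich rules and NAT) and adds nothing in its place; the 2019/05/25 revision line carries no edit summary and the removed text leaves no link to where the material moved. If the content was relocated, keep a one-line pointer to the new page (the NAT prerequisites link to this page's own `#multiple_interfaces` anchor, so any external link to that anchor will now dangle); if it was retired, say so in the summary. Should the text come back, two corrections are worth making on the way in: the masquerade example `firewall-cmd --permanent --zone=public --add-masquerade` sits directly under a sentence stating that masquerading is configured on the external zone/interface, so the example should target that zone rather than `public`; and in the "Extending the HTTP Rule" rich rule the `limit value="100/s"` follows the `log` keyword, so it rate-limits the log entries, not the accepted connections, contrary to the bullet that reads it as limiting connections to 100 a second.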
  
  • Last modified: 2019/05/25 23:50