Page linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat, revision 2018/03/29 23:52 by billdozor (edit summary: Custom Service), compared with revision 2019/05/25 23:50. The text below is the 2018 revision.

====== Use Firewalld And Associated Mechanisms Such As Rich Rules Zones And Custom Rules To Implement Packet Filtering And Configure Network Address Translation Nat ======

**General Information**

Firewalld replaces the iptables service as the front end for configuring the firewall; the filtering itself is still done by the netfilter code in the kernel.

It differs from iptables in that configuration changes can be applied without interrupting existing connections, and it is a zone-based firewall.

----

====== Lab Setup ======

The following virtual machines will be used:
  * server1 (192.168.1.150) -> Will be the internal system
    * Add 1 interface for **internal**:

  * server2 (192.168.1.151) -> Will be the external system
    * Add 1 interface for **external**:

  * ipa (192.168.1.152) -> Will be the "
    * Add 2 interfaces
      * **Internal**:
      * **External**:

===== Adding Interfaces =====

Virtualbox example for adding interfaces
  * Pre-Req: VMs must be powered off
  * Select the VM
  * In the top bar, click "
  * On the left navigation, select "
  * In the middle pane, click "
  * Check "
  * Attached to: Internal Network
  * Repeat for each VM
  * Add "
  * Power on all VMs

===== Configure Interfaces =====

  * server1 (192.168.1.150) -> Will be the internal system
    * IP for **internal**:
<code bash>
# Name the connection after its interface
nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8

# Set IP info
nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 10.0.0.1/24 ipv4.gateway 10.0.0.254

# Bring interface up
nmcli con up enp0s8
</code>

  * server2 (192.168.1.151) -> Will be the external system
    * IP for **external**:
<code bash>
# Name the connection after its interface
nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8

# Set IP info and assign device to connection
nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 172.16.0.1/

# Bring interface up
nmcli con up enp0s8
</code>

  * ipa (192.168.1.152) -> Will be the "
    * IPs for
      * **Internal**:
<code bash>
# Name the connection after its interface
nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8

# Set IP info
nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 10.0.0.254/

# Bring interface up
nmcli con up enp0s8
</code>
      * **External**:
<code bash>
# Name the second connection after its interface
nmcli con mod Wired\ connection\ 2 con-name enp0s9 ifname enp0s9

# Set IP info
nmcli con mod enp0s9 ipv4.method manual ipv4.addresses 172.16.0.254/

# Bring interface up
nmcli con up enp0s9
</code>

----

====== Firewalld Service ======

Ensure it is running
<code bash>
systemctl status firewalld
</code>

----

====== Forwarding: Multiple Interfaces ======

If you have multiple interfaces and need to forward packets between them, IP forwarding needs to be enabled in the kernel.

\\
Enable ip forwarding (**on ipa/the router**)
<code bash>
vim /

# Enable IP Forwarding to other interfaces
net.ipv4.ip_forward=1
</code>

\\
Load the settings from all sysctl configuration locations
<code bash>
sysctl --system
</code>

\\
Verify that forwarding is enabled
<code bash>
sysctl -a | grep ip_forward
</code>

----

====== Packet Filtering ======

Open http(tcp/
<code bash>
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
</code>

===== Zones =====

Firewall-cmd zone commands.

==== General Commands ====

Show default zone
<code bash>
firewall-cmd --get-default-zone
</code>

\\
Active Zones (interfaces or sources assigned)
<code bash>
firewall-cmd --get-active-zones
</code>

\\
Show all zones
<code bash>
firewall-cmd --get-zones
</code>

\\
List config of all zones
<code bash>
firewall-cmd --list-all-zones
</code>

\\
Create rule for a specific zone
<code bash>
firewall-cmd --permanent --zone=work --add-source=192.168.1.151
firewall-cmd --permanent --zone=work --add-service=http
firewall-cmd --reload
</code>

==== Lab: Set Zones for Router ====

Setting zones for the router (ipa) system.
  * Add enp0s8 to internal
  * Add enp0s9 to external

\\
**Note:** As of RHEL 7.4, you **do not** need to execute the removal command/
  * Removal example
  * Network script update example

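How firewalld decides which zone a packet belongs to is what the zone commands above configure but never show. The Python model below is an added example (not code from this wiki page and not firewalld's own code) that applies firewalld's documented precedence: a zone that lists the packet's source address wins, then a zone bound to the ingress interface, then the default zone. The zone layout mirrors the lab (enp0s8 in internal, enp0s9 in external, 192.168.1.151 as a source in work with http added); the built-in zones' service lists are a constructed subset, and the port numbers are the IANA defaults.

```python
"""Model of firewalld zone selection for an incoming packet (added example).

Precedence, as documented for firewalld: a zone that lists the packet's
source address wins, then a zone that lists the ingress interface, then
the default zone. Zone contents are constructed to mirror the lab; the
built-in zones' service lists are reduced to ssh and dhcpv6-client.
"""
import ipaddress
from dataclasses import dataclass, field

# Service name -> (protocol, port) pairs; constructed subset of
# firewalld's service definitions with IANA default ports.
SERVICES = {
    "ssh": {("tcp", 22)},
    "http": {("tcp", 80)},
    "dhcpv6-client": {("udp", 546)},
}


@dataclass
class Zone:
    name: str
    interfaces: set = field(default_factory=set)   # bound with --add-interface
    sources: set = field(default_factory=set)      # bound with --add-source (CIDR)
    services: set = field(default_factory=set)     # opened with --add-service
    target: str = "default"   # "default": reject what no rule allows; "ACCEPT": allow all


@dataclass
class Firewall:
    zones: dict
    default_zone: str = "public"   # what firewall-cmd --get-default-zone reports

    def zone_for(self, in_iface, src_ip):
        """Pick the zone that applies to a packet: source binding first,
        then interface binding, then the default zone."""
        src = ipaddress.ip_address(src_ip)
        for zone in self.zones.values():
            if any(src in ipaddress.ip_network(net) for net in zone.sources):
                return zone
        for zone in self.zones.values():
            if in_iface in zone.interfaces:
                return zone
        return self.zones[self.default_zone]

    def allows(self, in_iface, src_ip, proto, port):
        """Return (accepted?, zone name) for a new inbound connection."""
        zone = self.zone_for(in_iface, src_ip)
        if zone.target == "ACCEPT":
            return True, zone.name
        for svc in zone.services:
            if (proto, port) in SERVICES.get(svc, set()):
                return True, zone.name
        return False, zone.name   # zone target "default": rejected


def lab_firewall():
    """The router (ipa) after the interface assignments above, plus the
    'work' zone source and service from 'Create rule for a specific zone'."""
    zones = {
        "public": Zone("public", services={"ssh", "dhcpv6-client"}),
        "internal": Zone("internal", interfaces={"enp0s8"}, services={"ssh", "dhcpv6-client"}),
        "external": Zone("external", interfaces={"enp0s9"}, services={"ssh"}),
        "work": Zone("work", sources={"192.168.1.151/32"}, services={"ssh", "http"}),
    }
    return Firewall(zones)


if __name__ == "__main__":
    fw = lab_firewall()
    # HTTP from 192.168.1.151 arriving on enp0s9: the source binding to 'work'
    # wins over the interface's 'external' zone, so it is accepted.
    print(fw.allows("enp0s9", "192.168.1.151", "tcp", 80))   # (True, 'work')
    # The same request from any other external host lands in 'external'.
    print(fw.allows("enp0s9", "172.16.0.1", "tcp", 80))      # (False, 'external')
    # An interface bound to no zone falls back to the default zone.
    print(fw.allows("enp0s10", "203.0.113.5", "tcp", 22))    # (True, 'public')
```

The practical consequence of the source-first lookup is worth checking on a real system with `firewall-cmd --get-active-zones`: an `--add-source` in a permissive zone opens that zone's services to the address no matter which interface the traffic enters on, so a source binding made for convenience on the internal side also applies to packets that arrive on the external interface.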
----

====== Custom Service ======

  * Built-in rules: /
  * Custom rules/overrides: /

Copy a built-in service file
<code bash>
cp /
</code>

\\
Edit it, then reload the firewall
<code bash>
vim /

<make changes, save, quit>

firewall-cmd --reload
</code>
  * Note: Since the file was copied, the SELinux file context should have been copied as well.
    * View
    * Restore if needed

\\
The custom service can now be viewed and used
<code bash>
firewall-cmd --get-services

firewall-cmd --permanent --add-service=leetservice
firewall-cmd --reload
</code>

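The copy-and-edit step above produces an XML service definition. The Python below is an added example (not from this page and not firewalld's code) that derives a custom service from a built-in one the same way, programmatically, and checks the result before it is dropped into the override directory. The XML elements are the ones firewalld's service files use; /usr/lib/firewalld/services and /etc/firewalld/services are assumed here to be the built-in and override directories, the sample http.xml content is constructed, and leetservice's port (tcp/1337) is a constructed value.

```python
"""Derive and sanity-check a custom firewalld service definition (added example).

The elements used (<service>, <short>, <description>,
<port protocol=".." port=".."/>) are the ones firewalld's service files use.
The directory paths are assumptions about the standard firewalld layout;
the sample http.xml content and the leetservice port are constructed.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

BUILTIN_DIR = Path("/usr/lib/firewalld/services")   # assumed: shipped definitions
CUSTOM_DIR = Path("/etc/firewalld/services")        # assumed: local overrides

VALID_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}

# Constructed stand-in for the shipped http.xml
HTTP_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>
"""


def parse_service(xml_text):
    """Return (short name, [(protocol, port), ...]); raise ValueError if the
    definition is not something firewalld would load."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("root element must be <service>")
    ports = []
    for elem in root.findall("port"):
        proto, port = elem.get("protocol"), elem.get("port")
        if proto not in VALID_PROTOCOLS:
            raise ValueError(f"unsupported protocol {proto!r}")
        if port is None:
            raise ValueError("<port> needs a port attribute")
        # A port attribute is a single number or a range "low-high".
        bounds = [int(n) for n in port.split("-")]
        if len(bounds) > 2 or bounds != sorted(bounds) or any(not 0 < n < 65536 for n in bounds):
            raise ValueError(f"bad port specification {port!r}")
        ports.append((proto, port))
    return root.findtext("short", default=""), ports


def derive_service(base_xml, short, description, ports):
    """Programmatic form of 'cp builtin.xml custom.xml; vim custom.xml':
    keep the file layout, replace the name, description and port list."""
    root = ET.fromstring(base_xml)
    root.find("short").text = short
    root.find("description").text = description
    for old in root.findall("port"):
        root.remove(old)
    for proto, port in ports:
        ET.SubElement(root, "port", protocol=proto, port=str(port))
    text = ET.tostring(root, encoding="unicode")
    parse_service(text)   # refuse to emit a definition firewalld would reject
    return '<?xml version="1.0" encoding="utf-8"?>\n' + text + "\n"


def custom_service_path(name):
    """Where the override copy goes; the file name is the service name."""
    return CUSTOM_DIR / f"{name}.xml"


if __name__ == "__main__":
    xml_out = derive_service(HTTP_XML, "leetservice", "Lab service", [("tcp", 1337)])
    print(custom_service_path("leetservice"))
    print(xml_out)
```

A file written by a script, unlike one produced with `cp`, does not inherit the source file's SELinux context, so the context check the note above describes applies before `firewall-cmd --reload`; once loaded, the service appears in `firewall-cmd --get-services` exactly like the copied one.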
----

====== Rich Rules ======

Rich rules allow you to create allow or deny rules in order to define:
  * Logging
  * Port forwarding
  * Masquerading
  * Rate limiting
  * Connections for one specific zone

Rich rule help/
<code bash>
man firewalld.richlanguage
</code>
  * All examples start with '
  * The entire string is quoted inside of the --add-rich-rule='

===== Rich Rule Examples =====

Log SSH Attempts
<code bash>
firewall-cmd --zone=public --add-rich-rule='
</code>

\\
ICMP traffic
<code bash>
firewall-cmd --zone=public --add-rich-rule='
</code>

\\
Extending the HTTP Rule
<code bash>
firewall-cmd --permanent --zone=home --add-rich-rule='
firewall-cmd --reload
</code>
  * family=ipv4 -> required to specify an address family when including IP addresses as a source or destination
  * source address=192.168.1.151 -> Where the HTTP connection attempt is coming from
  * service name=http -> http service (tcp/80)
  * log level=notice -> Change log level of http access
  * prefix -> Add this text to the front of the log
  * limit value -> Limit the amount of connections to 100 a second
  * accept -> Accept the connection

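Because a rich rule reaches firewall-cmd as one quoted string, a malformed rule is only discovered when the command fails. The parser below is an added example (not this page's code and not firewalld's parser) for the subset of the rich language the examples above use: it splits a rule into its elements, enforces the constraint from the bullet list (family=ipv4 or family=ipv6 is mandatory when a source or destination address is given), validates log levels and limit values, and shows that `limit` binds to whatever it directly follows, a log element or the action. The sample rules are constructed from the bullets above.

```python
"""Parser and validator for firewalld rich-rule strings (added example).

Covers the subset of the rich language (man firewalld.richlanguage) used
in the examples above. This is not firewalld's parser; the sample rules
are constructed from the bullet list describing the HTTP rule.
"""
import re
import shlex

ELEMENTS = {"source", "destination", "service", "port", "protocol", "icmp-block",
            "icmp-type", "masquerade", "forward-port", "log", "audit"}
ACTIONS = {"accept", "reject", "drop", "mark"}
LOG_LEVELS = {"emerg", "alert", "crit", "error", "warning", "notice", "info", "debug"}
LIMIT_RE = re.compile(r"^\d+/[smhd]$")          # e.g. 100/s, 3/m


def parse_rich_rule(text):
    """Return {'family', 'elements', 'action', 'action_opts'} or raise ValueError."""
    tokens = shlex.split(text)                   # removes the quotes around values
    if not tokens or tokens[0] != "rule":
        raise ValueError("a rich rule starts with the word 'rule'")
    rule = {"family": None, "elements": {}, "action": None, "action_opts": {}}
    current, kind = None, None                   # dict that key=value tokens attach to
    for tok in tokens[1:]:
        if tok in ELEMENTS:
            current, kind = rule["elements"].setdefault(tok, {}), tok
        elif tok in ACTIONS:
            if rule["action"] is not None:
                raise ValueError("a rule may carry only one action")
            rule["action"] = tok
            current, kind = rule["action_opts"], "action"
        elif tok == "limit":
            # limit binds to what precedes it: a log/audit element or the action
            if kind not in ("log", "audit", "action"):
                raise ValueError("'limit' must directly follow log, audit or an action")
            current, kind = current.setdefault("limit", {}), "limit"
        elif "=" in tok:
            key, _, value = tok.partition("=")
            if key == "family" and current is None:
                rule["family"] = value
            elif current is None:
                raise ValueError(f"{key}= appears before any element")
            else:
                current[key] = value
        else:
            raise ValueError(f"unknown token {tok!r}")
    _validate(rule)
    return rule


def _validate(rule):
    elems = rule["elements"]
    for side in ("source", "destination"):
        if "address" in elems.get(side, {}) and rule["family"] not in ("ipv4", "ipv6"):
            raise ValueError(f"{side} address= needs family=ipv4 or family=ipv6")
    if rule["action"] and ("masquerade" in elems or "forward-port" in elems):
        raise ValueError("masquerade/forward-port already decide the packet's fate")
    level = elems.get("log", {}).get("level")
    if level is not None and level not in LOG_LEVELS:
        raise ValueError(f"unknown log level {level!r}")
    for holder in list(elems.values()) + [rule["action_opts"]]:
        value = holder.get("limit", {}).get("value")
        if value is not None and not LIMIT_RE.match(value):
            raise ValueError(f"limit value {value!r} must look like 100/s")


def is_valid(text):
    """True if parse_rich_rule accepts the rule, False otherwise."""
    try:
        parse_rich_rule(text)
        return True
    except ValueError:
        return False


# Constructed from the bullet list above. Note where 'limit' sits: after the
# log element, so it throttles the log entries, not the accepted connections.
HTTP_RULE = ('rule family="ipv4" source address="192.168.1.151" service name="http" '
             'log prefix="HTTP" level="notice" limit value="100/s" accept')

if __name__ == "__main__":
    parsed = parse_rich_rule(HTTP_RULE)
    print(parsed["family"], parsed["elements"], parsed["action"])
    # An address without a family is rejected before firewall-cmd ever sees it.
    print(is_valid('rule source address="192.168.1.151" service name="http" accept'))   # False
```

The placement of `limit` is the detail most often got wrong when reading a rule like the one above: written after `log`, it rate-limits the log messages; to rate-limit the accepted connections themselves it has to come after `accept`, and the parser keeps the two cases apart.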
----

====== NAT ======

Network Address Translation.

**Prerequisites**
  * Two interfaces
  * [[linux_wiki:

===== Masquerading =====

Masquerading is often done when a private network is going out to an external network (the internet) through a gateway.

A server with both an external and an internal interface, acting as the gateway, performs the NAT masquerading.

The masquerading is configured on the **external** zone/

\\
Configure masquerading for hosts in a zone
<code bash>
firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --reload
</code>

\\
Masquerading for specific source addresses
<code bash>
firewall-cmd --permanent --zone=public --add-rich-rule='
</code>

===== Port Forwarding =====

Forward a connection to the public IP on tcp/2222 to 10.10.5.100 on tcp/
<code bash>
firewall-cmd --permanent --zone=public --add-forward-port=port=2222:
firewall-cmd --reload
</code>

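What the masquerade and forward-port rules make the router do is easiest to see on concrete packets. The Python below is an added example (not this page's code, and not firewalld's or netfilter's) that models the three pieces the NAT sections and the earlier IP forwarding section rely on: forwarding is refused while net.ipv4.ip_forward is 0; outbound packets from the internal network get their source rewritten to the router's external address, with a connection table so replies can be mapped back (masquerade); and inbound connections to the public IP on tcp/2222 are redirected to 10.10.5.100 (forward-port). The addresses are the lab's (ipa's external interface 172.16.0.254, server2 at 172.16.0.1); the internal target port of the forward-port rule is cut off on the page, so 22 is an assumed value, and the NAT port range is constructed.

```python
"""Packet-level model of IP forwarding, masquerading and port forwarding
on the lab router (added example, not firewalld or netfilter code).

Addresses follow the lab: the router's external interface is 172.16.0.254
and server2 is 172.16.0.1. The forward-port target port (22) is assumed
because the page truncates it; the ephemeral NAT port range is constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Router:
    def __init__(self, external_ip, ip_forward=True):
        self.external_ip = external_ip
        self.ip_forward = ip_forward      # net.ipv4.ip_forward (sysctl)
        self.masquerade = False           # --add-masquerade on the external-facing zone
        self.forward_ports = {}           # (proto, port) -> (toaddr, toport)
        self._conntrack = {}              # (proto, nat_port) -> (orig_src, orig_sport)
        self._next_nat_port = 40000       # constructed ephemeral range

    def add_forward_port(self, port, proto, toaddr, toport):
        """Equivalent of --add-forward-port=port=..:proto=..:toport=..:toaddr=.."""
        self.forward_ports[(proto, port)] = (toaddr, toport)

    def from_internal(self, pkt):
        """Packet from the private network (enp0s8) bound for the outside.
        Returns the packet as it leaves enp0s9, or None if it is not forwarded."""
        if not self.ip_forward:
            return None                   # kernel will not route between interfaces
        if not self.masquerade:
            return pkt                    # forwarded unchanged: the private source address
                                          # leaves the box and the reply has no route back
        nat_port = self._next_nat_port
        self._next_nat_port += 1
        self._conntrack[(pkt.proto, nat_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.external_ip, sport=nat_port)   # SNAT

    def from_external(self, pkt):
        """Packet arriving on enp0s9. Returns the packet as delivered to the
        internal network, or None if it stays with the router or is dropped."""
        if pkt.dst != self.external_ip:
            return None                   # nothing inside is reachable by its private address
        # 1. Reply to a masqueraded connection: undo the SNAT.
        orig = self._conntrack.get((pkt.proto, pkt.dport))
        if orig is not None:
            return replace(pkt, dst=orig[0], dport=orig[1])
        # 2. forward-port rule: DNAT, then forward (which still needs ip_forward).
        target = self.forward_ports.get((pkt.proto, pkt.dport))
        if target is not None and self.ip_forward:
            return replace(pkt, dst=target[0], dport=target[1])
        return None


def lab_router(ip_forward=True):
    """ipa after: ip_forward via sysctl, --add-masquerade on the external zone
    and the port forward from the section above (toport assumed to be 22)."""
    router = Router("172.16.0.254", ip_forward=ip_forward)
    router.masquerade = True
    router.add_forward_port(2222, "tcp", "10.10.5.100", 22)
    return router


if __name__ == "__main__":
    r = lab_router()
    out = r.from_internal(Packet("10.0.0.1", 51000, "172.16.0.1", 80))
    print("outbound as seen by server2:", out)
    back = r.from_external(Packet("172.16.0.1", 80, "172.16.0.254", out.sport))
    print("reply delivered to:", back)
    print("port forward:", r.from_external(Packet("172.16.0.1", 53000, "172.16.0.254", 2222)))
    print("without ip_forward:",
          lab_router(ip_forward=False).from_internal(Packet("10.0.0.1", 51000, "172.16.0.1", 80)))
```

Two things the model makes visible: the masquerade only works because the router remembers each translated connection, which is why `firewall-cmd` lets existing connections survive a reload; and a forward-port entry exposes the internal host to every address in the external zone, so restricting it to particular sources is done with a rich rule of the kind shown in the previous section rather than with `--add-forward-port` alone.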
----