linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat

Differences

linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat [2018/03/30 00:01]
billdozor [Configure Interfaces]
linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat [2018/05/03 23:00]
billdozor [Rich Rule Examples]
Line 49: Line 49:
 nmcli con up enp0s8 nmcli con up enp0s8
 </code> </code>
-    * Route for server1 to reach server2<code bash>nmcli con mod enp0s8 +ipv4.routes 172.16.0.0/24</code>+    * Route for server1 to reach server2<code bash>vim /etc/sysconfig/static-routes  
 +any net 172.16.0.0/24 gw 10.0.0.254 dev enp0s8 
 + 
 +#save, then restart the network service 
 +systemctl restart network</code>
  
   * server2 (192.168.1.151) -> Will be the external system   * server2 (192.168.1.151) -> Will be the external system
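Review bot: the line being replaced was incomplete rather than a different method: `+ipv4.routes 172.16.0.0/24` names a destination with no next hop, so NetworkManager would install it as an on-link route via enp0s8 to a network server1 is not attached to. The static-routes file you switched to supplies the gateway (`any net 172.16.0.0/24 gw 10.0.0.254 dev enp0s8`), but it is read by the legacy `network` service and `systemctl restart network` bounces every interface on the host. The NetworkManager form that keeps the original approach and needs no restart is `nmcli con mod enp0s8 +ipv4.routes "172.16.0.0/24 10.0.0.254"` followed by `nmcli con up enp0s8`; either way, confirm the result with `ip route` before moving on to the firewall steps.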
Line 60: Line 64:
 # Bring interface up # Bring interface up
 nmcli con up enp0s8</code> nmcli con up enp0s8</code>
-    * Route for server2 to reach server1<code bash>nmcli con mod enp0s8 +ipv4.routes 10.0.0.0/24</code>+    * Route for server2 to reach server1<code bash>vim /etc/sysconfig/static-routes  
 +any net 10.0.0.0/24 gw 172.16.0.254 dev enp0s8 
 + 
 +#save, then restart the network service 
 +systemctl restart network</code>
  
   * ipa (192.168.1.152) -> Will be the "router"   * ipa (192.168.1.152) -> Will be the "router"
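Review bot: same issue as the server1 hunk, and the two should use one mechanism so the reader is not left with nmcli managing the interface while a network-scripts file manages its routes. The nmcli equivalent of the new file entry is `nmcli con mod enp0s8 +ipv4.routes "10.0.0.0/24 172.16.0.254"` plus `nmcli con up enp0s8`. If the static-routes file stays, add a sentence that it only takes effect when the `network` service is enabled, since on a NetworkManager-only host `systemctl restart network` does nothing useful.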
Line 172: Line 180:
 \\ \\
 **Note:** As of RHEL 7.4, you **do not** need to execute the removal command/network script update like you did in earlier versions. Listed below just in case you get an older version on the exam. **Note:** As of RHEL 7.4, you **do not** need to execute the removal command/network script update like you did in earlier versions. Listed below just in case you get an older version on the exam.
-  * Removal example<code bash>firewall-cmd --remove-interface-enp0s8 --zone=public</code>+  * Removal example<code bash>firewall-cmd --remove-interface=enp0s8 --zone=public</code>
   * Network script update example<code bash>nmcli con mod enp0s8 connection.zone internal</code>   * Network script update example<code bash>nmcli con mod enp0s8 connection.zone internal</code>
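Review bot: the `=` fix is correct; `--remove-interface-enp0s8` is not a recognised option and firewall-cmd rejects it. One thing worth stating beside the example: without `--permanent` the removal only changes the runtime zone binding, so the interface returns to `public` after `firewall-cmd --reload`. The `nmcli con mod enp0s8 connection.zone internal` line that follows is what makes the move persistent for a NetworkManager-managed interface, and the note should say that the two lines go together.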
  
Line 251: Line 259:
   * log level=notice -> Change log level of http access   * log level=notice -> Change log level of http access
   * prefix -> Add this text to the front of the log   * prefix -> Add this text to the front of the log
-  * limit value -> Limit the amount of connections to 100 a second+  * limit value -> Limit the amount of logged connection attempts to 100 a second
   * accept -> Accept the connection   * accept -> Accept the connection
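Review bot: the corrected description is the right one: a `limit` attached to the `log` element caps how many log entries are written, not how many connections are accepted, so the old wording would have led a reader to believe this rule rate-limits HTTP. If connection rate limiting is what a reader wants, it needs a separate `limit value=...` on the `accept` action itself. A minor style point on the new text: "number of logged connection attempts" reads better than "amount", and stating the value in the form firewalld expects (`100/s`) avoids ambiguity about the unit.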
  
Line 275: Line 283:
 Configure masquerading for hosts in a zone Configure masquerading for hosts in a zone
 <code bash> <code bash>
-firewall-cmd --permanent --zone=public --add-masquerade+firewall-cmd --permanent --zone=external --add-masquerade
 firewall-cmd --reload firewall-cmd --reload
 </code> </code>
  
 \\ \\
-Masquerading for specific source addresses+Additional Example: Masquerading for specific source addresses
 <code bash> <code bash>
-firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=10.10.5.0/24 masquerade'+firewall-cmd --permanent --zone=external --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 masquerade'
 </code> </code>
  
 ===== Port Forwarding ===== ===== Port Forwarding =====
  
-Forward a connection to the public IP on tcp/2222 to 10.10.5.100 on tcp/22 +Port forwarding allows external systems to access internal systems. 
 + 
 +They come in from external on one port, and get forwarded to an internal system on a different port. 
 + 
 +\\ 
 +Forward a connection from external 172.16.0.254 (ipa/router) on port tcp/2222 to internal 10.0.0.1 (server1) on port tcp/22 
 <code bash> <code bash>
-firewall-cmd --permanent --zone=public --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=10.10.5.100+firewall-cmd --permanent --zone=external --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=10.0.0.1
 firewall-cmd --reload firewall-cmd --reload
 </code> </code>
 +
 +\\
 +Test the connection from server2<code bash>[root@server2 ~]# ssh -p 2222 root@172.16.0.254
 +
 +The authenticity of host '[172.16.0.254]:2222 ([172.16.0.254]:2222)' can't be established.               
 +ECDSA key fingerprint is SHA256:klAqN92d6UnV80L99E5TxQHBxFDMSk9HNcL7E4DsKdY.                             
 +ECDSA key fingerprint is MD5:9d:56:7a:12:32:fd:df:b6:9e:6d:4c:9e:1a:72:a0:78.                            
 +Are you sure you want to continue connecting (yes/no)? yes                                               
 +Warning: Permanently added '[172.16.0.254]:2222' (ECDSA) to the list of known hosts.                                    
 +root@172.16.0.254's password:                                                                                                              
 +[root@server1 ~]# </code>
 +  * server2 connects to port 2222 on the ipa/router VM.
 +  * The firewall port forward rule forwards the connection to port 22 on server1
  
 ---- ----
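Review bot: the move from `public` to `external` and from the unused 10.10.5.0/24 to the lab's 10.0.0.0/24 ties the section to the topology above, but the port-forward example now depends on the masquerade example that precedes it: firewalld only forwards to a different host (`toaddr=`) when masquerading is enabled on that zone, so say so explicitly rather than relying on the reader having run the earlier command. Two smaller points: the stock `external` zone already has masquerading enabled, so the `--add-masquerade` line is harmless but redundant and could be noted as such; and the test transcript shows the forward exposing server1's root SSH login with password authentication to the external zone, which is exactly what is being tested, so it is worth one sentence that the forward opens that service to everything the `external` interface can reach and that the transcript is lab output, not a recommended configuration.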
  
  • linux_wiki/use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)