Differences
This shows you the differences between two versions of the page.
linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat [2018/03/29 23:18] billdozor [Configure Interfaces]
linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat [2019/05/25 23:50] (current)
Line 49: | Line 49: | ||
nmcli con up enp0s8 | nmcli con up enp0s8 | ||
</ | </ | ||
+ | * Route for server1 to reach server2< | ||
+ | any net 172.16.0.0/ | ||
+ | |||
+ | #save, then restart the network service | ||
+ | systemctl restart network</ | ||
* server2 (192.168.1.151) -> Will be the external system | * server2 (192.168.1.151) -> Will be the external system | ||
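Review bot: the added route line `any net 172.16.0.0/` is cut off in this hunk, so the prefix length, gateway and device are not visible; the counterpart route in the server2 hunk is complete (`any net 10.0.0.0/24 gw 172.16.0.254 dev enp0s8`), so this one should be written out in the same full form. The comment `#save, then restart the network service` also never names the file the line is saved into, and a route typed into the wrong file does nothing after the restart. Note as well that enp0s8 is brought up with `nmcli con up enp0s8`, i.e. it is owned by NetworkManager, while the route is applied by restarting the legacy network service; using one mechanism throughout (for example `nmcli con mod enp0s8 +ipv4.routes "172.16.0.0/<prefix> <gateway>"` followed by `nmcli con up enp0s8`) avoids the two tools disagreeing about the interface.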
Line 59: | Line 64: | ||
# Bring interface up | # Bring interface up | ||
nmcli con up enp0s8</ | nmcli con up enp0s8</ | ||
+ | * Route for server2 to reach server1< | ||
+ | any net 10.0.0.0/24 gw 172.16.0.254 dev enp0s8 | ||
+ | |||
+ | #save, then restart the network service | ||
+ | systemctl restart network</ | ||
* ipa (192.168.1.152) -> Will be the " | * ipa (192.168.1.152) -> Will be the " | ||
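Review bot: same point as on the server1 route: `#save` does not say which file `any net 10.0.0.0/24 gw 172.16.0.254 dev enp0s8` goes into, and the interface is managed by NetworkManager (`nmcli con up enp0s8`) while the route is applied through `systemctl restart network`; either name the file or add the route with `nmcli con mod enp0s8 +ipv4.routes "10.0.0.0/24 172.16.0.254"` so one tool owns the interface. It would also help to state that 172.16.0.254 is the ipa/router address on the 172.16.0.0 side, since the same address reappears later as the target of the port-forward test.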
Line 78: | Line 88: | ||
# Bring interface up | # Bring interface up | ||
nmcli con up enp0s9</ | nmcli con up enp0s9</ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ====== Help ====== | ||
+ | |||
+ | Finding help in this section. | ||
+ | * Firewalld Rich Rules< | ||
+ | * Firewall Cmd Man page (forward ports)< | ||
---- | ---- | ||
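Review bot: the two help bullets (`Firewalld Rich Rules<` and `Firewall Cmd Man page (forward ports)<`) stop where their code blocks begin, so the hunk does not show which man pages they point to; spell them out, e.g. `man firewalld.richlanguage` for the rich rule syntax and `man firewall-cmd` (search for `--add-forward-port`) for port forwarding, so the Help section stands on its own.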
Line 90: | Line 108: | ||
---- | ---- | ||
- | ====== Multiple Interfaces ====== | + | ====== |
If you have multiple interfaces and need to forward packets through them, IP Forwarding needs to be enabled. | If you have multiple interfaces and need to forward packets through them, IP Forwarding needs to be enabled. | ||
\\ | \\ | ||
- | Enable ip forwarding | + | Enable ip forwarding |
<code bash> | <code bash> | ||
- | vim / | + | vim /etc/sysctl.d/router.conf |
+ | # Enable IP Forwarding to other interfaces | ||
net.ipv4.ip_forward=1 | net.ipv4.ip_forward=1 | ||
</ | </ | ||
\\ | \\ | ||
- | Load changes from / | + | Load changes from all locations |
<code bash> | <code bash> | ||
- | sysctl -p | + | sysctl --system |
+ | </ | ||
+ | |||
+ | \\ | ||
+ | Verify | ||
+ | <code bash> | ||
+ | sysctl -a | grep ip_forward | ||
</ | </ | ||
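Review bot: the renamed section title on the right-hand side is blank (`====== |`), so the hunk does not show what "Multiple Interfaces" became; check that the heading survived the edit. The switch from `sysctl -p` to `sysctl --system` is the right fix, since `sysctl -p` with no argument reads only `/etc/sysctl.conf` and would never load `/etc/sysctl.d/router.conf`. For the verify step, `sysctl -a | grep ip_forward` may match more than one key; `sysctl net.ipv4.ip_forward` prints exactly the value being set. Because `net.ipv4.ip_forward=1` turns the host into a router on every interface, the text should say this file belongs only on the ipa/router system, not on server1 or server2.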
Line 119: | Line 144: | ||
===== Zones ===== | ===== Zones ===== | ||
+ | |||
+ | Firewall-cmd zone commands. | ||
+ | |||
+ | ==== General Commands ==== | ||
Show default zone | Show default zone | ||
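Review bot: `Firewall-cmd zone commands.` is a sentence fragment directly under a heading that already says Zones; either drop it or make it a real lead-in such as "The commands below list, change and assign firewalld zones." The new `==== General Commands ====` subheading is a sensible split now that a lab subsection follows it.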
Line 150: | Line 179: | ||
firewall-cmd --reload | firewall-cmd --reload | ||
</ | </ | ||
+ | |||
+ | ==== Lab: Set Zones for Router ==== | ||
+ | |||
+ | Setting zones for the router (ipa) system. | ||
+ | * Add enp0s8 to internal< | ||
+ | * Add enp0s9 to external< | ||
+ | |||
+ | \\ | ||
+ | **Note:** As of RHEL 7.4, you **do not** need to execute the removal command/ | ||
+ | * Removal example< | ||
+ | * Network script update example< | ||
---- | ---- | ||
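Review bot: both lab bullets (`Add enp0s8 to internal<`, `Add enp0s9 to external<`) are cut off before the command and the RHEL 7.4 note stops at `removal command/`, so the hunk records neither what is run nor what no longer needs to be run; the bullets should show the full `firewall-cmd --permanent --zone=internal --change-interface=enp0s8` form (and the same with `external` and `enp0s9`), and the note should finish its sentence. It is also worth stating for the reader why these zones were chosen: `external` ships with masquerading enabled, which is what the NAT side of the router needs, and `internal` accepts ssh by default, so the router's own sshd becomes reachable from the internal side as soon as enp0s8 is moved into it.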
Line 172: | Line 212: | ||
firewall-cmd --reload | firewall-cmd --reload | ||
</ | </ | ||
+ | * **Note**: Since the file was copied, the SELinux file context should have been copied as well. | ||
+ | * View< | ||
+ | * Restore if needed< | ||
\\ | \\ | ||
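Review bot: the reasoning in the note is backwards: `cp` does not carry the source file's SELinux context with it; it labels the new file with the destination directory's default type, which is exactly why a copied zone file ends up correctly labelled. A file moved with `mv` keeps its original label and is the case that needs fixing. Since the `View<` and `Restore if needed<` bullets are truncated, the commands should read `ls -Z <file>` and `restorecon -v <file>`, so a wrong label is caught before `firewall-cmd --reload`.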
Line 224: | Line 267: | ||
* log level=notice -> Change log level of http access | * log level=notice -> Change log level of http access | ||
* prefix -> Add this text to the front of the log | * prefix -> Add this text to the front of the log | ||
- | * limit value -> Limit the amount of connections | + | * limit value -> Limit the amount of logged connection attempts |
* accept -> Accept the connection | * accept -> Accept the connection | ||
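Review bot: the reworded `limit value -> Limit the amount of logged connection attempts` is the correct fix, because in the rich rule language a `limit` placed after `log` rate-limits the log entries, not the connections. Two details would make it precise: the value takes the form rate/duration with s, m, h or d (e.g. `limit value="1/m"`), and `limit` may also follow the action (`accept limit value=...`), in which case it does throttle the accepted connections, so the list should say which placement it is describing.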
Line 248: | Line 291: | ||
Configure masquerading for hosts in a zone | Configure masquerading for hosts in a zone | ||
<code bash> | <code bash> | ||
- | firewall-cmd --permanent --zone=public | + | firewall-cmd --permanent --zone=external |
firewall-cmd --reload | firewall-cmd --reload | ||
</ | </ | ||
\\ | \\ | ||
- | Masquerading for specific source addresses | + | Additional Example: |
<code bash> | <code bash> | ||
- | firewall-cmd --permanent --zone=public | + | firewall-cmd --permanent --zone=external |
</ | </ | ||
===== Port Forwarding ===== | ===== Port Forwarding ===== | ||
- | Forward a connection | + | Port forwarding allows external systems to access internal systems. |
+ | |||
+ | They come in from external on one port, and get forwarded to an internal system on a different port. | ||
+ | |||
+ | \\ | ||
+ | Forward a connection | ||
<code bash> | <code bash> | ||
- | firewall-cmd --permanent --zone=public | + | firewall-cmd --permanent --zone=external |
firewall-cmd --reload | firewall-cmd --reload | ||
</ | </ | ||
+ | |||
+ | \\ | ||
+ | Test the connection from server2< | ||
+ | |||
+ | The authenticity of host ' | ||
+ | ECDSA key fingerprint is SHA256: | ||
+ | ECDSA key fingerprint is MD5: | ||
+ | Are you sure you want to continue connecting (yes/no)? yes | ||
+ | Warning: Permanently added ' | ||
+ | root@172.16.0.254' | ||
+ | [root@server1 ~]# </ | ||
+ | * server2 connects to port 2222 on the ipa/router VM. | ||
+ | * The firewall port forward rule forwards the connection to port 22 on server1 | ||
---- | ---- | ||
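Review bot: the `--add-masquerade` and `--add-forward-port=...` arguments are missing from the diff lines (`firewall-cmd --permanent --zone=external` is shown without its action), so the hunk records only the zone change; the zone change is right but should be explained: `external` already has masquerading enabled, and forwarding to another host (`toaddr=`) only works when masquerading is active on the zone, so the masquerade step preceding the port-forward section is a dependency, not just ordering. The heading "Masquerading for specific source addresses" was replaced by the bare `Additional Example:`, which no longer says what the example does; keep the source-address wording. In the test transcript the host key accepted with `yes` belongs to server1 (the forward target, as the `[root@server1 ~]#` prompt confirms), not to the ipa/router VM at 172.16.0.254; a later direct ssh to 172.16.0.254 on port 22 would present the router's own key for the same address and trigger the changed-host-key warning, so the test should use `ssh -o HostKeyAlias=server1 -p 2222 root@172.16.0.254` or at least mention this. The lab should also note that the forward exposes root ssh on server1 to the external side, which is what is being tested and what a production rule would restrict.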