linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat

Differences

This shows you the differences between two versions of the page.

linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat [2018/03/29 23:33]
billdozor [Multiple Interfaces]
linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat [2019/05/25 23:50] (current)
Line 49: Line 49:
 nmcli con up enp0s8 nmcli con up enp0s8
 </code> </code>
 +    * Route for server1 to reach server2<code bash>vim /etc/sysconfig/static-routes 
 +any net 172.16.0.0/24 gw 10.0.0.254 dev enp0s8
 +
 +#save, then restart the network service
 +systemctl restart network</code>
  
   * server2 (192.168.1.151) -> Will be the external system   * server2 (192.168.1.151) -> Will be the external system
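Review bot: the route for server1 is written to the legacy /etc/sysconfig/static-routes file and applied with a full `systemctl restart network`, while the lines just above bring the interface up with `nmcli con up enp0s8`; mixing the two is fragile, since the static-routes file is only honoured while the legacy ifup-routes script still runs. Consider keeping route management in NetworkManager, e.g. `nmcli con mod enp0s8 +ipv4.routes "172.16.0.0/24 10.0.0.254"` followed by `nmcli con up enp0s8`, and add a check such as `ip route show` in the same way this revision adds a Verify step for ip_forward.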
Line 59: Line 64:
 # Bring interface up # Bring interface up
 nmcli con up enp0s8</code> nmcli con up enp0s8</code>
 +    * Route for server2 to reach server1<code bash>vim /etc/sysconfig/static-routes 
 +any net 10.0.0.0/24 gw 172.16.0.254 dev enp0s8
 +
 +#save, then restart the network service
 +systemctl restart network</code>
  
   * ipa (192.168.1.152) -> Will be the "router"   * ipa (192.168.1.152) -> Will be the "router"
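Review bot: the mirror route for server2 has the same issue as server1's above (legacy static-routes file plus a network restart instead of nmcli), and since both routes point at ipa's addresses, neither host can reach the other until ip_forward is enabled on ipa; it would help to state here that the Forwarding section added further down is a prerequisite, otherwise a reader who tests at this point sees a timeout and wrongly suspects the route.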
Line 78: Line 88:
 # Bring interface up # Bring interface up
 nmcli con up enp0s9</code> nmcli con up enp0s9</code>
 +
 +----
 +
 +====== Help ======
 +
 +Finding help in this section.
 +  * Firewalld Rich Rules<code bash>man firewalld.richlanguage</code>
 +  * Firewall Cmd Man page (forward ports)<code bash>man firewall-cmd</code>
  
 ---- ----
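Review bot: the new Help section lists only firewalld.richlanguage and firewall-cmd, but the page also configures zones and copies a custom service file (leetservice.xml), so `man firewalld.zone`, `man firewalld.zones` and `man firewalld.service` belong in this list as well; those pages document the zone and service XML format the lab edits.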
Line 90: Line 108:
 ---- ----
  
-====== Multiple Interfaces ======+====== Forwarding: Multiple Interfaces ======
  
 If you have multiple interfaces and need to forward packets through them, IP Forwarding needs to be enabled. If you have multiple interfaces and need to forward packets through them, IP Forwarding needs to be enabled.
Line 97: Line 115:
 Enable ip forwarding (**on ipa/the router**) Enable ip forwarding (**on ipa/the router**)
 <code bash> <code bash>
-vim /etc/sysctl.conf+vim /etc/sysctl.d/router.conf
  
 +# Enable IP Forwarding to other interfaces
 net.ipv4.ip_forward=1 net.ipv4.ip_forward=1
 </code> </code>
  
 \\ \\
-Load changes from /etc/sysctl.conf+Load changes from all locations
 <code bash> <code bash>
-sysctl -p+sysctl --system 
 +</code> 
 + 
 +\\ 
 +Verify 
 +<code bash> 
 +sysctl -a | grep ip_forward
 </code> </code>
  
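Review bot: the Verify step `sysctl -a | grep ip_forward` also matches unrelated keys such as net.ipv4.ip_forward_use_pmtu; `sysctl net.ipv4.ip_forward` queries exactly the key the drop-in sets and is the cleaner check. Moving the setting to /etc/sysctl.d/router.conf and loading it with `sysctl --system` is the right change, because `sysctl -p` only reads /etc/sysctl.conf. One caveat worth a sentence: with ip_forward on, ipa routes between every attached network, so the firewalld zone configuration on ipa is what limits which traffic is actually forwarded, not this sysctl.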
Line 119: Line 144:
  
 ===== Zones ===== ===== Zones =====
 +
 +Firewall-cmd zone commands.
 +
 +==== General Commands ====
  
 Show default zone Show default zone
Line 150: Line 179:
 firewall-cmd --reload firewall-cmd --reload
 </code> </code>
 +
 +==== Lab: Set Zones for Router ====
 +
 +Setting zones for the router (ipa) system.
 +  * Add enp0s8 to internal<code bash>firewall-cmd --permanent --add-interface=enp0s8 --zone=internal</code>
 +  * Add enp0s9 to external<code bash>firewall-cmd --permanent --add-interface=enp0s9 --zone=external</code>
 +
 +\\
 +**Note:** As of RHEL 7.4, you **do not** need to execute the removal command/network script update like you did in earlier versions. Listed below just in case you get an older version on the exam.
 +  * Removal example<code bash>firewall-cmd --remove-interface=enp0s8 --zone=public</code>
 +  * Network script update example<code bash>nmcli con mod enp0s8 connection.zone internal</code>
  
 ---- ----
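Review bot: the two `--permanent --add-interface` commands in the Lab need a `firewall-cmd --reload` (as shown at the end of the General Commands above) before the router zones are live, and a check such as `firewall-cmd --get-active-zones` would confirm that enp0s8 sits in internal and enp0s9 in external. The RHEL 7.4 note is worth keeping, but say why it matters: from 7.4 firewall-cmd hands the zone to NetworkManager (connection.zone) itself, which is what the older `nmcli con mod enp0s8 connection.zone internal` step did by hand.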
Line 172: Line 212:
 firewall-cmd --reload firewall-cmd --reload
 </code> </code>
 +  * **Note**: Since the file was copied, the SELinux file context should have been copied as well.
 +    * View<code bash>ls -lZ /etc/firewalld/services/leetservice.xml</code>
 +    * Restore if needed<code bash>restorecon -v /etc/firewalld/services/leetservice.xml</code>
  
 \\ \\
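Review bot: the reasoning in the new SELinux note is backwards: `cp` creates a new file that receives the default label of the destination directory (/etc/firewalld/services), whereas `mv` carries the source file's label with it, so a copied service file is normally labelled correctly and a moved one is the case restorecon fixes. Keep the `ls -lZ` and `restorecon -v` steps, but reword the note to say the copy should have picked up the directory's default context and that restorecon is the fix if the file was moved instead.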
Line 224: Line 267:
   * log level=notice -> Change log level of http access   * log level=notice -> Change log level of http access
   * prefix -> Add this text to the front of the log   * prefix -> Add this text to the front of the log
-  * limit value -> Limit the amount of connections to 100 a second+  * limit value -> Limit the amount of logged connection attempts to 100 a second
   * accept -> Accept the connection   * accept -> Accept the connection
  
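Review bot: the reworded limit bullet is now accurate; in the rich language a `limit` that follows `log` only throttles the log entries, so the rule still accepts every connection. If the intent is to cap the connections themselves, a second `limit value="100/s"` placed after `accept` is required (see the Limit section of firewalld.richlanguage).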
Line 248: Line 291:
 Configure masquerading for hosts in a zone Configure masquerading for hosts in a zone
 <code bash> <code bash>
-firewall-cmd --permanent --zone=public --add-masquerade+firewall-cmd --permanent --zone=external --add-masquerade
 firewall-cmd --reload firewall-cmd --reload
 </code> </code>
  
 \\ \\
-Masquerading for specific source addresses+Additional Example: Masquerading for specific source addresses
 <code bash> <code bash>
-firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=10.10.5.0/24 masquerade'+firewall-cmd --permanent --zone=external --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 masquerade'
 </code> </code>
  
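Review bot: changing both masquerade commands from public to external matches the router zones set in the Lab, but note that the stock external zone already ships with masquerade enabled, so `--add-masquerade` here is effectively a no-op that documents intent. The rich rule in the Additional Example is the more precise form because it limits SNAT to 10.0.0.0/24; it only has that effect once the zone-wide masquerade is removed with `--remove-masquerade`, otherwise the zone setting keeps masquerading everything that leaves enp0s9.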
 ===== Port Forwarding ===== ===== Port Forwarding =====
  
-Forward a connection to the public IP on tcp/2222 to 10.10.5.100 on tcp/22 +Port forwarding allows external systems to access internal systems. 
 + 
 +They come in from external on one port, and get forwarded to an internal system on a different port. 
 + 
 +\\ 
 +Forward a connection from external 172.16.0.254 (ipa/router) on port tcp/2222 to internal 10.0.0.1 (server1) on port tcp/22 
 <code bash> <code bash>
-firewall-cmd --permanent --zone=public --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=10.10.5.100+firewall-cmd --permanent --zone=external --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=10.0.0.1
 firewall-cmd --reload firewall-cmd --reload
 </code> </code>
 +
 +\\
 +Test the connection from server2<code bash>[root@server2 ~]# ssh -p 2222 root@172.16.0.254
 +
 +The authenticity of host '[172.16.0.254]:2222 ([172.16.0.254]:2222)' can't be established.               
 +ECDSA key fingerprint is SHA256:klAqN92d6UnV80L99E5TxQHBxFDMSk9HNcL7E4DsKdY.                             
 +ECDSA key fingerprint is MD5:9d:56:7a:12:32:fd:df:b6:9e:6d:4c:9e:1a:72:a0:78.                            
 +Are you sure you want to continue connecting (yes/no)? yes                                               
 +Warning: Permanently added '[172.16.0.254]:2222' (ECDSA) to the list of known hosts.                                    
 +root@172.16.0.254's password:                                                                                                              
 +[root@server1 ~]# </code>
 +  * server2 connects to port 2222 on the ipa/router VM.
 +  * The firewall port forward rule forwards the connection to port 22 on server1
  
 ---- ----
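Review bot: the new forward-port rule exposes ssh on server1 to every host in the external zone, not only to server2; where the lab allows it, the rich-rule form from firewalld.richlanguage (referenced in the Help section) can pin the source, e.g. `rule family="ipv4" source address="172.16.0.X/32" forward-port port="2222" protocol="tcp" to-port="22" to-addr="10.0.0.1"`, where 172.16.0.X stands for server2's enp0s8 address, which this diff does not show. The test transcript is useful, but the two fingerprint lines and the known-hosts warning add nothing to the point; trimming it to the `ssh -p 2222` command and the final `[root@server1 ~]#` prompt keeps the hunk readable. It is also worth stating that the return path works because server1's static route for 172.16.0.0/24 (added at Line 49) sends replies back through ipa.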
  
  • linux_wiki/use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat.1522380790.txt.gz
  • Last modified: 2019/05/25 23:50
  • (external edit)