


Use Firewalld and Associated Mechanisms Such as Rich Rules, Zones and Custom Rules to Implement Packet Filtering and Configure Network Address Translation (NAT)

General Information

Firewalld replaces the iptables service as the firewall management tool; it configures the netfilter packet-filtering code in the kernel.

It differs from iptables in that configuration changes are applied without dropping established connections, and it is a zone-based firewall: each interface or source address is assigned to a zone whose rules govern its traffic.


Lab Setup

The following virtual machines will be used:

  • server1 (192.168.1.150) → Will be the internal system
    • Add 1 interface for internal: 10.0.0.1/24
  • server2 (192.168.1.151) → Will be the external system
    • Add 1 interface for external: 172.16.0.1/24
  • ipa (192.168.1.152) → Will be the “router”
    • Add 2 interfaces
      • Internal: 10.0.0.254/24
      • External: 172.16.0.254/24

VirtualBox example for adding interfaces

  • Pre-Req: VMs must be powered off
  • Select the VM
  • In the top bar, click “Settings”
    • On the left navigation, select “Network”
      • In the middle pane, click “Adapter 2”
        • Check “Enable Network Adapter”
        • Attached to: Internal Network
      • Repeat for each VM
      • Add “Adapter 3” for the ipa/router VM
  • Power on all VMs
  • server1 (192.168.1.150) → Will be the internal system
    • IP for internal: 10.0.0.1/24
      # Rename the connection to match the device
      nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
       
      # Set IP info (the gateway is the router's internal address)
      nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 10.0.0.1/24 ipv4.gateway 10.0.0.254
       
      # Bring the interface up
      nmcli con up enp0s8
  • server2 (192.168.1.151) → Will be the external system
    • IP for external: 172.16.0.1/24
      # Rename the connection to match the device
      nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
       
      # Set IP info (the gateway is the router's external address)
      nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 172.16.0.1/24 ipv4.gateway 172.16.0.254
       
      # Bring the interface up
      nmcli con up enp0s8
  • ipa (192.168.1.152) → Will be the “router”
    • IPs for both interfaces (no gateway is set on the router's lab interfaces)
      • Internal: 10.0.0.254/24
        # Rename the connection to match the device
        nmcli con mod Wired\ connection\ 1 con-name enp0s8 ifname enp0s8
         
        # Set IP info
        nmcli con mod enp0s8 ipv4.method manual ipv4.addresses 10.0.0.254/24
         
        # Bring the interface up
        nmcli con up enp0s8
      • External: 172.16.0.254/24
        # Rename the connection to match the device
        nmcli con mod Wired\ connection\ 2 con-name enp0s9 ifname enp0s9
         
        # Set IP info
        nmcli con mod enp0s9 ipv4.method manual ipv4.addresses 172.16.0.254/24
         
        # Bring the interface up
        nmcli con up enp0s9

Firewalld Service

Ensure it is running

systemctl status firewalld

Multiple Interfaces

If the router has multiple interfaces and must forward packets between them, IP forwarding needs to be enabled in the kernel (it is off by default).


Enable ip forwarding (on ipa/the router)

vim /etc/sysctl.d/router.conf
 
# Enable IP Forwarding to other interfaces
net.ipv4.ip_forward=1


Load changes from all locations

sysctl --system


Verify

sysctl -a | grep ip_forward

Packet Filtering

Open http (tcp/80)

firewall-cmd --permanent --add-service=http
firewall-cmd --reload

Show default zone

firewall-cmd --get-default-zone


Active zones (zones that have interfaces or sources assigned)

firewall-cmd --get-active-zones


Show all zones

firewall-cmd --get-zones


List config of all zones

firewall-cmd --list-all-zones


Create rules for a specific zone (traffic from the source address is matched to the work zone, which then allows http)

firewall-cmd --permanent --zone=work --add-source=192.168.1.151
firewall-cmd --permanent --zone=work --add-service=http
firewall-cmd --reload

Custom Service

  • Built-in service definitions: /usr/lib/firewalld/services/
  • Custom services and overrides (take precedence over the built-in files): /etc/firewalld/services/

Copy a built-in service file as a starting point

cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/leetservice.xml


Edit it, then reload the firewall

vim /etc/firewalld/services/leetservice.xml
 
<make changes, save, quit>
 
firewall-cmd --reload


The custom service can now be listed and used

firewall-cmd --get-services
 
firewall-cmd --permanent --add-service=leetservice
firewall-cmd --reload
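The page copies ssh.xml and says to edit it without showing the result. The following is an added example, not from the wiki: a POSIX shell helper that generates the service definition in the same layout as the files under /usr/lib/firewalld/services/, validating the service name and each PORT/PROTO before writing. The service name leetservice is the page's; the ports 1337/tcp and 1337/udp are assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki page: generate a firewalld service
# definition instead of hand-editing a copy of ssh.xml. The service name
# "leetservice" is the page's; the ports 1337/tcp and 1337/udp are assumed.
set -eu

# Escape the XML special characters so a description such as "A & B"
# cannot break the document.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# write_firewalld_service DIR NAME SHORT DESCRIPTION PORT/PROTO [PORT/PROTO ...]
# Writes DIR/NAME.xml in the layout used by /usr/lib/firewalld/services/*.xml
# and prints the path. Nothing is written until every argument validates.
write_firewalld_service() {
    dir=$1 name=$2 short=$3 desc=$4
    shift 4
    case $name in
        *[!A-Za-z0-9_-]*|'') echo "invalid service name: $name" >&2; return 1 ;;
    esac
    [ $# -ge 1 ] || { echo "at least one PORT/PROTO is required" >&2; return 1; }
    for spec in "$@"; do
        case ${spec#*/} in tcp|udp|sctp|dccp) ;; *) echo "bad port spec: $spec" >&2; return 1 ;; esac
        case ${spec%/*} in *[!0-9-]*|'') echo "bad port spec: $spec" >&2; return 1 ;; esac
    done
    out=$dir/$name.xml
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$out"
    printf '%s\n' "$out"
}

# Demonstration in a scratch directory. On the firewall host pass
# /etc/firewalld/services as DIR, then run: firewall-cmd --reload
demo_dir=$(mktemp -d)
write_firewalld_service "$demo_dir" leetservice "Leet Service" \
    "Custom lab service (ports assumed for this example)" 1337/tcp 1337/udp
cat "$demo_dir/leetservice.xml"
```

After the reload the new name appears in `firewall-cmd --get-services` and can be added to a zone exactly like a built-in service.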

Rich Rules

Rich rules extend the basic zone syntax and let you build allow or deny rules that combine:

  • Logging
  • Port forwarding
  • Masquerading
  • Rate limiting
  • Connections for one specific zone

Rich rule help/examples

man firewalld.richlanguage
  • Every rich rule starts with the keyword 'rule'
  • The entire rule is passed as one quoted string in the --add-rich-rule='...' argument of a firewall-cmd command.

Log SSH Attempts

firewall-cmd --zone=public --add-rich-rule='rule service name="ssh" log prefix="SSH Attempt: " level="notice" limit value="5/m" accept'


ICMP traffic

firewall-cmd --zone=public --add-rich-rule='rule protocol value=icmp accept'


Extending the HTTP Rule

firewall-cmd --permanent --zone=home --add-rich-rule='rule family=ipv4 source address=192.168.1.151 service name="http" log level=notice prefix="NEW HTTP RULE " limit value="100/s" accept'
firewall-cmd --reload
  • family=ipv4 → required: an address family must be given whenever an IP address is used as a source or destination
  • source address=192.168.1.151 → where the HTTP connection attempt is coming from
  • service name=http → the http service (tcp/80)
  • log level=notice → log matching packets at syslog level notice
  • prefix → text placed at the front of each log message
  • limit value → rate limit of 100 per second; written directly after log it caps the log entries, not the connections (a limit that follows accept would cap the accepted connections instead)
  • accept → accept the connection

NAT

Network Address Translation.

Prerequisites

Masquerading is typically used when hosts on a private network reach an external network (the internet) through a gateway: their private source addresses are rewritten to the gateway's external address.

A server with both an external and an internal interface, acting as the gateway, performs the NAT masquerading.

Masquerading is configured on the external zone/interface, the side the translated traffic leaves from.


Configure masquerading for hosts in a zone

firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --reload


Masquerading for specific source addresses

firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=10.10.5.0/24 masquerade'

Forward a connection to the public IP on tcp/2222 to 10.10.5.100 on tcp/22

firewall-cmd --permanent --zone=public --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=10.10.5.100
firewall-cmd --reload

  • Last modified: 2019/05/25 23:50