linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat

Differences

linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat [2018/03/30 00:05]
billdozor [Masquerading]
linux_wiki:use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat [2019/05/25 23:50] (current)
Line 49: Line 49:
 nmcli con up enp0s8 nmcli con up enp0s8
 </code> </code>
-    * Route for server1 to reach server2<code bash>nmcli con mod enp0s8 +ipv4.routes 172.16.0.0/24</code>+    * Route for server1 to reach server2<code bash>vim /etc/sysconfig/static-routes  
 +any net 172.16.0.0/24 gw 10.0.0.254 dev enp0s8 
 + 
 +#save, then restart the network service 
 +systemctl restart network</code>
  
   * server2 (192.168.1.151) -> Will be the external system   * server2 (192.168.1.151) -> Will be the external system
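Review bot: the missing next hop, not the tool, is what was wrong in the removed line: `nmcli con mod enp0s8 +ipv4.routes 172.16.0.0/24` with no gateway adds a directly connected route on enp0s8, which cannot reach 172.16.0.0/24 through the router, so the added `gw 10.0.0.254` is the real fix. Switching to `/etc/sysconfig/static-routes` plus `systemctl restart network` does pull the legacy network service into an otherwise nmcli-driven setup, though; the NetworkManager-native equivalent is `nmcli con mod enp0s8 +ipv4.routes "172.16.0.0/24 10.0.0.254"` followed by `nmcli con up enp0s8`, which stores the route in the connection profile rather than depending on the network service restart.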
Line 60: Line 64:
 # Bring interface up # Bring interface up
 nmcli con up enp0s8</code> nmcli con up enp0s8</code>
-    * Route for server2 to reach server1<code bash>nmcli con mod enp0s8 +ipv4.routes 10.0.0.0/24</code>+    * Route for server2 to reach server1<code bash>vim /etc/sysconfig/static-routes  
 +any net 10.0.0.0/24 gw 172.16.0.254 dev enp0s8 
 + 
 +#save, then restart the network service 
 +systemctl restart network</code>
  
   * ipa (192.168.1.152) -> Will be the "router"   * ipa (192.168.1.152) -> Will be the "router"
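Review bot: same point as the server1 route: `gw 172.16.0.254` supplies the next hop the old nmcli line lacked, but the route now lives in `/etc/sysconfig/static-routes`, which only the legacy network service applies, while the interface itself is managed with nmcli on the lines just above. `nmcli con mod enp0s8 +ipv4.routes "10.0.0.0/24 172.16.0.254"` then `nmcli con up enp0s8` would keep both halves of the server2 setup under NetworkManager and survive a later `nmcli con up` without a `systemctl restart network`.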
Line 80: Line 88:
 # Bring interface up # Bring interface up
 nmcli con up enp0s9</code> nmcli con up enp0s9</code>
 +
 +----
 +
 +====== Help ======
 +
 +Finding help in this section.
 +  * Firewalld Rich Rules<code bash>man firewalld.richlanguage</code>
 +  * Firewall Cmd Man page (forward ports)<code bash>man firewall-cmd</code>
  
 ---- ----
Line 172: Line 188:
 \\ \\
 **Note:** As of RHEL 7.4, you **do not** need to execute the removal command/network script update like you did in earlier versions. Listed below just in case you get an older version on the exam. **Note:** As of RHEL 7.4, you **do not** need to execute the removal command/network script update like you did in earlier versions. Listed below just in case you get an older version on the exam.
-  * Removal example<code bash>firewall-cmd --remove-interface-enp0s8 --zone=public</code>+  * Removal example<code bash>firewall-cmd --remove-interface=enp0s8 --zone=public</code>
   * Network script update example<code bash>nmcli con mod enp0s8 connection.zone internal</code>   * Network script update example<code bash>nmcli con mod enp0s8 connection.zone internal</code>
  
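Review bot: the corrected syntax `--remove-interface=enp0s8 --zone=public` is right (the option takes `=`), but as written the command has no `--permanent`, so it only changes the runtime zone binding and is lost at reload. That is consistent with the note above that it is only needed on pre-7.4 hosts, and the following `nmcli con mod enp0s8 connection.zone internal` line is what actually persists the zone; it would help the reader to say explicitly that the removal is runtime-only and the nmcli line is the persistent step.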
Line 251: Line 267:
   * log level=notice -> Change log level of http access   * log level=notice -> Change log level of http access
   * prefix -> Add this text to the front of the log   * prefix -> Add this text to the front of the log
-  * limit value -> Limit the amount of connections to 100 a second+  * limit value -> Limit the amount of logged connection attempts to 100 a second
   * accept -> Accept the connection   * accept -> Accept the connection
  
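Review bot: the reworded `limit value` bullet is correct: in the rich rule language `limit` attached to the `log` element caps how many log entries are written per interval, not how many connections are accepted, so the old "Limit the amount of connections" text was misleading. Worth adding one clause that if the goal is to rate-limit the connections themselves, the `limit value=` element belongs on the `accept` action instead of on `log`.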
Line 287: Line 303:
 ===== Port Forwarding ===== ===== Port Forwarding =====
  
-Forward a connection to the public IP on tcp/2222 to 10.10.5.100 on tcp/22 +Port forwarding allows external systems to access internal systems. 
 + 
 +They come in from external on one port, and get forwarded to an internal system on a different port. 
 + 
 +\\ 
 +Forward a connection from external 172.16.0.254 (ipa/router) on port tcp/2222 to internal 10.0.0.1 (server1) on port tcp/22 
 <code bash> <code bash>
-firewall-cmd --permanent --zone=public --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=10.10.5.100+firewall-cmd --permanent --zone=external --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=10.0.0.1
 firewall-cmd --reload firewall-cmd --reload
 </code> </code>
 +
 +\\
 +Test the connection from server2<code bash>[root@server2 ~]# ssh -p 2222 root@172.16.0.254
 +
 +The authenticity of host '[172.16.0.254]:2222 ([172.16.0.254]:2222)' can't be established.               
 +ECDSA key fingerprint is SHA256:klAqN92d6UnV80L99E5TxQHBxFDMSk9HNcL7E4DsKdY.                             
 +ECDSA key fingerprint is MD5:9d:56:7a:12:32:fd:df:b6:9e:6d:4c:9e:1a:72:a0:78.                            
 +Are you sure you want to continue connecting (yes/no)? yes                                               
 +Warning: Permanently added '[172.16.0.254]:2222' (ECDSA) to the list of known hosts.                                    
 +root@172.16.0.254's password:                                                                                                              
 +[root@server1 ~]# </code>
 +  * server2 connects to port 2222 on the ipa/router VM.
 +  * The firewall port forward rule forwards the connection to port 22 on server1
  
 ---- ----
  
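Review bot: the change from `--zone=public` to `--zone=external` and from 10.10.5.100 to 10.0.0.1 lines the example up with the lab addresses used earlier (172.16.0.254 on ipa, server1 at 10.0.0.1), but the reason the zone switch matters is left unsaid: a forward-port with `toaddr=` to another host needs masquerading on the zone, and the built-in `external` zone has masquerade enabled by default while `public` does not, so with `public` this rule would also have required `--add-masquerade`. Stating that in the new intro paragraph would explain the zone choice. The added test is good evidence the forward works, since the prompt changes from `[root@server2 ~]#` to `[root@server1 ~]#` after connecting to 172.16.0.254:2222.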
  • linux_wiki/use_firewalld_and_associated_mechanisms_such_as_rich_rules_zones_and_custom_rules_to_implement_packet_filtering_and_configure_network_address_translation_nat.1522382738.txt.gz
  • Last modified: 2019/05/25 23:50
  • (external edit)