
FIREWALLd – blocking unwanted traffic in Linux, based on zones

Firewalld, like iptables, relies on Netfilter in the kernel to do the actual packet filtering. The difference is that iptables works with chains of filter rules, much like ACLs on a router, while firewalld works with zones, similar to the security levels of a Cisco ASA. The idea behind firewalld is that interfaces and source networks are grouped into zones, and each zone has a different level of trust.

The predefined zones, from least to most trusted, and how they treat incoming traffic (outgoing connections are allowed by all of them):

- drop – all incoming packets are dropped without any reply
- block – all incoming connections are rejected with an ICMP prohibited message; only connections initiated from the host itself are possible
- public – untrusted network; only selected incoming connections (ssh and dhcpv6-client by default) are accepted
- external – like public, but with masquerading enabled; meant for a router's outside interface
- dmz – for hosts reachable from outside that should have limited access to the internal network; only selected incoming connections are accepted
- work, home, internal – trusted networks; a few more incoming services are accepted (for example ssh, mdns, samba-client, dhcpv6-client, depending on the zone)
- trusted – all incoming connections are accepted

Of course we may also create our own zones.

FIREWALLd – before we start 

rpm -qa firewalld – checks whether the firewalld package is installed

systemctl status firewalld – checks whether the daemon is running; "firewall-cmd --state" does the same.

/etc/firewalld/firewalld.conf – main configuration file of firewalld (default zone, logging of denied packets, etc.)

systemctl mask iptables – turns off the iptables service (and prevents it from being started). Both services manage the same Netfilter rule set, so they must not run at the same time.

We also want firewalld to be running now and to start automatically after a reboot; check both:

systemctl is-active firewalld
active
systemctl is-enabled firewalld
enabled

firewall-cmd --[double TAB] – tab completion shows the options available at that point, similar to "?" in Cisco IOS.

/usr/lib/firewalld/services – location of the predefined "services" in XML format; we create our own services in /etc/firewalld/services (a file there with the same name overrides the predefined one)

/usr/lib/firewalld/zones – location of the predefined "zones"; we create our own zones in /etc/firewalld/zones

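A custom service is just a small XML file in /etc/firewalld/services, so it can be generated instead of written by hand. The following function is an added example and not part of the original post: it writes a service definition with one <port/> element per PORT/PROTO argument, validates the arguments first (the name ends up as a file name and a firewall-cmd argument), and escapes the description for XML. The FIREWALLD_SERVICES_DIR override is an assumption of this example, so the function can be exercised in a scratch directory; firewalld itself only reads /etc/firewalld/services.

```shell
#!/usr/bin/env bash
# make_service.sh - write a custom firewalld service definition to
# /etc/firewalld/services/<name>.xml (this directory overrides the predefined
# services in /usr/lib/firewalld/services). FIREWALLD_SERVICES_DIR is an
# assumed override for testing; it is not a firewalld setting.
#
# Usage: make_service NAME "DESCRIPTION" PORT[-PORT]/PROTO [PORT[-PORT]/PROTO ...]

make_service() {
    name=$1; desc=$2; shift 2
    dir=${FIREWALLD_SERVICES_DIR:-/etc/firewalld/services}

    # the name becomes a file name and a firewall-cmd argument: keep it boring
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "make_service: invalid service name '$name'" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "make_service: at least one PORT/PROTO is required" >&2; return 1; }

    # validate every port spec before touching the file system
    for spec in "$@"; do
        port=${spec%/*}; proto=${spec#*/}
        case "$port" in
            ''|*[!0-9-]*) echo "make_service: bad port in '$spec'" >&2; return 1 ;;
        esac
        case "$proto" in
            tcp|udp|sctp|dccp) ;;
            *) echo "make_service: bad protocol in '$spec' (tcp|udp|sctp|dccp)" >&2; return 1 ;;
        esac
    done

    # escape the three characters that would break the XML
    desc=$(printf '%s' "$desc" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')

    file=$dir/$name.xml
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>%s</description>\n' "$desc"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file"
    echo "$file"
}
```

Run it as root, then `firewall-cmd --reload` so firewalld reads the new file, after which the service can be used like a predefined one (`firewall-cmd --add-service=mysql-alt`). The same result can be reached without a file through `firewall-cmd --permanent --new-service=NAME` followed by `firewall-cmd --permanent --service=NAME --add-port=PORT/PROTO`.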

FIREWALLd – fundamentals

Firewalld keeps two configurations at the same time: runtime and permanent. A change made without "--permanent" goes to the runtime configuration only; a change made with "--permanent" goes to the permanent configuration only and is not applied until the next reload:

firewall-cmd --add-service=http --permanent

After changing the permanent configuration we have to reload it, otherwise the change is not taken into account. The runtime configuration always disappears after a server reboot, and also after the --reload command, so runtime changes that were not made permanent are lost.

firewall-cmd --reload

If we want to write the current runtime configuration into the permanent one (for example after testing a change interactively) we run

firewall-cmd --runtime-to-permanent


FIREWALLd – zones

As I mentioned at the beginning, we have a number of predefined zones. If you run the command "firewall-cmd --list-all --zone=public" you get the output below (without any rules, of course). public is the default zone.


target – the action for traffic that matches none of the rules below; the default target rejects such traffic, the other possible targets are ACCEPT and DROP
interfaces – interfaces bound to the zone
sources – source networks bound to the zone
services – services allowed within the zone
ports – ports allowed within the zone
protocols – allowed IP protocols
masquerade – whether masquerading is enabled on the zone
forward-ports – port forwarding rules
rich rules – more granular rules based on source and destination

As you can see, we may bind interfaces or particular source networks to a zone. An incoming packet is assigned to exactly one zone, and the order in which the zone is determined is the following:

- first the SOURCE address is checked against the source networks bound to all zones
- second the ingress INTERFACE, if it is bound to a zone
- if neither matches, the packet is assigned to the default zone (public, if we did not change it)
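To make the order concrete, here is a small model of that decision as an added example (it is not firewalld code and not from the original post): a constructed binding table in the same shape as "firewall-cmd --get-active-zones" output, a CIDR match, and a lookup that tries source bindings of every zone first, then the interface binding, then the default zone. The interface names and networks are made up. On a real host the bindings themselves are checked with "firewall-cmd --get-zone-of-source=NET" and "firewall-cmd --get-zone-of-interface=IFACE".

```shell
#!/usr/bin/env bash
# zone_lookup.sh - model of firewalld's zone assignment for an incoming packet:
#   1. a zone with the packet's source network bound wins,
#   2. otherwise the zone the ingress interface is bound to,
#   3. otherwise the default zone.
# Constructed bindings for the example (not read from a real host):
# one "zone kind value" triple per line.
ZONE_BINDINGS='
dmz      interface ens37
public   interface ens33
internal source    192.168.1.0/24
trusted  source    10.0.0.5/32
'
DEFAULT_ZONE=public

# ip2int DOTTED_QUAD -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP CIDR -> exit 0 when IP lies inside CIDR (a bare address means /32)
in_cidr() {
    net=${2%/*}; len=${2#*/}
    [ "$len" = "$2" ] && len=32
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# zone_for_packet SRC_IP IFACE -> prints the zone the packet is assigned to
zone_for_packet() {
    src=$1; iface=$2
    # pass 1: source bindings of every zone take precedence
    while read -r zone kind value; do
        [ "$kind" = source ] && in_cidr "$src" "$value" && { echo "$zone"; return; }
    done <<EOF
$ZONE_BINDINGS
EOF
    # pass 2: the interface the packet arrived on
    while read -r zone kind value; do
        [ "$kind" = interface ] && [ "$value" = "$iface" ] && { echo "$zone"; return; }
    done <<EOF
$ZONE_BINDINGS
EOF
    # pass 3: nothing matched, default zone
    echo "$DEFAULT_ZONE"
}
```

The point worth remembering from the model: a packet from 192.168.1.77 arriving on ens33 lands in internal, not in public, because the source binding is checked before the interface binding. Binding a source network to a permissive zone therefore silently overrides whatever the interface's zone would have done.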

FIREWALLd configuration commands

The list of commands below is only a selection; the full list is much longer. Remember that <double TAB> will help you find the right option.

firewall-cmd --list-all – shows the configuration of the default zone: bound interfaces, sources, services, ports, rich rules etc. (add --zone=NAME for another zone; --list-all-zones shows every zone)

firewall-cmd --get-zones – lists all available zones, whether they are in use or not

firewall-cmd --zone=internal --change-interface=eth0 – assigns an interface to a particular zone. If the interface is managed by NetworkManager, we have to change the zone with nmcli or directly in /etc/sysconfig/network-scripts/ifcfg-<interface-name> by adding the line "ZONE=internal"

firewall-cmd --add-source=192.168.1.0/24 – binds a source network to the (default) zone; add --zone=NAME for another zone

firewall-cmd --panic-on – panic mode: drops all incoming and outgoing packets, including your own SSH session, so use it from the console (--panic-off turns it off)
firewall-cmd --query-panic – checks whether panic mode is on


firewall-cmd --get-services – lists all services known to firewalld that we may use in a zone
firewall-cmd --get-default-zone – shows the default zone of the server
firewall-cmd --get-active-zones – shows the zones that have interfaces or sources bound to them
firewall-cmd --set-default-zone=[name] – sets the default zone (this is a runtime and permanent change at once)


firewall-cmd --add-service=mysql – allows the mysql service in the default zone
firewall-cmd --add-service={http,https,ftp} – allows several services at once (the braces are expanded by bash)


firewall-cmd --zone=public --add-port=3360/tcp – allows port 3360/tcp in zone public (the default zone)
firewall-cmd --add-port={3360/tcp,5000/tcp,6000/tcp} – allows several ports
firewall-cmd --add-port=5000-5010/tcp – allows a range of ports
firewall-cmd --remove-port=3360/tcp – removes the port from the configuration again

Rich rules – let us allow or block connections based on source and destination addresses, ports and services, like extended ACLs in the Cisco world

firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.20 accept' – allows any connection from the host 192.168.1.20 (written as 192.168.1.20/24 the rule would match the whole 192.168.1.0/24 network, not the single host)

firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.40 destination address=10.10.10.1 port port=80 protocol=tcp drop' – blocks connections from 10.0.0.40 to 10.10.10.1 on port 80 (the WWW server)

Port forwarding (PAT)

firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80 – forwards port 8080 to port 80 on the same server

firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=192.168.1.1 – forwards port 8080 to port 80 on another address; forwarding to a different host requires masquerading to be enabled on the zone (see below)

NAT

firewall-cmd --permanent --zone=public --add-masquerade – enables masquerading (source NAT) on zone public: traffic forwarded out through the zone's interfaces leaves with the interface address as its source, and firewalld turns on IPv4 forwarding for it

FIREWALLd – let's lab it out!

I've created a simple lab to try a couple of commands and solutions within firewalld in a "production environment", according to the diagram below.


The final outcome of the lab is: the WWW server 10.10.10.1:80 is published by PAT as 10.0.0.1:80, so both outside hosts reach it through the address 10.0.0.1. Next, host 172.16.0.1 is blocked when it tries to access the FTP server 10.0.0.1, and host 192.168.0.1 is blocked when it tries to access the WWW server 10.10.10.1.

I assume you've installed the httpd daemon on 10.10.10.1 and vsftpd on the 10.0.0.1 server.

1. Assign the interfaces to the zones dmz and public on the FTP server

firewall-cmd --zone=dmz --change-interface=ens37
firewall-cmd --zone=public --change-interface=ens33

Because my interfaces are managed by NetworkManager, I also have to edit the network scripts: add ZONE=dmz at the end of /etc/sysconfig/network-scripts/ifcfg-ens37 and, respectively, ZONE=public to ifcfg-ens33.

2. Enable the FTP service in the public zone

firewall-cmd --permanent --zone=public --add-service=ftp

3. Create the NAT rules for the WWW server according to the diagram. Anyone connecting to the outside address 10.0.0.1 on port 80 is forwarded to 10.10.10.1; masquerading is required for forwarding to another host:

firewall-cmd --permanent --zone=public --add-masquerade

firewall-cmd --permanent --zone=public --add-forward-port=port=80:proto=tcp:toport=80:toaddr=10.10.10.1

4. Block host 192.168.0.1 from accessing the WWW server (10.10.10.1) and accept 172.16.0.1 on the WWW server:

Instead of adding the http service I add port 80, which is effectively the same:

firewall-cmd --permanent --add-port=80/tcp

firewall-cmd --zone=public --permanent --add-rich-rule='rule family=ipv4 source address=192.168.0.1 destination address=10.10.10.1 port port=80 protocol=tcp drop'

Note the source address is the single host 192.168.0.1; with a /24 suffix the rule would block the whole 192.168.0.0/24 network.

5. On the FTP server, block host 172.16.0.1 from accessing the FTP service (10.0.0.1):

firewall-cmd --zone=public --permanent --add-rich-rule='rule family=ipv4 source address=172.16.0.1 destination address=10.0.0.1 service name=ftp drop'

Since every change in the lab was made with --permanent, none of it is active until firewall-cmd --reload is run; afterwards firewall-cmd --zone=public --list-all should show the ftp service, the masquerade flag, the forward port and both rich rules.

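The whole lab, steps 1 to 5 together with the port forwarding and NAT pieces from the sections above, as one script. This is an added example, not part of the original post: the interface names (ens33, ens37) and addresses are the ones from the lab diagram, the FWCMD override is an assumption of this example so the script can be dry-run with FWCMD=echo (everything the wrapper receives is real firewall-cmd syntax), and the per-host drops use single addresses so they do not block whole /24 networks.

```shell
#!/usr/bin/env bash
# lab_firewalld.sh - the page's lab as a script. configure_gateway runs on the
# FTP/gateway host (ens33 = public side with 10.0.0.1, ens37 = DMZ side towards
# the WWW server 10.10.10.1); configure_www_server runs on 10.10.10.1 itself.
# FWCMD is an assumed override for dry runs (FWCMD=echo); everything passed to it
# is real firewall-cmd syntax. Run as root.
set -eu

FWCMD=${FWCMD:-firewall-cmd}
fw() { "$FWCMD" "$@"; }

PUBLIC_IF=ens33
DMZ_IF=ens37
WWW_SERVER=10.10.10.1
FTP_SERVER=10.0.0.1
BLOCKED_FROM_WWW=192.168.0.1   # single hosts: no /24, which would block the whole network
BLOCKED_FROM_FTP=172.16.0.1

configure_gateway() {
    # 1. bind the interfaces. With NetworkManager also set ZONE=... in ifcfg-*
    #    (or: nmcli connection modify <connection> connection.zone <zone>)
    fw --permanent --zone=dmz    --change-interface="$DMZ_IF"
    fw --permanent --zone=public --change-interface="$PUBLIC_IF"
    # 2. FTP is served by this host on its public side
    fw --permanent --zone=public --add-service=ftp
    # 3. publish the WWW server: masquerade (needed to forward to another host)
    #    plus forwarding of 10.0.0.1:80 to 10.10.10.1:80
    fw --permanent --zone=public --add-masquerade
    fw --permanent --zone=public --add-forward-port="port=80:proto=tcp:toport=80:toaddr=$WWW_SERVER"
    # 4./5. per-host drops. Drop/reject rich rules are placed in the zone's deny
    #    chain, which is evaluated before its allow chain, so they beat the
    #    service/port allows above.
    fw --permanent --zone=public --add-rich-rule="rule family=ipv4 source address=$BLOCKED_FROM_WWW destination address=$WWW_SERVER port port=80 protocol=tcp drop"
    fw --permanent --zone=public --add-rich-rule="rule family=ipv4 source address=$BLOCKED_FROM_FTP destination address=$FTP_SERVER service name=ftp drop"
    # permanent changes are inert until reloaded
    fw --reload
}

configure_www_server() {
    # step 4 on 10.10.10.1: httpd must be reachable; for the default zone
    # --add-port=80/tcp is equivalent to --add-service=http
    fw --permanent --add-port=80/tcp
    fw --reload
}

show_gateway_state() {
    # what to eyeball after the reload: bindings, then both zones in full
    fw --get-active-zones
    fw --zone=public --list-all
    fw --zone=dmz --list-all
}

case "${1:-}" in
    gateway) configure_gateway; show_gateway_state ;;
    www)     configure_www_server ;;
esac
```

Usage: `./lab_firewalld.sh gateway` on the FTP host and `./lab_firewalld.sh www` on the WWW server; `FWCMD=echo ./lab_firewalld.sh gateway` prints the exact firewall-cmd invocations without touching anything, which is a cheap way to review a firewall change before applying it on a remote box.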
