Difference between revisions of "Firewall"

From The Linux Source

Latest revision as of 11:46, 9 May 2017

Overview / Gotchas

Warning: firewalld changes are made either to the running/active config or to the permanent config; there is no single command that changes both. This is deliberate: you can test changes in the active config (which are not permanent), and if the system becomes unreachable it can simply be rebooted to get it back to the previous working state. To update both the active and permanent configs, every command has to be run twice, once without --permanent to change the active state and a second time with --permanent to save the change. Alternately you can run all commands with --permanent and then do a 'firewall-cmd --reload', though this is not recommended.
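The gotcha above leaves a typical failure mode: a port or service added without --permanent works until the next reload or reboot and then silently disappears. As an added example (not from the original page), the POSIX shell snippet below compares the runtime and permanent lists that firewall-cmd prints and reports anything that exists only at runtime. The sample lists are constructed; the audit_zone function assumes a live firewalld is installed.

```shell
#!/bin/sh
# Added example, not from the original wiki page: find firewalld entries that exist
# only in the runtime configuration. Such entries were added without --permanent and
# will vanish on 'firewall-cmd --reload' or at the next boot.

# runtime_only LIST_RUNTIME LIST_PERMANENT
#   Both arguments are space-separated lists as printed by 'firewall-cmd --list-ports',
#   '--list-services' or '--list-sources' (with and without --permanent). Prints every
#   entry of the first list that is missing from the second, one per line.
runtime_only() {
    for entry in $1; do
        found=0
        for p in $2; do
            if [ "$entry" = "$p" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# audit_zone ZONE
#   Runs the comparison for ports, services and sources of one zone on a live
#   firewalld (assumes firewall-cmd is installed). Returns 1 if anything is
#   runtime-only, so it can be used from a cron job or a config-management check.
audit_zone() {
    zone=$1
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 2; }
    lost=0
    for kind in ports services sources; do
        diff=$(runtime_only "$(firewall-cmd --zone="$zone" --list-$kind)" \
                            "$(firewall-cmd --zone="$zone" --list-$kind --permanent)")
        if [ -n "$diff" ]; then
            echo "runtime-only $kind in zone $zone: $diff" | tr '\n' ' '
            echo
            lost=1
        fi
    done
    return $lost
}

# Constructed sample outputs: 222/tcp was opened with '--add-port 222/tcp' but never
# with --permanent, and the ssh service was removed from the permanent config only.
SAMPLE_PORTS_RUNTIME="443/tcp 222/tcp"
SAMPLE_PORTS_PERMANENT="443/tcp"
SAMPLE_SERVICES_RUNTIME="ssh dhcpv6-client"
SAMPLE_SERVICES_PERMANENT="dhcpv6-client"

echo "runtime-only ports:"
runtime_only "$SAMPLE_PORTS_RUNTIME" "$SAMPLE_PORTS_PERMANENT"
echo "runtime-only services:"
runtime_only "$SAMPLE_SERVICES_RUNTIME" "$SAMPLE_SERVICES_PERMANENT"
```

Run `audit_zone public` on a live system to check the default zone. Whatever it reports is exactly what the page's "run every command twice" rule is meant to prevent; on firewalld versions that support it, `firewall-cmd --runtime-to-permanent` copies the whole runtime configuration into the permanent one in one step.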

iptables examples (before ent 7)

Allow https port:

TEMPORARY
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
PERMANENT
do temporary step and "service iptables save", OR
# vi /etc/sysconfig/iptables
ADD
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# service iptables restart

Allow a custom ssh port:

TEMPORARY
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 222 -j ACCEPT
PERMANENT
do temporary step and "service iptables save", OR
# vi /etc/sysconfig/iptables
ADD
-A INPUT -m state --state NEW -m tcp -p tcp --dport 222 -j ACCEPT
# service iptables restart

Allow samba: figure out all of its UDP and TCP ports and add the needed lines in the same fashion as the previous examples.

firewalld examples (ent 7)

Allow https port:

TEMPORARY
# firewall-cmd --add-port 443/tcp
PERMANENT (to make active, also do temporary step, or after the permanent step do "firewall-cmd --reload")
# firewall-cmd --add-port 443/tcp --permanent

Note: you can use '--add-service http' instead, but this adds a long list of ports (80/443/8080/8443/etc.), so it is more secure, and preferable, to open only the individual ports you need.
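Before using --add-service it is worth checking what the service definition actually opens. On a live system `firewall-cmd --info-service=NAME` prints that; the added example below (not from the original page) does the same offline by reading a firewalld service definition, the small XML files under /usr/lib/firewalld/services/ and /etc/firewalld/services/, and listing its port/protocol pairs. The sample definition is constructed for this example and the temp-file path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original wiki page: list the ports a firewalld service
# definition would open, so they can be compared with what is actually needed before
# running 'firewall-cmd --add-service'.

# service_ports FILE
#   Prints one "port/protocol" per <port .../> element of a firewalld service XML file,
#   in file order. Attribute order inside the element does not matter.
service_ports() {
    grep '<port ' "$1" | while IFS= read -r line; do
        port=$(printf '%s\n' "$line" | sed 's/.*[[:space:]]port="\([^"]*\)".*/\1/')
        proto=$(printf '%s\n' "$line" | sed 's/.*protocol="\([^"]*\)".*/\1/')
        printf '%s/%s\n' "$port" "$proto"
    done
}

# write_sample_service FILE
#   Writes a constructed service definition (two ports) in firewalld's XML format.
#   This is sample data for the example, not a real firewalld service file.
write_sample_service() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Example web service</short>
  <description>Constructed sample for this example, not a real firewalld service.</description>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
</service>
EOF
}

# Demo on the constructed sample (temp-file location is an assumption).
sample=${TMPDIR:-/tmp}/firewalld-service-sample.$$
write_sample_service "$sample"
echo "ports opened by $sample:"
service_ports "$sample"
rm -f "$sample"
```

Point `service_ports` at a real definition, for example /usr/lib/firewalld/services/http.xml, and if the list is longer than the ports you need, follow the page's advice and add the individual ports instead.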

Allow a custom ssh port:

TEMPORARY
# firewall-cmd --add-port 222/tcp
PERMANENT (to make active, also do temporary step, or after the permanent step do "firewall-cmd --reload")
# firewall-cmd --add-port 222/tcp --permanent

Allow samba:

# firewall-cmd --add-service smb --permanent

firewalld - running/enabling firewalld

When firewalld is running it conflicts with the old iptables service, so if firewalld rules are set up and the iptables service gets started or enabled, the two services will contend with each other and cause problems. To ensure this does not happen accidentally once a firewalld setup is configured and working, it is recommended to 'mask' the conflicting services: a masked service cannot simply be enabled; whoever tries will find out it has been masked and must explicitly unmask it before iptables can be enabled. Recommended enable procedure for firewalld:

# systemctl mask   iptables
# systemctl mask   ip6tables
# systemctl mask   ebtables
# systemctl enable firewalld
# systemctl start  firewalld

firewalld - zones

The following is a description of the default zones that currently come preconfigured on a system:

Zone - Description
drop - Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block - Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
public - For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external - For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz - For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
work - For use in work areas. You mostly trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
home - For use in home areas. You mostly trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
internal - For use on internal networks. You mostly trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
trusted - All network connections are accepted.

The default zone is public, but the primary interface (and others) can be moved into other zones. New rules automatically go into the default zone unless a zone is specified.

firewall-cmd Quick Reference

Moving interfaces into other zones (actually done via NetworkManager, and not through firewalld):

# nmcli con mod em1 connection.zone trusted

Creating a new zone example (add the zone, set its target to ACCEPT like the trusted zone, accept connections from a subnet in it, and open a port in it):

# firewall-cmd --new-zone=pinemgmt --permanent
# firewall-cmd --zone=pinemgmt --set-target=ACCEPT --permanent
# firewall-cmd --add-source=210.110.40.230/29 --zone=pinemgmt --permanent
# firewall-cmd --add-port=222/tcp --zone=pinemgmt --permanent

Viewing default Zone info:

# firewall-cmd --list-all

Viewing Zone info for a specific zone:

# firewall-cmd --list-all --zone=trusted

Viewing all Zones:

# firewall-cmd --list-all-zones

Removing a service

# firewall-cmd --remove-service=ssh
# firewall-cmd --remove-service=http

Remove a port

# firewall-cmd --remove-port=80/tcp

Add a port (not recommended to add a service like http, which adds 8443/8080/etc/etc)

# firewall-cmd --add-port=443/tcp
# firewall-cmd --add-port=222/tcp

Disallow connections from a hostile IP

# firewall-cmd --add-source 98.200.183.180 --zone drop
OR
# firewall-cmd --add-source 98.200.183.180 --zone block

Zone Examples

Example setup/scenario for a system at a client site using various zones (p2p1 is a capture interface):

# nmcli con mod em1 connection.zone public
# nmcli con mod p2p1 connection.zone trusted
# systemctl mask iptables
# systemctl mask ip6tables
# systemctl enable firewalld
# systemctl start firewalld
# firewall-cmd --remove-service=ssh --permanent
# firewall-cmd --new-zone=pinemgmt --permanent
# firewall-cmd --zone=pinemgmt --set-target=ACCEPT --permanent
# firewall-cmd --add-source=210.110.40.230/29 --zone=pinemgmt --permanent
# firewall-cmd --reload
OPTIONAL/FYI:
# firewall-cmd --list-all
# firewall-cmd --list-all --zone=trusted
# firewall-cmd --list-all --zone=pinemgmt

iptables Quick Reference

NAT'ing/forwarding
We're not sure how to get NAT to work via the command line (if you type these commands, it fails); however, NAT works if the following is set in the iptables rules file (/etc/sysconfig/iptables):

*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1904 -j DNAT --to-destination 163.120.170.170:1101
-A POSTROUTING -d 163.120.170.170/32 -p tcp -m tcp -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT

Note: the PREROUTING rule takes any TCP traffic arriving on local port 1904 and passes it on to 163.120.170.170 port 1101; the MASQUERADE rule covers anything going to/from 163.120.170.170 (only one MASQUERADE line is needed for all rules forwarding traffic to 163.120.170.170).
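As an added example (not part of the original page), a small POSIX shell audit of an iptables-save-format rules file such as /etc/sysconfig/iptables: it lists the ports the INPUT chain accepts, shows each DNAT forward in the nat table, and checks that a MASQUERADE rule exists for the forward's destination, which is the pair of rules the note above describes. The sample rules file is constructed inline from the nat snippet above plus the two INPUT rules from the iptables examples section; the temp-file path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original wiki page: audit an iptables-save style rules
# file (e.g. /etc/sysconfig/iptables) for what it opens and forwards.

# input_open_ports FILE
#   Prints "port/proto" for every '-A INPUT ... -j ACCEPT' rule that has a --dport.
input_open_ports() {
    awk '/^-A INPUT/ && /-j ACCEPT/ {
        proto = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
        }
        if (dport != "") print dport "/" proto
    }' "$1"
}

# nat_forwards FILE
#   Prints "iface:dport -> destination" for every DNAT rule in the PREROUTING chain.
nat_forwards() {
    awk '/^-A PREROUTING/ && /-j DNAT/ {
        iface = "any"; dport = "?"; dest = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "--to-destination") dest = $(i + 1)
        }
        print iface ":" dport " -> " dest
    }' "$1"
}

# masquerade_covers FILE DEST_IP
#   Succeeds (exit 0) if a POSTROUTING MASQUERADE rule matches '-d DEST_IP/32',
#   i.e. the forward's destination is covered by the one MASQUERADE line the note
#   above says is needed.
masquerade_covers() {
    awk -v dest="$2/32" '
        /^-A POSTROUTING/ && /-j MASQUERADE/ {
            for (i = 1; i <= NF; i++) if ($i == "-d" && $(i + 1) == dest) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# write_sample_rules FILE
#   Constructed sample: the nat table from the page plus two INPUT rules from the
#   iptables examples. Real iptables-save output also carries [pkts:bytes] counters
#   after each chain policy; the parsers above do not depend on them.
write_sample_rules() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1904 -j DNAT --to-destination 163.120.170.170:1101
-A POSTROUTING -d 163.120.170.170/32 -p tcp -m tcp -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 222 -j ACCEPT
COMMIT
EOF
}

# Demo on the constructed sample (temp-file location is an assumption).
sample=${TMPDIR:-/tmp}/iptables-sample.$$
write_sample_rules "$sample"
echo "INPUT accepts:"
input_open_ports "$sample"
echo "NAT forwards:"
nat_forwards "$sample"
if masquerade_covers "$sample" 163.120.170.170; then
    echo "MASQUERADE present for 163.120.170.170"
else
    echo "WARNING: no MASQUERADE rule for 163.120.170.170, return traffic will not be rewritten"
fi
rm -f "$sample"
```

Pointed at the real /etc/sysconfig/iptables, the three functions give a quick review of what a host accepts and forwards before `service iptables restart` applies it, and the MASQUERADE check catches the common mistake of adding a DNAT forward without its matching masquerade.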