Difference between revisions of "Firewall"
Latest revision as of 11:46, 9 May 2017
Overview / Gotcha's
Warning: firewalld changes are made either to the running/active config or to the permanent config; there is no single command that updates both. This is deliberate: you can test a change in the active config (which is not permanent), and if the system becomes unreachable it can simply be rebooted to get back to the previous working state. To update both the active and permanent configs, every command has to be run twice, once without --permanent to affect the active state and a second time with --permanent to save the change. Alternately you can run all commands with --permanent and then do a 'firewall-cmd --reload', though this is not recommended.
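Helpers for the gotcha above, written for this page and not part of the original wiki: fw_apply runs one change against both configs, and fw_drift reports where the runtime and permanent config of a zone disagree (the FWCMD variable is an assumption introduced here so the functions can be pointed at a stub).

```shell
# Added example, not from the wiki page: make one firewall-cmd change in BOTH
# the runtime and the permanent config, and detect drift between the two.
# FWCMD is an assumption introduced here so the helpers can be pointed at a
# stub; it defaults to the real firewall-cmd.
FWCMD="${FWCMD:-firewall-cmd}"

# fw_apply ARGS...   e.g.  fw_apply --zone=public --add-port=443/tcp
# Runtime first (a bad rule can still be undone with a reboot), then the same
# change again with --permanent so it survives a reload or reboot.
fw_apply() {
    "$FWCMD" "$@" || return 1
    "$FWCMD" --permanent "$@"
}

# fw_drift ZONE   compares 'firewall-cmd --list-all' for ZONE in the runtime and
# permanent configs.  Runtime-only lines are lost on the next reload or reboot;
# permanent-only lines are saved but not yet enforced.  Prints the differences
# and returns 1 on drift, 0 when both configs agree, 2 if firewall-cmd fails.
# Caveat: lines are compared whole, so the same ports listed in a different
# order would also show up as drift.
fw_drift() {
    zone="$1"
    rt_out=$("$FWCMD" --zone="$zone" --list-all) || return 2
    pm_out=$("$FWCMD" --permanent --zone="$zone" --list-all) || return 2
    rt=$(mktemp) && pm=$(mktemp) || return 2
    # Drop the header line: it reads 'public (active)' at runtime, 'public' permanent.
    printf '%s\n' "$rt_out" | sed 1d | LC_ALL=C sort > "$rt"
    printf '%s\n' "$pm_out" | sed 1d | LC_ALL=C sort > "$pm"
    only_rt=$(LC_ALL=C comm -23 "$rt" "$pm")   # lines only in runtime
    only_pm=$(LC_ALL=C comm -13 "$rt" "$pm")   # lines only in permanent
    rm -f "$rt" "$pm"
    if [ -z "$only_rt" ] && [ -z "$only_pm" ]; then
        return 0
    fi
    [ -n "$only_rt" ] && printf 'runtime-only (lost on reload/reboot):\n%s\n' "$only_rt"
    [ -n "$only_pm" ] && printf 'permanent-only (not active yet):\n%s\n' "$only_pm"
    return 1
}

# Typical use: open a port in both configs, then confirm they agree.
# fw_apply --zone=public --add-port=443/tcp && fw_drift public
```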
iptables examples (before ent 7)
Allow https port:
TEMPORARY
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
PERMANENT
do the temporary step and "service iptables save", OR
# vi /etc/sysconfig/iptables
ADD
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# service iptables restart
Allow a custom ssh port:
TEMPORARY
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 222 -j ACCEPT
PERMANENT
do the temporary step and "service iptables save", OR
# vi /etc/sysconfig/iptables
ADD
-A INPUT -m state --state NEW -m tcp -p tcp --dport 222 -j ACCEPT
# service iptables restart
Allow samba:
figure out all its udp & tcp ports and add the needed lines in a similar fashion to the previous examples
firewalld examples (ent 7)
Allow https port:
TEMPORARY
# firewall-cmd --add-port 443/tcp
PERMANENT (to make active, also do the temporary step, or after the permanent step do "firewall-cmd --reload")
# firewall-cmd --add-port 443/tcp --permanent
Note: you can use '--add-service http' instead, but this adds a long list of ports (80/443/8080/8443/etc.), so it is more secure/preferable to open only the individual ports you need
Allow a custom ssh port:
TEMPORARY
# firewall-cmd --add-port 222/tcp
PERMANENT (to make active, also do the temporary step, or after the permanent step do "firewall-cmd --reload")
# firewall-cmd --add-port 222/tcp --permanent
Allow samba:
# firewall-cmd --add-service smb --permanent
firewalld - running/enabling firewalld
Running firewalld conflicts with the old iptables service: if firewalld rules are set up and the iptables service gets started/enabled, this causes contention between the two services. To ensure this doesn't happen accidentally after you've got a firewalld setup configured and working correctly, it is recommended to 'mask' the conflicting services (so they cannot simply be enabled; someone would have to notice they are masked and explicitly unmask them to enable iptables). Recommended enable procedure for firewalld:
# systemctl mask iptables
# systemctl mask ip6tables
# systemctl mask ebtables
# systemctl enable firewalld
# systemctl start firewalld
firewalld - zones
The following is a description of the default zones that currently come preconfigured on a system:
Zone | Description |
---|---|
drop | Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible. |
block | Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible. |
public | For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted. |
external | For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted. |
dmz | For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted. |
work | For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. |
home | For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. |
internal | For use on internal networks. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. |
trusted | All network connections are accepted. |
The default zone is public, but the primary interface (and others) can be moved into other zones. New rules automatically go into the default zone unless a zone is specified.
firewall-cmd Quick Reference
Moving interfaces into other zones (actually done via NetworkManager, and not through firewalld):
# nmcli con mod em1 connection.zone trusted
Creating new Zones example (adding new zone, setting to ACCEPT (like the trusted zone) and accepting connections from a subnet for these rules):
# firewall-cmd --new-zone=pinemgmt --permanent
# firewall-cmd --zone=pinemgmt --set-target=ACCEPT --permanent
# firewall-cmd --add-source=210.110.40.230/29 --zone=pinemgmt --permanent
# firewall-cmd --add-port=222/tcp --zone=pinemgmt --permanent
Viewing default Zone info:
# firewall-cmd --list-all
Viewing Zone info for a specific zone:
# firewall-cmd --list-all --zone=trusted
Viewing all Zones:
# firewall-cmd --list-all-zones
Removing a service
# firewall-cmd --remove-service=ssh
# firewall-cmd --remove-service=http
Remove a port
# firewall-cmd --remove-port=80/tcp
Add a port (not recommended to add a service like http, which adds 8443/8080/etc/etc)
# firewall-cmd --add-port=443/tcp
# firewall-cmd --add-port=222/tcp
Disallow connections from a hacking IP
# firewall-cmd --add-source 98.200.183.180 --zone drop
OR
# firewall-cmd --add-source 98.200.183.180 --zone block
Zone Examples
Example setup/scenario for a system at a client site using various zones (p2p1 is a capture interface):
# nmcli con mod em1 connection.zone public
# nmcli con mod p2p1 connection.zone trusted
# systemctl mask iptables
# systemctl mask ip6tables
# systemctl enable firewalld
# systemctl start firewalld
# firewall-cmd --remove-service=ssh --permanent
# firewall-cmd --new-zone=pinemgmt --permanent
# firewall-cmd --zone=pinemgmt --set-target=ACCEPT --permanent
# firewall-cmd --add-source=210.110.40.230/29 --zone=pinemgmt --permanent
# firewall-cmd --reload
OPTIONAL/FYI:
# firewall-cmd --list-all
# firewall-cmd --list-all --zone=trusted
# firewall-cmd --list-all --zone=pinemgmt
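An audit helper for the ACCEPT-target zones created in the quick reference and used in the scenario above (added here, not part of the wiki page): a zone whose target is ACCEPT lets everything through for whatever is matched into it, so the --add-source subnet or the bound interface is the only thing scoping it. The sample output below is constructed to mirror the em1/p2p1/pinemgmt scenario; on a real host pipe firewall-cmd in instead.

```shell
# Added example, not from the wiki page: list every firewalld zone whose target
# is ACCEPT and show what it is bound to.  Reads 'firewall-cmd --list-all-zones'
# output on stdin and returns 1 if any ACCEPT zone is bound to a whole
# interface (everything arriving on that interface is accepted), else 0.
fw_accept_zones() {
    awk '
    function report() {
        if (zone != "" && target == "ACCEPT") {
            flag = (ifaces != "") ? "  <-- whole interface trusted" : ""
            printf "%s: target=ACCEPT interfaces=[%s] sources=[%s]%s\n", zone, ifaces, sources, flag
            if (ifaces != "") bound++
        }
    }
    # Zone headers are not indented ("pinemgmt (active)"); attributes are.
    /^[^ \t]/        { report(); zone = $1; target = ""; ifaces = ""; sources = "" }
    /^  target:/     { target = $2 }
    /^  interfaces:/ { $1 = ""; sub(/^ +/, ""); ifaces = $0 }
    /^  sources:/    { $1 = ""; sub(/^ +/, ""); sources = $0 }
    END { report(); exit ((bound > 0) ? 1 : 0) }'
}

# Constructed sample of --list-all-zones output, abridged to the attributes the
# audit reads.  Real use:  firewall-cmd --list-all-zones | fw_accept_zones
sample_zones() {
cat <<'EOF'
block
  target: %%REJECT%%
  interfaces:
  sources:
  ports:

pinemgmt (active)
  target: ACCEPT
  interfaces:
  sources: 210.110.40.230/29
  ports: 222/tcp

public (active)
  target: default
  interfaces: em1
  sources:
  ports: 443/tcp

trusted (active)
  target: ACCEPT
  interfaces: p2p1
  sources:
  ports:
EOF
}
```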
iptables Quick Reference
NAT'ing/forwarding
We're not sure how to get NAT to work via the command line (if you type these commands, it fails); however, NAT works if the following is set in the iptables rules file (/etc/sysconfig/iptables):
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1904 -j DNAT --to-destination 163.120.170.170:1101
-A POSTROUTING -d 163.120.170.170/32 -p tcp -m tcp -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT
Note: the PREROUTING rule takes anything (TCP) coming in to local port 1904 and passes it on to 163.120.170.170 port 1101; the MASQUERADE rule covers anything going to/from 163.120.170.170 (only one MASQUERADE line is needed for all rules forwarding traffic to 163.120.170.170).
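An audit of the rules file above, added here and not part of the wiki page: it lists each DNAT port-forward in an iptables-save style file in readable form and, following the note that every forwarded destination needs its MASQUERADE line, flags forwards whose destination host has none. The sample rules are constructed from the page's own entries plus a second forward to the documentation address 192.0.2.10, added to show the flag.

```shell
# Added example, not from the wiki page: summarise the DNAT forwards in an
# iptables-save style rules file (e.g. /etc/sysconfig/iptables) read on stdin,
# and flag any whose destination host has no POSTROUTING MASQUERADE rule.
# Prints one line per forward; returns 1 if any forward is unmasqueraded.
nat_forwards() {
    awk '
    # Value following an option such as --dport on the current line, or "".
    function opt(name,   i) { for (i = 1; i < NF; i++) if ($i == name) return $(i+1); return "" }
    /^\*/ { table = substr($1, 2) }        # "*nat", "*filter" select the table
    table == "nat" && /^-A PREROUTING / && /-j DNAT/ {
        n++; inif[n] = opt("-i"); proto[n] = opt("-p")
        dport[n] = opt("--dport"); dest[n] = opt("--to-destination")
    }
    table == "nat" && /^-A POSTROUTING / && /-j MASQUERADE/ {
        d = opt("-d"); sub(/\/32$/, "", d); masq[d] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            host = dest[i]; sub(/:[0-9]+$/, "", host)   # strip the target port
            note = (host in masq) ? "" : "  <-- no MASQUERADE for " host
            printf "%s %s/%s -> %s%s\n", inif[i], proto[i], dport[i], dest[i], note
            if (!(host in masq)) bad++
        }
        exit ((bad > 0) ? 1 : 0)
    }'
}

# Constructed sample: the page's rules plus a second forward (to 192.0.2.10,
# a documentation address) that has no matching MASQUERADE line.
# Real use:  nat_forwards < /etc/sysconfig/iptables
sample_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1904 -j DNAT --to-destination 163.120.170.170:1101
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.0.2.10:22
-A POSTROUTING -d 163.120.170.170/32 -p tcp -m tcp -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT
EOF
}
```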