Saturday, June 11, 2016

RHEL7 - Introduction to firewall

firewalld is a front end to iptables, and firewall-cmd is its command-line interface, which we use to manage firewall rules. It allows you to create firewall zones to which you associate IP addresses, services, ports and rules.

Check if package is installed
# rpm -qa | grep -i firewalld

Find the config file location
# rpm -qc firewalld


View the config file content
# vi /etc/firewalld/firewalld.conf

Check if firewall is running
# systemctl status firewalld
or
# firewall-cmd --state

Check what is allowed and what is not
# firewall-cmd --list-all

Note the active zone and the interface it is using

Playing with zones
List default zone
# firewall-cmd --get-default-zone

[root@sam yum.repos.d]# firewall-cmd --list-all
public (default, active)
  interfaces: enp0s25
  sources:
  services: dhcp dhcpv6-client ssh tftp
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

List the zones available on the system
# firewall-cmd --get-zones

List active zones
# firewall-cmd --get-active-zones
In the active zone output you will also see which interface the zone is bound to.

List the services
# firewall-cmd --get-services

Check the configuration of the services
1. The default service definitions and 2. custom/user-defined services

1. The default service location
# cd /usr/lib/firewalld
[root@sam firewalld]# ls
icmptypes  services  xmlschema  zones
# cd services
# cat ssh.xml

Review the file content.

Playing with zone
Get default zone
# firewall-cmd --get-default-zone

Change your default zone
# firewall-cmd --set-default-zone=internal

Now, add port to the configuration
# firewall-cmd --add-port=22/tcp
# firewall-cmd --list-all

Now, remove the port
# firewall-cmd --remove-port=22/tcp
# firewall-cmd --add-service=ssh

reload the service
# firewall-cmd --reload

All run-time configuration is lost on reload, so you have to use the --permanent flag when adding the service:

# firewall-cmd --add-service=mysql --permanent

Reload the service to apply the change
# firewall-cmd --reload

Make sure to reload, otherwise the change will have no effect.
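A check that goes with the runtime/permanent distinction above, added here as an example and not part of the original post: it compares the output of "firewall-cmd --list-all" with "firewall-cmd --list-all --permanent" and reports every service, port and forward-port that exists only in the runtime configuration, i.e. everything that would silently disappear on the next reload or reboot. The two outputs embedded in the script are constructed samples in the RHEL7 --list-all layout so it runs without firewalld; the live_drift_report function is the assumed way to run it against a real host.

```shell
#!/bin/sh
# Added example, not from the original post: report firewall configuration that
# exists only in the runtime firewall and would vanish on "firewall-cmd --reload".
# The two outputs below are constructed samples in the RHEL7 --list-all layout.

RUNTIME_SAMPLE='public (default, active)
  interfaces: enp0s25
  sources:
  services: dhcpv6-client http mysql ssh
  ports: 8080/tcp 4000-4200/tcp
  masquerade: no
  forward-ports: port=8080:proto=tcp:toport=80:toaddr=
  icmp-blocks:
  rich rules:'

PERMANENT_SAMPLE='public (default)
  interfaces: enp0s25
  sources:
  services: dhcpv6-client ssh
  ports: 4000-4200/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# field_items OUTPUT FIELD: print the items of the "FIELD:" line one per line, sorted.
# Only single-line fields (services, ports, forward-ports, ...) are handled;
# "rich rules:" continues on the following lines and is not parsed here.
field_items() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { for (i = 2; i <= NF; i++) print $i }' | sort
}

# runtime_only RUNTIME PERMANENT FIELD: items present in the runtime output but
# missing from the permanent one (comm needs sorted input, which field_items gives).
runtime_only() {
    rt=$(mktemp) && pm=$(mktemp) || return 1
    field_items "$1" "$3" > "$rt"
    field_items "$2" "$3" > "$pm"
    comm -23 "$rt" "$pm"
    rm -f "$rt" "$pm"
}

# drift_report RUNTIME PERMANENT: print one line per runtime-only item and return 1
# if any drift was found, so the function can be used as a check in other scripts.
drift_report() {
    found=0
    for field in services ports forward-ports; do
        for item in $(runtime_only "$1" "$2" "$field"); do
            printf '%s: %s is runtime-only and will be lost on reload\n' "$field" "$item"
            found=1
        done
    done
    [ "$found" -eq 0 ]
}

# live_drift_report: the same check against the running firewalld (needs root).
live_drift_report() {
    drift_report "$(firewall-cmd --list-all)" "$(firewall-cmd --list-all --permanent)"
}

# Demonstration on the constructed samples.
drift_report "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE" ||
    echo "drift detected: re-add these with --permanent and reload"
```

On the samples the report lists http, mysql, 8080/tcp and the 8080-to-80 forward as runtime-only, which is exactly the state the post describes after adding rules without --permanent. Note that forwarding to another address (toaddr set) additionally requires masquerading to be enabled on the zone, which shows up in the same --list-all output as the "masquerade:" line.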


Adding multiple ports
# firewall-cmd --add-port={2800/tcp,300/tcp,4300/tcp}

Adding a port range
# firewall-cmd --add-port=4000-4200/tcp

Or adding multiple services
# firewall-cmd --add-service={mysql,ssh,http,https,ldap}
# firewall-cmd --list-all

You can remove multiple services the same way
# firewall-cmd --remove-service={mysql,ssh,http,https,ldap}
# firewall-cmd --list-all


Port forwarding

# netstat -ntlp
# firewall-cmd --list-all
Review the ports that are open

Now add a new port to the firewall
# firewall-cmd --add-port=8080/tcp

# firewall-cmd --list-all
# netstat -ntlp

# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80

Now, anything coming in on port 8080/tcp will be forwarded to port 80 on the same address; you will see that toaddr is empty.
If you want to send it to a different address on a different port, do the following:

# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80:toaddress=192.168.10.110



- Configuring more complex rules using rich rules

Allow all traffic from .20 server and block from .30 server
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.10.20" accept'
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.10.30" drop'

Now, let's enable the web server on this host
# firewall-cmd --add-service=http

Now, go to both servers and try to access the web server

On the .20 host:
$ elinks .20
or
$ curl .20
You should be able to access the server.

Go to the .30 host and try the same:
The request should be blocked.
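The rich-rule procedure above depends on getting the quoting right (family and source address in double quotes inside the rule), which is easy to get wrong at an interactive prompt. The script below is an added example and not part of the original post: it builds the rule text with the expected quoting, validates the family, address and action first so a typo cannot produce a rule that silently does nothing, and applies it to both the runtime and the permanent configuration so it survives a reload. The addresses are the post's .20 and .30 hosts; apply_rich_rule is an assumed wrapper name, not a firewalld command.

```shell
#!/bin/sh
# Added example, not from the original post: build and apply a firewalld rich rule
# with validated inputs and the quoting firewalld expects.

# rich_rule FAMILY SOURCE ACTION: print the rule text, or fail with a message.
rich_rule() {
    family=$1 src=$2 action=$3
    case $family in
        ipv4) pattern='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' ;;
        ipv6) pattern='^[0-9A-Fa-f:]+(/[0-9]{1,3})?$' ;;
        *) echo "rich_rule: family must be ipv4 or ipv6" >&2; return 1 ;;
    esac
    # Syntax check only (octet ranges are not verified); firewalld rejects the rest.
    printf '%s' "$src" | grep -Eq "$pattern" || {
        echo "rich_rule: '$src' is not a valid $family address" >&2; return 1; }
    # drop discards silently, reject answers with an ICMP error; accept allows.
    case $action in
        accept|drop|reject) ;;
        *) echo "rich_rule: action must be accept, drop or reject" >&2; return 1 ;;
    esac
    # The double quotes around the family and the address are part of the rule syntax.
    printf 'rule family="%s" source address="%s" %s\n' "$family" "$src" "$action"
}

# apply_rich_rule FAMILY SOURCE ACTION: add the rule now and make it survive a reload.
apply_rich_rule() {
    rule=$(rich_rule "$@") || return 1
    firewall-cmd --add-rich-rule="$rule" &&
    firewall-cmd --permanent --add-rich-rule="$rule"
}

# Demonstration on the post's two hosts: print the rules that would be applied.
rich_rule ipv4 192.168.10.20 accept
rich_rule ipv4 192.168.10.30 drop
```

Run "apply_rich_rule ipv4 192.168.10.20 accept" as root on the web server to add the rule; the function passes the rule through a variable, so no shell single-quoting is needed, which is where the quoting mistakes usually creep in.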
