iptables
The iptables command is a low-level tool, and it can be challenging to correctly manage firewalls with that tool. In addition, it only adjusts IPv4 firewall rules.
ip6tables and ebtables
ip6tables for IPv6 and ebtables for software bridges.
firewalld
firewalld is a system daemon that can configure and monitor the system firewall rules. The firewalld daemon is installed from the firewalld package.
firewalld separates all incoming traffic into zones, with each zone having its own set of rules. To check which zone to use for an incoming connection, firewalld uses this logic, where the first rule that matches wins:
1. If the source address of an incoming packet matches a source rule setup for a zone, that packet will be routed through that zone.
2. If the incoming interface for a packet matches a filter setup for a zone, that zone will be used.
3. Otherwise, the default zone is used. The default zone is not a separate zone; instead, it points to one of the other zones defined on the system.
Unless overridden by an administrator or a NetworkManager configuration, the default zone for any new network interface will be set to the public zone.
Pre-defined zones
Pre-defined services
Configure firewall settings
1. By directly editing configuration files in /etc/firewalld/
2. By using the graphical firewall-config tool
3. By using firewall-cmd from the command line
Configure firewall settings with firewall-config
firewall-config is a graphical tool that can be used to alter and inspect both the running, in-memory configuration for firewalld, as well as the persistent, on-disk configuration. The firewall-config tool can be installed from the firewall-config package.
Once installed, firewall-config can be launched from the command line as firewall-config, or from the Applications menu under Applications > Sundry > Firewall.
On the main screen of firewall-config, a system administrator can select between modifying the current, in-memory configuration, or the persistent, on-disk configuration that will be used after a restart/reload of firewalld. This is achieved with the Configuration dropdown menu. In most cases, system administrators will want to adjust the persistent (Permanent) configuration, and then use the Options > Reload Firewalld menu entry to activate their changes.
To modify a zone, select the zone in the Zone menu on the left. Network interfaces and source IP addresses/ranges can be assigned in the Interfaces and Sources tabs on the right, respectively.
Ports can be opened by either putting a checkmark in front of them in the Services tab, or by adding a new port in the Ports tab for that zone.
If a specific set of ports has to be opened in multiple zones, a system administrator can also define a service for those ports. This can be done in the Services tab at the top of the window.
The default zone for otherwise unspecified connections can be changed under Options > Change Default Zone.
Configure firewall settings with firewall-cmd
firewall-cmd
firewall-cmd is installed as part of the main firewalld package. firewall-cmd can perform the same actions that firewall-config can.
The examples show the default zone being set to dmz, all traffic coming from the 192.168.0.0/24 network being assigned to the internal zone, and the network ports for mysql being opened on the internal zone.
[root@serverx-]#firewall-cmd --set-default-zone=dmz
[root@serverX-]#firewall-cmd --permanent --zone=internal --add-source=192.168.0.0/24
[root@serverx-]#firewall-cmd --permanent --zone=internal --add-service=mysql
[root@serverX-]#firewall-cmd --reload
Direct rules
Direct rules allow an administrator to insert hand-coded {ip, ip6, eb} tables rules into the zones managed by firewalld.
N.B: documentation is available in the firewall- cmd(1) and firewalld.direct(S) man pages for those administrators who are already familiar with {ip, ip6, eb}tables syntax.
A short example of adding some direct rules to blacklist an IP range:
[root@serverx-)#firewall-cmd --direct --permanent --add-chain ipv4 raw blacklist
[root@serverX-]#firewall-cmd --direct --permanent --add-rule ipv4 raw PREROUTING 0 -s 192.168.0.0/24 -j blacklist
[root@serverx-]#firewall-cmd --direct --permanent --add-rule ipv4 raw blacklist 0 -m limit --limit 1/min -j LOG --log-prefix "blacklisted"
[root@serverX-]#firewall-cmd --direct --permanent --add-rule ipv4 raw blacklist 1 -j DROP
Rich rules
Rich rules give administrators an expressive language in which to express custom firewall rules that are not covered by the basic firewalld syntax;
Rich rules can be used to express basic allow/deny rules, but can also be used to configure logging, both to syslog and auditd, as well as port forwards, masquerading, and rate limiting.
Rule ordering
Once multiple rules have been added to a zone (or the firewall in general), the ordering of rules can have a big effect on how the firewall behaves.
The basic ordering of rules inside a zone is the same for all zones:
1. Any port-forwarding and masquerading rules set for that zone.
2. Any logging rules set for that zone.
3. Any allow rules set for that zone.
4. Any deny rules set for that zone.
Testing and debugging
To make testing and debugging easier, almost all rules can be added to the runtime configuration with a timeout. The moment the rule with a timeout is added to the firewall, the timer starts counting down for that rule. Once the timer for a rule has reached zero seconds, that rule is removed from the runtime configuration.
Any configured rich rules are also shown in the output from firewall-cmd --list-all and firewall-cmd --list-all-zones.
Some examples of rich rules
[root@serverX-]# firewall-cmd --permanent --zone=classroom --add-rich-rule=' rule family=ipv4 source address=192.168.0.11/32 reject'
[root@serverX-]# firewall-cmd --add-rich-rule='rule service name=ftp limit value=2/m accept'
[root@serverX-]# firewall-cmd --permanent --add-rich-rule='rule protocol value=esp drop'
[root@serverX-]# firewall-cmd --permanent --zone=vnc --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=7900-7905 protocol=tcp accept'
Logging with rich rules
When debugging, or monitoring, a firewall, it can be useful to have a log of accepted or rejected connections. firewalld can accomplish this in two ways: by logging to syslog, or by sending messages to the kernel audit subsystem, managed by auditd.
Some examples of logging using rich rules
[root@serverx-]# firewall-cmd --permanent --zone=work --add-rich-rule='rule service name="ssh" log prefix= "ssh" level="notice" limit value="3/m" accept
[root@serverx-]# firewall-cmd --add-rich-rule='rule family=ipv6 source address= "2001:dbS::/64" service name="dns" audit limit value=" 1/h" reject' --timeout=300
NAT
firewalld supports two types of Network Address Translation (NAT): masquerading and port forwarding.
Masquerading
With masquerading, a system will forward packets that are not directly addressed to itself to the intended recipient, while changing the source address of the packets that go through to its own public IP address.
Configuring masquerading
[root@serverX-]# firewall-cmd --permanent --zone=<ZONE> --add-masquerade
This will masquerade any packets sent to the firewall from clients defined in the sources for that zone (both interfaces and subnets) that are not addressed to the firewall itself.
To gain more control over what clients will be masqueraded, a rich rule can be used as well.
[root@serverX-]# firewall-cmd --permanent --zone=<ZONE> --add-rich-rule=' rule family=ipv4 source address=192.168.0.0/24 masquerade'
Port forwarding
With port forwarding, traffic to a single port is forwarded either to a different port on the same machine, or to a port on a different machine. This mechanism is typically used to "hide" a server behind another machine, or to provide access to a service on an alternate port.
Configuring port forwarding
[root@serverX-]# firewall-cmd --permanent --zone=public --add-forward-port=port=513:proto=tcp:toport=132 toaddr=192.168.0.254
To gain more control over port forwarding rules, the following syntax can be used with rich rules:
[root@serverX-]# firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.0.0/26 forward-port port=80 protocol=tcp to-port=8080'
*****
Posts
0 Comments