Firewalls
Firewall: definition and principle
Controlling the firewall
Getting ready
$ vagrant up
$ vagrant ssh
How to do it
From the firewalld man page: firewalld is the Dynamic Firewall Manager.
Install firewalld
$ sudo yum install firewalld firewall-config
Now enable and start firewalld
$ sudo systemctl enable firewalld
$ sudo systemctl start firewalld
$ sudo systemctl status firewalld
Use the help option to see the key firewall-cmd options:
$ firewall-cmd --help
Usage: firewall-cmd [OPTIONS...]
General Options
-h, --help Prints a short help text and exists
-V, --version Print the version string of firewalld
-q, --quiet Do not print status messages
Status Options
--state Return and print firewalld state
--reload Reload firewall and keep state information
--complete-reload Reload firewall and loose state information
Permanent Options
--permanent Set an option permanently
Usable for options maked with [P]
Zone Options
--get-default-zone Print default zone for connections and interfaces
--set-default-zone=<zone>
Set default zone
--get-active-zones Print currently active zones
--get-zones Print predefined zones [P]
--get-services Print predefined services [P]
--get-icmptypes Print predefined icmptypes [P]
--get-zone-of-interface=<interface>
Print name of the zone the interface is bound to [P]
--get-zone-of-source=<source>[/<mask>]
Print name of the zone the source[/mask] is bound to [P]
--list-all-zones List everything added for or enabled in all zones [P]
--new-zone=<zone> Add a new zone [P only]
--delete-zone=<zone> Delete an existing zone [P only]
--zone=<zone> Use this zone to set or query options, else default zone
Usable for options maked with [Z]
--get-target Get the zone target [P only]
--set-target=<target>
Set the zone target [P only]
IcmpType Options
--new-icmptype=<icmptype>
Add a new icmptype [P only]
--delete-icmptype=<icmptype>
Delete and existing icmptype [P only]
Service Options
--new-service=<service>
Add a new service [P only]
--delete-service=<service>
Delete and existing service [P only]
Options to Adapt and Query Zones
--list-all List everything added for or enabled in a zone [P] [Z]
--list-services List services added for a zone [P] [Z]
--timeout=<seconds> Enable an option for seconds only
Usable for options maked with [T]
--add-service=<service>
Add a service for a zone [P] [Z] [T]
--remove-service=<service>
Remove a service from a zone [P] [Z]
--query-service=<service>
Return whether service has been added for a zone [P] [Z]
--list-ports List ports added for a zone [P] [Z]
--add-port=<portid>[-<portid>]/<protocol>
Add the port for a zone [P] [Z] [T]
--remove-port=<portid>[-<portid>]/<protocol>
Remove the port from a zone [P] [Z]
--query-port=<portid>[-<portid>]/<protocol>
Return whether the port has been added for zone [P] [Z]
--list-icmp-blocks List Internet ICMP type blocks added for a zone [P] [Z]
--add-icmp-block=<icmptype>
Add an ICMP block for a zone [P] [Z] [T]
--remove-icmp-block=<icmptype>
Remove the ICMP block from a zone [P] [Z]
--query-icmp-block=<icmptype>
Return whether an ICMP block has been added for a zone
[P] [Z]
--list-forward-ports List IPv4 forward ports added for a zone [P] [Z]
--add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
Add the IPv4 forward port for a zone [P] [Z] [T]
--remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
Remove the IPv4 forward port from a zone [P] [Z]
--query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
Return whether the IPv4 forward port has been added for
a zone [P] [Z]
--add-masquerade Enable IPv4 masquerade for a zone [P] [Z] [T]
--remove-masquerade Disable IPv4 masquerade for a zone [P] [Z]
--query-masquerade Return whether IPv4 masquerading has been enabled for a
zone [P] [Z]
--list-rich-rules List rich language rules added for a zone [P] [Z]
--add-rich-rule=<rule>
Add rich language rule 'rule' for a zone [P] [Z] [T]
--remove-rich-rule=<rule>
Remove rich language rule 'rule' from a zone [P] [Z]
--query-rich-rule=<rule>
Return whether a rich language rule 'rule' has been
added for a zone [P] [Z]
Options to Handle Bindings of Interfaces
--list-interfaces List interfaces that are bound to a zone [P] [Z]
--add-interface=<interface>
Bind the <interface> to a zone [P] [Z]
--change-interface=<interface>
Change zone the <interface> is bound to [Z]
--query-interface=<interface>
Query whether <interface> is bound to a zone [P] [Z]
--remove-interface=<interface>
Remove binding of <interface> from a zone [P] [Z]
Options to Handle Bindings of Sources
--list-sources List sources that are bound to a zone [P] [Z]
--add-source=<source>[/<mask>]
Bind <source>[/<mask>] to a zone [P] [Z]
--change-source=<source>[/<mask>]
Change zone the <source>[/<mask>] is bound to [Z]
--query-source=<source>[/<mask>]
Query whether <source>[/<mask>] is bound to a zone
[P] [Z]
--remove-source=<source>[/<mask>]
Remove binding of <source>[/<mask>] from a zone [P] [Z]
Direct Options
--direct First option for all direct options
--get-all-chains
Get all chains [P]
--get-chains {ipv4|ipv6|eb} <table>
Get all chains added to the table [P]
--add-chain {ipv4|ipv6|eb} <table> <chain>
Add a new chain to the table [P]
--remove-chain {ipv4|ipv6|eb} <table> <chain>
Remove the chain from the table [P]
--query-chain {ipv4|ipv6|eb} <table> <chain>
Return whether the chain has been added to the table [P]
--get-all-rules
Get all rules [P]
--get-rules {ipv4|ipv6|eb} <table> <chain>
Get all rules added to chain in table [P]
--add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
Add rule to chain in table [P]
--remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
Remove rule with priority from chain in table [P]
--remove-rules {ipv4|ipv6|eb} <table> <chain>
Remove rules from chain in table [P]
--query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
Return whether a rule with priority has been added to
chain in table [P]
--passthrough {ipv4|ipv6|eb} <arg>...
Pass a command through
--get-all-passthroughs
Get all passthrough rules [P only]
--get-passthroughs {ipv4|ipv6|eb} <arg>...
Get passthrough rules [P only]
--add-passthrough {ipv4|ipv6|eb} <arg>...
Add a new passthrough rule [P only]
--remove-passthrough {ipv4|ipv6|eb} <arg>...
Remove a passthrough rule [P only]
--query-passthrough {ipv4|ipv6|eb} <arg>...
Return whether the passthrough rule has been added
[P only]
Lockdown Options
--lockdown-on Enable lockdown.
--lockdown-off Disable lockdown.
--query-lockdown Query whether lockdown is enabled
Lockdown Whitelist Options
--list-lockdown-whitelist-commands
List all command lines that are on the whitelist [P]
--add-lockdown-whitelist-command=<command>
Add the command to the whitelist [P]
--remove-lockdown-whitelist-command=<command>
Remove the command from the whitelist [P]
--query-lockdown-whitelist-command=<command>
Query whether the command is on the whitelist [P]
--list-lockdown-whitelist-contexts
List all contexts that are on the whitelist [P]
--add-lockdown-whitelist-context=<context>
Add the context context to the whitelist [P]
--remove-lockdown-whitelist-context=<context>
Remove the context from the whitelist [P]
--query-lockdown-whitelist-context=<context>
Query whether the context is on the whitelist [P]
--list-lockdown-whitelist-uids
List all user ids that are on the whitelist [P]
--add-lockdown-whitelist-uid=<uid>
Add the user id uid to the whitelist [P]
--remove-lockdown-whitelist-uid=<uid>
Remove the user id uid from the whitelist [P]
--query-lockdown-whitelist-uid=<uid>
Query whether the user id uid is on the whitelist [P]
--list-lockdown-whitelist-users
List all user names that are on the whitelist [P]
--add-lockdown-whitelist-user=<user>
Add the user name user to the whitelist [P]
--remove-lockdown-whitelist-user=<user>
Remove the user name user from the whitelist [P]
--query-lockdown-whitelist-user=<user>
Query whether the user name user is on the whitelist [P]
Panic Options
--panic-on Enable panic mode
--panic-off Disable panic mode
--query-panic Query whether panic mode is enabled
Using firewall-cmd from the command line
For services
$ sudo firewall-cmd --add-service=https --permanent
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --add-service=http --permanent
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --add-service=nfs --permanent
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --add-service=samba --permanent
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --add-service=ldap --permanent
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --add-service=kerberos --permanent
success
$ sudo firewall-cmd --reload
success
Check the service list
$ sudo firewall-cmd --list-services
dhcpv6-client http https kerberos ldap nfs samba ssh
For a source IP range
$ sudo firewall-cmd --add-source=192.168.4.49/24 --permanent
$ sudo firewall-cmd --list-all
public (default, active)
interfaces: enp0s3
sources: 192.168.4.49/24
services: dhcpv6-client http https kerberos ldap nfs samba ssh
ports: 8961/tcp 22/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
For ports
$ sudo firewall-cmd --add-port=22/tcp --permanent
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --add-port=8961/tcp --permanent
success
$ sudo firewall-cmd --reload
success
Check the port list
$ sudo firewall-cmd --list-ports
8961/tcp 22/tcp
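As an added example (not part of the original recipe), the following POSIX shell script audits the `--list-all` output format shown above: it pulls the services and ports a zone allows and warns when file-sharing or directory services such as nfs, samba, ldap and kerberos are open in the zone. The two zone dumps and the internal-only policy list are constructed for this example, and the function names are this example's own.

```shell
# Added example, not from the original recipe: audit the text printed by
# `firewall-cmd --zone=<zone> --list-all` (the format shown above) and flag
# internal-only services and open ports. Both dumps are constructed from this page.

PUBLIC_DUMP='public (default, active)
interfaces: enp0s3
sources: 192.168.4.49/24
services: dhcpv6-client http https kerberos ldap nfs samba ssh
ports: 8961/tcp 22/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:'

HOME_DUMP='home (default)
interfaces:
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:'

# Services this example's policy keeps off an Internet-facing zone
# (assumption: a reviewer's choice, not a firewalld default).
INTERNAL_ONLY="nfs samba ldap kerberos"

# zone_field <field> <dump>: value after "<field>:" (empty when unset).
zone_field() {
  printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# zone_name <dump>: the zone name is the first word of the header line.
zone_name() {
  printf '%s\n' "$1" | sed -n '1s/[[:space:]].*//p'
}

# exposed_services <dump>: internal-only services the zone allows, space
# separated, in firewalld's order ("samba-client" does not match "samba").
exposed_services() {
  out=""
  for svc in $(zone_field services "$1"); do
    for bad in $INTERNAL_ONLY; do
      [ "$svc" = "$bad" ] && out="$out $svc"
    done
  done
  printf '%s\n' "${out# }"
}

# audit_zone <dump>: "OK <zone>" or a WARN line naming what is exposed.
audit_zone() {
  name=$(zone_name "$1")
  svcs=$(exposed_services "$1")
  ports=$(zone_field ports "$1")
  if [ -z "$svcs" ] && [ -z "$ports" ]; then
    echo "OK $name"
  else
    echo "WARN $name: services=[$svcs] ports=[$ports]"
  fi
}

audit_zone "$PUBLIC_DUMP"   # WARN public: services=[kerberos ldap nfs samba] ports=[8961/tcp 22/tcp]
audit_zone "$HOME_DUMP"     # OK home
```

On a live host, `audit_zone "$(sudo firewall-cmd --list-all)"` checks the runtime zone and adding `--permanent` checks the saved configuration, which can differ until the next `--reload`.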
Other basic commands
Check whether firewalld is running, and enable and start it if not:
$ sudo systemctl status firewalld.service
$ sudo systemctl enable firewalld.service
$ sudo systemctl start firewalld.service
Verify that firewalld is running
$ sudo firewall-cmd --state
running
Check the default zone of the firewall
$ sudo firewall-cmd --get-default-zone
public
Set a different default zone
$ sudo firewall-cmd --set-default-zone=home
$ sudo firewall-cmd --get-default-zone
home
List the home zone (note the warning: the interface is still in the public zone)
$ sudo firewall-cmd --list-all
You're performing an operation over default zone ('home'),
but your connections/interfaces are in zone 'public' (see --get-active-zones)
You most likely need to use --zone=public option.
home (default)
interfaces:
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
Another way to list the home zone is to name it explicitly
$ sudo firewall-cmd --zone=home --list-all
home (default)
interfaces:
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
List all zones
$ sudo firewall-cmd --list-all-zones | less
List the predefined services
$ sudo firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
List the predefined zones
$ sudo firewall-cmd --get-zones
block dmz drop external home internal public trusted work
Check the active zones
$ sudo firewall-cmd --get-active-zones
public
interfaces: enp0s3
To add new zones
$ sudo firewall-cmd --new-zone=publicdns --permanent
success
$ sudo firewall-cmd --new-zone=privatedns --permanent
success
$ sudo firewall-cmd --new-zone=homedns --permanent
success
Check the added zones: they appear only in the permanent configuration until the firewall is reloaded
$ sudo firewall-cmd --get-zones
block dmz drop external home internal public trusted work
$ sudo firewall-cmd --get-zones --permanent
block dmz drop external home homedns internal privatedns public publicdns trusted work
So reload the firewall to make them active
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --get-zones
block dmz drop external home homedns internal privatedns public publicdns trusted work
How it works
Masking and unmasking iptables
Getting ready
$ vagrant up
$ vagrant ssh
How to do it
From the iptables man page: iptables/ip6tables is the administration tool for IPv4/IPv6 packet filtering and NAT (Network Address Translation).
Install the package
$ sudo yum install -y iptables
Use the help option to see the key iptables options:
$ iptables --help
iptables v1.4.21
Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--wait -w [seconds] wait for the xtables lock
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
Now mask the iptables service from the command line
First check its status
$ sudo systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: active (exited) since Fri 2016-05-20 05:17:09 EDT; 2s ago
Process: 2474 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 2474 (code=exited, status=0/SUCCESS)
May 20 05:17:09 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
May 20 05:17:09 localhost.localdomain iptables.init[2474]: iptables: Applying firewall rules: [ OK ]
May 20 05:17:09 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.
Then mask iptables
$ sudo systemctl mask iptables.service
Created symlink from /etc/systemd/system/iptables.service to /dev/null.
Then check whether iptables is masked
$ sudo systemctl status iptables.service
● iptables.service
Loaded: masked (/dev/null)
Active: active (exited) since Fri 2016-05-20 05:17:09 EDT; 23s ago
Main PID: 2474 (code=exited, status=0/SUCCESS)
May 20 05:17:09 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
May 20 05:17:09 localhost.localdomain iptables.init[2474]: iptables: Applying firewall rules: [ OK ]
May 20 05:17:09 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.
To unmask iptables
$ sudo systemctl unmask iptables.service
Removed symlink /etc/systemd/system/iptables.service.
The same for ip6tables
Check the status of ip6tables
$ sudo systemctl status ip6tables.service
● ip6tables.service - IPv6 firewall with ip6tables
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled; vendor preset: disabled)
Active: active (exited) since Fri 2016-05-20 05:35:26 EDT; 2s ago
Process: 2573 ExecStart=/usr/libexec/iptables/ip6tables.init start (code=exited, status=0/SUCCESS)
Main PID: 2573 (code=exited, status=0/SUCCESS)
May 20 05:35:26 localhost.localdomain systemd[1]: Starting IPv6 firewall with...
May 20 05:35:26 localhost.localdomain ip6tables.init[2573]: ip6tables: Applyi...
May 20 05:35:26 localhost.localdomain systemd[1]: Started IPv6 firewall with ...
Hint: Some lines were ellipsized, use -l to show in full.
Then mask ip6tables
$ sudo systemctl mask ip6tables.service
Created symlink from /etc/systemd/system/ip6tables.service to /dev/null.
Then check whether ip6tables is masked
$ sudo systemctl status ip6tables.service
● ip6tables.service
Loaded: masked (/dev/null)
Active: active (exited) since Fri 2016-05-20 05:35:26 EDT; 40s ago
Main PID: 2573 (code=exited, status=0/SUCCESS)
May 20 05:35:26 localhost.localdomain systemd[1]: Starting IPv6 firewall with...
May 20 05:35:26 localhost.localdomain ip6tables.init[2573]: ip6tables: Applyi...
May 20 05:35:26 localhost.localdomain systemd[1]: Started IPv6 firewall with ...
Hint: Some lines were ellipsized, use -l to show in full.
To unmask ip6tables
$ sudo systemctl unmask ip6tables.service
Removed symlink /etc/systemd/system/ip6tables.service.
How it works
Managing rich rules
Getting ready
$ vagrant up
$ vagrant ssh
How to do it
From the firewalld.richlanguage man page: it documents the rich language used for these rules.
Use rich rules to accept, reject or drop traffic.
To reject, accept or drop all traffic from one source IP
$ sudo firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.4.49 reject' --permanent
success
$ sudo firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.4.49 accept' --permanent
success
$ sudo firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.4.49 drop' --permanent
success
Rich rules that reject, accept or drop a single service (here ssh) from one source address
$ sudo firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.4.49 service name=ssh reject' --permanent
success
$ sudo firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.4.49 service name=ssh accept' --permanent
success
$ sudo firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.4.49 service name=ssh drop' --permanent
success
How it works
Port security
Getting ready
$ vagrant up
$ vagrant ssh
How to do it
Masquerading and Port Forwarding
Create a masquerade rule
$ sudo firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.56.102 masquerade' --permanent
success
$ sudo firewall-cmd --reload
success
Check the rich rule list
$ sudo firewall-cmd --list-rich-rules
rule family="ipv4" source address="192.168.56.102" masquerade
Delete the masquerade rule
$ sudo firewall-cmd --remove-rich-rule='rule family=ipv4 source address=192.168.56.102 masquerade' --permanent
success
$ sudo firewall-cmd --reload
success
Create port forwarding (8960 to 80)
First install httpd
$ sudo yum install httpd
Enable and start the service
$ sudo systemctl enable httpd
$ sudo systemctl start httpd
SELinux port labeling
$ sudo semanage port -a -t http_port_t -p tcp 8960
$ sudo semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 8960, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
Add the port in the firewall
$ sudo firewall-cmd --permanent --add-port=8960/tcp
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --list-ports
8960/tcp 3260/tcp
Now forward the port
$ sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.56.102 forward-port port=8960 protocol=tcp to-port=80'
$ sudo firewall-cmd --reload
success
Now check the rule
$ sudo firewall-cmd --list-rich-rules
rule family="ipv4" source address="192.168.56.102/24" forward-port port="8960" protocol="tcp" to-port="80"
$ curl http://centos7server.com:8960
This is My First web
Delete the port forwarding rule
$ sudo firewall-cmd --permanent --remove-rich-rule='rule family=ipv4 source address=192.168.56.102 forward-port port=8960 protocol=tcp to-port=80'
success
$ sudo firewall-cmd --reload
Now the same for remote SSH
On the server
$ sudo semanage port -a -t ssh_port_t -p tcp 8961
$ sudo firewall-cmd --permanent --add-port=8961/tcp
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.56.102 forward-port port=8961 protocol=tcp to-port=22'
$ sudo firewall-cmd --reload
success
On the client
Now check the forwarded port
$ sudo ssh -p 8961 [email protected]
The authenticity of host '192.168.56.102:8961 (192.168.56.102:8961)' can't be established.
ECDSA key fingerprint is 68:51:62:02:b9:9a:23:0c:9e:1f:3d:ce:9b:96:31:e2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.102' (ECDSA) to the list of known hosts.
[email protected]'s password:
Last login: Fri May 27 12:17:30 2016
Now check the SELinux messages with sealert
$ sudo sealert -a /var/log/audit/audit.log
100% done
found 0 alerts in /var/log/audit/audit.log
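The rich rules from the previous two sections (source accept/reject/drop, per-service rules, masquerade and forward-port) are easy to mistype, so here is an added helper, not part of the original recipe, that validates the source address, action and ports before building the rule string and, by default, only prints the firewall-cmd commands it would run. All function names and the DRY_RUN convention are this example's own.

```shell
# Added example, not from the original recipe: build and validate the rich
# rules used above (source accept/reject/drop, per-service, masquerade,
# forward-port). DRY_RUN=1 (the default here) prints the firewall-cmd
# commands instead of running them; the function names are this example's own.
DRY_RUN=${DRY_RUN:-1}

# valid_ipv4 <addr>[/<prefix>]: succeed only for four octets of 0-255 and,
# if present, a prefix length of 0-32.
valid_ipv4() {
  addr=${1%%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32
  case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  case $prefix in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  count=0
  rest=$addr
  while [ -n "$rest" ]; do
    octet=${rest%%.*}
    [ "$octet" -le 255 ] || return 1
    count=$((count + 1))
    if [ "$rest" = "$octet" ]; then rest=""; else rest=${rest#*.}; fi
  done
  [ "$count" -eq 4 ]
}

# valid_port <n>: a TCP/UDP port number in 1-65535.
valid_port() { case $1 in ''|*[!0-9]*) return 1 ;; esac; [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# rich_rule <source> <accept|reject|drop> [service]: one rule per call; the
# recipe adds all three actions for the same source, but only one is needed.
rich_rule() {
  valid_ipv4 "$1" || { echo "bad source: $1" >&2; return 1; }
  case $2 in accept|reject|drop) ;; *) echo "bad action: $2" >&2; return 1 ;; esac
  if [ -n "$3" ]; then
    echo "rule family=ipv4 source address=$1 service name=$3 $2"
  else
    echo "rule family=ipv4 source address=$1 $2"
  fi
}

# forward_rule <source> <port> <to-port>: TCP forward-port rule, as used
# above for 8960->80 (httpd) and 8961->22 (sshd).
forward_rule() {
  valid_ipv4 "$1" && valid_port "$2" && valid_port "$3" || return 1
  echo "rule family=ipv4 source address=$1 forward-port port=$2 protocol=tcp to-port=$3"
}

# masquerade_rule <source>: masquerade traffic from the given source.
masquerade_rule() { valid_ipv4 "$1" && echo "rule family=ipv4 source address=$1 masquerade"; }

# apply_rule <rule>: add permanently and reload, or print when DRY_RUN=1.
apply_rule() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "firewall-cmd --permanent --add-rich-rule='$1'"
    echo "firewall-cmd --reload"
  else
    firewall-cmd --permanent --add-rich-rule="$1" && firewall-cmd --reload
  fi
}

apply_rule "$(rich_rule 192.168.4.49 accept ssh)"
apply_rule "$(forward_rule 192.168.56.102 8960 80)"
```

Run with DRY_RUN=0 on a firewalld host to actually apply a rule; a rule that fails validation is never passed to firewall-cmd.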
Failed log
How it works
See these man pages for reference
firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5), firewalld.zones(5)