firewalld
Suggested exercises. Some are bare suggestions, with no explanation at all.
change default zone
add/remove a service from a zone
create/delete a new service
configure a zone to reject/drop a service
# firewall-cmd --zone=trusted --add-rich-rule='rule service name="iperf3" reject'
success
# firewall-cmd --zone=trusted --add-rich-rule='rule service name="iperf3" reject' --permanent
success
# cat /etc/firewalld/zones/trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <rule>
    <service name="iperf3"/>
    <reject/>
  </rule>
</zone>
remove service reject/drop from a zone
# firewall-cmd --zone=trusted --remove-rich-rule='rule service name="iperf3" reject' --permanent
success
# firewall-cmd --zone=trusted --remove-rich-rule='rule service name="iperf3" reject'
success
# cat /etc/firewalld/zones/trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
</zone>
reject/drop an ip address
# firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" drop'
success
# firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" drop' --permanent
success
# cat /etc/firewalld/zones/trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <rule family="ipv4">
    <source address="192.168.100.70"/>
    <drop/>
  </rule>
</zone>
$ iperf3 -c virtone.hmib.infn.it
iperf3: error - unable to connect to server: Connection timed out
# firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" drop' --permanent
success
# firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" drop'
success
# firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" reject'
success
# firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" reject' --permanent
success
# cat /etc/firewalld/zones/trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <rule family="ipv4">
    <source address="192.168.100.70"/>
    <reject/>
  </rule>
</zone>
$ iperf3 -c virtone.hmib.infn.it
iperf3: error - unable to connect to server: Connection refused
# firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" reject' --permanent
success
# firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" reject'
success
create an ipset
reject/drop globally a single ip address; defining a global black list
# firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
# firewall-cmd --new-ipset=whitelist --type=hash:ip --family=inet
usage: see firewall-cmd man page
Option can be used only with --permanent.
# firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip --family=inet
success
# firewall-cmd --permanent --info-ipset=blacklist
blacklist
  type: hash:ip
  options: family=inet
  entries:
# firewall-cmd --permanent --ipset=blacklist --add-entry=192.168.100.70
success
# firewall-cmd --permanent --info-ipset=blacklist
blacklist
  type: hash:ip
  options: family=inet
  entries: 192.168.100.70
#### watch out for ipsets with --permanent…
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m set --match-set blacklist src -j REJECT
success
# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -m tcp -p tcp --source 193.206.156.10/32 --dport 5202 -j ACCEPT
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv6 filter INPUT 1 -m tcp -p tcp --source 2001:760:4211::100 --dport 5201 -j ACCEPT
# firewall-cmd --reload
success
# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -m tcp -p tcp --source 193.206.156.10/32 --dport 5202 -j ACCEPT
ipv4 filter INPUT 2 -m set --match-set blacklist src -j REJECT
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv6 filter INPUT 1 -m tcp -p tcp --source 2001:760:4211::100 --dport 5201 -j ACCEPT
# iptables -t filter -L INPUT_direct
Chain INPUT_direct (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             multiport dports ssh match-set fail2ban-sshd src reject-with icmp-port-unreachable
ACCEPT     tcp  --  ssire.mib.infn.it    anywhere             tcp dpt:targus-getdata2
REJECT     all  --  anywhere             anywhere             match-set blacklist src reject-with icmp-port-unreachable
defining a blacklist binding an ipset as a source to a zone
# firewall-cmd --zone=block --add-source=ipset:blacklist
success
# firewall-cmd --info-zone=block
block (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources: ipset:blacklist
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
# firewall-cmd --ipset=blacklist --add-entry=192.168.100.70
success
# firewall-cmd --info-ipset=blacklist
blacklist
  type: hash:ip
  options: family=inet
  entries: 192.168.100.70
# firewall-cmd --get-active-zones
trusted
  interfaces: em2
work
  interfaces: em1
netperf
  sources: 212.189.204.0/24
block
  sources: ipset:blacklist
mgmt
  sources: 193.206.156.10/32 193.206.156.143/32 212.189.204.240/28
reject/drop globally a network
define a network global black list
create a firewall configuration
requirements
- a management zone with access restricted to a few hosts
- a zone providing auth services (ldap, kerberos) to a list of hosts/networks
- a public zone providing http/https services
- a global blacklist
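A worked solution to the requirements list, added here as an example and not part of the original page: it builds the four zones with firewall-cmd and reuses the ipset-bound block zone from the blacklist exercise above. The zone names mgmt and auth, the interface name eth0 and all addresses (RFC 5737 documentation ranges) are constructed placeholders; set FW=echo to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original page): zone layout for the requirements
# list, plus the ipset-based global blacklist. mgmt/auth zone names, eth0 and
# every address below are constructed placeholders, not real hosts.
FW="${FW:-firewall-cmd}"

MGMT_HOSTS="192.0.2.10/32 192.0.2.11/32"        # hosts allowed to manage the box
AUTH_CLIENTS="198.51.100.0/24 203.0.113.5/32"   # hosts/networks served by ldap/kerberos
PUBLIC_IFACE="eth0"                             # interface facing the public

# Every change is made --permanent; nothing is live until the final --reload
# (the same runtime/permanent split the ipset exercise above runs into).
fw() { "$FW" --permanent "$@"; }

build_firewall_config() {
    # 1. management zone: only the listed hosts, only ssh; anything else
    #    falls through to the zone's default target and is rejected.
    #    --new-zone fails if the zone already exists (not idempotent).
    fw --new-zone=mgmt
    for h in $MGMT_HOSTS; do fw --zone=mgmt --add-source="$h"; done
    fw --zone=mgmt --add-service=ssh

    # 2. auth zone: ldap/ldaps/kerberos for the listed clients only
    fw --new-zone=auth
    for n in $AUTH_CLIENTS; do fw --zone=auth --add-source="$n"; done
    for s in ldap ldaps kerberos; do fw --zone=auth --add-service="$s"; done

    # 3. built-in public zone: http/https on the external interface
    fw --zone=public --add-interface="$PUBLIC_IFACE"
    for s in http https; do fw --zone=public --add-service="$s"; done

    # 4. global blacklist: an ipset bound as source to the built-in block zone
    #    (target %%REJECT%%); populate it later with
    #    firewall-cmd --ipset=blacklist --add-entry=<addr>
    fw --new-ipset=blacklist --type=hash:net --family=inet
    fw --zone=block --add-source=ipset:blacklist

    # 5. turn the permanent configuration into the runtime one
    "$FW" --reload
}

case "${1:-}" in
    apply)   build_firewall_config ;;
    dry-run) FW=echo; build_firewall_config ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

Run it as `sh build_fw.sh dry-run` first to review the 16 commands it will issue, then `apply` as root on the target host.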
create a masquerading firewall
blacklist a port (or a host) in the trusted zone
cn/ccr/formazione/centos7/2018-11/firewalld.txt · Last modified: 2018/11/29 10:41 by carbone@infn.it