

cn:ccr:formazione:centos7:2018-11:firewalld

cn:ccr:formazione:centos7:2018-11:firewalld [2018/11/29 10:40] carbone@infn.itcn:ccr:formazione:centos7:2018-11:firewalld [2018/11/29 10:41] (current) – [cpnfigure a zone to reject/drop a service] carbone@infn.it
Line 1: Line 1:
 +====== firewalld ======
 +suggested exercises. some suggestions are bare suggestions - no explanation at all 8-)
  
 +
 +
 +==== change default zone ====
 +----
 +
 +
 +==== add/remove a service from a zone ====
 +----
 +
 +
 +==== create/delete a new service ====
 +
 +----
 +
 +
 +
 +==== configure a zone to reject/drop a service ====
 +
 +<code bash>
 +# firewall-cmd --zone=trusted --add-rich-rule='rule service name="iperf3" reject'
 +</code>
 +<file>success</file>
 +
 +<code bash># firewall-cmd --zone=trusted --add-rich-rule='rule service name="iperf3" reject' --permanent</code>
 +<file>success</file>
 +
 +<code bash># cat /etc/firewalld/zones/trusted.xml</code>
 +<file xml>
 +<?xml version="1.0" encoding="utf-8"?>
 +<zone>
 +  <rule>
 +    <service name="iperf3"/>
 +    <reject/>
 +  </rule>
 +</zone>
 +</file>
 +
 +----
 +
 +
 +
 +==== remove service reject/drop from a zone ====
 +
 +<code bash>
 +# firewall-cmd --zone=trusted --remove-rich-rule='rule service name="iperf3" reject' --permanent</code>
 +<file>success</file>
 +
 +<code bash># firewall-cmd --zone=trusted --remove-rich-rule='rule service name="iperf3" reject'</code>
 +<file>success</file>
 +
 +<code bash># cat /etc/firewalld/zones/trusted.xml</code>
 +<file xml><?xml version="1.0" encoding="utf-8"?>
 +<zone>
 +</zone>
 +</file>
 +
 +----
 +
 +
 +
 +==== reject/drop an ip address ====
 +
 +<code bash># firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" drop'</code>
 +<file>success</file>
 +
 +<code bash># firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" drop' --permanent</code>
 +<file>success</file>
 +
 +<code bash># cat /etc/firewalld/zones/trusted.xml</code>
 +<file xml><?xml version="1.0" encoding="utf-8"?>
 +<zone>
 +  <rule family="ipv4">
 +    <source address="192.168.100.70"/>
 +    <drop/>
 +  </rule>
 +</zone></file>
 +
 +<code bash>$ iperf3 -c  virtone.hmib.infn.it </code>
 +<file>iperf3: error - unable to connect to server: Connection timed out</file>
 +
 +<code bash># firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" drop' --permanent</code>
 +<file>success</file>
 +
 +<code bash># firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" drop'</code>
 +<file>success</file>
 +
 +<code bash># firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" reject'</code>
 +<file>success</file>
 +
 +<code bash># firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" reject' --permanent</code>
 +<file>success</file>
 +
 +<code bash># cat /etc/firewalld/zones/trusted.xml<?xml version="1.0" encoding="utf-8"?></code>
 +<file xml><zone>
 +  <rule family="ipv4">
 +    <source address="192.168.100.70"/>
 +    <reject/>
 +  </rule>
 +</zone>
 +</file>
 +<code bash>$ iperf3 -c  virtone.hmib.infn.it </code>
 +<file>iperf3: error - unable to connect to server: Connection refused</file>
 +
 +<code bash># firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" reject' --permanent</code>
 +<file>success</file>
 +
 +<code bash># firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" reject'</code>
 +<file>success</file>
 +
 +
 +----
 +
 +
 +==== create an ipset ====
 +
 +----
 +
 +
 +==== reject/drop globally a single ip address; defining a global black list ====
 +
 +<code bash>
 +# firewall-cmd --get-ipset-types </code>
 +<file>hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net</file>
 +
 +<code bash># firewall-cmd --new-ipset=whitelist --type=hash:ip --family=inet</code>
 +<file>usage: see firewall-cmd man page
 +Option can be used only with --permanent.</file>
 +
 +<code bash># firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip --family=inet</code>
 +<file>success</file>
 +
 +<code bash># firewall-cmd --permanent --info-ipset=blacklist</code>
 +<file>blacklist
 +  type: hash:ip
 +  options: family=inet
 +  entries: </file>
 +
 +<code bash># firewall-cmd --permanent --ipset=blacklist --add-entry=192.168.100.70</code>
 +<file>success</file>
 +
 +<code bash># firewall-cmd --permanent --info-ipset=blacklist</code> #### occhio alle ipset con il permanent...
 +<file>blacklist
 +  type: hash:ip
 +  options: family=inet
 +  entries: 192.168.100.70</file>
 +
 +<code bash># firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m set --match-set blacklist src -j REJECT</code>
 +<file>success</file>
 +
 +<code bash># firewall-cmd  --direct --get-all-rules</code>
 +<file>ipv4 filter INPUT 1 -m tcp -p tcp --source 193.206.156.10/32 --dport 5202 -j ACCEPT
 +ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
 +ipv6 filter INPUT 1 -m tcp -p tcp --source 2001:760:4211::100 --dport 5201 -j ACCEPT</file>
 +
 +<code bash># firewall-cmd --reload</code>
 +<file>success</file>
 +
 +<code bash># firewall-cmd  --direct --get-all-rules</code>
 +<file>ipv4 filter INPUT 1 -m tcp -p tcp --source 193.206.156.10/32 --dport 5202 -j ACCEPT
 +ipv4 filter INPUT 2 -m set --match-set blacklist src -j REJECT
 +ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
 +ipv6 filter INPUT 1 -m tcp -p tcp --source 2001:760:4211::100 --dport 5201 -j ACCEPT</file>
 +
 +<code bash># iptables -t filter -L INPUT_direct</code>
 +<file>Chain INPUT_direct (1 references)
 +target     prot opt source               destination         
 +REJECT     tcp  --  anywhere             anywhere             multiport dports ssh match-set fail2ban-sshd src reject-with icmp-port-unreachable
 +ACCEPT     tcp  --  ssire.mib.infn.it    anywhere             tcp dpt:targus-getdata2
 +REJECT     all  --  anywhere             anywhere             match-set blacklist src reject-with icmp-port-unreachable</file>
 +
 +
 +----
 +
 +==== defining a blacklist binding an ipset as a source to a zone ====
 +
 +<code>
 +# firewall-cmd --zone=block --add-source=ipset:blacklist 
 +success
 +
 +# firewall-cmd --info-zone=block (active)
 +  target: %%REJECT%%
 +  icmp-block-inversion: no
 +  interfaces: 
 +  sources: ipset:blacklist
 +  services: 
 +  ports: 
 +  protocols: 
 +  masquerade: no
 +  forward-ports: 
 +  source-ports: 
 +  icmp-blocks: 
 +  rich rules: 
 +
 +# firewall-cmd --ipset=blacklist --add-entry=192.168.100.70
 +success
 +
 +# firewall-cmd --info-ipset=blacklist
 +blacklist
 +  type: hash:ip
 +  options: family=inet
 +  entries: 192.168.100.70
 +
 +# firewall-cmd --get-active-zones 
 +trusted
 +  interfaces: em2
 +work
 +  interfaces: em1
 +netperf
 +  sources: 212.189.204.0/24
 +block
 +  sources: ipset:blacklist
 +mgmt
 +  sources: 193.206.156.10/32 193.206.156.143/32 212.189.204.240/28
 +
 +</code>
 +
 +----
 +
 +==== reject/drop globally a network ====
 +
 +
 +----
 +
 +==== define a network global black list ====
 +
 +
 +----
 +
 +
 +
 +==== create a firewall configuration ====
 +requirements
 +  * a management zone with access restricted to a few hosts
 +  * a zone providing auth services (ldap, kerberos) to a list of hosts/networks
 +  * a public zone providing http/https services
 +  * a global blacklist
 +
 +----
 +
 +==== create a masquerading firewall ====
 +----
 +
 +==== blacklist a port (or a host) in the trusted zone ====
 +----
