23 Firewalld | netfilter hooks | firewall-cmd --get-zones/services | --add-rich-rule
The basic firewall software most commonly used in Linux is called iptables.
The iptables firewall works by interacting with the packet filtering hooks in the Linux kernel's networking stack. These kernel hooks are known as the netfilter framework.
Every packet that enters the networking system (incoming or outgoing) will trigger these hooks as it progresses through the stack, allowing programs that register with these hooks to interact with the traffic at key points. The kernel modules associated with iptables register at these hooks in order to ensure that the traffic conforms to the conditions laid out by the firewall rules.
The following hooks represent various well-defined points in the networking stack:
NF_IP_PRE_ROUTING: This hook will be triggered by any incoming traffic very soon after entering the network stack. This hook is processed before any routing decisions have been made regarding where to send the packet.
NF_IP_LOCAL_IN: This hook is triggered after an incoming packet has been routed if the packet is destined for the local system.
NF_IP_FORWARD: This hook is triggered after an incoming packet has been routed if the packet is to be forwarded to another host.
NF_IP_LOCAL_OUT: This hook is triggered by any locally created outbound traffic as soon as it hits the network stack.
NF_IP_POST_ROUTING: This hook is triggered by any outgoing or forwarded traffic after routing has taken place and just before being put out on the wire.
In the Linux kernel there is netfilter.
In RHEL 6, iptables is used to manage netfilter.
In RHEL 7 the default is firewalld to manage netfilter.
In RHEL 7 it's recommended to use firewalld, as many utilities write their rules directly to firewalld.
=========================================
To work with firewalld there are interfaces.
To each interface we assign a zone.
There might be a private zone for the private network, a public zone for the Internet, or a DMZ zone.
Then we connect services to zones:
kernel netfilter <--> firewalld <--> zone <--> services
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2017-09-22 12:54:03 EDT; 2 days ago
Docs: man:firewalld(1)
Main PID: 786 (firewalld)
CGroup: /system.slice/firewalld.service
└─786 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Sep 22 12:54:00 localhost.localdomain systemd[1]: Starting firewalld - dynamic fire....
Sep 22 12:54:03 localhost.localdomain systemd[1]: Started firewalld - dynamic firew....
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]#
=========================================
To configure firewalld there are two utilities:
[root@localhost ~]# firewall
firewall-cmd
firewall-config
=========================================
[root@localhost ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@localhost ~]# firewall-cmd --get-default-zone
public
=========================================
A service is a name associated with a protocol and a port; the definitions are XML files:
[root@localhost ~]# cd /usr/lib/firewalld/services/
[root@localhost services]# ls
amanda-client.xml ipp-client.xml pmwebapis.xml squid.xml
amanda-k5-client.xml ipp.xml pmwebapi.xml ssh.xml
bacula-client.xml ipsec.xml pop3s.xml synergy.xml
...
...
docker-registry.xml libvirt.xml radius.xml transmission-client.xml
dropbox-lansync.xml mdns.xml RH-Satellite-6.xml vdsm.xml
...
...
ftp.xml mysql.xml samba.xml xmpp-client.xml
high-availability.xml nfs.xml sane.xml xmpp-local.xml
https.xml ntp.xml smtps.xml xmpp-server.xml
http.xml openvpn.xml smtp.xml
imaps.xml pmcd.xml snmptrap.xml
imap.xml pmproxy.xml snmp.xml
[root@localhost services]#
Some services need a collection of ports:
[root@localhost services]# cat high-availability.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Red Hat High Availability</short>
<description>This allows you to use the Red Hat High Availability (previously named Red Hat Cluster Suite). Ports are opened for corosync, pcsd, pacemaker_remote, dlm and corosync-qnetd.</description>
<port protocol="tcp" port="2224"/>
<port protocol="tcp" port="3121"/>
<port protocol="tcp" port="5403"/>
<port protocol="udp" port="5404"/>
<port protocol="udp" port="5405"/>
<port protocol="tcp" port="21064"/>
</service>
[root@localhost services]#
[root@localhost services]# cat samba.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Samba</short>
<description>This option allows you to access and participate in Windows file and printer sharing networks. You need the samba package installed for this option to be useful.</description>
<port protocol="udp" port="137"/>
<port protocol="udp" port="138"/>
<port protocol="tcp" port="139"/>
<port protocol="tcp" port="445"/>
<module name="nf_conntrack_netbios_ns"/>
</service>
[root@localhost services]#
==============================
For the samba service, a specific kernel module has to be loaded as well:
<module name="nf_conntrack_netbios_ns"/>
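As an added example (this is not firewalld's own code), the following shell script parses a service definition of the kind shown above and prints what enabling the service actually exposes: every port/protocol pair and any kernel module it loads. The sample file is a constructed copy of the samba.xml listing above; the function names service_ports, service_modules, service_exposes and service_audit are this example's own. It is a handy pre-check before a service is added to a zone, because the service name alone does not tell you which ports are opened.

```shell
#!/bin/sh
# Added example (not firewalld's own code): read a firewalld service
# definition and list what enabling that service actually exposes.
set -u

# Constructed sample: a copy of the samba.xml shown in the notes above.
SAMBA_XML=$(mktemp)
trap 'rm -f "$SAMBA_XML"' EXIT
cat >"$SAMBA_XML" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Samba</short>
<description>This option allows you to access and participate in Windows file and printer sharing networks. You need the samba package installed for this option to be useful.</description>
<port protocol="udp" port="137"/>
<port protocol="udp" port="138"/>
<port protocol="tcp" port="139"/>
<port protocol="tcp" port="445"/>
<module name="nf_conntrack_netbios_ns"/>
</service>
EOF

# service_ports FILE: print "port/protocol" for every <port/> element, one per line
service_ports() {
  grep '<port ' "$1" | while IFS= read -r line; do
    port=$(printf '%s\n' "$line" | sed -n 's/.* port="\([^"]*\)".*/\1/p')
    proto=$(printf '%s\n' "$line" | sed -n 's/.* protocol="\([^"]*\)".*/\1/p')
    [ -n "$port" ] && [ -n "$proto" ] && printf '%s/%s\n' "$port" "$proto"
  done
}

# service_modules FILE: print the kernel modules the service asks firewalld to load
service_modules() {
  sed -n 's/.*<module name="\([^"]*\)".*/\1/p' "$1"
}

# service_exposes FILE PORT/PROTO: exit 0 if enabling the service opens that port
service_exposes() {
  service_ports "$1" | grep -qx "$2"
}

# service_audit FILE: one-line summary, e.g. to review before --add-service
service_audit() {
  name=$(sed -n 's/.*<short>\(.*\)<\/short>.*/\1/p' "$1")
  ports=$(service_ports "$1" | tr '\n' ' ')
  mods=$(service_modules "$1" | tr '\n' ' ')
  mods=${mods% }
  printf '%s: opens %s; loads %s\n' "$name" "${ports% }" "${mods:-no modules}"
}

service_audit "$SAMBA_XML"
# -> Samba: opens 137/udp 138/udp 139/tcp 445/tcp; loads nf_conntrack_netbios_ns
```

Point the functions at any file under /usr/lib/firewalld/services/ (or a custom definition in /etc/firewalld/services/) to get the same summary for a real service.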
STEP #1: add the service to the runtime configuration (active immediately)
[root@localhost services]# firewall-cmd --zone=public --add-service=high-availability
success
STEP #2: add it to the permanent configuration as well (with --permanent), so it survives a reload or reboot
[root@localhost services]# firewall-cmd --permanent --zone=public --add-service=high-availability
success
[root@localhost services]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client high-availability ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
[root@localhost services]#
=================
firewall-config is the GUI tool with the same functionality as firewall-cmd.
=================
Changing the Zone of an Interface for the Current Session
You can transition an interface between zones during a session by using the --zone= parameter in combination with the --change-interface= parameter. As with all commands that modify the firewall, you will need to use sudo.
For instance, we can transition our eth0 interface to the "home" zone by typing this:
sudo firewall-cmd --zone=home --change-interface=eth0
Output:
success
=====================
Rich Rules
Rich rule syntax is extensive but fully documented in the firewalld.richlanguage(5) man page (run man firewalld.richlanguage in your terminal). Use --add-rich-rule, --list-rich-rules and --remove-rich-rule with the firewall-cmd command to manage them.
Here are some common examples:
Allow all IPv4 traffic from host 192.168.0.14.
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.0.14 accept'
Deny IPv4 traffic over TCP from host 192.168.1.10 to port 22.
sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp reject'
Allow IPv4 traffic over TCP from host 10.1.0.3 to port 80, and forward it locally to port 6532.
sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=10.1.0.3 forward-port port=80 protocol=tcp to-port=6532'
Forward all IPv4 traffic on port 80 to port 8080 on host 172.31.4.2 (masquerade should be active on the zone).
sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=172.31.4.2'
To list your current Rich Rules:
sudo firewall-cmd --list-rich-rules
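The two-step pattern above (runtime change, then the same change with --permanent) and the rich rules just listed share a failure mode: a runtime-only rule disappears on the next firewall-cmd --reload, and a permanent-only rule is not active until then. The script below is an added example, not part of the original notes or of firewalld itself: rich_rule builds a validated IPv4 rich rule of the kinds shown above (rejecting malformed addresses, ports, protocols and actions before they reach firewall-cmd), and fw_apply applies any --add-* option to both the runtime and the permanent configuration, then confirms each side with the matching --query-* option. FWCMD, rich_rule, valid_ipv4, valid_port and fw_apply are names chosen for this example; FWCMD defaults to firewall-cmd and can be pointed at a stub for testing.

```shell
#!/bin/sh
# Added example (not firewalld's own code): build a validated rich rule and
# apply any --add-* option so runtime and permanent configuration stay in sync.
set -u
FWCMD=${FWCMD:-firewall-cmd}   # assumption: firewall-cmd is on PATH; override for tests

# valid_ipv4 ADDR: dotted quad with optional /prefix, every octet 0-255
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
  case $1 in */*) [ "${1#*/}" -le 32 ] || return 1 ;; esac
  addr=${1%%/*}
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# valid_port P: a single port 1-65535 or a range LOW-HIGH
valid_port() {
  case $1 in
    *-*) low=${1%-*}; high=${1#*-} ;;
    *)   low=$1; high=$1 ;;
  esac
  for p in "$low" "$high"; do
    case $p in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  done
  [ "$low" -le "$high" ]
}

# rich_rule SRC PORT PROTO ACTION: print the rule text or fail with a reason.
# PORT may be empty to match all traffic from SRC (as in the first example above).
rich_rule() {
  src=$1 port=$2 proto=$3 action=$4
  valid_ipv4 "$src" || { echo "rich_rule: bad IPv4 source '$src'" >&2; return 1; }
  case $action in accept|reject|drop) ;; *) echo "rich_rule: bad action '$action'" >&2; return 1 ;; esac
  rule="rule family=\"ipv4\" source address=\"$src\""
  if [ -n "$port" ]; then
    valid_port "$port" || { echo "rich_rule: bad port '$port'" >&2; return 1; }
    case $proto in tcp|udp) ;; *) echo "rich_rule: bad protocol '$proto'" >&2; return 1 ;; esac
    rule="$rule port port=\"$port\" protocol=\"$proto\""
  fi
  printf '%s\n' "$rule $action"
}

# fw_apply ZONE --add-X=VALUE: STEP #1 (runtime) and STEP #2 (--permanent),
# then query both sides so a half-applied change is reported, not silently kept.
fw_apply() {
  zone=$1 opt=$2
  query=$(printf '%s\n' "$opt" | sed 's/^--add-/--query-/')
  "$FWCMD" --zone="$zone" "$opt" >/dev/null || return 1
  "$FWCMD" --permanent --zone="$zone" "$opt" >/dev/null || return 1
  "$FWCMD" --zone="$zone" "$query" >/dev/null \
    || { echo "fw_apply: $opt is not active at runtime" >&2; return 1; }
  "$FWCMD" --permanent --zone="$zone" "$query" >/dev/null \
    || { echo "fw_apply: $opt is missing from the permanent config" >&2; return 1; }
}

# Usage: sh fw_apply.sh public --add-service=high-availability
#        sh fw_apply.sh public "--add-rich-rule=$(rich_rule 192.168.1.10 22 tcp reject)"
if [ $# -eq 2 ]; then fw_apply "$1" "$2"; fi
```

Because fw_apply derives the --query-* option from the --add-* option, the same function covers services, ports and rich rules; run it as root (or with sudo) on the RHEL host, and compare the result with firewall-cmd --list-all and firewall-cmd --permanent --list-all afterwards.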