This virtual machine is running Oracle Linux (fully compatible with CentOS and Red Hat Enterprise Linux) :

[root@firewalld-lab ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)

We have 2 network interfaces :

[root@firewalld-lab ~]# ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno16777984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:0c:29:ed:3c:d6 brd ff:ff:ff:ff:ff:ff
3: eno33557248: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:0c:29:ed:3c:e0 brd ff:ff:ff:ff:ff:ff

One interface is up and already has an IP address :

[root@firewalld-lab ~]# ip address show dev eno16777984
2: eno16777984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:ed:3c:d6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.157/24 brd 192.168.1.255 scope global eno16777984
    inet6 fe80::20c:29ff:feed:3cd6/64 scope link
       valid_lft forever preferred_lft forever

“firewalld” service is active :

[root@firewalld-lab ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2016-11-19 13:58:34 CET; 7min ago
     Docs: man:firewalld(1)
 Main PID: 628 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─628 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Nov 19 13:58:32 firewalld-lab systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 19 13:58:34 firewalld-lab systemd[1]: Started firewalld - dynamic firewall daemon.
[root@firewalld-lab ~]# systemctl is-enabled firewalld
enabled

Here is the default “firewalld” zone, currently applied to “eno16777984” interface :

[root@firewalld-lab ~]# firewall-cmd --get-active-zones
public
  interfaces: eno16777984

“ssh” is allowed :

[root@firewalld-lab ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno16777984
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

New zone

Create a new zone :

[root@firewalld-lab ~]# firewall-cmd --permanent --new-zone=test
success
[root@firewalld-lab ~]# firewall-cmd --reload
success
[root@firewalld-lab ~]# firewall-cmd --get-zones
work drop internal external trusted test home dmz public block

This zone has currently no rule :

[root@firewalld-lab ~]# firewall-cmd --zone=test --list-all
test
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

Allow SSH to this zone from all hosts in 192.168.1.0/24 range :

[root@firewalld-lab ~]# firewall-cmd --permanent --zone=test --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 service name=ssh accept'
success
[root@firewalld-lab ~]# firewall-cmd --reload
success

Where SSH service has (by default) already been defined :

/usr/lib/firewalld/services/ssh.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
 <short>SSH</short>
 <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
 <port protocol="tcp" port="22"/>
</service>

Allow port 8080/tcp from all hosts in 192.168.1.0/24 range :

[root@firewalld-lab ~]# firewall-cmd --permanent --zone=test --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=8080 protocol=tcp accept'
success

Reload the configuration :

[root@firewalld-lab ~]# firewall-cmd --reload
success

Here are our rules :

[root@firewalld-lab ~]# firewall-cmd --zone=test --list-all
test
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept
        rule family="ipv4" source address="192.168.1.0/24" port port="8080" protocol="tcp" accept
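The commands above are typed one by one; the following script is an added example (not from the original post) that builds the same "test" zone in a way that can be re-run safely: it validates the source prefix and port before they reach firewall-cmd, skips rich rules that are already present (using `--query-rich-rule`), and ends with the reload that permanent changes need. The zone name, subnet, service and port are assumed to be the ones used in the post; with the default `DRY_RUN=1` it only prints the firewall-cmd invocations, `DRY_RUN=0` runs them on a real firewalld host.

```shell
#!/bin/sh
# Added example, not part of the original post: build the "test" zone
# idempotently, validating inputs before they reach firewall-cmd.
# Assumed values (same as in the post): zone "test", LAN 192.168.1.0/24,
# ssh and 8080/tcp. DRY_RUN=1 (default) only prints the commands.

ZONE="${ZONE:-test}"
LAN="${LAN:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        $0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1 }
        NF == 5 && $5 > 32 { exit 1 }
        { exit 0 }'
}

# Accept only an integer in 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rich_rule_service CIDR SERVICE: the rich rule string used in the post.
rich_rule_service() {
    valid_ipv4_cidr "$1" || return 1
    printf 'rule family=ipv4 source address=%s service name=%s accept\n' "$1" "$2"
}

# rich_rule_port CIDR PORT PROTOCOL: same for a port (only tcp/udp accepted here).
rich_rule_port() {
    valid_ipv4_cidr "$1" || return 1
    valid_port "$2" || return 1
    case "$3" in tcp|udp) ;; *) return 1 ;; esac
    printf 'rule family=ipv4 source address=%s port port=%s protocol=%s accept\n' "$1" "$2" "$3"
}

# Run firewall-cmd, or print the quoted command line in dry-run mode.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'firewall-cmd'; for a in "$@"; do printf " '%s'" "$a"; done; echo
    else
        firewall-cmd "$@"
    fi
}

# Queries report "absent" in dry-run mode so that every add is shown.
zone_exists() {
    [ "$DRY_RUN" = 1 ] && return 1
    firewall-cmd --permanent --get-zones | tr ' ' '\n' | grep -qx "$ZONE"
}
rule_present() {
    [ "$DRY_RUN" = 1 ] && return 1
    firewall-cmd --permanent --zone="$ZONE" --query-rich-rule="$1" >/dev/null 2>&1
}

# Add a permanent rich rule only when it is not already there.
ensure_rich_rule() {
    if rule_present "$1"; then
        echo "already present: $1"
    else
        fw --permanent --zone="$ZONE" --add-rich-rule="$1"
    fi
}

setup_zone() {
    ssh_rule=$(rich_rule_service "$LAN" ssh) || { echo "bad prefix: $LAN" >&2; return 1; }
    web_rule=$(rich_rule_port "$LAN" 8080 tcp) || return 1
    zone_exists || fw --permanent --new-zone="$ZONE"
    ensure_rich_rule "$ssh_rule"
    ensure_rich_rule "$web_rule"
    fw --reload   # permanent changes only take effect after a reload
}

setup_zone
```

Run it once with `DRY_RUN=1 sh setup-zone.sh` to review the exact commands, then with `DRY_RUN=0` on the firewall host; a second run with `DRY_RUN=0` only reports the rules as already present and reloads.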

Assigning firewalld zone to an interface

We don’t use NetworkManager service :

[root@firewalld-lab ~]# systemctl status NetworkManager
● NetworkManager.service - Network Manager
   Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:NetworkManager(8)
[root@firewalld-lab ~]# systemctl is-enabled NetworkManager
disabled

Currently, our “test” zone is not assigned to any interface :

[root@firewalld-lab ~]# firewall-cmd --get-active-zone
public
  interfaces: eno16777984

Remove “public” default zone from this interface :

[root@firewalld-lab ~]# firewall-cmd --zone public --remove-interface eno16777984
success

Assign “test” zone to this interface :

[root@firewalld-lab ~]# firewall-cmd --permanent --zone test --add-interface eno16777984
success

Validate this change :

[root@firewalld-lab ~]# firewall-cmd --reload
success

Check :

[root@firewalld-lab ~]# firewall-cmd --get-active-zone
test
  interfaces: eno16777984

This configuration has been recorded in an XML file :

/etc/firewalld/zones/test.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <interface name="eno16777984"/>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <port protocol="tcp" port="8080"/>
    <accept/>
  </rule>
</zone>

It’s time to test !

From another virtual machine :

[root@puppetserver ~]# ip addr show dev eno16777984
2: eno16777984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:c0:c3:20 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.151/24 brd 192.168.1.255 scope global eno16777984
    inet6 fe80::20c:29ff:fec0:c320/64 scope link
       valid_lft forever preferred_lft forever

“ping” works well :

[root@puppetserver ~]# ping -c2 192.168.1.157
PING 192.168.1.157 (192.168.1.157) 56(84) bytes of data.
64 bytes from 192.168.1.157: icmp_seq=1 ttl=64 time=0.218 ms
64 bytes from 192.168.1.157: icmp_seq=2 ttl=64 time=0.290 ms

--- 192.168.1.157 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.218/0.254/0.290/0.036 ms

“ssh” as well :

[root@puppetserver ~]# ssh 192.168.1.157
The authenticity of host '192.168.1.157 (192.168.1.157)' can't be established.
ECDSA key fingerprint is 51:ca:80:f4:b1:80:30:e4:4c:1a:f1:d6:4e:0b:1b:d4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.157' (ECDSA) to the list of known hosts.
root@192.168.1.157's password:
Last failed login: Sat Nov 19 14:37:04 CET 2016 from 192.168.1.151 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sat Nov 19 14:05:40 2016 from 192.168.1.13
[root@firewalld-lab ~]#

Don’t want to authorize “ping” anymore ?

Here are predefined ICMP types :

[root@firewalld-lab ~]# firewall-cmd --get-icmptypes
destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded timestamp-reply timestamp-request

Currently, no ICMP type is blocked :

[root@firewalld-lab ~]# firewall-cmd --zone test --list-icmp-blocks

Block ICMP echo requests (ping) :

[root@firewalld-lab ~]# firewall-cmd --permanent --zone test --add-icmp-block=echo-request
success

Once again, we reload the configuration :

[root@firewalld-lab ~]# firewall-cmd --reload
success

Our zone configuration is now :

[root@firewalld-lab ~]# firewall-cmd --zone=test --list-all
test (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno16777984
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks: echo-request
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept
        rule family="ipv4" source address="192.168.1.0/24" port port="8080" protocol="tcp" accept

Corresponding XML file :

/etc/firewalld/zones/test.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <interface name="eno16777984"/>
  <icmp-block name="echo-request"/>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <port protocol="tcp" port="8080"/>
    <accept/>
  </rule>
</zone>

We test :

[root@puppetserver ~]# ping -c2 192.168.1.157
PING 192.168.1.157 (192.168.1.157) 56(84) bytes of data.
From 192.168.1.157 icmp_seq=1 Destination Host Prohibited
From 192.168.1.157 icmp_seq=2 Destination Host Prohibited

--- 192.168.1.157 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 999ms
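The two `--list-all` listings on this page (the default "public" zone at the start and the finished "test" zone at the end) are what you check before trusting a zone. The script below is an added example, not part of the original post: it parses such a listing and warns about anything that widens exposure beyond what the post configures (a service or port open to any source, a rich rule without a `source address=`, echo-request not blocked, or the zone not bound to the expected interface). The two listings embedded in it are constructed copies of the page's output; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the output of
# "firewall-cmd --zone=<zone> --list-all". The listings below are
# constructed copies of the "public" and "test" zones shown in the post.

PUBLIC_ZONE=$(cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno16777984
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
EOF
)

TEST_ZONE=$(cat <<'EOF'
test (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno16777984
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks: echo-request
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept
        rule family="ipv4" source address="192.168.1.0/24" port port="8080" protocol="tcp" accept
EOF
)

# zone_field LISTING NAME: value of a single-line field such as "services"
# or "icmp-blocks" (empty output when the field is empty).
zone_field() {
    printf '%s\n' "$1" | awk -v f="$2" '
        $1 == (f ":") { sub(/^[^:]*:[[:space:]]*/, ""); print; exit }'
}

# zone_rich_rules LISTING: the rich rules, one per line, without indentation.
zone_rich_rules() {
    printf '%s\n' "$1" | awk '/^[[:space:]]+rule / { sub(/^[[:space:]]+/, ""); print }'
}

# audit_zone LISTING [INTERFACE]: return 0 when the zone only exposes
# source-restricted rich rules, blocks echo-request and (if given) is bound
# to INTERFACE; otherwise print WARN lines and return 1.
audit_zone() {
    listing=$1; iface=${2:-}; status=0

    # Anything on the "services:" or "ports:" line is reachable from any source.
    for f in services ports; do
        v=$(zone_field "$listing" "$f")
        if [ -n "$v" ]; then
            echo "WARN: $f open to any source: $v"; status=1
        fi
    done

    case " $(zone_field "$listing" icmp-blocks) " in
        *" echo-request "*) ;;
        *) echo "WARN: echo-request is not blocked"; status=1 ;;
    esac

    # A rich rule without "source address=" also applies to every source.
    open=$(zone_rich_rules "$listing" | grep -v 'source address=' || true)
    if [ -n "$open" ]; then
        echo "WARN: rich rule without source restriction: $open"; status=1
    fi

    if [ -n "$iface" ]; then
        case " $(zone_field "$listing" interfaces) " in
            *" $iface "*) ;;
            *) echo "WARN: zone is not bound to $iface"; status=1 ;;
        esac
    fi
    return $status
}

echo "== public =="; audit_zone "$PUBLIC_ZONE" eno16777984 || true
echo "== test ==";   if audit_zone "$TEST_ZONE" eno16777984; then echo "OK"; fi
```

On a live host the same function can be fed the real output: `audit_zone "$(firewall-cmd --zone=test --list-all)" eno16777984`. The "public" listing is flagged twice (ssh and dhcpv6-client open to any source, ping allowed), the "test" listing passes.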
