Linux firewalld rules

  Security

One of the customers wanted firewall rules on the system, but not the way you would expect. Normally you close everything and then open a minimal number of ports; at this customer everything on the machine is open by default, and the networks are protected by separate firewalls. The request for this application and its machines is to leave all ports open but block a number of ports for all IP addresses except the members of the application group.

We got a request from a customer to set firewall rules on some systems, mainly because some of the applications have no security settings built in.
On our RHEL7 machines all the tools are available and firewalld is already active. The default zone on our systems is "trusted", which means none of the ports are blocked.
RHEL7 comes with several predefined zones, and all of them except the trusted zone drop or reject incoming connections that are not explicitly allowed. To stay as close as possible to what
we normally use on our systems, we create a new zone on these systems and block only the requested ports.

In this example the request is to block 3 ports from the outside (5043, 5070 and 5071). 2 of the 3 ports are used for communication between the 4 machines of the application,
so those 2 ports have to be closed to the outside but not to the 4 machines in the application group. The third port is closed for everyone.

First we have to create a new zone. I named it "klanttrusted" because all ports stay open and we close only 3 ports. The option --permanent means the change is only
written to the configuration files, not to the running firewall. --new-zone only works with --permanent, so the zone becomes active on the next reload. (For options that work with and without --permanent you can also run the command a second time without it instead of reloading; I used the reload.)

# firewall-cmd --permanent --new-zone=klanttrusted

Second I created an ipset. This is more flexible than entering the IP addresses in the rules themselves. The ipset is named ipallow and it needs a type, here hash:ip (one entry per address; hash:net also accepts whole subnets).

# firewall-cmd --permanent --new-ipset=ipallow --type=hash:ip

Because I used --permanent the ipset only exists in the saved configuration; to make it active before filling it, just reload the firewall.

# firewall-cmd --reload

The zone is now loaded as well. A newly created zone has the target "default", which rejects everything that is not explicitly allowed. We do not want that, so we change the target to ACCEPT: all ports are open unless a rule says otherwise.
Options used are of course the zone name, the target and --permanent to write it to the file. Keep in mind what ACCEPT means here: anything a later rich rule does not match is allowed, so a typo in a port number silently leaves that port open. Check the end result with --list-all.

# firewall-cmd --zone=klanttrusted --set-target=ACCEPT --permanent

Next we have to connect the ipset to the zone. Options used are the zone name, the ipset name and --permanent. Note that a source binding takes precedence over an interface binding: traffic from an address in ipallow lands in this zone on whichever interface it arrives.

# firewall-cmd --permanent --zone=klanttrusted --add-source=ipset:ipallow

And of course an extra reload to make it all active.

# firewall-cmd --reload

Next is to fill the ipset with the IP addresses of the connected servers, in this case 4 servers. For simple administration give every system the same list;
the machine's own IP address is not necessary.

# firewall-cmd --ipset=ipallow --add-entry=10.2.206.235 --permanent
# firewall-cmd --ipset=ipallow --add-entry=10.2.208.251 --permanent
# firewall-cmd --ipset=ipallow --add-entry=10.2.206.243 --permanent
# firewall-cmd --ipset=ipallow --add-entry=10.2.208.250 --permanent

Now that the IP addresses are there we can block the ports. We do this with rich rules. Two of the ports stay open for addresses in the ipset and are rejected for everybody else (source NOT ipset). Rich rules are evaluated before the zone target, so these reject rules win from the ACCEPT target.

# firewall-cmd --permanent --zone=klanttrusted --add-rich-rule='rule family="ipv4" source NOT ipset="ipallow" port port="5043" protocol="tcp" reject'
# firewall-cmd --permanent --zone=klanttrusted --add-rich-rule='rule family="ipv4" source NOT ipset="ipallow" port port="5070" protocol="tcp" reject'

And the third one is closed for all connections.

# firewall-cmd --permanent --zone=klanttrusted --add-rich-rule='rule family="ipv4" port port="5071" protocol="tcp" reject'

To make it all active, reload. Two caveats: these rules have family="ipv4" only, so if the application also listens on IPv6 the ports stay open there and you need a second ipset (created with --option=family=inet6) and matching family="ipv6" rules. And a source-address check is only as good as the anti-spoofing on the network: it keeps outside systems out, it does not authenticate the application servers.

# firewall-cmd --reload

The zone we created is not yet connected to an interface. To connect it to an interface and make it active:

# firewall-cmd --zone=klanttrusted --change-interface=eth0

Without --permanent this binding is runtime only and is gone after the next reload or reboot, so run the same command a second time with --permanent as well.
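The steps above as one script, an added example that is not part of the original page. It builds the same zone from variables so it can be run unchanged on all four application servers. By default it only prints the firewall-cmd commands it would run; set APPLY=1 to execute them as root. The zone, ipset, port and interface names are the ones used on this page, MEMBERS is the page's example address list, and the valid_ipv4 check is an addition of this example so a typo is refused before it ends up in the ipset.

```bash
#!/bin/bash
# Added example, not from the original page: create the klanttrusted zone
# from variables. Dry run by default (prints the commands); APPLY=1 executes.

ZONE=${ZONE:-klanttrusted}
IPSET=${IPSET:-ipallow}
IFACE=${IFACE:-eth0}
# ports reachable only from ipset members, and ports closed to everyone
GROUP_PORTS=${GROUP_PORTS:-"5043 5070"}
CLOSED_PORTS=${CLOSED_PORTS:-"5071"}
# the page's example application servers (constructed sample list)
MEMBERS=${MEMBERS:-"10.2.206.235 10.2.208.251 10.2.206.243 10.2.208.250"}

# run a command, or only print it when APPLY is not 1
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# rich rule text for a port that only ipset members may reach ($1=port $2=ipset)
group_rule() {
    printf 'rule family="ipv4" source NOT ipset="%s" port port="%s" protocol="tcp" reject' "$2" "$1"
}

# rich rule text for a port closed to all sources ($1=port)
closed_rule() {
    printf 'rule family="ipv4" port port="%s" protocol="tcp" reject' "$1"
}

# accept only a dotted quad with four octets in 0..255 (hypothetical helper)
valid_ipv4() {
    local IFS=. o n=0
    for o in $1; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
        n=$((n+1))
    done
    [ "$n" -eq 4 ]
}

# the whole procedure from the page, all in the permanent config, one reload at the end
setup_zone() {
    run firewall-cmd --permanent --new-zone="$ZONE"
    run firewall-cmd --permanent --new-ipset="$IPSET" --type=hash:ip
    run firewall-cmd --permanent --zone="$ZONE" --set-target=ACCEPT
    run firewall-cmd --permanent --zone="$ZONE" --add-source="ipset:$IPSET"
    for ip in $MEMBERS; do
        valid_ipv4 "$ip" || { echo "refusing bad address: $ip" >&2; return 1; }
        run firewall-cmd --permanent --ipset="$IPSET" --add-entry="$ip"
    done
    for p in $GROUP_PORTS; do
        run firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(group_rule "$p" "$IPSET")"
    done
    for p in $CLOSED_PORTS; do
        run firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(closed_rule "$p")"
    done
    # bind the interface in the permanent config so it survives reload and reboot
    run firewall-cmd --permanent --zone="$ZONE" --change-interface="$IFACE"
    run firewall-cmd --reload
}

# usage: bash klanttrusted.sh setup        (prints what it would do)
#        APPLY=1 bash klanttrusted.sh setup (applies it, run as root)
case "${1:-}" in setup) setup_zone ;; esac
```

Run it once in dry-run mode and compare the printed lines with the commands on this page before applying; after APPLY=1, firewall-cmd --zone=klanttrusted --list-all should show the three rich rules and eth0 as interface.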

Because we do not have real support for this and see it as a special, the customer is responsible for monitoring that the zone is in place. If there is a problem we help on a best-effort basis.
The customer can use the following command, also as a normal user, to see if the zone is active on the eth0 interface.

# firewall-cmd --get-active-zones
klanttrusted
interfaces: eth0
sources: ipset:ipallow

Other commands we can use, with admin permissions, to check things. The IP addresses in the ipset:

# firewall-cmd --info-ipset=ipallow
ipallow
type: hash:ip
options:
entries: 10.2.206.235 10.2.208.251 10.2.206.243 10.2.208.250

And list all entries in the zone:

# firewall-cmd --zone=klanttrusted --list-all
klanttrusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: eth0
sources: ipset:ipallow
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source NOT ipset="ipallow" port port="5043" protocol="tcp" reject
rule family="ipv4" source NOT ipset="ipallow" port port="5070" protocol="tcp" reject
rule family="ipv4" port port="5071" protocol="tcp" reject

If you want to know more, RTFM: man firewall-cmd, man firewalld.zone, man firewalld.ipset and man firewalld.richlanguage.