{"id":300,"date":"2018-06-14T11:40:37","date_gmt":"2018-06-14T11:40:37","guid":{"rendered":"http:\/\/faq.graven-ict.nl\/wordpress\/?p=300"},"modified":"2021-02-02T18:29:17","modified_gmt":"2021-02-02T18:29:17","slug":"linux-firewalld-rules","status":"publish","type":"post","link":"https:\/\/wiki.graven-ict.nl\/wordpress\/linux-firewalld-rules\/","title":{"rendered":"Linux firewalld rules"},"content":{"rendered":"<p>One of our customers wanted firewall rules on the system, but the other way around from what you would expect: normally you close everything and then open a minimal number of ports, but at this customer everything on the machine is open by default. The networks are protected by separate firewalls. The request for these applications\/machines is to leave all ports open but to block a number of ports for all IP addresses except the members of the application group.<\/p>\n<p>We get some requests from customers to set firewall rules on some systems, mainly because some applications have no security settings built in.<br \/>\nOn our RHEL7 machines all tools are available and already active. The default setting on our systems is \u201ctrusted\u201d; this means none of the ports is blocked.<br \/>\nRHEL7 comes with several predefined zones; all these zones except the trusted zone drop\/block\/reject incoming connections. So, to stay as close as possible to what we normally use on our systems, we create a new zone on these systems and block only the requested ports.<\/p>\n<p>In this example the request is to block 3 ports from the outside (5043, 5070 and 5071); 2 of the 3 ports are used for communication between the 4 machines.<br \/>\nSo those 2 ports have to be closed for the outside but not for the 4 machines in the application group.<\/p>\n<p>First we have to create a new zone. I named it \u201cklanttrusted\u201d because all ports are open and we close only 3 ports. The option --permanent means that it is only<br \/>\nsaved to a file. To make it active you can run the command again without the --permanent option or just reload the firewall (I used the last option).<\/p>\n<p><code># firewall-cmd --permanent --new-zone=klanttrusted<\/code><\/p>\n<p>Second, I created an ipset. This is more flexible than entering the IP addresses in the rules themselves. The ipset is named ipallow and you have to give it a type; here that is hash:ip.<\/p>\n<p><code># firewall-cmd --permanent --new-ipset=ipallow --type=hash:ip<\/code><\/p>\n<p>Because I used --permanent I have to make it active before I can fill it with IP addresses; just reload the firewall.<\/p>\n<p><code># firewall-cmd --reload<\/code><\/p>\n<p>The zone is now loaded as well. By default all ports in a newly created zone are blocked; we do not want that, so we change the target and set it to ACCEPT. All ports are open.<br \/>\nThe options used are of course the zone name and the target, and --permanent to write it to the file.<\/p>\n<p><code># firewall-cmd --zone=klanttrusted --set-target=ACCEPT --permanent<\/code><\/p>\n<p>Next we have to connect the ipset to the zone. The options used are the zone name, the ipset name and --permanent.<\/p>\n<p><code># firewall-cmd --permanent --zone=klanttrusted --add-source=ipset:ipallow<\/code><\/p>\n<p>And of course, to make it all active, do an extra reload.<\/p>\n<p><code># firewall-cmd --reload<\/code><\/p>\n<p>Next is to fill the ipset with the IP addresses of the connected servers; in this case these are 4 servers. For simple administration give every system the same list;<br \/>\nthe system\u2019s own IP address is not necessary.<\/p>\n<p><code># firewall-cmd --ipset=ipallow --add-entry=10.2.206.235 --permanent<\/code><br \/>\n<code># firewall-cmd --ipset=ipallow --add-entry=10.2.208.251 --permanent<\/code><br \/>\n<code># firewall-cmd --ipset=ipallow --add-entry=10.2.206.243 --permanent<\/code><br \/>\n<code># firewall-cmd --ipset=ipallow --add-entry=10.2.208.250 --permanent<\/code><\/p>\n<p>Now that the IP addresses are there we need to block the ports. We do this with rich rules. 2 of the ports stay open for IP addresses in the ipset.<\/p>\n<p><code># firewall-cmd --permanent --zone=klanttrusted --add-rich-rule='rule family=\"ipv4\" source NOT ipset=\"ipallow\" port port=\"5043\" protocol=\"tcp\" reject'<\/code><br \/>\n<code># firewall-cmd --permanent --zone=klanttrusted --add-rich-rule='rule family=\"ipv4\" source NOT ipset=\"ipallow\" port port=\"5070\" protocol=\"tcp\" reject'<\/code><\/p>\n<p>And the third one is closed for all connections.<\/p>\n<p><code># firewall-cmd --permanent --zone=klanttrusted --add-rich-rule='rule family=\"ipv4\" port port=\"5071\" protocol=\"tcp\" reject'<\/code><\/p>\n<p>To make it all available, reload.<\/p>\n<p><code># firewall-cmd --reload<\/code><\/p>\n<p>Now we have created a zone, but it is not connected to an interface. To connect it to an interface and make it active:<\/p>\n<p><code># firewall-cmd --zone=klanttrusted --change-interface=eth0<\/code><\/p>\n<p>Because we do not have real support for this and we see it as a special case, the customer is responsible for monitoring that the zone is in place. If there is a problem we help on a best-effort basis.<br \/>\nThe customer can use the following command as a normal user to see if the zone is active on the eth0 interface.<\/p>\n<p><code># firewall-cmd --get-active-zones<\/code><br \/>\n<code>klanttrusted<\/code><br \/>\n<code>interfaces: eth0<\/code><br \/>\n<code>sources: ipset:ipallow<\/code><\/p>\n<p>Other commands we can use, with admin permissions, to check things. IP addresses in the ipset:<\/p>\n<p><code># firewall-cmd --info-ipset=ipallow<\/code><br \/>\n<code>ipallow<\/code><br \/>\n<code>type: hash:ip<\/code><br \/>\n<code>options:<\/code><br \/>\n<code>entries: 10.2.210.191 10.2.210.198 10.2.210.187 10.2.210.188<\/code><\/p>\n<p>And list all entries in the zone:<\/p>\n<p><code># firewall-cmd --zone=klanttrusted --list-all<\/code><br \/>\n<code>rabotrusted (active)<\/code><br \/>\n<code>target: ACCEPT<\/code><br \/>\n<code>icmp-block-inversion: no<\/code><br \/>\n<code>interfaces: eth0<\/code><br \/>\n<code>sources: ipset:ipallow<\/code><br \/>\n<code>services:<\/code><br \/>\n<code>ports:<\/code><br \/>\n<code>protocols:<\/code><br \/>\n<code>masquerade: no<\/code><br \/>\n<code>forward-ports:<\/code><br \/>\n<code>source-ports:<\/code><br \/>\n<code>icmp-blocks:<\/code><br \/>\n<code>rich rules:<\/code><br \/>\n<code>rule family=\"ipv4\" source NOT ipset=\"ipallow\" port port=\"5043\" protocol=\"tcp\" reject<\/code><br \/>\n<code>rule family=\"ipv4\" source NOT ipset=\"ipallow\" port port=\"5070\" protocol=\"tcp\" reject<\/code><br \/>\n<code>rule family=\"ipv4\" port port=\"5071\" protocol=\"tcp\" reject<\/code><\/p>\n<p>If you want to know more, RTFM.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of our customers wanted firewall rules on the system, but the other way around from what you would expect: normally you close everything and then open a minimal number of ports, but at this customer everything on the machine is open by default. The networks are protected by separate firewalls. But the request for these applications\/machines ..<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[59],"tags":[],"class_list":["post-300","post","type-post","status-publish","format-standard","hentry","category-security"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wiki.graven-ict.nl\/wordpress\/wp-json\/wp\/v2\/posts\/300","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wiki.graven-ict.nl\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.graven-ict.nl\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.graven-ict.nl\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.graven-ict.nl\/wordpress\/wp-json\/wp\/v2\/comments?post=300"}],"version-history":[{"count":7,"href":"https:\/\/wiki.graven-ict.nl\/wordpress\/wp-json\/wp\/v2\/posts\/300\/revisions"}],"predecessor-version":[{"id":821,"href":"https:\/\/wiki.graven-ict.nl\/wordpress\/wp-json\/wp\/v2\/posts\/300\/revisions\/821"}],"wp:attachment":[{"href":"https:\/\/wiki.graven-ict.nl\/wordpress\/wp-json\/wp\/v2\/media?parent=300"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.graven-ict.nl\/wordpress\/wp-json\/wp\/v2\/categories?post=300"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.graven-ict.nl\/wordpress\/wp-json\/wp\/v2\/tags?post=300"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}