RHCE (Part 4) - Advanced Firewall Usage

Advanced firewall usage

Part 1: Managing firewalld

1. Composition of the Linux firewall

Composition: netfilter (kernel module) + firewalld / iptables (application layer)       

                              +---------+
                   /----------| drop    |      sip: 172.16.0.0/16
+------------+    /           +---------+
|            |---+            +---------+      eth0
| localhost  |----------------| public  |
|            |---+            +---------+      eth1
+------------+    \           +---------+
                   \----------| trusted |      sip: 192.168.1.0/24
                              +---------+

Predefined zones

trusted

         Accepts all incoming and all outgoing packets.

home

         Incoming packets are rejected, except those for the predefined services (ssh, mdns, ipp-client, samba-client, dhcpv6-client); all outgoing packets are allowed.

internal

         Same as home.

work

         Incoming packets are rejected, except those for the predefined services (ssh, ipp-client, dhcpv6-client); all outgoing packets are allowed.

public

         Incoming packets are rejected, except those for the predefined services (ssh, dhcpv6-client); all outgoing packets are allowed. A newly added network interface is bound to this zone by default.

external

         Incoming packets are rejected, except those for the predefined service (ssh); all outgoing packets are allowed, and the source IP of every packet leaving through this zone is masqueraded, i.e. rewritten to the IP of the interface bound to the zone.

dmz

         Incoming packets are rejected, except those for the predefined service (ssh); all outgoing packets are allowed.

block

         All incoming packets are rejected; all outgoing packets are allowed.

drop

         All incoming packets are dropped without any response; only outgoing packets are allowed.

2. Using firewalld

To manage the firewall with the firewalld service and its tools, firewalld must be running, and the old firewall services must be masked first so they cannot conflict with it:

# systemctl mask iptables

# systemctl mask ip6tables

# systemctl enable firewalld

# systemctl status firewalld

If the status shows that the service is not running, start it with systemctl start firewalld.

Only once firewalld is running can its tools be used: firewall-config (GUI) and firewall-cmd.

firewalld rules exist in two states: the runtime configuration and the permanent configuration.

Runtime: a rule change takes effect immediately, but is lost when firewalld is reloaded or restarted.

Permanent: a rule change is saved to disk, but does not take effect until the configuration is reloaded.

A firewall-cmd command without --permanent only changes the runtime configuration. To keep a rule permanently, add --permanent and then reload:

# firewall-cmd ..... --permanent

# firewall-cmd --reload        reload the configuration (--complete-reload also reloads the netfilter kernel modules and will most likely terminate active connections)

View the current default zone:

# firewall-cmd --get-default-zone

public

Change the current default zone to work:

# firewall-cmd --set-default-zone=work

Add the http service to the work zone, so that other hosts can reach the http service:

# firewall-cmd --add-service=http --zone=work

Bind a source address range to the public zone. Only packets whose source IP falls in this range are routed to the zone, and the zone's rules then decide whether they are let through:

# firewall-cmd --add-source=172.25.0.10/32 --zone=public

View the active zones:

# firewall-cmd --get-active-zones

work                       <--- the default zone, chosen with --set-default-zone

  interfaces: eth0         <--- eth0 is bound to this zone; all traffic on this interface is filtered by the zone's rules

ROL                        <--- a zone dedicated to the Red Hat training environment

  sources: 172.25.0.252/32

public                     <--- public is active because we bound a source to it with --add-source above

  sources: 172.25.0.10/32  <--- any packet whose source IP is 172.25.0.10 is handled by the public zone

Bind the interface eth0 to the public zone:

# firewall-cmd --change-interface=eth0 --zone=public

View the details of a specified zone:

# firewall-cmd  --list-all --zone=work

work (default)

  interfaces:

  sources:

  services: dhcpv6-client http ipp-client ssh <--- http is open

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:  

# firewall-cmd  --list-all --zone=public

public (active)

  interfaces: eth0 <--- the public is bound to eth0

  sources: 172.25.0.10/32

  services: ssh vnc-server <--- http is not open

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:
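To make the zone selection shown above concrete, here is an added example (not code from the original post or from firewalld) that simulates how firewalld picks a zone: source bindings are checked first, then interface bindings, then the default zone, and the chosen zone's service list decides. The zone table and the service-to-port mapping are constructed to mirror the output above; only services are evaluated, not ports, rich rules or the zone target.

```python
import ipaddress

# Constructed zone table mirroring the --get-active-zones / --list-all output above
# (assumed values; a real tool would read them from firewall-cmd).
ZONES = {
    "work":   {"interfaces": [], "sources": [],
               "services": {"dhcpv6-client", "http", "ipp-client", "ssh"}},
    "public": {"interfaces": ["eth0"], "sources": ["172.25.0.10/32"],
               "services": {"ssh", "vnc-server"}},
}
DEFAULT_ZONE = "work"

# Assumed service definitions; firewalld reads the real ones from
# /usr/lib/firewalld/services/*.xml.
SERVICE_PORTS = {
    "ssh": [("tcp", 22)], "http": [("tcp", 80)], "ipp-client": [("udp", 631)],
    "dhcpv6-client": [("udp", 546)],
    "vnc-server": [("tcp", p) for p in range(5900, 5904)],
}


def select_zone(src_ip, iface):
    """Return the zone firewalld applies to a packet: a source binding wins over
    an interface binding, and unbound traffic falls into the default zone."""
    ip = ipaddress.ip_address(src_ip)
    for name, zone in ZONES.items():
        if any(ip in ipaddress.ip_network(net) for net in zone["sources"]):
            return name
    for name, zone in ZONES.items():
        if iface in zone["interfaces"]:
            return name
    return DEFAULT_ZONE


def verdict(src_ip, iface, proto, dport):
    """Return (zone, 'accept' or 'reject') for a new inbound connection, judged
    by the zone's service list only (ports, rich rules and targets are ignored)."""
    zone = select_zone(src_ip, iface)
    allowed = {pp for svc in ZONES[zone]["services"] for pp in SERVICE_PORTS.get(svc, [])}
    return zone, ("accept" if (proto, dport) in allowed else "reject")


if __name__ == "__main__":
    # work opens http, but 172.25.0.10 is source-bound to public (no http there),
    # and any other host arriving on eth0 is interface-bound to public as well.
    for packet in [("172.25.0.10", "eth1", "tcp", 80), ("172.25.0.11", "eth0", "tcp", 80),
                   ("172.25.0.11", "eth1", "tcp", 80), ("172.25.0.10", "eth0", "tcp", 22)]:
        print(packet, "->", verdict(*packet))
```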

Exercise:

1. Install httpd and mod_ssl on the server to provide http and https services:

# yum install httpd mod_ssl -y

# systemctl enable httpd

# systemctl start httpd

2. Configure the firewall so that users can reach the machine's http and https services:

# systemctl mask iptables

# systemctl mask ip6tables

# systemctl status firewalld      if firewalld is not running, make sure it is enabled at boot and started now

Add the rule with the GUI:

# firewall-config

Part 2: Managing rich rules

Besides the zone and service syntax used to restrict which connections a service accepts, firewalld offers two further ways to add rules: direct rules and rich rules.

1. Direct rules (not part of the RHCE 7 syllabus)

Direct rules use syntax similar to traditional iptables rules and are inserted into the tables and chains that firewalld manages.

Example: all packets from the 192.168.0.0/24 network are sent to a blacklist chain, logged (at most one log entry per minute) and dropped:

# firewall-cmd --direct --permanent --add-chain ipv4 raw blacklist

# firewall-cmd --direct --permanent --add-rule ipv4 raw PREROUTING 0 -s 192.168.0.0/24 -j blacklist
# firewall-cmd --direct --permanent --add-rule ipv4 raw blacklist 0 -m limit --limit 1/min -j LOG --log-prefix "blacklisted"

# firewall-cmd --direct --permanent --add-rule ipv4 raw blacklist 1 -j DROP

# firewall-cmd --reload
# firewall-cmd  --direct --get-all-rules

ipv4 raw PREROUTING 0 -s 192.168.0.0/24 -j blacklist

ipv4 raw blacklist 0 -m limit --limit 1/min -j LOG --log-prefix blacklisted

ipv4 raw blacklist 1 -j DROP

When the experiment is finished, delete the rules (both the permanent and the runtime copies):

# firewall-cmd --permanent --direct --remove-rules ipv4 raw blacklist

# firewall-cmd --permanent --direct --remove-rules ipv4 raw PREROUTING

# firewall-cmd  --direct --remove-rules ipv4 raw blacklist

# firewall-cmd  --direct --remove-rules ipv4 raw PREROUTING

# firewall-cmd  --direct --remove-chain ipv4 raw blacklist

# firewall-cmd --reload

2. Rich rules (required for the exam)

man firewall-cmd

man firewalld.richlanguage

           rule

             [source]

             [destination]

             service|port|protocol|icmp-block|masquerade|forward-port

             [log]

             [audit]

             [accept|reject|drop]

 

rule [family="ipv4|ipv6"]

source address="address[/mask]" [invert="True"]

destination address="address[/mask]" invert="True"

service name="service name"

port port="port value" protocol="tcp|udp"

protocol value="protocol value"

forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"

log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]

accept | reject [type="reject type"] | drop

The rich rules of a zone are evaluated in order, and the first rule that matches takes effect.

--add-rich-rule='<RULE>'      add a rich rule to the specified zone

--remove-rich-rule='<RULE>'   remove a rich rule from the specified zone

--query-rich-rule='<RULE>'    check whether a rich rule exists: returns 0 if found, 1 if not

--list-rich-rules             list all rich rules of the specified zone

--list-all and --list-all-zones also list the rich rules that exist

Examples:

# firewall-cmd  --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.0.11/32 reject'

# firewall-cmd --permanent --zone=public --add-rich-rule='rule service name=ftp accept limit value=1/m'

# firewall-cmd --permanent --zone=public --add-rich-rule='rule protocol value=esp drop'

# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.17.10.0/24 service name=ssh reject'

# firewall-cmd --permanent --zone=public  --add-rich-rule='rule family=ipv4 source address=192.168.0.0/24 port port=7900-7905 protocol=tcp accept'

# firewall-cmd --permanent --zone=work --add-rich-rule='rule service name=ssh log prefix="ssh " level=notice limit value="3/m" accept'
#  firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.0.11/32 service name=ssh reject' --timeout=300 

         Used for debugging: the rule expires after 300 seconds, so a mistaken rule cannot cut off the network connection permanently.
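The following parser is an added example (not from the post or from firewalld itself) that checks a rich rule string against the grammar above: at most one element, at most one action, and limit only after log, audit or an action. It accepts the examples listed above and rejects malformed ones; the requirement that family be given whenever a source or destination address is used follows the man page.

```python
import shlex

# Grammar from man firewalld.richlanguage: rule [family] [source] [destination]
# element [log] [audit] [action]; limit may only follow log, audit or an action.
ELEMENTS = {"service", "port", "protocol", "icmp-block", "masquerade", "forward-port"}
ACTIONS = {"accept", "reject", "drop"}
NO_ACTION = {"icmp-block", "masquerade", "forward-port"}  # elements that take no action
KEYWORDS = {"rule", "source", "destination", "log", "audit"} | ELEMENTS | ACTIONS


def parse_rich_rule(text):
    """Parse one rich rule into a dict keyed by section ('source', 'log', the element
    name, the action name, ...) plus 'family', 'element', 'action'; ValueError if invalid."""
    tokens = shlex.split(text)            # keeps prefix="NEW HTTP " as one token
    if not tokens or tokens[0] != "rule":
        raise ValueError("a rich rule must start with 'rule'")
    rule, sections, current, limit_of = {"element": None, "action": None}, {}, None, None
    for tok in tokens:
        if "=" in tok:                    # attribute of the current keyword
            key, _, value = tok.partition("=")
            if limit_of is not None and key == "value":
                sections[limit_of]["limit"], limit_of = value, None
            else:
                sections[current][key] = value
        elif tok == "limit":
            if current not in ACTIONS | {"log", "audit"}:
                raise ValueError("limit is only allowed after log, audit or an action")
            limit_of = current
        elif tok in KEYWORDS:             # keyword opening a new section
            if tok in sections:
                raise ValueError("%s used more than once" % tok)
            if tok in ELEMENTS or tok in ACTIONS:
                slot = "element" if tok in ELEMENTS else "action"
                if rule[slot] is not None:
                    raise ValueError("only one %s per rule" % slot)
                rule[slot] = tok
            sections[tok], current = {}, tok
        else:
            raise ValueError("unknown keyword %r" % tok)
    if limit_of is not None:
        raise ValueError("limit needs value=rate/duration")
    rule["family"] = sections.pop("rule").get("family")
    if rule["family"] is None and any("address" in sections.get(k, {}) for k in ("source", "destination")):
        raise ValueError("family is required with a source or destination address")
    if rule["element"] is None and rule["action"] is None:
        raise ValueError("a rule needs an element or an action")
    if rule["element"] in NO_ACTION and rule["action"] is not None:
        raise ValueError("%s does not take an action" % rule["element"])
    rule.update(sections)
    return rule
```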

Experiment: an httpd service is deployed on server0. Add a rich rule so that only 172.25.0.10/32 can access it, with logging at level notice, the log prefix "NEW HTTP" and a limit of 3 per second, and make the rule permanent.

1. Execute on server0:

# yum install httpd

# systemctl start httpd

# systemctl enable httpd

# firewall-cmd --list-all-zones      view the current firewall zones and their rules

# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.0.10/32 service name=http log level=notice prefix="NEW HTTP " limit value="3/s" accept'

# firewall-cmd --reload

# tailf /var/log/messages

2. Test access from the desktop:

# curl http://server0.example.com

Part 3: Configuring address mapping and port forwarding

1. Source address mapping (masquerading)

Generally used so that machines on the internal network can reach the external network through the firewall:

# firewall-cmd --permanent --zone=public --add-masquerade

For every packet from a client in the public zone that passes through the firewall and whose destination IP is not the firewall itself, the source IP is rewritten to the firewall's own IP.

or

# firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 masquerade'

2. Port forwarding

This is really the traditional destination address mapping (DNAT), used so that external hosts can reach resources on the internal network:

# firewall-cmd --permanent --zone=public --add-forward-port=port=513:proto=tcp:toport=132:toaddr=192.168.0.254

# firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.0.0/24 forward-port port=80 protocol=tcp to-port=8080'

Example: add a port forwarding rule on server0 so that tcp packets from 172.25.0.10/32 arriving on port 443 are forwarded to tcp port 22 of the same machine.

On server0, define the rule:

# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.0.10/32 forward-port port=443 protocol=tcp to-port=22'

# firewall-cmd --reload

Test on desktop0:

# ssh -p 443 server0.example.com

Part 4: Managing SELinux port labels

Besides labeling files and processes, SELinux also labels network connections, including the ports they use. For example, in the targeted policy port 22 is labeled ssh_port_t.

Whenever a process starts listening on a port, SELinux checks whether that process's type is allowed to bind to the port's type.

Check the common port labels defined in the policy:

# semanage port -l

SELinux port type protocol port

...

afs3_callback_port_t           tcp      7001

afs3_callback_port_t           udp      7001

afs_bos_port_t                 udp      7007

...

Add a port label definition:

# semanage port -a -t http_port_t -p tcp 8080

Delete a port label definition:

# semanage port -d -t http_port_t -p tcp 8080

Modify an existing port label definition:

# semanage port -m -t gopher_port_t -p tcp 8080

 


Origin blog.csdn.net/qq_40980391/article/details/104211910