Practical Examples: Firewall on Red Hat Linux

To list all services available on the system:

[root@linux ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client cups dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https

To list all zones available on the system:

[root@linux ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
 
To list the default zone of your system:
[root@linux ~]# firewall-cmd --get-default-zone
public


To list the full configuration of every zone:
[root@linux ~]# firewall-cmd --list-all-zones
block
  interfaces: 
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
 
dmz
  interfaces: 
  sources: 
  services: ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
 
drop
  interfaces: 
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
 
external
  interfaces: 
  sources: 
  services: ssh
  ports: 
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules: 
 
home
  interfaces: 
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
 
internal
  interfaces: 
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
 
public (default, active)
  interfaces: eno16777984
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: echo-reply echo-request
  rich rules: 
 rule family="ipv4" source address="172.17.7.0/24" port port="513" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="23" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="20048" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="631" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="21" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="513" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="53048" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="20" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="23" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="631" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="111" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="22" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="53048" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="53" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="20048" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="20" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="53" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="21" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="111" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="22" protocol="tcp" accept
trusted
  interfaces: 
  sources: 172.0.0.0/8
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
 
work
  interfaces: 
  sources: 
  services: dhcpv6-client ipp-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
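
An audit of the listing above, added here as an example and not part of the original post. firewalld assigns a packet to a zone by source address before it considers the interface, so the 172.0.0.0/8 source bound to the trusted zone takes traffic from 172.17.7.0/24 and 172.17.82.0/24 away from the rich rules in public. The sample text is trimmed from the output above; the helper names, the cleartext-port list and the assumption that every source is a CIDR network are choices made for this example.

```python
import ipaddress
import re

# Constructed sample: trimmed from the `firewall-cmd --list-all-zones` output above.
SAMPLE = """\
public (default, active)
  interfaces: eno16777984
  sources:
  rich rules:
 rule family="ipv4" source address="172.17.7.0/24" port port="23" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="21" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="22" protocol="tcp" accept
trusted
  interfaces:
  sources: 172.0.0.0/8
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLEARTEXT = {"21": "ftp", "23": "telnet", "513": "rlogin"}  # assumption: ports worth flagging
RULE = re.compile(r'source address="([^"]+)" port port="(\d+)"')

def within(net, nets):
    """True if net lies entirely inside one of nets (same IP version only)."""
    return any(net.version == n.version and net.subnet_of(n) for n in nets)

def parse_zones(text):
    """Return {zone: {"sources": [networks], "rules": [(network, port)]}}."""
    zones, cur = {}, None
    for line in text.splitlines():
        m = RULE.search(line)
        if m and cur is not None:
            cur["rules"].append((ipaddress.ip_network(m.group(1)), m.group(2)))
        elif line and not line[0].isspace():  # a zone header starts in column 0
            cur = zones.setdefault(line.split()[0], {"sources": [], "rules": []})
        elif line.strip().startswith("sources:") and cur is not None:
            cur["sources"] = [ipaddress.ip_network(s) for s in line.split()[1:]]
    return zones

def audit(text):
    """Flag over-broad trusted sources, shadowed rich rules and cleartext ports."""
    zones, findings = parse_zones(text), []
    trusted = zones.get("trusted", {"sources": []})["sources"]
    for net in trusted:
        if not within(net, RFC1918):
            findings.append(f"trusted: source {net} extends beyond RFC 1918 space")
    for name, zone in zones.items():
        for net, port in zone["rules"]:
            if within(net, trusted):
                findings.append(f"{name}: rule {net} port {port} shadowed by trusted zone")
            if port in CLEARTEXT:
                findings.append(f"{name}: rule {net} allows cleartext {CLEARTEXT[port]}")
    return findings
```

On a live host, pass the text returned by firewall-cmd --list-all-zones to audit() instead of SAMPLE.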

To set the default zone:
[root@linux ~]# firewall-cmd --set-default-zone=internal
Success

Verify the default zone.

[root@linux ~]# firewall-cmd --get-default-zone
internal


To open TCP port 8080 in the dmz zone (runtime only, lost on reload or restart):

[root@linux ~]# firewall-cmd --zone=dmz --add-port=8080/tcp 

To open TCP port 8080 in the dmz zone persistently (takes effect after firewall-cmd --reload):

[root@linux ~]# firewall-cmd --zone=dmz --add-port=8080/tcp --permanent

To open a range of UDP ports in one step in the public zone:

[root@linux ~]# firewall-cmd --zone=public --add-port=5060-5061/udp

To list everything open in the public zone, including ports:

[root@linux ~]# firewall-cmd --zone=public --list-all       
public (default, active)
  interfaces: eno16777984
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: echo-reply echo-request
  rich rules: 
 rule family="ipv4" source address="172.17.7.0/24" port port="513" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="23" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="20048" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="631" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="21" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="513" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="53048" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="20" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="23" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="631" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="111" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="22" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="53048" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="53" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="20048" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="20" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="53" protocol="tcp" accept
 rule family="ipv4" source address="172.17.7.0/24" port port="21" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="111" protocol="tcp" accept
 rule family="ipv4" source address="172.17.82.0/24" port port="22" protocol="tcp" accept

To open TCP port 80 permanently in the public zone:

[root@linux ~]# firewall-cmd --permanent --zone=public --add-port=80/tcp


To remove a port you added, use the '--remove-port' option of firewall-cmd (add --permanent to remove it from the permanent configuration as well):

[root@linux ~]# firewall-cmd --zone=public --remove-port=80/tcp

To block incoming and outgoing packets (panic mode):

To block all incoming and outgoing connections, switch on panic mode with '--panic-on'. The following command also drops every established connection on the system, including a remote SSH session, so run it from the console.

[root@linux ~]# firewall-cmd --panic-on


[root@linux ~]# ping  google.com  -c 1
Failure

[root@linux ~]# firewall-cmd --query-panic
yes

To turn panic mode off and allow incoming and outgoing packets again:

[root@linux ~]# firewall-cmd --panic-off
[root@linux ~]# ping google.com  -c 1
Success

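To block ICMP echo silently, with no error message returned to the sender, use DROP as the jump target. firewall-cmd does not accept iptables options such as -A directly, so the rules go through its direct interface:

[root@linux ~]# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p icmp --icmp-type echo-request -j DROP
[root@linux ~]# firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p icmp --icmp-type echo-reply -j DROP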

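To pass iptables-style rules through firewalld's direct interface:

Allow outgoing TCP traffic to port 80 and drop all other outgoing traffic. The number after the chain name is the rule priority, so the ACCEPT rule (0) is evaluated before the DROP rule (1).

[root@linux ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -j ACCEPT
[root@linux ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP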

------------------------------------------------------------------------------------------------------------
Good Luck https://www.linkedin.com/in/ahmedms/
