Wednesday, November 26, 2014

linux firewall

In this article, I describe firewall architecture and give some examples of Linux firewall configuration, since RedHat/CentOS 7 has replaced the iptables service with firewalld.




Types of firewalls

There are 2 types: filtering firewalls and proxy servers.
  • Filtering firewalls are built into the Linux kernel and work at the network level.
  • Proxy servers come in 2 types: application proxies and SOCKS proxies.

Firewall Architecture

There are many ways to protect your systems with a firewall. Some examples follow:

Dial-up Architecture

<internet>----[Firewall system]---<HUB/LAN>----[Workstation/s]
                      |
                      |
                  <DMZ/HUB>

Note: in this architecture, you have full control over the internet services.

Single Router Architecture

<internet>---[Router/cable Mdm]---<DMZ/HUB>----[Firewall system]---<LAN/HUB>--[workstation/s]
                                      |
                              <Outside server>

Note: if you own the router, set some hard filter rules on it. If the router is owned by the ISP, you cannot control it and must ask the ISP to put the filters in.

Firewall and Proxy server

<internet>---[proxy/Firewall system]-----<hub/LAN>----[Workstations]

Note: you can integrate the proxy into the firewall system.

Or you can put the proxy server inside your LAN:
<internet>----[Firewall system]----<LAN/HUB>----[Workstations]
                                       |
                                [Proxy server]

NOTE: Redundant internet??

Differences between firewalld and iptables service:

  • The iptables service stores its configuration in /etc/sysconfig/iptables; firewalld stores it in XML files in /usr/lib/firewalld and /etc/firewalld/.
  • On every single change, the iptables service flushes all the old rules and reads all the new ones from /etc/sysconfig/iptables.

What is a network zone?

A zone defines the level of trust for the network connections assigned to it. firewalld provides the following zones:

drop: Only outgoing network connections are permitted; incoming packets are dropped.

block: Any incoming network connections are rejected.

public: The default zone of firewalld. For use in public areas; only selected incoming connections are accepted.

external: For use on external networks with masquerading enabled, especially for routers.

dmz: For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.

work: For use in work areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

home: For use in home areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

internal: For use on internal networks. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

trusted: All network connections are accepted.

Some command lines and configuration files for the Linux firewall


Start firewalld:
systemctl start firewalld
Check that firewalld is running:
systemctl status firewalld
Install firewalld:
yum install firewalld
Disable firewalld:
systemctl disable firewalld
systemctl stop firewalld

Using the iptables service instead of firewalld (disable firewalld first):
systemctl disable firewalld
systemctl stop firewalld
yum install iptables-services
Start and enable iptables and ip6tables:
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables
Configuring the firewall using the command line (firewall-cmd)

To display the state of firewalld:
firewall-cmd --state
To view the list of active zones:
firewall-cmd --get-active-zones
To list all settings of a zone:
firewall-cmd --zone=public --list-all
Drop all packets (panic mode):
firewall-cmd --panic-on
Let packets through again:
firewall-cmd --panic-off
To find out whether panic mode is enabled:
firewall-cmd --query-panic
This prints yes if panic mode is enabled and no if it is disabled.

Reload the firewall

Reload the firewall rules and keep state information:
firewall-cmd --reload
If there are state-information problems, such as no connection being established although the firewall rules are correct, do a complete reload; the state information is lost:
firewall-cmd --complete-reload
Examples of Linux firewall configuration using the configuration file and the command line:

Example 1: configure the public.xml zone file (in /etc/firewalld/zones/) so that the firewall accepts the http service from 192.168.1.0/24

[root@localhost zones]# vi public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <service name="http"/>
    <accept/>
  </rule>
</zone>
Example 2: use firewall-cmd with a rich rule to accept the http service through the firewall
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="http" accept'
Other commands:
firewall-cmd --permanent --zone=<zone> --add-service=http
firewall-cmd --permanent --zone=<zone> --add-port=80/tcp
firewall-cmd --zone=<zone> --query-port=80/tcp
firewall-cmd --zone=<zone> --query-service=http
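The following script is an added example and is not part of the original post or of firewalld itself. It audits a zone XML file like the public.xml above offline, lists the services and rich rules the zone opens, and prints the equivalent permanent firewall-cmd commands, which makes the equivalence of Example 1 and Example 2 concrete and lets you review a zone before copying it into /etc/firewalld/zones/ and reloading. It assumes the simple one-element-per-line layout used above; the sample zone, the script name audit_zone.sh and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a firewalld zone XML file
# offline and print the firewall-cmd lines that would produce the same zone.
# Assumes the one-element-per-line layout of the post's public.xml; the sample
# zone written by make_sample_zone is constructed here to match that example.

# make_sample_zone FILE: write the constructed sample zone to FILE.
make_sample_zone() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <service name="http"/>
    <accept/>
  </rule>
</zone>
EOF
}

# zone_services FILE: print the zone's top-level services (outside <rule> blocks),
# one per line. These are reachable from every source the zone covers.
zone_services() {
  sed -n '/<rule /,/<\/rule>/d; s/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# zone_rules FILE: print one line per rich rule: "family source service action".
zone_rules() {
  awk '
    /<rule / { inrule = 1; fam = src = svc = act = ""
               if (match($0, /family="[^"]*"/))  fam = substr($0, RSTART + 8, RLENGTH - 9) }
    inrule && /<source /  { if (match($0, /address="[^"]*"/)) src = substr($0, RSTART + 9, RLENGTH - 10) }
    inrule && /<service / { if (match($0, /name="[^"]*"/))    svc = substr($0, RSTART + 6, RLENGTH - 7) }
    inrule && /<(accept|reject|drop)\/>/ { act = $0; gsub(/[^a-z]/, "", act) }
    /<\/rule>/ { print fam, src, svc, act; inrule = 0 }
  ' "$1"
}

# rich_rule FAMILY SOURCE SERVICE ACTION: build the rich-rule string accepted by
# firewall-cmd --add-rich-rule (the same form as Example 2 above).
rich_rule() {
  printf 'rule family="%s" source address="%s" service name="%s" %s' "$1" "$2" "$3" "$4"
}

# zone_to_cmds FILE ZONE: print (do not run) the permanent firewall-cmd commands
# equivalent to FILE, so they can be reviewed before applying and reloading.
zone_to_cmds() {
  zone_services "$1" | while read -r svc; do
    printf 'firewall-cmd --permanent --zone=%s --add-service=%s\n' "$2" "$svc"
  done
  zone_rules "$1" | while read -r fam src svc act; do
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\\n" \
      "$2" "$(rich_rule "$fam" "$src" "$svc" "$act")"
  done
}

# Usage: sh audit_zone.sh /etc/firewalld/zones/public.xml public
# Without arguments the script runs against the constructed sample zone.
if [ "$#" -eq 2 ]; then
  zone_to_cmds "$1" "$2"
else
  tmp=$(mktemp); make_sample_zone "$tmp"; zone_to_cmds "$tmp" public; rm -f "$tmp"
fi
```

For the sample zone the script prints two --add-service lines (dhcpv6-client and ssh) and one --add-rich-rule line identical to Example 2, which is the check you want before trusting a hand-edited zone file: every service listed at the top level is open to the whole zone, while only the rich rule is limited to 192.168.1.0/24.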

Reload the Linux firewall as shown above for the configuration file to take effect. The 2 examples above are equivalent: both allow hosts in the network 192.168.1.0/24 to access the http service.
I hope this helps you!
Copyright by: www.linuxoperatingsystem.info http://goo.gl/kMscJ4
