INT-firewalld konfiguration

From Datateknik
Revision as of 15:24, 10 February 2019 by Imra (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Nedanstående fungerar ej!

Contents

Skapa nya zoner

When adding a zone, you must add it to the permanent firewall configuration. You can then reload to bring the configuration into your running session. For instance, we could create the two zones we discussed above by typing:

   firewall-cmd --permanent --new-zone=kompisar
   firewall-cmd --permanent --new-zone=allihopa
   firewall-cmd --permanent --zone=drop --change-interface=ens160
 
   firewall-cmd --reload
   firewall-cmd --permanent --get-zones
   firewall-cmd --permanent --list-all-zones | grep -A 14 active

Lägg in vilka nät

 firewall-cmd --permanent --zone=kompisar --add-source="193.10.128.0/17"
 firewall-cmd --permanent --zone=kompisar --add-source="212.25.132.0/23"
 firewall-cmd --permanent --zone=kompisar --add-source="2001:0DB8::/32"
 firewall-cmd --reload
 firewall-cmd --permanent --list-all-zones | grep -A 14 active
  • Nytt kommando ?? firewallctl zone "home" --permanent add source "2001:0DB8::/32"

Lägg till tjänster

   sudo firewall-cmd --zone=kompisar --add-service=ssh
   sudo firewall-cmd --zone=allihopa --add-service=http
   sudo firewall-cmd --zone=allihopa --add-service=https
   firewall-cmd --runtime-to-permanent
  
   firewall-cmd --reload
   
   firewall-cmd --zone=kompisar --list-all
   firewall-cmd --zone=allihopa --list-all

Lägg till PING och TRACERT

  • Ändra icmp-block-inversion till YES
  • Öppna för echo-request, echo-reply och destination-unreachable ENDAST
   firewall-cmd --get-icmptypes 
   firewall-cmd --zone=kompisar --add-icmp-block-inversion
   firewall-cmd --zone=kompisar --add-icmp-block=echo-request 
   firewall-cmd --zone=kompisar --add-icmp-block=echo-reply
   firewall-cmd --zone=kompisar --add-icmp-block=destination-unreachable
   firewall-cmd --runtime-to-permanent

Resultat

firewall-cmd --list-all-zones | grep -A 14 active

kompisar (active)
 target: default
 icmp-block-inversion: yes
 interfaces:
 sources: 193.10.128.0/17 2001:1:2::0/64
 services: ssh
 ports:
 protocols:
 masquerade: no
 forward-ports:
 sourceports:
 icmp-blocks: destination-unreachable echo-reply echo-request
 rich rules:

drop (active)
 target: default
 icmp-block-inversion: yes
 interfaces: ens160
 sources:
 services: dns http 
 ports: 8080
 protocols:
 masquerade: no
 forward-ports:
 sourceports:
 icmp-blocks: destination-unreachable echo-reply echo-request
 rich rules:

KONTROLLERA RESULTAT

  • Kontrollera att att en port (22) inte är definierad samtidigt som en service (ssh)
    Det skall bara finnas ett "hål" i brandväggen per tjänst, inte två!
  • iptables -v -L
  • ip6tables -v -L

Överkurs

firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -m state --state NEW -j LOG '--log-prefix=RobLog '

iptables utan fail2ban

Detta fungerar, men:
det kommer även att låsa ut giltiga användare om de loggar in och ut flera gånger med *rätt* lösenord

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 6 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
Personal tools
Namespaces

Variants
Actions
Navigation
Tools