Difference between revisions of "Firewalld"

From Leaky
Latest revision as of 23:53, 1 May 2022

IPv6 as a 'public' interface

firewall-cmd --zone=public --add-interface=sit1

Setting specific source IPs to a zone

This should make any traffic from 10.0.0.0/24 be associated with a zone called 'work'. That would allow (for example) http, https and ssh from that network to be accepted, but no other services, even if the traffic came in on an interface that was linked to a different zone.

firewall-cmd --zone=work --add-source="10.0.0.0/24"
firewall-cmd --zone=work --add-service=ssh
firewall-cmd --zone=work --add-service=http
firewall-cmd --zone=work --add-service=https

Port forwarding

firewalld is configured on host12 with two zones: public and dmz

  • Public network is configured as 192.168.1.12/24 (would normally be a public IP)
  • DMZ network is configured as 172.16.4.12/24

ssh to 192.168.1.12 reaches host12 as expected, because the default CentOS 7 config already allows it:

firewall-cmd --zone=public --add-service=ssh

firewalld is configured on host14 with one zone: public - even though the actual interface is connected to the DMZ network.

  • Public network is configured as 172.16.4.14/24

Ideally, we want to connect to port 22 on a host12 IP alias and be forwarded to port 22 on host14. This principle can be extended to other services such as http/https so that there's no proxying required.

Add another IP to host12 as an IP alias on the public network (e.g. ens33:0); we'll use 192.168.1.14/24 to make it obvious.

ip address add 192.168.1.14/24 dev ens33 label ens33:0

Now this IP pings, but if you ssh to it you'll end up on host12. Add the following two commands and ssh to 192.168.1.14 connects you to host14 instead; ssh to 192.168.1.12 still goes to host12 as expected.

firewall-cmd --zone=public --add-rich-rule="rule family='ipv4'
   destination address='192.168.1.14' forward-port port='22'
   protocol='tcp' to-addr='172.16.4.14'"

firewall-cmd --zone=dmz --add-masquerade

The masquerading is added to the dmz zone because the forwarded packets leave host12 towards addresses in the dmz and need to be masqueraded there, so that host14 sends its replies back via host12.
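The host12 steps above, wrapped in a reusable helper as an added example (not code from the original page) that also writes the rules to the permanent config, validates its inputs, and extends the same rule to several TCP ports (http/https as well as ssh). The function names, the DRY_RUN switch, the /24 prefix and the tcp protocol are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): the host12 port-forwarding
# steps above wrapped in a reusable helper, generalised to several TCP ports.
# Assumed names: run, valid_ipv4, valid_port, forward_rule, publish_dmz_host
# and the DRY_RUN switch; ip and firewall-cmd need root when run for real.

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 0 if $1 is a dotted quad with every octet in 0..255, else 1.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# 0 if $1 is a TCP port number in 1..65535, else 1.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The rich rule used on the page: forward public_ip:port to dmz_ip, same port.
forward_rule() {  # forward_rule <public_ip> <port> <proto> <dmz_ip>
    printf "rule family='ipv4' destination address='%s' forward-port port='%s' protocol='%s' to-addr='%s'" "$1" "$2" "$3" "$4"
}

# usage: publish_dmz_host <public_if> <public_ip> <dmz_ip> <port>...
publish_dmz_host() {
    pub_if=$1; pub_ip=$2; dmz_ip=$3; shift 3
    valid_ipv4 "$pub_ip" && valid_ipv4 "$dmz_ip" || { echo "bad address" >&2; return 1; }
    for p in "$@"; do valid_port "$p" || { echo "bad port $p" >&2; return 1; }; done
    # iproute2 takes the real device plus a label for the legacy alias name.
    run ip address add "$pub_ip/24" dev "$pub_if" label "$pub_if:0"
    for p in "$@"; do
        rule=$(forward_rule "$pub_ip" "$p" tcp "$dmz_ip")
        # Runtime and permanent config, so the forward survives a reload.
        run firewall-cmd --zone=public --add-rich-rule="$rule"
        run firewall-cmd --permanent --zone=public --add-rich-rule="$rule"
    done
    # Forwarded packets leave on the dmz side; masquerade them so the DMZ
    # host's replies come back through this host.
    run firewall-cmd --zone=dmz --add-masquerade
    run firewall-cmd --permanent --zone=dmz --add-masquerade
}
```

Run `DRY_RUN=1 publish_dmz_host ens33 192.168.1.14 172.16.4.14 22 80 443` first to see the exact commands before applying them as root.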