Scribd Logo
Upload

Welcome to Scribd!

  • Firewall D

    Uploaded by

    paul andrade
    47 views6 pages
    The document provides examples of configuring masquerading, port forwarding, and a transparent proxy with Firewalld. Example 1 shows enabling masquerading on the public zone's eth0 interface. Example 2 demonstrates DNAT of port 80 traffic to an HTTP server at 192.168.199.10. Example 3 sets up a transparent Squid proxy on port 3128 in the internal zone, forwarding port 80 traffic to the proxy.

    Original Description:

    Configuracion de firewall

    Original Title

    Firewall d

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document provides examples of configuring masquerading, port forwarding, and a transparent proxy with Firewalld. Example 1 shows enabling masquerading on the public zone's eth0 interface. Example 2 demonstrates DNAT of port 80 traffic to an HTTP server at 192.168.199.10. Example 3 sets up a transparent Squid proxy on port 3128 in the internal zone, forwarding port 80 traffic to the proxy.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    47 views6 pages

    Firewall D

    Uploaded by

    paul andrade
    The document provides examples of configuring masquerading, port forwarding, and a transparent proxy with Firewalld. Example 1 shows enabling masquerading on the public zone's eth0 interface. Example 2 demonstrates DNAT of port 80 traffic to an HTTP server at 192.168.199.10. Example 3 sets up a transparent Squid proxy on port 3128 in the internal zone, forwarding port 80 traffic to the proxy.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 6

    Firewalld examples: masquerade, port forwarding and transparent proxy

    Example 1: One-to-many NAT (MASQUERADE on eth0)


    # firewall-cmd --get-active-zones
    internal
    interfaces: eth1
    public
    interfaces: eth0
    # firewall-cmd --list-all --zone=public
    public (default, active)
    interfaces: eth0
    sources:
    services: dhcpv6-client ssh
    ports:
    masquerade: no
    forward-ports:
    icmp-blocks:
    rich rules:
    # firewall-cmd --add-masquerade --zone=public --permanent
    # firewall-cmd --reload
    # firewall-cmd --list-all --zone=public
    public (default, active)
    interfaces: eth0
    sources:
    services: dhcpv6-client ssh
    ports:
    masquerade: yes
    forward-ports:
    icmp-blocks:
    rich rules:

    Example 2: DNAT to HTTP server in DMZ

    # firewall-cmd --permanent --zone=public --add-masquerade


    # firewall-cmd --permanent --zone=public --add-service=http

    # firewall-cmd --permanent --zone=public --add-forwardport=port=80:proto=tcp:toport=80:toaddr=192.168.199.10


    # firewall-cmd --reload
    # firewall-cmd --list-all --zone=public
    public (default, active)
    interfaces: eth0
    sources:
    services: http
    ports:
    masquerade: yes
    forward-ports: port=80:proto=tcp:toport=80:toaddr=192.168.199.10
    icmp-blocks:
    rich rules:

    Example 3: Transparent HTTP proxy with Firewalld and SQUID

    # yum -y install squid


    # vi /etc/squid/squid.conf
    http_port 3128 intercept
    # systemctl start squid
    # systemctl enable squid
    # firewall-cmd --permanent --zone=internal --add-forwardport=port=80:proto=tcp:toport=3128:toaddr=192.168.199.1
    # firewall-cmd --permanent --zone=internal --add-port=3128/tcp
    # firewall-cmd --reload
    # firewall-cmd --zone=internal --list-all
    internal (active)
    interfaces: eth1
    sources:
    services: ssh
    ports: 3128/tcp
    masquerade: no
    forward-ports: port=80:proto=tcp:toport=3128:toaddr=192.168.199.1
    icmp-blocks:
    rich rules:

    Firewalld

    Zonas
    Podemos crear nuestras propias zonas simplemente copiando las predefinidas en
    /etc/firewalld/zones o va comandos, existe tambin la posibilidad de utilizar las que
    vienen por default:
    Listado de zonas por default
    DROP: Solo permite conexiones salientes.
    BLOCK: Solo permite conexiones que se inician desde adentro de la zona hacia afuera.
    Las siguientes zonas solo permiten el trfico IN que nosotros indiquemos:
    PUBLIC:
    DMZ: Ya todos sabemos de qu se trata una DMZ. Solo permite cierto trfico IN.
    WORK
    HOME
    INTERNAL
    EXTERNAL: Se utiliza para redes externas con masquerade activo. Solo permite cierto
    trfico IN.
    TRUSTED: Completamente abierta, acepta todo.

    Comandos!
    Cuando utilizamos el parmetro --permanent ser necesario reiniciar el servicio
    (systemctl restart firewalld).
    Ej: firewall-cmd -permanent --zone=work --remove-service=smtp
    firewall-cmd --reload

    Comandos bsicos
    Lista de servicios por default:
    ls /usr/lib/firewalld/services/
    Lista de servicios creados por usuarios:
    ls /etc/firewalld/services/
    Verificar si firewalld est instalado:
    yum install firewalld firewall-config
    Iniciar firewalld
    systemctl start firewalld
    Verificar si firewalld est corriendo
    systemctl status firewalldfirewall-cmd state
    Reiniciar Firewalld
    systemctl restart firewalld || firewall-cmd reload
    Reiniciar Firewalld e interrumpir todas la conexiones
    firewall-cmd complete-reload
    Deshabilitar firewalld:
    systemctl disable firewalld
    systemctl stop firewalld
    Habilitar IPTABLES:
    systemctl disable firewalld
    systemctl stop firewalld
    yum install iptables-services
    systemctl start iptables
    systemctl start ip6tables
    systemctl enable iptables
    systemctl enable ip6tables
    Activar ip forwarding
    vim /etc/sysctl.conf
    net.ipv4.ip_forward=1
    sysctl -p
    Panic Mode (Dropea todas la conexiones IN y OUT)
    firewall-cmd panic-on
    firewall-cmd panic-off
    Mostrar el estado de Panic Mode
    firewall-cmd query-panic
    Comandos para zonas
    Mostrar zonas activas
    firewall-cmd get-active-zones
    Mostrar todas las zonas disponibles
    firewall-cmd get-zones
    Mostrar la zona asociada a una interfaz
    firewall-cmd get-zone-of-interface=em1
    Mostrar todas las interfaces asociadas a una zona

    firewall-cmd zone=public list-interfaces


    Mostrar toda la configuracion de una zona
    firewall-cmd zone=public list-all
    Agregar una interfaz a una zona
    firewall-cmd zone=public add-interface=em1
    Mostrar la zona default
    firewall-cmd get-default-zone
    Configurar la zona default
    firewall-cmd set-default-zone=public
    Crear una nueva zona
    firewall-cmd permanent new-zone=test
    firewall-cmd reload
    Comandos para administrar permisos
    Permitir servicio hacia una zona
    firewall-cmd zone=work add-service=smtp
    Eliminar servicio permitido hacia una zona
    firewall-cmd zone=work remove-service=smtp
    Permitir un puerto hacia una zona
    firewall-cmd zone=public add-port=6556/tcp
    Eliminar un puerto permitido hacia una zona
    firewall-cmd zone=public remove-port=6556/tcp
    Filtrar por origen
    firewall-cmd zone=trusted add-source=10.16.22.0/24
    Comandos para NAT y Port Forwarding
    Mostrar el estado de masquerade de una zona
    firewall-cmd zone=external query-masquerade
    Habilitar masquerade a una zona
    firewall-cmd zone=external add-masquerade
    Deshabilitar masquerade a una zona
    firewall-cmd zone=external remove-masquerade
    Fowardear el Puerto 3753 al 22 en una zona
    firewall-cmd zone=external add-forward-port=port=22:proto=tcp:toport=3753
    Forwardear el Puerto 22 de una zona a una IP interna
    firewall-cmd zone=external add-forward port=port=22:proto=tcp:toaddr=192.0.2.55
    Forwardeat el Puerto 2055 a 22 hacia una IP interna
    firewall-cmd zone=external add-forwardport=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55

    You might also like