Day 04-Firewall & Iptables

The document provides an overview of the Linux kernel's netfilter subsystem, detailing how it enables packet inspection and manipulation through tools like IPTABLES and FIREWALLD. It explains the functionality of firewalld, including its zones and services for managing network traffic, as well as rich rules for more granular control. Additionally, it covers IPTABLES as an alternative firewall utility, outlining commands for managing firewall rules and controlling network access.

Uploaded by

AlthaS SajeeB
FIREWALL & IPTABLES

NETFILTER
The Linux kernel includes a powerful network filtering subsystem called
netfilter, which allows kernel modules to inspect every packet traversing the
system. This means any incoming, outgoing or forwarded network packet can
be inspected, modified, dropped or rejected programmatically before it
reaches components in user space. The programs used to interact with netfilter
are IPTABLES (service) and FIREWALLD (daemon).

Firewall
A firewall is a way to protect machines from unwanted traffic coming from
outside. It enables users to control incoming network traffic on host machines
by defining a set of firewall rules. These rules are used to sort the incoming
traffic and either block it or allow it through.

firewalld
firewalld is a firewall service daemon that provides a dynamic,
customizable host-based firewall with a D-Bus interface. Being dynamic, it
allows rules to be created, changed and deleted without restarting the
firewall daemon each time the rules are changed.

firewalld zones
firewalld uses the concepts of zones and services, which simplify traffic
management. Zones are predefined sets of rules. Network interfaces and sources
can be assigned to a zone. The traffic allowed depends on the network your
computer is connected to and the security level this network is assigned.
Firewall services are predefined rules that cover all necessary settings to allow
incoming traffic for a specific service, and they apply within a zone.
firewalld can be used to separate networks into different zones according
to the level of trust that the user has decided to place in the interfaces and
traffic within that network. A connection can only be part of one zone, but a
zone can be used for many network connections.
The predefined zones are stored in the /usr/lib/firewalld/zones/ directory
and can be instantly applied to any available network interface. These files are
copied to the /etc/firewalld/zones/ directory only after they are modified.
The following list describes the default settings of the predefined zones:

trusted: - All network connections are accepted.

home: - For use at home when you mostly trust the other computers on the network.
Only selected incoming connections are accepted.

internal: - For use on internal networks when you mostly trust the other computers on the
network. Only selected incoming connections are accepted.

work: - For use at work where you mostly trust the other computers on the network.
Only selected incoming connections are accepted.

public: - For use in public areas where you do not trust other computers on the network.
Only selected incoming connections are accepted.

external: - For use on external networks with masquerading enabled, especially for
routers. You do not trust the other computers on the network to not harm your
computer. Only selected incoming connections are accepted.

dmz: - For computers in your demilitarized zone that are publicly-accessible with
limited access to your internal network. Only selected incoming connections
are accepted.

In computer networks, a DMZ (demilitarized zone) is a physical or
logical sub-network that separates an internal local area network (LAN) from
other untrusted networks, usually the Internet. External-facing servers,
resources and services are located in the DMZ so they are accessible from the
Internet while the rest of the internal LAN remains unreachable. This provides
an additional layer of security to the LAN, as it restricts the ability of attackers
to directly access internal servers and data via the Internet.

block: - Any incoming network connections are rejected with an icmp-host-prohibited
message for IPv4 and icmp6-adm-prohibited for IPv6. Only
network connections initiated from within the system are possible.

drop: - Any incoming network packets are dropped without any notification. Only
outgoing network connections are possible.

One of these zones is set as the default zone. When interface connections are
added to NetworkManager, they are assigned to the default zone. On
installation, the default zone in firewalld is set to the public zone. The
default zone can be changed.

FirewallD configuration
To view the manual page for the firewalld rich rule language
# man firewalld.richlanguage
To start and enable the firewalld process
# systemctl start firewalld
# systemctl enable firewalld

To verify the firewalld status
# firewall-cmd --state
To verify the information of all zones
# firewall-cmd --list-all-zones

To display the default zone of firewalld
# firewall-cmd --get-default-zone
To list all the relevant information for the default zone
# firewall-cmd --list-all

To set a new default zone
# firewall-cmd --set-default-zone=<zone-name>
Eg: - # firewall-cmd --set-default-zone=internal
# firewall-cmd --get-default-zone

To verify which zone is active on each LAN interface
# firewall-cmd --get-active-zones
To verify specific zone information
# firewall-cmd --zone=public --list-all
To add the SSH service to the runtime configuration for 15 minutes
# firewall-cmd --add-service=ssh --timeout=15m
(A timed rule is runtime-only and cannot be combined with --permanent. Do not
run --reload afterwards: a reload replaces the runtime configuration with the
permanent one and would discard the timed rule before its timeout expires.)

To modify the firewall settings in permanent mode, use the --permanent
option with the firewall-cmd command. A permanent change does not affect the
running firewall until it is reloaded.
# firewall-cmd --permanent <other options>

To reload the permanent settings into the runtime configuration
# firewall-cmd --reload
To add a service permanently to a specific zone
# firewall-cmd --permanent --zone=internal --add-service=https
# firewall-cmd --reload
To add a specific port number permanently to a zone
# firewall-cmd --permanent --zone=internal --add-port=443/tcp
# firewall-cmd --reload
# firewall-cmd --list-all
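The --permanent and --reload pairing above is where configuration drift usually creeps in: a change made without --permanent disappears on the next reload, and a permanent change is not live until one happens. The script below is an added example, not part of the original document. It compares the output of firewall-cmd --list-all (runtime) with firewall-cmd --permanent --list-all (permanent) for one zone and reports every field that differs. The two listings embedded in it are constructed sample output so it runs offline; the zone name, services, port and source address in them are assumptions, and on a real host you would capture the two listings with the commands just named.

```shell
#!/bin/sh
# Added example (not from the original document): report drift between the
# runtime and permanent configuration of a firewalld zone by comparing the
# output of `firewall-cmd --list-all` with `firewall-cmd --permanent --list-all`.
# The two listings below are constructed sample output (zone, services, port
# and address are assumptions) so the script runs offline; on a real host,
# capture them with the two commands above instead.

RUNTIME_LISTING=$(printf '%s\n' \
  'public (active)' \
  '  target: default' \
  '  icmp-block-inversion: no' \
  '  interfaces: eth0' \
  '  sources: ' \
  '  services: cockpit dhcpv6-client http ssh' \
  '  ports: 443/tcp' \
  '  protocols: ' \
  '  masquerade: no' \
  '  forward-ports: ' \
  '  source-ports: ' \
  '  icmp-blocks: ' \
  '  rich rules: ' \
  "$(printf '\t')rule family=\"ipv4\" source address=\"192.0.2.10\" drop")

# Permanent listing: http was only added at runtime and the rich rule was
# added without --permanent, so both are missing here and would be lost on reload.
PERMANENT_LISTING=$(printf '%s\n' \
  'public' \
  '  target: default' \
  '  icmp-block-inversion: no' \
  '  interfaces: eth0' \
  '  sources: ' \
  '  services: cockpit dhcpv6-client ssh' \
  '  ports: 443/tcp' \
  '  protocols: ' \
  '  masquerade: no' \
  '  forward-ports: ' \
  '  source-ports: ' \
  '  icmp-blocks: ' \
  '  rich rules: ')

# zone_field NAME: print the value of the "  NAME: value" line read on stdin.
zone_field() {
  sed -n "s/^  $1: *//p"
}

# zone_rich_rules: print the tab-indented rich rule lines read on stdin.
zone_rich_rules() {
  sed -n "s/^$(printf '\t')//p"
}

# Fields compared: interfaces and sources decide which traffic the zone sees,
# the rest decide what it lets through.
FIELDS="target icmp-block-inversion interfaces sources services ports protocols masquerade forward-ports source-ports icmp-blocks"

# zone_diff RUNTIME PERMANENT: print one line per differing field and
# return 1 when any drift was found, 0 when the two listings agree.
zone_diff() {
  drift=0
  for f in $FIELDS; do
    r=$(printf '%s\n' "$1" | zone_field "$f")
    p=$(printf '%s\n' "$2" | zone_field "$f")
    if [ "$r" != "$p" ]; then
      printf "%s: runtime='%s' permanent='%s'\n" "$f" "$r" "$p"
      drift=1
    fi
  done
  r=$(printf '%s\n' "$1" | zone_rich_rules)
  p=$(printf '%s\n' "$2" | zone_rich_rules)
  if [ "$r" != "$p" ]; then
    printf "rich rules: runtime='%s' permanent='%s'\n" "$r" "$p"
    drift=1
  fi
  return $drift
}

# Run the comparison on the constructed listings; with real captures this is
# the check to run after any firewall-cmd change and before a reload.
if zone_diff "$RUNTIME_LISTING" "$PERMANENT_LISTING"; then
  echo "runtime and permanent configuration agree"
fi
```

On the constructed input the script prints two lines, one for the services field and one for the rich rules, and exits with status 1; a non-zero status is the signal that either --runtime-to-permanent or --reload is needed before the host is rebooted or the service restarted.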

FirewallD Rich Rules

Rich rules are an additional feature of firewalld that provides a greater level of
control through more granular, customizable options for creating custom firewall rules.

Rich Rules Options

There are four options that firewall-cmd has to work with rich rules. All
of these options can be used in combination with the regular --permanent or
--zone= options.

Options and explanations

--add-rich-rule='<RULE>' :- Add a rule to the specified zone. If no zone is
specified, the rule is added to the default zone.

--remove-rich-rule='<RULE>' :- Remove a rule from the specified zone. If no zone
is specified, the rule is removed from the default zone.

--query-rich-rule='<RULE>' :- Return whether a rich language rule has been added
for the zone. The command prints yes with exit status 0 if enabled, and no with
exit status 1 otherwise. If the zone is omitted, the default zone is used.

--list-rich-rules :- Output all rich rules for the specified zone. If no zone is
specified, list the rules of the default zone.
To deny IPv4 traffic from a specific host
# firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="x.x.x.x" reject'

(OR)

# firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="x.x.x.x" drop'

(OR)
# firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="x.x.x.x" reject type="icmp-admin-prohibited"'
# firewall-cmd --reload

To remove a specific rich rule from firewalld
# firewall-cmd --permanent --zone=public --remove-rich-rule 'rule family="ipv4" source address="x.x.x.x" drop'
# firewall-cmd --reload

To deny a service for a specific host
# firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="x.x.x.x" port port=22 protocol=tcp drop'

(OR)
# firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="x.x.x.x" port port=22 protocol=tcp reject'
# firewall-cmd --reload

To remove a specific service rule from firewalld
# firewall-cmd --permanent --zone=public --remove-rich-rule 'rule family="ipv4" source address="x.x.x.x" port port=22 protocol=tcp drop'
# firewall-cmd --reload

To list rich rules
# firewall-cmd --list-rich-rules
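A rich rule is passed to firewall-cmd as one quoted string, so a malformed address, a port without a protocol, or a type= on a drop action is only noticed when firewall-cmd rejects it, and a typo in a hand-typed address can quietly block the wrong host. The script below is an added example, not part of the original document: it validates each part, assembles the rule in the quoted form that --list-rich-rules prints, and with DRY_RUN=1 (the default here) prints the firewall-cmd invocation instead of running it. The zone, address and port values are constructed.

```shell
#!/bin/sh
# Added example (not from the original document): assemble and validate a
# firewalld ipv4 rich rule before passing it to firewall-cmd. With DRY_RUN=1
# (the default here) the firewall-cmd invocation is printed, not executed.
DRY_RUN=${DRY_RUN:-1}

# is_ipv4 ADDR[/PREFIX]: accept a dotted quad with an optional /0-32 prefix.
is_ipv4() {
  addr=${1%/*}
  if [ "$addr" = "$1" ]; then prefix=32; else prefix=${1#*/}; fi
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.
  set -- $addr            # split the address into its octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# rich_rule SOURCE ACTION [PORT PROTOCOL [REJECT_TYPE]]
# Print an ipv4 rich rule. ACTION is accept, drop or reject; REJECT_TYPE
# (for example icmp-admin-prohibited) is only valid together with reject.
rich_rule() {
  src=$1; action=$2; port=$3; proto=$4; rtype=$5
  is_ipv4 "$src" || { echo "invalid source address: $src" >&2; return 1; }
  case "$action" in
    accept|drop|reject) ;;
    *) echo "invalid action: $action" >&2; return 1 ;;
  esac
  rule="rule family=\"ipv4\" source address=\"$src\""
  if [ -n "$port" ]; then
    case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 1 ;; esac
    rule="$rule port port=\"$port\" protocol=\"$proto\""
  fi
  rule="$rule $action"
  if [ -n "$rtype" ]; then
    [ "$action" = reject ] || { echo "type= is only valid with reject" >&2; return 1; }
    rule="$rule type=\"$rtype\""
  fi
  printf '%s\n' "$rule"
}

# apply_rich_rule ZONE RULE: add the rule permanently, then reload so the
# runtime configuration matches (the --permanent + --reload pattern above).
apply_rich_rule() {
  if [ "$DRY_RUN" = 1 ]; then
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule '%s'\n" "$1" "$2"
    printf 'firewall-cmd --reload\n'
  else
    firewall-cmd --permanent --zone="$1" --add-rich-rule "$2" && firewall-cmd --reload
  fi
}

# Constructed example: reject SSH from one host with an admin-prohibited ICMP error.
if r=$(rich_rule 192.0.2.10 reject 22 tcp icmp-admin-prohibited); then
  apply_rich_rule public "$r"
fi
```

Run it with DRY_RUN=0 as root to apply the rule for real; the dry run is useful for reviewing a batch of rules before any of them reach the firewall.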
IPTABLES
iptables is a command-line firewall utility built for Linux operating
systems and it is used to set up, maintain, and inspect the table of IP packet
filter rules in the Linux kernel.

To use the iptables and ip6tables services instead of firewalld, first
disable firewalld by running the following commands as root.

To disable and stop the firewalld process
# systemctl disable firewalld
# systemctl stop firewalld

To install the iptables services package
# yum install iptables-services

To check all iptables firewall rules
# iptables -L

To start and enable the iptables and ip6tables services
# systemctl start iptables
# systemctl start ip6tables
# systemctl enable iptables
# systemctl enable ip6tables

Options
 -D :- Delete one or more rules from a chain
 -I :- Insert one or more rules into a chain (at the top of the chain unless a position is given)
 -L :- List all rules
 -d :- Destination specification
 -p :- Protocol of the rule
 -s :- Source specification
 -v :- Verbose output

Target
The target is the action the kernel performs on a packet that matches a rule.
Types of targets
 ACCEPT :- Allow the packet to reach the destination socket
 DROP :- Drop the packet but don't send any error back to the client
 REJECT :- Drop the packet and send an error back to the client

Block a specific IP address in the iptables firewall
# iptables -I INPUT -s 1.1.1.1 -j DROP
Unblock the IP address in the iptables firewall
# iptables -I INPUT -s 1.1.1.1 -j ACCEPT
(Rules are evaluated from the top of the chain and the first match wins, so the
newly inserted ACCEPT takes effect while the earlier DROP rule stays in the chain.
To remove the DROP rule instead, delete it with -D and the same rule specification.)
Block a specific port in the iptables firewall
To block outgoing packets from a specific local port (for example, replies from a
local SSH server; use --dport to block connections to a remote port)
# iptables -I OUTPUT -p tcp --sport 22 -j DROP
To block incoming connections on a specific port
# iptables -I INPUT -p tcp --dport 22 -j DROP
Unblock a specific port in the iptables firewall
To allow outgoing packets from a specific local port
# iptables -I OUTPUT -p tcp --sport 22 -j ACCEPT
To allow incoming connections on a specific port
# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
Block incoming and outgoing traffic on multiple ports in iptables
# iptables -I INPUT -p tcp -m multiport --dports 22,80,443 -j DROP
# iptables -I OUTPUT -p tcp -m multiport --sports 22,80,443 -j DROP
Allow incoming and outgoing traffic on multiple ports in iptables
# iptables -I INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
# iptables -I OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT
Block incoming ping requests in iptables
# iptables -I INPUT -p icmp -j DROP
Block access from a specific MAC address in iptables
# nmap -sP 192.168.10.0/24 (for finding the MAC address of hosts on the local network)
# iptables -I INPUT -m mac --mac-source <x:x:x:x:x:x> -j DROP
(The mac match only applies to packets arriving from the local link, since a
source MAC address does not survive a router hop.)
Allow access from a specific MAC address in iptables
# iptables -I INPUT -m mac --mac-source <x:x:x:x:x:x> -j ACCEPT
To block a specific site
# host -t a www.facebook.com
# iptables -I OUTPUT -d 157.240.7.35 -j DROP
# iptables -I OUTPUT -p tcp -d www.facebook.com -j DROP
(A hostname given to -d is resolved once, when the rule is inserted: a site
served from several addresses needs a rule for each one, and the rule does not
follow later DNS changes.)
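The block and unblock commands above all use -I, so the outcome for a given packet depends entirely on rule order: iptables walks the chain from the top and stops at the first rule that matches, falling back to the chain policy when none does. The script below is an added example, not part of the original document. It replays that first-match evaluation over an iptables -S INPUT listing for a given source address, protocol and destination port, which lets you see which rule wins before touching the live firewall. The listing and the addresses in it are constructed sample data; on a real host you would feed it the output of iptables -S INPUT.

```shell
#!/bin/sh
# Added example (not from the original document): simulate iptables first-match
# evaluation over an `iptables -S INPUT` listing, to show why inserting an
# ACCEPT with -I above an existing DROP "unblocks" a host while the DROP rule
# stays in the chain. The listing is constructed sample data; on a real host
# feed the function the real `iptables -S INPUT` output instead.

INPUT_RULES='-P INPUT ACCEPT
-A INPUT -s 1.1.1.1/32 -j ACCEPT
-A INPUT -s 1.1.1.1/32 -j DROP
-A INPUT -p tcp -m multiport --dports 22,80,443 -j DROP
-A INPUT -p icmp -j DROP'

# verdict RULES SRC PROTO DPORT: print the target of the first matching rule,
# or the chain policy when nothing matches. Supported matches: -s (with an
# optional /prefix), -p, --dport and --dports. A rule using any other match
# is skipped with a warning so the answer is never silently wrong.
verdict() {
  printf '%s\n' "$1" | awk -v src="$2" -v proto="$3" -v dport="$4" '
    function ip2int(a,  o) {
      split(a, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # in_net(ip, net): true when ip lies in net, given as A.B.C.D or A.B.C.D/prefix
    function in_net(ip, net,  parts, n, plen, div) {
      n = split(net, parts, "/")
      plen = (n == 2) ? parts[2] + 0 : 32
      div = 2 ^ (32 - plen)
      return int(ip2int(ip) / div) == int(ip2int(parts[1]) / div)
    }
    $1 == "-P" { policy = $3; next }
    $1 == "-A" {
      ok = 1; unsupported = 0; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-s")            { if (!in_net(src, $(i + 1))) ok = 0; i++ }
        else if ($i == "-p")       { if ($(i + 1) != proto) ok = 0; i++ }
        else if ($i == "--dport")  { if ($(i + 1) != dport) ok = 0; i++ }
        else if ($i == "--dports") {
          n = split($(i + 1), ports, ","); hit = 0
          for (k = 1; k <= n; k++) if (ports[k] == dport) hit = 1
          if (!hit) ok = 0; i++
        }
        else if ($i == "-m")       { i++ }   # match extension name, no criterion by itself
        else if ($i == "-j")       { target = $(i + 1); i++ }
        else                       { unsupported = 1 }
      }
      if (unsupported) { print "skipping rule with unsupported match: " $0 | "cat 1>&2"; next }
      if (ok && !found) { found = 1; result = target }
    }
    END { print (found ? result : policy) }'
}

# Constructed query: 1.1.1.1 to tcp/22 hits the ACCEPT inserted at the top, so
# neither the DROP for that host nor the port-22 DROP below it ever sees the
# packet. Deleting the DROP with -D avoids leaving such shadowed rules behind.
verdict "$INPUT_RULES" 1.1.1.1 tcp 22
```

The same function answers the more useful audit question, "which rule is actually handling traffic from host X to port Y?", and the warning on stderr flags rules (such as the MAC match above) that the simulation cannot evaluate rather than guessing.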
