Firewalld & IPv6
by Paavo Leinonen
Hi,
I'm running firewalld in a router that connects the devices in my home LAN to the internet.
I have recently added IPv6 DHCPv6 config to the router, and prefix delegation works, so the devices in my home LAN get proper IPv6 addresses.
However, I don't like the idea that all IPv6-enabled devices in my home LAN have public IPv6 addresses. I'd very much prefer a simple IPv4-style NAT approach to protect the devices in my home LAN from being accessed from the internet.
How do I implement something like this with firewalld in the router?
wanif=eth0
lanif=eth1
ip6tables -A FORWARD -m state --state NEW -i $lanif -o $wanif -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -P FORWARD DROP
Other ways to protect the devices in my home LAN from being accessed from the internet?
-Paavo
5 years, 9 months
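An added example, not from the thread: the same three rules installed through firewalld's direct interface, which is the firewalld way to carry raw ip6tables rules (eth0/eth1 are the names from the post; FWCMD is an override variable assumed here only so the commands can be previewed).

```shell
#!/bin/sh
# Added example, not from the original post: the three ip6tables FORWARD rules
# above expressed as firewalld direct rules, so firewalld owns them and they
# survive --reload. Assumes wanif=eth0 and lanif=eth1 as in the post.
set -eu
# Override FWCMD (e.g. FWCMD=echo) to preview the commands without applying.
FWCMD=${FWCMD:-firewall-cmd}

# ipv6_forward_rules WANIF LANIF
# Direct rules go into firewalld's FORWARD_direct chain, which is consulted
# before any zone chain, so a trailing DROP there does the job of
# "ip6tables -P FORWARD DROP" for forwarded IPv6 traffic.
ipv6_forward_rules() {
    wanif=$1
    lanif=$2
    # Priority 0: new flows from the LAN toward the internet are allowed.
    "$FWCMD" --permanent --direct --add-rule ipv6 filter FORWARD 0 \
        -i "$lanif" -o "$wanif" -m conntrack --ctstate NEW -j ACCEPT
    # Priority 0: replies, plus RELATED traffic such as ICMPv6 errors for a
    # tracked flow (path MTU discovery), are allowed in both directions.
    "$FWCMD" --permanent --direct --add-rule ipv6 filter FORWARD 0 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Priority 1 sorts after the rules above: everything else is dropped, so
    # unsolicited inbound connections never reach the LAN's global addresses.
    "$FWCMD" --permanent --direct --add-rule ipv6 filter FORWARD 1 -j DROP
    # Activate the permanent configuration.
    "$FWCMD" --reload
}

# Run directly as: sh ipv6-forward.sh eth0 eth1
if [ $# -eq 2 ]; then
    ipv6_forward_rules "$1" "$2"
fi
```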
Re: firewalld and ipsets
by John Griffiths
I implemented the use of ipsets for a direct rule in firewalld in 2013.
The direct.xml is:
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
I have several ipsets that are modified outside of firewalld.
blacklist_ipv4_permanent
blacklist_ipv4_semipermanent
blacklist_ipv4_current
blacklist_ipv6_permanent
blacklist_ipv6_semipermanent
blacklist_ipv6_current
These are members of ipset blacklist:
Name: blacklist
Type: list:set
Revision: 3
Header: size 8
Size in memory: 368
References: 0
Number of entries: 6
Members:
blacklist_ipv4_permanent
blacklist_ipv4_semipermanent
blacklist_ipv4_current
blacklist_ipv6_permanent
blacklist_ipv6_semipermanent
blacklist_ipv6_current
This was working until I upgraded to Fedora 26 from Fedora 24. Now, even
though an IP is in one of the member iplists,
blacklist_ipv4_semipermanent or one of the others, firewalld does not
block the IP.
I do not know if this is an issue with ipsets or firewalld, nor do I
know whether this is a "feature" or a bug.
Since these ipsets are modified dynamically and need to be accessed from
bash scripts, using the internal ipset functionality of firewalld is not
my desired choice.
Any insight or help in getting the ipsets working again with firewalld
would be greatly appreciated.
Thanks.
John
6 years, 3 months
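An added check, not from the thread: a script that verifies the direct.xml chain is actually present in the loaded ruleset and reads back the set's kernel reference count, the first two things to confirm after a reload (the function names are this example's own).

```shell
#!/bin/sh
# Added example, not from the original post: check whether the direct.xml
# chain above is actually loaded after a firewalld reload. Reads the output of
# `iptables-save -t raw` (or `ip6tables-save -t raw`) on stdin.
set -eu

# check_blacklist_rules SETNAME < iptables-save-output
# Looks for the three pieces direct.xml creates: the set-match jump in
# PREROUTING, and the LOG and DROP rules in PREROUTING_blacklist. Prints each
# missing piece; returns 0 only when all three are present.
check_blacklist_rules() {
    set_name=$1
    dump=$(cat)
    missing=0
    for want in \
        "-A PREROUTING -m set --match-set $set_name src -j PREROUTING_blacklist" \
        "-A PREROUTING_blacklist -m limit --limit 3/min -j LOG" \
        "-A PREROUTING_blacklist -j DROP"
    do
        if ! printf '%s\n' "$dump" | grep -qF -- "$want"; then
            echo "missing: $want"
            missing=1
        fi
    done
    return $missing
}

# set_references < `ipset list -t SETNAME` output
# Prints the kernel's reference count for the set. The listing in the post
# shows "References: 0": if it still reads 0 right after a reload, no loaded
# rule uses the set, so the problem is the rules, not the set's members.
set_references() {
    sed -n 's/^References: *//p'
}

# Live use (as root):
#   iptables-save -t raw | check_blacklist_rules blacklist
#   ipset list -t blacklist | set_references
```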
Host in source range of two zones being rejected
by Andrew Culver
I'm trying to define 2 zones, one being a subset of another. I'd like to
allow a range of ports to the wider zone, and then some additional ports to
the narrower zone. When I try to do this, I get "Unable to connect to
remote host: No route to host". If I look at the underlying iptables, it
seems to follow the wider chain, but never goes back to try the narrower
chain.
Here's what I did. I'm just using port 111/tcp as a test, since this is a
brand new host and 111 and 22 are the only listening ports.
To start, verify that I can't connect to 111:
aculver@aculver ~ $ telnet jiradev.its.uwo.ca 111
Trying 129.100.58.223...
telnet: Unable to connect to remote host: No route to host
Create the wider zone for our network and allow 111
[root@jiradev aculver]# firewall-cmd --permanent --new-zone=uwo
success
[root@jiradev aculver]# firewall-cmd --permanent --zone=uwo --add-source=129.100.0.0/16
success
[root@jiradev aculver]# firewall-cmd --permanent --zone=uwo --add-port=111/tcp
success
[root@jiradev aculver]# firewall-cmd --reload
success
aculver@aculver ~ $ telnet jiradev.its.uwo.ca 111
Trying 129.100.58.223...
Connected to jiradev.its.uwo.ca.
Escape character is '^]'.
Now add a narrower zone, which will represent our department's
administrative workstations
[root@jiradev aculver]# firewall-cmd --permanent --new-zone=net6
success
[root@jiradev aculver]# firewall-cmd --permanent --zone=net6 --add-source=129.100.6.0/24
success
[root@jiradev aculver]# firewall-cmd --reload
aculver@aculver ~ $ telnet jiradev.its.uwo.ca 111
Trying 129.100.58.223...
telnet: Unable to connect to remote host: No route to host
I would think that the uwo zone should still apply, since I'm still
connecting from a host defined in the source of that zone. But as soon as I
create this second zone and give it a (narrower) source that also matches
the IP that I'm connecting from, it seems to use only that zone, ignoring
the first zone with the broader source.
Am I doing something wrong? How can I make this work?
I've tried to search for a solution to this, but without any error messages
or having any keywords to search on, it's hard to even find others who have
run into this problem. A coworker of mine has also run into this same
problem, so I can't be the first.
Here's the resulting config (the rich rules are from our default build
scripts. We'd like to replace them with zones if we can solve this current
problem):
[root@jiradev aculver]# firewall-cmd --zone=uwo --list-all
uwo (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 129.100.0.0/16
services:
ports: 111/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@jiradev aculver]# firewall-cmd --zone=net6 --list-all
net6 (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 129.100.6.0/24
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@jiradev aculver]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_net6
-N FWDI_net6_allow
-N FWDI_net6_deny
-N FWDI_net6_log
-N FWDI_public
-N FWDI_public_allow
-N FWDI_public_deny
-N FWDI_public_log
-N FWDI_uwo
-N FWDI_uwo_allow
-N FWDI_uwo_deny
-N FWDI_uwo_log
-N FWDO_net6
-N FWDO_net6_allow
-N FWDO_net6_deny
-N FWDO_net6_log
-N FWDO_public
-N FWDO_public_allow
-N FWDO_public_deny
-N FWDO_public_log
-N FWDO_uwo
-N FWDO_uwo_allow
-N FWDO_uwo_deny
-N FWDO_uwo_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_net6
-N IN_net6_allow
-N IN_net6_deny
-N IN_net6_log
-N IN_public
-N IN_public_allow
-N IN_public_deny
-N IN_public_log
-N IN_uwo
-N IN_uwo_allow
-N IN_uwo_deny
-N IN_uwo_log
-N OUTPUT_direct
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens160 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_IN_ZONES_SOURCE -s 129.100.6.0/24 -g FWDI_net6
-A FORWARD_IN_ZONES_SOURCE -s 129.100.0.0/16 -g FWDI_uwo
-A FORWARD_OUT_ZONES -o ens160 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FORWARD_OUT_ZONES_SOURCE -d 129.100.6.0/24 -g FWDO_net6
-A FORWARD_OUT_ZONES_SOURCE -d 129.100.0.0/16 -g FWDO_uwo
-A FWDI_net6 -j FWDI_net6_log
-A FWDI_net6 -j FWDI_net6_deny
-A FWDI_net6 -j FWDI_net6_allow
-A FWDI_net6 -p icmp -j ACCEPT
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDI_uwo -j FWDI_uwo_log
-A FWDI_uwo -j FWDI_uwo_deny
-A FWDI_uwo -j FWDI_uwo_allow
-A FWDI_uwo -p icmp -j ACCEPT
-A FWDO_net6 -j FWDO_net6_log
-A FWDO_net6 -j FWDO_net6_deny
-A FWDO_net6 -j FWDO_net6_allow
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A FWDO_uwo -j FWDO_uwo_log
-A FWDO_uwo -j FWDO_uwo_deny
-A FWDO_uwo -j FWDO_uwo_allow
-A INPUT_ZONES -i ens160 -g IN_public
-A INPUT_ZONES -g IN_public
-A INPUT_ZONES_SOURCE -s 129.100.6.0/24 -g IN_net6
-A INPUT_ZONES_SOURCE -s 129.100.0.0/16 -g IN_uwo
-A IN_net6 -j IN_net6_log
-A IN_net6 -j IN_net6_deny
-A IN_net6 -j IN_net6_allow
-A IN_net6 -p icmp -j ACCEPT
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -s 172.20.0.0/22 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 172.29.17.38/32 -p udp -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 129.100.3.110/32 -p udp -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 129.100.254.11/32 -p udp -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 129.100.254.10/32 -p udp -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 172.29.17.38/32 -p icmp -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 129.100.3.116/32 -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 129.100.6.0/26 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 129.100.254.233/32 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 129.100.254.10/32 -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 129.100.254.11/32 -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 129.100.6.192/27 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 172.29.17.37/32 -p icmp -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 129.100.3.116/32 -p udp -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 129.100.254.11/32 -p icmp -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 129.100.254.10/32 -p icmp -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 129.100.3.110/32 -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 172.29.17.37/32 -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 172.29.17.37/32 -p udp -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 172.29.17.38/32 -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A IN_uwo -j IN_uwo_log
-A IN_uwo -j IN_uwo_deny
-A IN_uwo -j IN_uwo_allow
-A IN_uwo -p icmp -j ACCEPT
-A IN_uwo_allow -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
Thanks,
Andrew
6 years, 3 months
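An added illustration, not part of the thread, of the first-match behaviour visible in the iptables -S listing above: INPUT_ZONES_SOURCE dispatches with -g (goto) to the first zone whose source matches, so a host inside both ranges lands in net6 and the ports opened in uwo never apply to it. The BEFORE/AFTER strings are this example's own encoding of the two zones, and the fall-through to the interface-bound zone is not modelled.

```shell
#!/bin/sh
# Added example, not from the original post: emulate firewalld's source-based
# zone dispatch. In the iptables -S output above, INPUT_ZONES_SOURCE holds one
# "-s CIDR -g IN_<zone>" rule per source, in the order shown (the /24 before
# the /16); -g is goto, so the first matching zone is the only one consulted.
set -eu

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NET/BITS -> exit 0 when IP lies inside NET/BITS
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# dispatch IP PORT ZONE=CIDR=PORT,PORT,... -> "<zone> ACCEPT|REJECT"
# Zones are tried in argument order, like the chain. A zone with the default
# target rejects anything outside its own port list; no later zone is tried.
dispatch() {
    ip=$1
    port=$2
    shift 2
    for entry in "$@"; do
        zone=${entry%%=*}
        rest=${entry#*=}
        if in_cidr "$ip" "${rest%%=*}"; then
            case ",${rest#*=}," in
                *",$port,"*) echo "$zone ACCEPT" ;;
                *) echo "$zone REJECT" ;;
            esac
            return 0
        fi
    done
    echo "none REJECT"   # no source match: interface zone applies (not modelled)
}

# The post's zones, then the repair: open 111/tcp in the narrower zone too
# (firewall-cmd --permanent --zone=net6 --add-port=111/tcp; then --reload).
BEFORE="net6=129.100.6.0/24= uwo=129.100.0.0/16=111/tcp"
AFTER="net6=129.100.6.0/24=111/tcp uwo=129.100.0.0/16=111/tcp"
```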