Firewalld & IPv6
by Paavo Leinonen
Hi,
I'm running firewalld in a router that connects the devices in my home LAN to the internet.
I have recently added an IPv6 DHCPv6 config to the router, and prefix delegation works, so the devices in my home LAN get proper IPv6 addresses.
However, I don't like the idea that all IPv6-enabled devices in my home LAN have public IPv6 addresses. I'd very much prefer a simple IPv4-style NAT approach to protect the devices in the home LAN from being accessed from the internet.
How do I implement something like this with firewalld in the router?
wanif=eth0
lanif=eth1
# new connections are only accepted from the LAN side towards the WAN side
ip6tables -A FORWARD -m conntrack --ctstate NEW -i $lanif -o $wanif -j ACCEPT
# replies and related traffic (ICMPv6 errors included) pass in either direction
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anything else that would be forwarded, i.e. unsolicited WAN -> LAN, is dropped
ip6tables -P FORWARD DROP
Other ways to protect the devices in my home LAN from being accessed from the internet?
-Paavo
5 years, 9 months
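The ip6tables rules above, written as firewalld direct rules, as an added example that is not part of the original post. It assumes the poster's interface names (eth0 towards the WAN, eth1 towards the LAN) and uses firewalld's built-in "external" and "internal" zones; firewalld has no NAT66 (its masquerade setting is IPv4 only), so what it offers for IPv6 is the same stateful filtering the poster's ip6tables rules implement, which gives the "unsolicited inbound is dropped" behaviour NAT provides as a side effect. DRY_RUN=1 (the default in the script) prints the firewall-cmd invocations instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post): the poster's three ip6tables
# rules expressed as firewalld direct rules, plus assignment of the two
# interfaces to firewalld's built-in "external" and "internal" zones.
# Interface names come from the post; DRY_RUN=1 (the default here) prints
# the firewall-cmd invocations instead of executing them.

WANIF="${WANIF:-eth0}"
LANIF="${LANIF:-eth1}"
DRY_RUN="${DRY_RUN:-1}"

# run_or_print CMD...: execute, or echo the command line in dry-run mode
run_or_print() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipv6_forward_rules WAN LAN: emit the permanent configuration.
# A direct rule on FORWARD lands in firewalld's FORWARD_direct chain, which
# the iptables backend consults right after its own
# "ESTABLISHED,RELATED -> ACCEPT" rule and before any zone chain, so:
#   priority 0: new connections LAN -> WAN are accepted
#   priority 1: new connections WAN -> LAN are dropped, whatever a zone
#               might otherwise allow (the "IPv4 NAT-like" behaviour asked for)
# Nothing here rewrites addresses: this is stateful filtering, not NAT66.
ipv6_forward_rules() {
    wan="$1"
    lan="$2"
    run_or_print firewall-cmd --permanent --zone=external --change-interface="$wan"
    run_or_print firewall-cmd --permanent --zone=internal --change-interface="$lan"
    run_or_print firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 \
        -i "$lan" -o "$wan" -m conntrack --ctstate NEW -j ACCEPT
    run_or_print firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 1 \
        -i "$wan" -o "$lan" -m conntrack --ctstate NEW -j DROP
    run_or_print firewall-cmd --reload
}

# count_direct_rules WAN LAN: how many direct rules the set above contains
count_direct_rules() {
    ipv6_forward_rules "$1" "$2" | grep -c -- '--direct --add-rule ipv6'
}

ipv6_forward_rules "$WANIF" "$LANIF"
```

Run it with DRY_RUN=0 as root to apply, then confirm with `firewall-cmd --direct --get-all-rules` and `ip6tables -S FORWARD`, and test from outside rather than trusting the rule text: firewalld 0.6 and later default to the nftables backend and feed direct rules through iptables-nft ahead of firewalld's own chains, so the final ruleset is worth inspecting. On firewalld 1.0 and later the zone-native way to express the LAN-to-WAN allow is a policy (`--new-policy`, then `--add-ingress-zone internal`, `--add-egress-zone external` and `--set-target ACCEPT` on it), which makes the direct rules unnecessary. Do not tighten this into a blanket ICMPv6 drop: the RELATED state is what lets "packet too big" and other ICMPv6 errors for existing flows back in, and without them path MTU discovery breaks.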
Re: firewalld and ipsets
by John Griffiths
I implemented the use of ipsets for a direct rule in firewalld in 2013.
The direct.xml is:
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
I have several ipsets that are modified outside of firewalld.
blacklist_ipv4_permanent
blacklist_ipv4_semipermanent
blacklist_ipv4_current
blacklist_ipv6_permanent
blacklist_ipv6_semipermanent
blacklist_ipv6_current
These are members of ipset blacklist:
Name: blacklist
Type: list:set
Revision: 3
Header: size 8
Size in memory: 368
References: 0
Number of entries: 6
Members:
blacklist_ipv4_permanent
blacklist_ipv4_semipermanent
blacklist_ipv4_current
blacklist_ipv6_permanent
blacklist_ipv6_semipermanent
blacklist_ipv6_current
This was working until I upgraded to Fedora 26 from Fedora 24. Now, even though an IP is in one of the member ipsets, blacklist_ipv4_semipermanent or one of the others, firewalld does not block the IP.
I do not know if this is an issue with ipsets or firewalld, nor do I
know whether this is a "feature" or a bug.
Since these ipsets are modified dynamically and need to be accessed from
bash scripts, using the internal ipset functionality of firewalld is not
my desired choice.
Any insight or help in getting the ipsets working again with firewalld
would be greatly appreciated.
Thanks.
John
6 years, 3 months
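A first check worth running in the situation above, as an added example that is not part of the original post or of firewalld: make sure every ipset a direct rule names exists in the kernel at the moment firewalld loads the rule. iptables refuses a rule whose `-m set --match-set NAME` set does not exist, and when that happens to a passthrough, firewalld logs the failure and the rule is simply absent from the ruleset, which from the outside looks exactly like "firewalld does not block the IP". The sample direct.xml and the sample `ipset list -n` output below are constructed for the demonstration (the set names are the post's plus one invented one); on a real router the input is /etc/firewalld/direct.xml.

```shell
#!/bin/sh
# Added example, not from the original post: verify that every ipset named
# by --match-set in a direct.xml exists before firewalld is (re)loaded.
# iptables will not load a rule whose set is missing, so a set that is
# created by scripts after firewalld starts silently loses its rule.
# The sample direct.xml and set list below are constructed for this demo.

# required_sets FILE: set names referenced by --match-set in a direct.xml
required_sets() {
    grep -o -- '--match-set[[:space:]][[:space:]]*[A-Za-z0-9_.:-]*' "$1" \
        | sed 's/^--match-set[[:space:]]*//' | sort -u
}

# missing_sets DIRECT_XML NAMES_FILE: names in the XML that are absent from
# NAMES_FILE, which holds one set name per line (the output of
# "ipset list -n" saved to a file). Prints nothing when all sets exist.
missing_sets() {
    for s in $(required_sets "$1"); do
        grep -qx -- "$s" "$2" || printf '%s\n' "$s"
    done
}

# check_live DIRECT_XML: the same check against the running kernel.
# Returns 1 and lists the gaps if any referenced set is missing.
check_live() {
    names=$(mktemp) || return 2
    ipset list -n > "$names" 2>/dev/null
    m=$(missing_sets "$1" "$names")
    rm -f "$names"
    [ -z "$m" ] || { printf 'missing ipsets:\n%s\n' "$m"; return 1; }
}

# --- constructed sample data -------------------------------------------
SAMPLE_XML=$(mktemp)
SAMPLE_NAMES=$(mktemp)
trap 'rm -f "$SAMPLE_XML" "$SAMPLE_NAMES"' EXIT

# A direct.xml in the shape of the post's, plus a rule for a set
# ("scanners_v4") that the scripts never recreated after a reboot.
cat > "$SAMPLE_XML" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set scanners_v4 src -j DROP</passthrough>
</direct>
EOF

# Kernel state as "ipset list -n" would print it on that box.
printf '%s\n' blacklist blacklist_ipv4_permanent blacklist_ipv6_permanent > "$SAMPLE_NAMES"

# On the sample data this reports "scanners_v4" as missing.
missing_sets "$SAMPLE_XML" "$SAMPLE_NAMES"
```

On the router itself `check_live /etc/firewalld/direct.xml` answers the same question against the live kernel; if it reports a gap, restore the sets (for example from an `ipset save` dump) before firewalld starts, or restart firewalld after the scripts that create them. When the sets are all present, the next things to compare are `firewall-cmd --direct --get-all-passthroughs` against `iptables -t raw -S PREROUTING` and `ip6tables -t raw -S PREROUTING`, which shows whether each passthrough actually made it into the kernel.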
'transparent' port forwarding conundrum
by R P Herrold
I have been migrating older local sysadmin content, with a goal of 'no more iptables' ruleset manipulation. Part of the load is getting outgoing email redirected into a single exit machine, so I can get logging (and identification of compromised hosts propagating viruses and such) working. We take traffic counts by originating host IP, and regularly find 'phishing'-compromised internal hosts sending large volumes of email -- the traffic counts spike up and go 'through the roof'.
The standby script from long ago which I wrote is:
[herrold@centos-7 rc.d]$ cat mailfunnel.sh
#!/bin/sh
# mailfunnel.sh
NATHOST="172.168.33.2"
INSIDE="172.168.33.105"
LOCALNET="172.168.33.0/24"
LOCALHOST="127.0.0.1"
WORLD="0.0.0.0/0"
MAILPORT="25"
IPTABLES="/sbin/iptables"
# pass content initiating on 'lo'
$IPTABLES -t nat -A PREROUTING \
    -s $LOCALHOST -d $WORLD \
    -j ACCEPT
$IPTABLES -t nat -A POSTROUTING \
    -s $LOCALHOST -d $WORLD \
    -j ACCEPT
# hand off a portforward of the backside email traffic
# to the logging host
# (current iptables wants the negation in front of the option, "! -s",
# rather than the older "-s !" spelling this script was written with)
$IPTABLES -t nat -A PREROUTING -p tcp \
    ! -s $INSIDE -d $WORLD --dport $MAILPORT \
    -j DNAT --to-destination $INSIDE
# I suspect this rule is never hit
$IPTABLES -t nat -A POSTROUTING -p tcp \
    ! -s $INSIDE -d $WORLD --dport $MAILPORT \
    -j SNAT --to $NATHOST
[herrold@centos-7 rc.d]$
looks like I've not touched the one for that site in a long
time:
-rwxr-xr-x. 1 herrold herrold 1050 Feb 2 2005 mailfunnel.sh
This was a mixture of NAT and port forwarding.
It would not harm my feelings if both the NATHOST and the INSIDE (mail destination) were on the same IP, and indeed if that destination was the gateway. That was my first attempt, trying to get a 'transparent redirect' into the gateway's 'squid' to catch even hosts not explicitly set to use the proxy.
I had tried and failed to add to a NAT barrier host a 'catchall' rule to feed all port 80 traffic from the 'backside' network over to port 3128 -- squid -- on the localhost, but I am missing what is wrong with this command:
[root@router squid]# firewall-cmd --zone=internal --add-rule-rich='rule family="ipv4" forward-port to-port="3128" to-addr="127.0.0.1" port="80" protocol="tcp" '
usage: see firewall-cmd man page
firewall-cmd: error: unrecognized arguments: --add-rule-rich=rule family="ipv4" forward-port to-port="3128" to-addr="127.0.0.1" port="80" protocol="tcp"
ehh? that example was lifted right out of the 'man' page
What approach to convert this set of rules is most direct? I suspect my answer in each case will involve reference to firewalld.richlanguage from its man page. I tried to follow Example 5. I adjusted it to a general rule:
[root@router squid]# firewall-cmd --zone=internal --add-rule-rich='rule family="ipv4" forward-port to-port="25" to-addr="10.16.0.1" port="25" protocol="tcp" '
usage: see firewall-cmd man page
firewall-cmd: error: unrecognized arguments: --add-rule-rich=rule family="ipv4" forward-port to-port="25" to-addr="10.16.0.1" port="25" protocol="tcp"
So clearly I am missing something
Thoughts? Pointers? (My Google-fu does not produce useful
pointers)
-- Russ herrold
6 years, 5 months
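The two rules the post is trying to write, as an added example that is not part of the original post. The firewall-cmd option is spelled `--add-rich-rule`; `forward-port` is an element inside the rich rule, not an option of its own, which is why the CLI rejected `--add-rule-rich` as an unrecognized argument. The addresses, ports and the "internal" zone are taken from mailfunnel.sh and the post (note that 172.168.0.0/16 lies outside RFC 1918 space). Two points the script shows that a rich rule cannot express one-to-one: the old script's `! -s $INSIDE` becomes the rich language's `source NOT address=...`; and for the squid case, a forward-port with no to-addr makes firewalld emit an iptables REDIRECT to the gateway's own port, which is what a transparent proxy on the gateway needs, whereas DNAT of forwarded traffic to 127.0.0.1 is discarded by the kernel unless route_localnet is enabled. DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: the mail funnel and the squid
# redirect from the post expressed with firewall-cmd. Values come from
# mailfunnel.sh; the zone name is the one used in the post.
# DRY_RUN=1 (default) prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
ZONE="${ZONE:-internal}"
INSIDE="${INSIDE:-172.168.33.105}"   # the mail exit host, from mailfunnel.sh

# run_or_print CMD...: execute, or print a copy-pasteable command line,
# single-quoting any argument that carries spaces or quotes.
run_or_print() {
    if [ "$DRY_RUN" = "1" ]; then
        out=""
        for a in "$@"; do
            case $a in
                *[!A-Za-z0-9_./:=-]*) out="$out '$a'" ;;
                *)                    out="$out $a" ;;
            esac
        done
        printf '%s\n' "${out# }"
    else
        "$@"
    fi
}

# mail_funnel_rule INSIDE: rich rule that DNATs port-25 traffic from every
# host except INSIDE itself to INSIDE. 'source NOT address' is the rich
# language's negation (documented as "source [not] address=...") and is the
# counterpart of the old script's "! -s $INSIDE".
mail_funnel_rule() {
    printf 'rule family="ipv4" source NOT address="%s" forward-port port="25" protocol="tcp" to-port="25" to-addr="%s"' "$1" "$1"
}

# squid_redirect: forward-port without to-addr. firewalld turns this into an
# iptables REDIRECT to local port 3128 on the gateway, so no loopback
# address appears in the rule at all.
squid_redirect() {
    run_or_print firewall-cmd --zone="$ZONE" --add-forward-port=port=80:proto=tcp:toport=3128
}

# apply_rules: both rules, runtime only; add --permanent (and --reload)
# to keep them across a firewalld restart.
apply_rules() {
    squid_redirect
    run_or_print firewall-cmd --zone="$ZONE" --add-rich-rule="$(mail_funnel_rule "$INSIDE")"
}

apply_rules
```

One caveat the 2005 script handles and the rich rule does not: when the sending host and the mail exit host share a subnet, the exit host answers the sender directly, and that reply never passes the router that holds the DNAT state, so the sender sees a connection from the wrong address and resets it. The SNAT rule in mailfunnel.sh exists to force the return path back through the router. The rich language has no SNAT-to-address element; the nearest firewalld offers is masquerade on the zone the exit host sits in, which source-NATs (and also accepts) forwarded traffic leaving through that zone's interfaces, so weigh that against the zone's other rules before turning it on.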