11/29/2017

Direct Rules for Firewalld

Why Firewalld Direct Rules?

  1. You need more control than simply adding or removing services and ports gives you.
  2. You want to make exceptions for certain hosts.
  3. You want to make exceptions for certain networks.
  4. You are comfortable with the iptables, ip6tables, or ebtables syntax that direct rules are written in.

The documentation for Direct Rules can be found with:

man firewalld.direct

The basic structure of a rule is:

ipv      - "ipv4|ipv6|eb"  # whether the rule is iptables, ip6tables or ebtables based
table    - "table"         # table the rule goes in: filter, mangle, nat, etc.
chain    - "chain"         # chain the rule goes in: INPUT, OUTPUT, FORWARD, etc.
priority - "priority"      # non-negative integer; lower values are evaluated first
rule                       # the match and target arguments you would give to iptables, e.g. -p tcp --dport 80 -j ACCEPT

If you have experience with the iptables command, then you should feel comfortable with basic Direct Rules. In place of "iptables", the command starts with "firewall-cmd --permanent --direct --add-rule", followed by a rule in the structure above. A rule added with --permanent is written to /etc/firewalld/direct.xml and only becomes active once the firewalld daemon is reloaded or restarted; a rule added without --permanent is active immediately but is lost at the next reload.

One simple firewall scenario

The web server service should only be available to one host and reject all others. Both actions should be logged.

Whitelist one host for one service

In this scenario, the host 10.0.0.107 is allowed to reach the http service and every other host (the 0.0.0.0/0 network) is rejected. The number following INPUT is the rule's priority: 0 is evaluated first, and higher numbers later. Direct rules go into a chain of their own (INPUT_direct here) that firewalld checks before its zone rules, and within that chain they are evaluated strictly in priority order. So the ACCEPT for the whitelisted host must carry a lower number than the catch-all REJECT; if the REJECT came first, the whitelisted host would be rejected along with everyone else.

# Log, then accept, web traffic from the one whitelisted host.
firewall-cmd --permanent --direct --add-rule \
ipv4 \
filter \
INPUT 0 \
-p tcp --dport 80 -s 10.0.0.107 \
-j LOG --log-prefix "DIRECT HTTP ACCEPT"

firewall-cmd --permanent --direct --add-rule \
ipv4 \
filter \
INPUT 1 \
-p tcp --dport 80 -s 10.0.0.107 \
-j ACCEPT

# Log, then reject, web traffic from everyone else. No -s on these two:
# the whitelisted host was already accepted at priority 1, so restricting
# the REJECT to 10.0.0.107 would make it match nothing and leave port 80
# open to every other host.
firewall-cmd --permanent --direct --add-rule \
ipv4 \
filter \
INPUT 2 \
-p tcp --dport 80 \
-j LOG --log-prefix "DIRECT HTTP REJECT"

firewall-cmd --permanent --direct --add-rule \
ipv4 \
filter \
INPUT 3 \
-p tcp --dport 80 \
-j REJECT --reject-with icmp-host-unreachable

Since these rules were added with the --permanent option, they are in the permanent configuration only and not yet in the runtime rule set. To make the permanent rules active, reload firewalld:

firewall-cmd --reload
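The whole procedure above, as an added example script that is not part of the original post: it builds the four rules from the "ipv table chain priority rule" structure for any TCP port and source host, adds them with --permanent and reloads. The FIREWALL_CMD variable is an assumption added so the script can be dry-run with FIREWALL_CMD=echo on a machine without firewalld; the ipv6 branch (which needs a different --reject-with type) and the space-free log prefixes are my choices, not from the post.

```shell
#!/bin/sh
# Added example (not from the original post): generate and apply the direct
# rules that restrict one TCP service to a single source host, logging both
# the accepted and the rejected traffic.
# FIREWALL_CMD is an assumption: set it to "echo" to dry-run without firewalld.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Print the four rules, one per line, in the "ipv table chain priority rule"
# form that "firewall-cmd --direct --get-all-rules" prints.
# usage: gen_whitelist_rules PORT HOST [ipv4|ipv6]
gen_whitelist_rules() {
    port="$1"; host="$2"; ipv="${3:-ipv4}"
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    case "$ipv" in
        # ip6tables has no icmp-host-unreachable; use the IPv6 equivalent.
        ipv4) unreach=icmp-host-unreachable ;;
        ipv6) unreach=icmp6-addr-unreachable ;;
        *) echo "unsupported address family: $ipv" >&2; return 1 ;;
    esac
    # Prefixes are kept free of spaces so a rule survives word splitting, and
    # short enough for the 29-character limit iptables puts on --log-prefix.
    tag="DIRECT_TCP${port}"
    # Priority 0/1: log, then accept, traffic from the whitelisted host.
    echo "$ipv filter INPUT 0 -p tcp --dport $port -s $host -j LOG --log-prefix ${tag}_ACCEPT"
    echo "$ipv filter INPUT 1 -p tcp --dport $port -s $host -j ACCEPT"
    # Priority 2/3: anything still here is from another host; log and reject it.
    # Deliberately no -s: scoping the REJECT to $host would reject nobody,
    # because that host was already accepted at priority 1.
    echo "$ipv filter INPUT 2 -p tcp --dport $port -j LOG --log-prefix ${tag}_REJECT"
    echo "$ipv filter INPUT 3 -p tcp --dport $port -j REJECT --reject-with $unreach"
}

# Add the rules permanently, then reload so they become runtime rules too.
apply_whitelist_rules() {
    gen_whitelist_rules "$@" >/dev/null || return 1   # validate before touching firewalld
    gen_whitelist_rules "$@" | while read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into separate arguments is intended
        "$FIREWALL_CMD" --permanent --direct --add-rule $rule
    done
    "$FIREWALL_CMD" --reload
}

case "${1:-}" in
    show)  shift; gen_whitelist_rules "$@" ;;
    apply) shift; apply_whitelist_rules "$@" ;;
    *) ;;   # no verb: only define the functions (e.g. when sourced)
esac
```

`sh direct-whitelist.sh show 80 10.0.0.107` prints the rules, `FIREWALL_CMD=echo sh direct-whitelist.sh apply 80 10.0.0.107` shows exactly which firewall-cmd invocations would run, and as root `sh direct-whitelist.sh apply 80 10.0.0.107` installs them; `show 443 2001:db8::7 ipv6` produces the ip6tables variant.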

I discovered that you have to "get" the rules instead of querying for a "list" of them:

firewall-cmd --direct --get-all-rules

ipv4 filter INPUT 0 -p tcp --dport 80 -s 10.0.0.107 -j LOG --log-prefix 'DIRECT HTTP ACCEPT'
ipv4 filter INPUT 1 -p tcp --dport 80 -s 10.0.0.107 -j ACCEPT
ipv4 filter INPUT 2 -p tcp --dport 80 -j LOG --log-prefix 'DIRECT HTTP REJECT'
ipv4 filter INPUT 3 -p tcp --dport 80 -j REJECT --reject-with icmp-host-unreachable
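A check over a listing like the one above, as an added example that is not part of the original post: an awk-based linter for "firewall-cmd --direct --get-all-rules" output that flags the ordering mistakes which make a host whitelist silently fail. The BUGGY_LISTING is constructed to show the easy mistake of giving the REJECT the same -s as the ACCEPT (it then matches nothing and the port stays open to everyone); FIXED_LISTING is the corrected set. Both listings, the function names and the verb arguments are my own, not from the post.

```shell
#!/bin/sh
# Added example (not from the original post): lint the output of
# "firewall-cmd --direct --get-all-rules" for whitelist rule sets that do not
# do what they appear to do. Reads the listing on stdin, prints one line per
# (family, port) pair and exits 1 if any problem was found.
check_direct_rules() {
    awk '
    # Listing format: ipv table chain priority <iptables arguments...>
    $2 == "filter" && $3 == "INPUT" {
        port = ""; src = ""; target = ""
        for (i = 5; i <= NF; i++) {
            if ($i == "--dport") port   = $(i + 1)
            if ($i == "-s")      src    = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        if (port == "" || target == "LOG") next       # LOG rules never decide anything
        key = $1 " " port
        if (target == "ACCEPT" && src != "") {
            acc_pri[key] = $4; acc_src[key] = src
        } else if (target == "REJECT" || target == "DROP") {
            if (src == "") { deny_pri[key] = $4 }     # the catch-all deny
            else           { scoped_deny[key] = src } # a deny limited to one source
        }
    }
    END {
        bad = 0
        for (key in acc_pri) {
            if ((key in scoped_deny) && scoped_deny[key] == acc_src[key]) {
                print "BUG " key ": REJECT/DROP scoped to " acc_src[key] ", which is already accepted; that rule matches nothing"
                bad = 1
            }
            if (!(key in deny_pri)) {
                print "BUG " key ": no catch-all REJECT/DROP, so every other host can reach the port"
                bad = 1
            } else if (deny_pri[key] + 0 <= acc_pri[key] + 0) {
                print "BUG " key ": catch-all deny at priority " deny_pri[key] " runs before the ACCEPT at " acc_pri[key]
                bad = 1
            } else {
                print "OK  " key ": " acc_src[key] " accepted at " acc_pri[key] ", everyone else denied at " deny_pri[key]
            }
        }
        exit bad
    }'
}

# Constructed listing with the easy mistake: the REJECT carries the same -s as
# the ACCEPT, so it can never match and port 80 stays open to everyone.
BUGGY_LISTING="ipv4 filter INPUT 0 -p tcp --dport 80 -s 10.0.0.107 -j LOG --log-prefix 'DIRECT HTTP ACCEPT'
ipv4 filter INPUT 1 -p tcp --dport 80 -s 10.0.0.107 -j ACCEPT
ipv4 filter INPUT 2 -p tcp --dport 80 -j LOG --log-prefix 'DIRECT HTTP REJECT'
ipv4 filter INPUT 3 -p tcp --dport 80 -s 10.0.0.107 -j REJECT --reject-with icmp-host-unreachable"

# Constructed listing of the corrected set: the REJECT applies to every source.
FIXED_LISTING="ipv4 filter INPUT 0 -p tcp --dport 80 -s 10.0.0.107 -j LOG --log-prefix 'DIRECT HTTP ACCEPT'
ipv4 filter INPUT 1 -p tcp --dport 80 -s 10.0.0.107 -j ACCEPT
ipv4 filter INPUT 2 -p tcp --dport 80 -j LOG --log-prefix 'DIRECT HTTP REJECT'
ipv4 filter INPUT 3 -p tcp --dport 80 -j REJECT --reject-with icmp-host-unreachable"

check_buggy() { printf '%s\n' "$BUGGY_LISTING" | check_direct_rules; }
check_fixed() { printf '%s\n' "$FIXED_LISTING" | check_direct_rules; }

case "${1:-}" in
    check) check_direct_rules ;;                  # firewall-cmd --direct --get-all-rules | sh direct-lint.sh check
    demo)  check_buggy; echo ---; check_fixed ;;
    *) ;;                                         # no verb: only define the functions
esac
```

`sh direct-lint.sh demo` prints two BUG lines for the constructed listing and one OK line for the corrected one; on a firewalld host, `firewall-cmd --direct --get-all-rules | sh direct-lint.sh check` audits the live rule set and its exit status can gate a configuration-management run.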



About Me - WrightRocket

I've worked with computers for over 30 years, programming, administering, using and building them from scratch.

I'm an instructor for technical computer courses, an editor and developer of training manuals, and an Android developer.