<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<link rel="stylesheet" href="psg.css" type="text/css">
<LINK REL="SHORTCUT ICON" HREF="favicon.ico" type="image/x-icon"/>
<META NAME="description" content="System Administrator Pocket Survival Guide - A series of notes for Sys Admin"/>
<META NAME="keyword" content="Sys Admin, System Administrator, Solaris, HP-UX, AIX, Linux, Note, Notes, Pocket, Survival, Guide, psg, data center, power, electrical, plug, LYS, LKS, LAPPLAPP, PSG101, sn50, tin6150"/>
<META NAME="Robots" CONTENT="all"/>
<META NAME="Author" CONTENT="Tin Ho"/>
<title>Pocket Survival Guide - Linux Firewall</title>
</head>
<body>
<div class="navheader">
<table summary="Navigation header" width="100%">
<tbody>
<tr>
<th colspan="9" align="center">
<A HREF="http://tin6150.github.io/psg/">Sys Admin Pocket Survival Guide - Linux Firewall</A>
</th>
</tr>
<tr>
<td align="left"> <a accesskey="h" href="psg2.html">Home</a> </td>
<td align="center"><a accesskey="m" href="mrf.html">Modified RAID 5</a> </td>
<td align="center"><a accesskey="i" href="ipmi.html">IPMI</a> </td>
<td align="center"><a accesskey="l" href="linux.html">Linux</a> </td>
<td align="center"><a accesskey="d" href="docker.html">Docker</a> </td>
<td align="center"><a accesskey="a" href="aws.html">AWS</a> </td>
<td align="center"><a accesskey="l" href="lsf.html">HPC/Batch System</a> </td>
<td align="center"><a accesskey="b" href="bigdata.html">BigData Engine</a> </td>
<td align="center"><a accesskey="p" href="perl.html">Perl</a> </td>
<td align="center"><a accesskey="y" href="python.html">Python</a> </td>
<td align="right"> <a accesskey="c" href="blogger_container_hpc.html">Container</a> </td>
</tr>
</tbody>
</table>
<hr></div>
<div class="chapter" lang="en">
<div class="titlepage">
</div>
</div>
<div align="CENTER">
<A HREF="http://rustedreality.com/firewall/"><IMG SRC="fig/rustedrealty_firewall.jpg" TITLE="rusted realty - firewall"></A><BR>
</div>
<!-- ######################################################################### -->
<H1>Linux Firewall</H1>
This page only covers firewalls on Linux, mostly for use as a host-based firewall.
For network-edge, dedicated firewalls such as Check Point and Pix, see
<A HREF="net.html#firewall">net.html#firewall</A>
<BR>
<BR>
<PRE>
Linux kernel 2.2 - ipchains
Linux kernel 2.4 - iptables
Linux kernel 4.18? - nftables (rhel8 anyway)
/etc/sysconfig/iptables # firewall rule config file
system-config-firewall # GUI tool to set iptables firewall rules
firewall-config # use this instead of the above in RHEL7 (since it uses shorewall)
ufw # UI for Ubuntu-land
iptables # CLI for RHEL6
firewall-cmd # CLI for RHEL7
firewalld is the UI in RHEL7 and RHEL8. RHEL8 no longer uses iptables, but nftables instead (still netfilter at the kernel level).
ufw, iptables and firewalld typically manipulate the INPUT chain.
Docker also manipulates iptables, typically at the PREROUTING chain, so containers could be inadvertently open to the world, "above" firewalld's control.
The DOCKER-USER chain can be used for this; see below.
</PRE>
<BR><BR>
Chains:
<UL>
<LI>PreRouting</LI>
<LI>Forward</LI>
<LI>Input</LI>
<LI>Output</LI>
<LI>PostRouting</LI>
</UL>
Tables (not all chains have all tables):
<UL>
<LI>filter</LI>
<LI>nat</LI>
<LI>mangle</LI>
<LI>conntrack (connection tracking, aka security?)</LI>
</UL>
<BR>
<A ID="diagram"></A>
<A ID="iptablesDiagram"></A>
<A ID="iptablesFlowDiagram"></A>
<div align="CENTER">
<A HREF="https://www.booleanworld.com/depth-guide-iptables-linux-firewall/"><IMG SRC="fig/iptables-flow.booleanworld.png" TITLE="firewall flow diagram from booleanworld"></A><BR>
</div>
<BR>
Ref:
<OL>
<LI><A HREF="https://gist.github.com/nerdalert/a1687ae4da1cc44a437d#-4">Additional iptables diagram</A> collection by <TT>nerdalert</TT></LI>
<LI><A HREF="https://www.booleanworld.com/depth-guide-iptables-linux-firewall/">depth guide from booleanworld</A></LI>
<LI><A HREF="https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture">Digital Ocean deep dive</A></LI>
</OL>
<A ID="iptables"></A>
<H2>IPTables</H2>
A command that front-ends the kernel 2.4 netfilter. Comes standard in CentOS 6/7. <BR>
It is not a daemon; ps won't show anything. It configures netfilter in the kernel. <TT>lsmod</TT> will show the kernel modules. <BR>
<PRE>
systemctl enable iptables
systemctl start iptables # loads /etc/sysconfig/iptables, configures netfilter in the kernel, and is done.
# there is no daemon left running. don't look for iptables in 'ps'
systemctl restart iptables # reload firewall rules. If there is an error, the load stops and the existing rules are left unchanged.
journalctl -xe # see log messages, esp if the iptables config is wrong and can't be loaded.
sudo iptables -L # show summary of configured chains.
echo "service iptables restart" | at now + 5 minutes # schedule a restart of the firewall via atq
echo "systemctl stop iptables" | at 18:30 # atq; atrm ... and remove the job once iptables works
</PRE>
<!-- cf_bk/bofh/sl7_2018/sysconfig/iptables -->
<PRE class="cf">
# example /etc/sysconfig/iptables that gets loaded at boot (CentOS 7)
# pretty much blocks everything.
# allows ssh in from specific hosts
# allows ping
# all outbound is allowed
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type redirect -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type router-advertisement -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type router-solicitation -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type source-quench -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
## -i lo is for input interface loopback
##-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT # this would allow ALL inbound ssh
## the next two allow only a list of IPs to ssh in (iptables-restore takes no trailing # comments on rule lines, so use -m comment)
-A INPUT -s 10.11.12.88 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.11.12.89 -p tcp --dport 22 -j ACCEPT -m comment --comment "comment that shows up in iptables -L"
-A INPUT -p tcp --dport 22 -j DROP
## default is reject, and no pkt forwarding
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</PRE>
The config file is really a series of arguments to the <TT>iptables</TT> command. <BR>
The rules are evaluated sequentially, as a chain.
<BR>
Updating /etc/sysconfig/iptables and then running systemctl restart iptables feels easier (and safer) than one-off commands.
If the new rules drop ssh, at least the restart/stop scheduled via at (see above) will run and re-enable inbound ssh so you can log back in...
<BR>
One-off commands may be good for some temporary testing, especially tests not involving ssh :)
<BR>
<BR>
Ref: <A HREF="https://wiki.centos.org/HowTos/Network/IPTables">CentOS wiki ipTables</A> (basic overview/simple example)
<PRE>
iptables -P INPUT ACCEPT # (temp) set policy to accept (or else the connected ssh session will drop)
iptables -F # flush out all existing rules. if ssh'ed in, that connection will be dropped (unless the above is done first)
-A INPUT # add/append a rule to the INPUT chain.
-m state # load the stateful inspection module
--state ESTABLISHED,RELATED # state could be NEW, ESTABLISHED or RELATED
# RELATED lets the fw see if the packet is part of an already ongoing connection
-m tcp ## ??
-p tcp # protocol tcp
--dport 22 # destination port
--sport 6000:7000 # source port range (colon syntax; 6000-7000 with a dash is not accepted)
-j ACCEPT # action is to allow the packet through
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT # using standard slash notation
iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT # using a subnet mask
iptables -P FORWARD DROP # chain policy: anything not already allowed by a rule ends up DROPped
iptables -L -v -n # List the rules. -n: numeric (no DNS lookups), -v: verbose (packet/byte counters, interfaces)
/sbin/service iptables save # calls /sbin/iptables-save (to /etc/sysconfig/iptables)
# without this, rules added at the cli are lost after reboot
</PRE>
<A ID="nis"></A>
<A ID="ssh"></A>
<H5>Allowing SSH, NIS</H5>
Core snippet allowing SSH and NIS for a list of hosts. <BR>
Other packets are rejected with an ICMP message rather than silently dropped. Logs go to syslog at the kern.6 (info) level.
<PRE class="cf">
*filter
## seems like it can start with a DROP policy and still work fine (when read from file; cut-n-paste may not)
## if DROP is used instead of ACCEPT as the policy, the icmp reject msg may not happen.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
## log incoming traffic, for temporary debugging only. will create massive logs!
## log to kernel.*. 0=emergency, 4=warning, 7=debug
## -A INPUT -p tcp -j LOG --log-prefix "IPTables Packet IN: " --log-level 7
## -A INPUT -p tcp -s 123.4.130.157 -j LOG --log-prefix "IPTables Packet IN: " --log-level 7
-A INPUT -i lo -j ACCEPT
## replies to connections this host initiated; without this an INPUT DROP policy drops them too
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# NFS.
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/storage_administration_guide/s2-nfs-nfs-firewall-config
# edit /etc/sysconfig/nfs
#MOUNTD_PORT=2049 # Controls which TCP and UDP port mountd (rpc.mountd) uses. # must be specified
#STATD_PORT=port # Controls which TCP and UDP port status (rpc.statd) uses. # can live without
#LOCKD_TCPPORT=port # Controls which TCP port nlockmgr (lockd) uses. # can live without
#LOCKD_UDPPORT=port # Controls which UDP port nlockmgr (lockd) uses. # can live without
# systemctl restart nfs-config # rhel 7 only
# rpcinfo -p nfsserver shows:
# 100005 3 udp 20048 mountd # /etc/services specifies port 20048
# 100005 3 tcp 20048 mountd
# 100003 3 tcp 2049 nfs
# 2049 was historically enough for nfs, but 20048 also needed to be allowed for rocky 8.6; it also allows showmount # xref exa5
-A INPUT -s 123.4.7.196 -p tcp -m multiport --dports 22,111,2049,20048 -j ACCEPT -m comment --comment "RPC and NFS for ex5"
#### Port 22 allows inbound ssh
#### NIS uses multiple ports: 111 (portmapper), 834-837 (set YP* args in /etc/default/nis for ubuntu, /etc/sysconfig/network for centos)
#### seems like it can live with just the TCP version of these ports; may not need to allow udp for newer clients.
#### https://help.ubuntu.com/community/SettingUpNISHowTo
#### NFS uses multiple ports as well (in addition to portmapper 111): 1110, 2049, 4045.
#### /etc/sysconfig/nfs for centos5 https://www.centos.org/docs/5/html/5.2/Deployment_Guide/s2-sysconfig-nfs.html
#### though this config is not currently exporting NFS (yet)
#### https://superuser.com/questions/667690/iptables-rules-for-nfs
#### Can use a comma separated list of source IPs, or just add one host IP per line for easy removal
#### /var/yp/securenets needs to list the nis client ip if securenets is configured. restart ypserv.
#### netstat -tulpn
-A INPUT -s 123.4.7.25 -p tcp -m multiport --dports 22,111,834,835,836,837 -j ACCEPT
-A INPUT -s 123.4.7.25 -p udp -m multiport --dports 111,834,835,836,837 -j ACCEPT
####
#### log dropped/rejected packets to kernel.6
#### but multicast/broadcast packets are simply dropped, without logging
####
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -d 123.4.7.255 -j DROP
-A INPUT -d 224.0.0.0/24 -j DROP
-A INPUT -j LOG -m limit --limit 2/min --log-prefix "IPTables_reject/drop: " --log-level 6
###
### alt method of logging via a custom chain; doesn't seem to be necessary
###
##?-N LOGGING
##?-A INPUT -j LOGGING
##?-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 6
##?-A LOGGING -j REJECT --reject-with icmp-host-prohibited
##--A LOGGING -j DROP
####
#### default to drop/reject packets. No packet forwarding.
####
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</PRE>
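The LOG rule above with the limit of 2/min is only useful if someone reads what it writes. As an added example (not from the original page), this POSIX shell/awk script summarises those kernel log lines per source and destination port and flags sources refused on many distinct ports; the log lines are constructed samples using the "IPTables_reject/drop: " prefix from the ruleset above.

```shell
#!/bin/sh
# Added example (not from the original page): summarise what the
# '-j LOG --log-prefix "IPTables_reject/drop: "' rule writes to the kernel log.
# Real input:  journalctl -k | fw_drop_summary   (or grep kernel /var/log/messages)

# Constructed sample of kern.info lines as they appear in /var/log/messages.
SAMPLE_LOG='Mar  3 10:01:02 host1 kernel: IPTables_reject/drop: IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:03 host1 kernel: IPTables_reject/drop: IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=41235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:04 host1 kernel: IPTables_reject/drop: IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=41236 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:05 host1 kernel: IPTables_reject/drop: IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=5353 DPT=111 LEN=32
Mar  3 10:01:06 host1 sshd[123]: Accepted publickey for bob from 10.11.12.88 port 5022 ssh2
Mar  3 10:01:07 host1 kernel: IPTables_reject/drop: IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1237 DF PROTO=TCP SPT=41237 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# fw_drop_summary [PREFIX]: read log lines on stdin, print "SRC PROTO DPT COUNT",
# most frequent first. Lines without the LOG prefix (eg sshd) are ignored.
fw_drop_summary() {
    awk -v prefix="${1:-IPTables_reject/drop:}" '
        index($0, prefix) == 0 { next }
        {
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src == "") next
            if (dpt == "") dpt = "-"          # ICMP lines carry no DPT
            n[src " " proto " " dpt]++
        }
        END { for (k in n) print k, n[k] }
    ' | sort -k4,4nr -k1,1 -k3,3n
}

# fw_scanners [MIN] [PREFIX]: sources refused on at least MIN distinct
# proto/port combinations, printed as "SRC COMBOS". A quick port-sweep indicator.
fw_scanners() {
    fw_drop_summary "${2:-IPTables_reject/drop:}" | awk -v min="${1:-3}" '
        { combos[$1]++ }
        END { for (s in combos) if (combos[s] >= min) print s, combos[s] }
    ' | sort
}

# Demo on the constructed sample when run directly.
printf '%s\n' "$SAMPLE_LOG" | fw_drop_summary
printf '%s\n' "$SAMPLE_LOG" | fw_scanners 3
```

Remember that the `-m limit --limit 2/min` on the LOG rule means the counts are a floor, not the real number of refused packets.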
<A ID="samba"></A>
<H5>Allowing Samba</H5>
<PRE class="cf">
## https://www.samba.org/~tpot/articles/firewall.html
## ports to allow for samba
-A INPUT -s 192.168.1.0/24 -p tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 445 -j ACCEPT
## the next 2 are needed for NETBIOS browsing of computers over the network.
## if you can live without browsing, no need to enable them
##-A INPUT -s 192.168.1.0/24 -p udp --dport 137 -j ACCEPT
##-A INPUT -s 192.168.1.0/24 -p udp --dport 138 -j ACCEPT
</PRE>
<A ID="port"></A>
<A ID="port_forwarding"></A>
<H5>Port Forwarding</H5>
Port forward incoming traffic hitting port 80, sending it to port 8000.
<PRE>
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8000
</PRE>
<!-- that command came from gmail with ironman -->
This works when I use a different machine to hit port 8000; the PREROUTING rule then takes effect and forwards to port 80. <BR>
But it will not work when connecting from within the machine, even when the IP address is used:
locally generated packets traverse the nat table's OUTPUT chain, not PREROUTING, so this rule never sees them.
This matters when the requester is on the same machine (eg when doing development work and testing on the same machine). <BR>
[omitting the -i eth0 may get it to forward traffic even when it is on the same host?]
<BR>
<A ID="one"></A>
<A ID="one-off"></A>
<H5>One-off manipulation</H5>
Not recommended unless in niche circumstances.
<PRE>
# allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ensure the default policy is to drop (else an explicit drop rule is needed at the end of the chain)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -s 73.170.217.126/32 -p tcp --dport 80 -j ACCEPT -m comment --comment "-A appends as last rule of the chain"
iptables -I INPUT -s 73.170.217.126/32 -p tcp --dport 80 -j LOG -m comment --comment "-I inserts as first rule of the chain"
# -j LOG is a non-terminating target: it logs, then evaluation continues with the next rule
iptables -nvL --line-numbers # list rules with index numbers
iptables -D INPUT 1 # delete rule index 1 of the INPUT chain
# custom chain to LOG and DROP connections
iptables -N LOG_AND_DROP
iptables -A LOG_AND_DROP -j LOG --log-prefix "IPTables Source host denied " --log-level 7
iptables -A LOG_AND_DROP -j DROP
iptables -A INPUT -j LOG_AND_DROP # add as last rule of INPUT so packets not otherwise allowed are logged, then dropped
iptables -S # also shows custom chains (eg those created by docker, ufw, etc)
iptables -F INPUT # flush all rules of the INPUT chain; the policy (-P) stays, so with policy DROP everything is now dropped
iptables -X # delete all empty user-defined chains (built-in chains like INPUT cannot be deleted)
iptables -F # flush all rules in all chains (iptables still active; with ACCEPT policies it largely allows all)
</PRE>
<A ID="firewalld"></A>
<H2>firewalld</H2>
RHEL7 defaults to <TT>firewalld</TT>. It allows for a programmatic way of configuring netfilter. The config files are XML, but configuration is typically done via the <TT>firewall-cmd</TT> cli and there is no need to muck with the XML files directly. Firewalld does generate iptables commands, but does not use the /etc/sysconfig/iptables file. Those who like the iptables cli would feel very foreign with firewalld and vice versa. <BR>
firewalld also runs as a dynamic firewall service, and thus has a daemon. The daemon works with NetworkManager, determining which <TT>zone</TT> the network is in and applying firewall rules accordingly (public WiFi would be in a zone with more restrictions than a home network). <BR>
For a given system, either use the iptables (service) or firewalld. Pick one and stick to it.
<BR><BR>
<BR><BR>
firewalld out of the box comes with a number of zones pre-created.
But by and large, there is no pre-defined "pathway" for how a packet travels.
It is not necessarily the case that the "inside" zone will always go to the "public" zone.
<BR>
Think of a zone as grouping traffic together; the sys admin adds a <TT>target</TT> for what this group as a whole should do.
<TT>target: default</TT> simply means keep processing the packet through the other chains. If no rule defines that the packet should be dropped, it is allowed through to the user process.
In practice, at least on a linux server, <TT>target: default</TT> mostly leads to ACCEPT. If the desire is to block such traffic, it tends to become <TT>target: DROP</TT> (or <TT>%%REJECT%%</TT>).
<BR>
But other target actions can be taken, either in the zone itself (eg accept) or in later chains (eg NAT, port forward, etc). <BR>
Refer to the <A HREF="#tables_chains_diagram">iptables tables/chains diagram</A>
<BR>
<BR>
ref:
<A HREF="https://firewalld.org/documentation/zone/options.html">firewalld.org zone options</A>
<BR>
<PRE>
system-config-firewall # for static rule config of firewalld
firewall-config # ?? gui??
systemctl status firewalld
# config in:
/usr/lib/firewalld holds the default zone config, services, etc.
/etc/firewalld/... system config. bunch of xml files.
firewall-cmd --list-all-zones # like UFW, can support zones like public, private, etc.
firewall-cmd --get-active-zones
firewall-cmd --get-default-zone
firewall-cmd --zone=public --list-all # list all rules that apply to the "public" zone
firewall-cmd --get-services # list canned services like httpd
firewall-cmd --zone=public --add-port=4000/tcp # allow port 4000 from anywhere, runtime
firewall-cmd --zone=public --add-port=4000/tcp --permanent # allow port 4000 from anywhere, config
firewall-cmd --zone=public --remove-port=4000/tcp # undo the add above
firewall-cmd --reload # read from config; anything that is runtime-only and not in --permanent is dropped
firewall-cmd --runtime-to-permanent # save config that was done without --permanent
firewall-cmd --direct --get-all-chains # direct interaction with iptables
firewall-cmd --direct --get-all-rules
# eg for removing a subnet or host from a specific zone
firewall-cmd --zone=internal --remove-source=128.3.0.0/16 --permanent
firewall-cmd --zone=trusted --remove-source=128.3.7.87 --permanent
firewall-cmd --zone=trusted --remove-source=128.3.7.87 # removing from the running config is what matters right now
## ansible adds it to internal
</PRE>
ref:
<A HREF="https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos">
Linode intro to firewallD on CentOS</A>
<BR>
<BR>
<H5>XML</H5>
Reading the configuration of firewalld may actually be easier from the xml files than from the output of firewall-cmd or iptables. <BR>
For CentOS 7, config files are stored in /etc/firewalld/zones. <BR>
If tools were used to insert rules into the xml files, the rules may need to be deleted by hand. Afterwards, it may be necessary to run
<TT>iptables -X; iptables -F; iptables -Z</TT>
to truly reset/remove old entries that should no longer be allowed.
<BR>
<BR>
Example config snippet, which includes "rich rules" (iptables rules within a firewalld zone):
<A HREF="conf/firewalld_public.xml">conf/firewalld_public.xml</A>
<BR>
<BR>
<H5>Precedence</H5>
<OL>
<LI>Sources (list of IPs) are processed first. </LI>
<LI>Interfaces (eg eno1, enp94s0f0) are applied second</LI>
<LI>In a zone, <TT>target: default</TT> means kick the packet upstairs (typically means ACCEPT if the service is listed, DROP/REJECT otherwise?) </LI>
<LI>The default zone is not the same as <TT>target: default</TT>. The default zone is often what NetworkManager assigns when the network is joined. firewalld allows explicitly defining which one is the default zone (eg set it to DMZ)</LI>
<LI><TT>iptables -S</TT> would be a good friend for debugging</LI>
<LI>rich rules are low-level iptables rules, not recommended in firewalld unless there is no pre-defined service for it. They are processed within a zone. </LI>
</OL>
ref:
<UL>
<LI><A HREF="https://www.linuxjournal.com/content/understanding-firewalld-multi-zone-configurations">Linux Journal Zone Config on FirewallD</A></LI>
<LI><A HREF="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-working_with_zones">RHEL7 firewallD Zones</A></LI>
</UL>
Direct edit of a zone file (eg /etc/firewalld/zones/public.xml) with two rich rules:
<PRE>
&lt;rule family="ipv4"&gt;
  &lt;source address="10.229.192.0/24"/&gt;
  &lt;service name="ssh"/&gt;
  &lt;accept/&gt;
&lt;/rule&gt;
&lt;rule family="ipv4"&gt;
  &lt;source address="10.229.192.0/24"/&gt;
  &lt;!-- a plain port is a port element, not to-port (that is a forward-port attribute); protocol tcp assumed here --&gt;
  &lt;port port="104" protocol="tcp"/&gt;
  &lt;accept/&gt;
&lt;/rule&gt;
</PRE>
In <TT>firewall-cmd --list-all-zones</TT> output, the clauses are mostly AND conditions for traffic to flow. <BR>
ie the IP list (sources) AND the ports. <BR>
services and ports are OR conditions, so equivalent to 22 or HTTPS for the example below. <BR>
If interfaces are listed, would they be an AND condition with the IP ranges? <BR>
eg the zone below only allows traffic to port 22 (ssh) or 443 for IPs in 10.15.x.x and 192.168.1.x <BR>
*sigh* this is why I am not a huge fan of firewalld... <BR>
<PRE>
internal (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 10.15.0.0/16 192.168.1.0/24
services: ssh
ports: 443/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
</PRE>
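As an added example (not from the original page), here is a small POSIX shell model of the AND/OR logic just described, using the internal zone listing above as its data. The mapping from a firewalld service name to its ports is a hand-written subset and an assumption, not read from firewalld's service files.

```shell
#!/bin/sh
# Added example (not from the original page): model how firewalld decides
# whether the "internal" zone listed above lets a packet through.
# Zone membership: the source must be inside one of the zone's sources (AND);
# then the packet is accepted if its port matches any listed service OR any
# listed port; otherwise it falls through to "target: default".
# The interfaces list is empty in the zone above, so it is not modelled.

ZONE_SOURCES="10.15.0.0/16 192.168.1.0/24"   # sources: from the listing above
ZONE_SERVICES="ssh"                          # services: from the listing above
ZONE_PORTS="443/tcp"                         # ports: from the listing above

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 when IP lies inside the network
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32          # a bare host address is a /32
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# service_ports NAME -> the port/proto list behind a firewalld service.
# Assumption: a hand-written subset of /usr/lib/firewalld/services/*.xml.
service_ports() {
    case "$1" in
        ssh)   echo "22/tcp" ;;
        http)  echo "80/tcp" ;;
        https) echo "443/tcp" ;;
        dns)   echo "53/tcp 53/udp" ;;
        *)     echo "" ;;
    esac
}

# zone_decision SRC_IP PROTO DPORT -> accept | fall-through | not-in-zone
zone_decision() {
    want="$3/$2"; in_zone=no
    for cidr in $ZONE_SOURCES; do
        in_cidr "$1" "$cidr" && in_zone=yes
    done
    [ "$in_zone" = yes ] || { echo not-in-zone; return 0; }
    allowed="$ZONE_PORTS"
    for svc in $ZONE_SERVICES; do
        allowed="$allowed $(service_ports "$svc")"
    done
    for p in $allowed; do
        [ "$p" = "$want" ] && { echo accept; return 0; }
    done
    echo fall-through                    # target: default takes over
}

# Demo: the cases the text above talks about.
for t in "10.15.3.4 tcp 22" "192.168.1.9 tcp 443" "10.15.3.4 tcp 80" "172.16.0.1 tcp 22"; do
    echo "$t -> $(zone_decision $t)"
done
```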
<H5>Masquerade/NAT</H5>
<PRE>
Masquerade (ie, perform NAT):
eg a simple NAT router, routing internal zone traffic with an RFC 1918 private IP range to the public zone (internet).
Just need to add masquerade to the public zone, ie perform NAT on all packets coming in and out.
firewall-cmd --add-masquerade --zone=public --permanent
DNAT = Destination NAT. Think of port forwarding.
eg expose a web server to the public world.
firewall-cmd --permanent --zone=public --add-forward-port=port=80:proto=tcp:toport=80:toaddr=192.168.199.10
</PRE>
ref:
<UL>
<LI>
<A HREF="https://myredhatcertification.wordpress.com/2015/04/26/firewalld-masquerade-forwarding-transparent-proxy/">blog</A>
</LI>
</UL>
<A ID="nftables"></A>
<H2>nftables</H2>
net filter tables
<BR><BR>
In RHEL8, iptables commands need to be translated to nftables. <BR>
ref: <A HREF="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking">RH Doc NFTables</A>
<BR><BR>
On a system with firewalld configured, <TT>systemctl status nftables</TT> can/should still be in the inactive/dead state. Config files would go to /etc/nftables.
<BR><BR>
<TT>iptables -nvL</TT> on a rhel8 machine configured with firewall-cmd will no longer show relevant info as it did on a rhel7 system.<BR>
Try <TT>nft list ruleset</TT> instead.
<PRE>
iptables-translate [iptables-chain-cmd] # generate the nft equivalent cmd (not always available)
nft list ruleset
nft list table inet firewalld # everything?
nft list table ip firewalld # ipv4 only
nft list table ip6 firewalld
</PRE>
<A ID="ufw"></A>
<A ID="gufw"></A>
<H2>ufw/gufw</H2>
Uncomplicated Firewall. <BR>
This comes std with Ubuntu (eg 14.04, 16.04). There are canned rules in place, but the firewall service is not enabled by default. <BR><BR>
UFW is one of the easiest fw UIs to use. A front end to iptables commands? <BR><BR>
gufw is a GUI front end. Comes with default profiles for Home, Office, Public, which (presumably) are progressively more stringent <BR>
gufw is reasonably easy to use, though it is a java thing, so kinda sluggish. It also generates lots of rules, so the result is not as easy to read/manage using the CLI. So, if using GUFW, stick to it.<BR>
<PRE>
sudo apt-get install gufw # the gui isn't installed by default
</PRE>
<BR>
Ref:
<A HREF="https://help.ubuntu.com/community/UFW">Ubuntu UFW page</A>
<BR><BR>
<H5>Example Barebone Config</H5>
<PRE class="code">
# reset all firewall settings. ufw auto creates backup
# seems okay to do this when ssh in, won't be dropped.
sudo ufw reset
# allow inbound ssh for select subnet, comma list NOT supported
sudo ufw allow from 192.168.188.0/24 to any port 22 proto tcp
sudo ufw allow from 172.3.0.0/16 to any port 22 proto tcp
# allow inbound ssh for the whole internet, ip v4 only
sudo ufw allow from 0.0.0.0/0 to any port 22 proto tcp
# allow specific subnet inbound access to samba (ufw app in /etc/ufw/applications.d/)
sudo ufw allow from 192.168.188.0/24 to any app samba
# allow one specific remote host full access
sudo ufw allow from 192.168.188.118 to any
sudo ufw enable
# no explicit save command needed, rules auto update to /lib/ufw/user.rules
</PRE>
<PRE>
# get an idea of what ufw wrote
# ufw has a set of pre-defined rules that it applies automagically
iptables -L | grep ACCEPT
# Note: CANNOT vi /lib/ufw/user.rules and hope to get ufw to re-read the updated rules via
# ufw reload
#
# NOT even:
# ufw disable; vi user.rules; ufw enable
#
# NOT even vi /lib/ufw/user.rules and reboot
# in general, don't edit the user.rules file.
# Not sure how to restore from the backup it makes...
</PRE>
UFW writes iptables-restore compatible text files. Fine tuning can be done by editing:
<OL>
<LI> /etc/default/ufw # high level config: default rules, drop INVALID, incoming policy, etc.</LI>
<LI> /etc/ufw/before.rules # these are very much like iptables commands, except the chain names are ufw-... ?</LI>
<LI> /etc/ufw/after.rules</LI>
<LI> /etc/ufw/sysctl.conf</LI>
<LI> /var/lib/ufw/user.rules</LI>
<LI> /lib/ufw/user.rules # link to /etc/ufw/user.rules</LI>
<LI> ...</LI>
</OL>
More details at <A HREF="https://wiki.ubuntu.com/UncomplicatedFirewall">Ubuntu UFW wiki</A> <BR>
<BR>
<H5>Simple Usage</H5>
<PRE>
sudo ufw allow http/tcp # allow port 80/tcp for IPv4 and IPv6
sudo ufw logging on
sudo ufw enable
sudo ufw status
sudo ufw status numbered
sudo service ufw status
</PRE>
<H5>Random Examples of More Complex Usage</H5>
<PRE>
sudo ufw status verbose
sudo ufw status numbered
sudo ufw show raw #
sudo ufw disable
sudo ufw --dry-run enable
sudo ufw --dry-run reload
sudo ufw reset # ??
sudo ufw app list # and: sudo ufw app info NAME # ??
sudo ufw allow 80 # assumes incoming, and allows both udp and tcp
sudo ufw allow 53/tcp # allow tcp only
sudo ufw deny 53/udp # deny rule
sudo ufw delete deny 53/udp # remove the deny rule
sudo ufw allow from 10.11.12.0/24 # allow subnet, all traffic
sudo ufw allow from 10.11.12.8 to any port 22 # inbound: let 10.11.12.8 reach port 22 on this host (any = any local address, not a protocol)
sudo ufw allow proto tcp from any to 10.11.12.8 port 22
## sudo ufw rule comment 'ssh listens on 10.11.12.8:22, allow inbound from everywhere(any)'
## the 'rule comment' form above doesn't seem to work; don't remember where I read it. the comment clause goes on the rule itself:
sudo ufw allow 53 comment 'allow DNS on 53 (tcp and udp)'
sudo ufw allow proto tcp from any to any port 80,443 comment 'http + https'
sudo ufw deny from 8.8.8.8 # explicit deny of a specific host (or subnet)
</PRE>
<H5> Numbered Rules </H5>
ufw, like iptables, has numbered rules (it is a netfilter thing)
<PRE>
sudo ufw status numbered
sudo ufw delete 1
sudo ufw insert 1 allow from 123.45.6.77
# rules can be deleted by number or prefix "delete" in front of the rule
sudo ufw allow from 192.168.188.0/24 to any port 22 proto tcp
sudo ufw delete allow from 192.168.188.0/24 to any port 22 proto tcp
</PRE>
IPSec is supported by using the 'esp' ('50') and 'ah' ('51') protocols.
<BR>
<BR>
Ref:
<A HREF="https://help.ubuntu.com/community/UFW">Ubuntu community UFW page</A> <BR>
<A ID="docker"></A>
<H1>docker</H1>
<A HREF="docker.html">Docker</A> does a lot of network stuff, and manipulates iptables directly.
<OL>
<LI>Daemon is open to everyone. To restrict access, see <A HREF="https://docs.docker.com/network/iptables/">Docker iptables doc</A> <BR>
<TT>iptables -I DOCKER-USER -i ext_if ! -s 10.0.22.0/24 -j DROP</TT>
</LI>
<LI>Docker adds lots of iptables rules to route traffic from host to container. And it does so at the <TT>PREROUTING</TT> chain, thereby bypassing most FirewallD or UFW rules</LI>
<LI>Add custom rules to the DOCKER-USER chain to regulate what flows into containers. Available with Docker 17.06 (not in the RHEL7 rpm, need to use docker-ce). </LI>
<LI> <A HREF="https://unrouted.io/2017/08/15/docker-firewall/">Unrouted</A> describes adding a custom chain <TT>FILTER</TT> and feeding both DOCKER and regular physical host traffic into it for centralized control. This could be good for single-host use; a farm of servers running docker likely needs another approach</LI>
<LI>Note that packets reaching the DOCKER-USER chain have already been NAT-ed, so rules there may need to match the IP of the container</LI>
<LI><A HREF="https://serverfault.com/questions/704643/steps-for-limiting-outside-connections-to-docker-container-with-iptables">serverfault post</A></LI>
</OL>
<A ID="router"></A>
<H1>Router</H1>
<div align="CENTER">
<A HREF="https://cloud.githubusercontent.com/assets/1711674/8742363/87fad710-2c32-11e5-8896-7adf1a4cf164.png">
<IMG SRC="fig/netfilter-traversal.png" TITLE="netfilter traversal by Martin Brown" height="100%"></A><BR>
</div>
<A ID="tables_chains_diagram"></A>
A network router almost always has a firewall running these days. <BR>
For dedicated network-edge firewalls such as Check Point and Pix, see
<A HREF="net.html#firewall">net.html#firewall</A> <BR>
This section covers the use of IPTables on linux to make a "home-made" firewall/router. <BR>
Shorewall may be the way to go for such a project, but NAT rules using <TT>iptables</TT> commands are provided below.
<A ID="shorewall"></A>
<H2>Shorewall</H2>
Shoreline Firewall.
It is a front end for the kernel-level netfilter, replacing the command line iptables (can it produce an iptables config file?). <BR>
Kinda complicated; not sure if it makes things any easier than "iptables" commands for a simple config.
For building a firewall appliance, though, it would be the way to go.
eg. <A HREF="http://www.shorewall.net/samba.htm">Firewall with Samba exception</A>
<BR>
<BR>
<A HREF="http://www.shorewall.net/Introduction.html">Shorewall Intro</A>, explaining zones, interface/ip tuples, etc., which is essential to understanding shorewall. It is not anything like the iptables command.
<A ID="nat_router"></A>
<A ID="router_nat"></A>
<H2>Router with NAT using IPTables</H2>
To make a linux box act as a router using iptables NAT (eg an HPC head node routing for compute nodes): <BR>
First enable kernel IP forwarding: <BR>
vi /etc/sysctl.conf <BR>
net.ipv4.ip_forward=1 <BR>
Then update iptables. <BR>
eg (ref: https://www.revsys.com/writings/quicktips/nat.html ): <BR>
<PRE>
# enp1s0f0 = private internal network, inbound traffic to be forwarded
# eno1 = public network, outbound traffic
# remove any drop forward rules in /etc/sysconfig/iptables first,
# otherwise the appended ACCEPT rules below would sit behind them
systemctl restart iptables
iptables-save > iptables.save.beforeNat
iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
iptables -A FORWARD -i eno1 -o enp1s0f0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp1s0f0 -o eno1 -j ACCEPT
iptables-save > iptables.save.afterNat
cp iptables.save.afterNat /etc/sysconfig/iptables # save for next reboot
# or update /etc/sysconfig/iptables-config and have it save changes on stop or restart...
# i don't like that method.
</PRE>
eg as a direct edit to /etc/sysconfig/iptables. <BR>
The numbers in brackets such as :PREROUTING ACCEPT [1204:124820] can be ignored; <BR>
they are packet/byte counters (state info), not rules. <BR>
Some packets may get dropped during a restart... ? <BR>
but it works :) <BR>
<PRE class="cf">
## /etc/sysconfig/iptables direct edit so that it survives reboot ##
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eno1 -j MASQUERADE
COMMIT
####
#### Regular firewall settings except for some forward rule at the end
####
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -m comment --comment "ALLOW ssh for internal network" -j ACCEPT
# add more rules here as desired
####
#### default to drop/reject packet.
####
-A INPUT -j REJECT --reject-with icmp-host-prohibited
####
#### Headnode does packet forward ie NAT router
####
##-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eno1 -o enp1s0f0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp1s0f0 -o eno1 -j ACCEPT
COMMIT
</PRE>
<A ID="nat"></A>
<A ID="nat_iptables"></A>
<H2>NAT with IPTables</H2>
<div align="CENTER">
<A HREF="https://cloud.githubusercontent.com/assets/1711674/8742356/87e025d2-2c32-11e5-8d62-50f9baf4bc81.gif"><IMG SRC="fig/iptables-diagram-simple.gif" TITLE="simple firewall flow diagram from github"></A><BR>
</div>
<!-- see also CF_BK/perceus-00/nat.txt -->
This is a condensed version of the NAT tutorial by
<A HREF="https://www.karlrupp.net/en/computer/nat_tutorial">karlrupp</A>
<PRE>
IN /------------\ /---------\ fwd pkt /-------------\ OUT
------>| PREROUTING |---->| ROUTING |----------->| POSTROUTING |-------->
\------------/ \---------/ \-------------/
# Abstract structure of an iptables instruction:
iptables [-t table] command [match pattern] [action]
# default is "-t filter"
</PRE>
<H5>Prep</H5>
<PRE>
# IMPORTANT: Activate IP-forwarding in the kernel!
# Disabled by default!
$ echo "1" > /proc/sys/net/ipv4/ip_forward   # immediate, not persistent
vi /etc/sysctl.conf
net.ipv4.ip_forward=1                        # persistent across reboot
sysctl -p /etc/sysctl.conf # reread conf file and activate changes
sysctl -w net.ipv4.ip_forward=1 # same effect as the echo above: immediate, not persistent
# Load various modules. Usually they are already loaded
# (especially for newer kernels), in that case
# the following commands are not needed.
# Load iptables module:
$ modprobe ip_tables
# activate connection tracking
# (connection's status is taken into account)
$ modprobe ip_conntrack    # the module is called nf_conntrack on current kernels
</PRE>
<H5>Outbound </H5>
Connect a LAN to the internet (ie, outbound traffic). <BR>
eg1:
<PRE>
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
</PRE>
<H5>Inbound </H5>
Running a server behind a NAT-router:
for servers running behind a NAT-router additional steps are needed, since at first you cannot connect from outside to the server. <BR>
Let us assume that we have an HTTP server with IP 192.168.1.2 and
our router has the IP address 192.168.1.1 (eth0) and is connected to the internet over its second network interface with IP 123.123.123.123 (eth1). <BR>
DNAT = Destination NAT. <BR>
To reach the HTTP server from outside, type
<PRE>
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to 192.168.1.2
</PRE>
<H5>Multihosts Inbound NAT</H5>
<PRE>
# ref http://linux-ip.net/html/nat-dnat.html
# eth1 is internet connection on the router
# inbound nat all ports
iptables -t nat -A PREROUTING -i eth1 -d 13.24.231.10 -j DNAT --to-destination 172.0.2.8
# inbound nat for RR 12.83.7.15[1-3] (ssh only, not sure if safe)
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 12.83.7.151 --dport 22 -j DNAT --to-destination 172.0.2.0
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 12.83.7.152 --dport 22 -j DNAT --to-destination 172.0.2.1
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 12.83.7.153 --dport 22 -j DNAT --to-destination 172.0.2.2
</PRE>
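As an added example (not from the revsys, karlrupp or linux-ip tutorials, nor the page's own config), the "Router with NAT using IPTables" file and the inbound DNAT rules above combined into one generator: it writes a complete iptables-save style file with MASQUERADE for the LAN, a DNAT rule per published service, and the FORWARD accept that each DNAT needs when the FORWARD policy is DROP (the DNAT rule alone only rewrites the destination; the packet is still dropped in FORWARD without it). A checker then verifies those pieces before the file is loaded. The function names, the "proto:ext_port:inner_ip:inner_port" forward format and the eth0/eth1/192.168.1.0/24 sample values are this example's own assumptions.

```shell
#!/bin/sh
# Added example: generate and sanity-check an iptables-restore file for a NAT router.
# Assumed names: nat_router_rules, parse_fwd, check_nat_rules and the forward spec
# format "proto:ext_port:inner_ip:inner_port" are this example's own.

# nat_router_rules EXT_IF INT_IF INT_NET [proto:ext_port:inner_ip:inner_port ...]
# Writes the ruleset to stdout; review it, then load it with "iptables-restore < file".
nat_router_rules() {
    ext_if=$1; int_if=$2; int_net=$3; shift 3
    [ -n "$int_net" ] || { echo "usage: nat_router_rules EXT_IF INT_IF INT_NET [FWD...]" >&2; return 2; }
    for fwd in "$@"; do
        case "$fwd" in
            tcp:*:*:*|udp:*:*:*) ;;
            *) echo "bad forward spec: $fwd" >&2; return 1 ;;
        esac
    done
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':INPUT ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    for fwd in "$@"; do
        parse_fwd "$fwd"
        # Rewrite the destination of inbound connections to the inside host.
        echo "-A PREROUTING -i $ext_if -p $proto --dport $eport -j DNAT --to-destination $iip:$iport"
    done
    # Hide the internal network behind the router's external address.
    echo "-A POSTROUTING -s $int_net -o $ext_if -j MASQUERADE"
    echo 'COMMIT'
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -i $int_if -s $int_net -p tcp --dport 22 -j ACCEPT"
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    # Replies to connections already allowed through, in either direction.
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Inside hosts may originate connections to the outside.
    echo "-A FORWARD -i $int_if -o $ext_if -s $int_net -j ACCEPT"
    # FORWARD sees the packet after DNAT, so match on the inside address/port.
    for fwd in "$@"; do
        parse_fwd "$fwd"
        echo "-A FORWARD -i $ext_if -o $int_if -p $proto -d $iip --dport $iport -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Split "proto:ext_port:inner_ip:inner_port" into proto, eport, iip, iport.
parse_fwd() {
    proto=${1%%:*}; rest=${1#*:}
    eport=${rest%%:*}; rest=${rest#*:}
    iip=${rest%%:*}; iport=${rest#*:}
}

# check_nat_rules FILE: return 0 when the file has the pieces a NAT router
# needs, 1 (with a message on stderr) otherwise.
check_nat_rules() {
    f=$1
    grep -q '^\*nat$' "$f"                     || { echo "no nat table" >&2; return 1; }
    grep -q -- '-j MASQUERADE' "$f"            || { echo "no MASQUERADE rule" >&2; return 1; }
    grep -q '^:FORWARD DROP' "$f"              || { echo "FORWARD policy is not DROP" >&2; return 1; }
    grep -q -- '-A FORWARD .*ESTABLISHED' "$f" || { echo "no FORWARD conntrack rule" >&2; return 1; }
    # Every DNAT target must have a matching FORWARD accept, or the service is unreachable.
    grep -- '-j DNAT --to-destination' "$f" | while read -r line; do
        dest=${line##*--to-destination }
        ip=${dest%%:*}; port=${dest#*:}
        grep -q -- "-A FORWARD .* -d $ip --dport $port .*-j ACCEPT" "$f" \
            || { echo "DNAT to $dest has no FORWARD accept" >&2; exit 1; }
    done || return 1
    [ "$(grep -c '^COMMIT$' "$f")" -eq 2 ]     || { echo "expected two COMMIT lines" >&2; return 1; }
    return 0
}

# Demo with constructed values: eth0 faces the internet, eth1 the 192.168.1.0/24
# LAN, and the web server 192.168.1.2 is published on port 80.
nat_router_rules eth0 eth1 192.168.1.0/24 tcp:80:192.168.1.2:80
```

On RHEL-style systems the generated file can be written straight to /etc/sysconfig/iptables as in the section above; run check_nat_rules on it first, then let iptables-restore parse it with its --test option before committing, since the checker only looks for the rules this design requires and does not validate syntax.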
<!-- -------------------------------------------------------------------------------------------- -->
<!-- -------------------------------------------------------------------------------------------- -->
<A ID="mac"></A>
<A ID="bsd"></A>
<H1>Firewall on Mac/BSD</H1>
Mac 10.5 defaults to a port of OpenBSD's PF. <BR>
The older IPFW cli tool from FreeBSD dates from the 10.2 days. <BR>
See <A HREF="apple.html#firewall">apple.html#firewall</A>
<BR>
<!-- #################################################################### -->
<!-- #################################################################### -->
<!-- #################################################################### -->
<!-- test area
<EM>This is EM text</EM><BR>
<STRONG>This is STRONG text</STRONG><BR>
<BR>
<font face=monospace>
someple text here
line with tab indent more tab yet more tab.
</font>
<BR>
<TT>
Typewriter monospaced fonts in here.
This is another line.