Centos7 - Restore firewalld, disable iptables, confirm security

I didn't have time to spend on firewalld when I first installed a new centos7, and on the additional machines I've installed since then I have disabled firewalld and replaced it with iptables.

For example, one of the commands in disabling firewalld was 'systemctl mask firewalld' and I can't find anything relating to how to undo this, if needed.

Since then, I have tried learning firewalld, just enough to be able to set it up then follow the examples but it is dauntingly frustrating because things don't work as expected when new to it.

I need to convert some iptables rules to firewalld and I need to disable iptables, then confirm that my settings are secure. Note that I always disable selinux also as I've never learned it and am usually behind firewalls. In the case of these new servers, they are in data centers directly onto the internet.

Rules I need to convert are as follows:

# a fair number of DROPs. I only need one example which I can follow from then on of each.
-A INPUT -s 142.56.72.43/32 -j DROP
-A INPUT -s 146.0.74.0/24 -j DROP

# Public IPs for normal services
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# Public IPs I need to allow to various ports
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport xxxx -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport xxxx -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport xxxx -j ACCEPT (ssh access)

Soon, I also need to set up a KVM host on one of the servers but I think once I get the handle on this, I can at least back up the xml then do some testing.
projectsAsked:

Zephyr ICTCloud ArchitectCommented:
To enable firewalld again it's simply doing "systemctl unmask firewalld" and starting it again "systemctl start firewalld"

Now, do you have multiple nics on your system? It might be important to divide the different nics into different firewalld zones.

Firewalld has different zones, the public zone is usually the default one (unless it's changed), you can find out the default zone with:

firewall-cmd --get-default-zone

To find out what other zones there are:

firewall-cmd --get-zones

To permanently set an interface to a zone:

firewall-cmd --permanent --zone=public --change-interface=eth0

Since your server seems to host a website the public zone would be a good choice...

But before I continue, if you are planning to use KVM in the future, you have to disable firewalld and enable/use iptables instead because for KVM networkmanager needs to be disabled and firewalld relies on networkmanager. So it might not be worth it?

To add services to firewalld:

firewall-cmd --permanent --zone=public --add-service=http

Or by port:

firewall-cmd --permanent --zone=public --add-port=443/tcp

To drop ip-addresses:

firewall-cmd --permanent --zone="public" --add-rich-rule='rule family="ipv4" source address="142.56.72.43/32" drop'

To allow from certain ip-address and certain port:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="195.200.30.40/32" port port="4000" protocol="tcp" accept'

I think this should get you started ... If you have specific questions don't hesitate to ask.
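As an added example (not part of Zephyr's answer or of firewalld itself), this POSIX sh script maps the three rule shapes from the question onto the firewall-cmd forms given above, for the public zone; the 198.51.100.7/32 address and port 2222 are constructed placeholders for the x.x.x.x/xxxx entries, and it only prints the commands for review.

```shell
#!/bin/sh
# Translate iptables INPUT rules of the shapes in the question into firewall-cmd
# commands for the public zone. Assumes tcp; prints commands, runs nothing.

# Usage: iptables_to_firewalld '<one iptables rule line>'
# Prints the matching firewall-cmd command, or returns 1 for an unknown shape.
iptables_to_firewalld() {
    rule=$1
    src='' port='' target=''
    set -- $rule                      # split the rule into its tokens
    while [ $# -gt 0 ]; do
        case $1 in
            -s)      src=$2;    shift ;;
            --dport) port=$2;   shift ;;
            -j)      target=$2; shift ;;
        esac
        shift
    done
    base="firewall-cmd --permanent --zone=public"
    case "$target:$src:$port" in
        DROP:?*:)        # drop everything from one source address/network
            echo "$base --add-rich-rule='rule family=\"ipv4\" source address=\"$src\" drop'" ;;
        ACCEPT::?*)      # public service port, open to everyone
            echo "$base --add-port=$port/tcp" ;;
        ACCEPT:?*:?*)    # port reachable only from one source (e.g. admin ssh)
            echo "$base --add-rich-rule='rule family=\"ipv4\" source address=\"$src\" port port=\"$port\" protocol=\"tcp\" accept'" ;;
        *)
            echo "unrecognised rule: $rule" >&2
            return 1 ;;
    esac
}

# Constructed sample input: one rule of each shape from the question.
RULES='-A INPUT -s 142.56.72.43/32 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT'

# Convert every sample rule; stops with status 1 on the first unknown shape.
convert_all() {
    printf '%s\n' "$RULES" | while IFS= read -r line; do
        iptables_to_firewalld "$line" || return 1
    done
}

convert_all
```

After running the printed commands, `firewall-cmd --reload` activates them and `firewall-cmd --zone=public --list-all` shows the result.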
projectsAuthor Commented:
I had re-enabled firewalld after I posted this. However, I am not sure how well it is set up or how secure it is.

Problem is, I have found all of these things on the net, including your descriptions, but it does not explain the steps I need to set up and secure this server. I've followed many articles and found tons to read but it all makes no sense because I am not going to be working at becoming a firewall expert; I just need enough knowledge to secure the server until someone else can take over.

I have always used iptables and centos7 is making everything so much more difficult now.

So,

Yes, public is the default zone.

The zones are all the defaults which install with centos7.
block dmz drop external home internal public trusted work

The machine has two interfaces, one used on the LAN side, one used on the WAN side.

enp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500 (DHCP client)
enp5s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500 (Public IP, main interface)
enp5s0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500 (Alias for another public IP)
enp5s0:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500 (Alias for another public IP)
enp5s0:3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500 (Alias for another public IP)
enp5s0:4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500 (Alias for another public IP)

>But before I continue, if you are planning to use KVM in the future, you have to disable firewalld and
>enable/use iptables instead because for KVM networkmanager needs to be disabled and firewalld
>relies on networkmanager. So it might not be worth it?

What might not be worth it? I need to use this server to host vms, that is the plan.
Actually, it would be nice if it can host some web sites directly AND host some vms.

I have found information on the net which talks about disabling firewalld but there are also warnings that iptables will become obsolete at some point so why would I want to set this up using iptables?

Yes, networkmanager is indeed disabled.
projectsAuthor Commented:
At the moment, there is no active zone but public is the default.

The only rules I have are;

public (default)
  interfaces:
  sources:
  services: dhcpv6-client http https
  ports: xx/tcp (custom ssh port - seems redundant to the other rule. Tried removing but broke things)
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="x.x.x.x/24" service name="ssh" accept (this has the same port as above)
        rule family="ipv4" source address="x.x.x.x/24" port port="10000" protocol="tcp" accept (this is to test webmin)

I added these rules from the command line but since I'm not yet sure what I'm doing, various things don't go as planned.
For example, saving, making them permanent, and weirder, why some of them show up in other zones when I didn't create them there.

When I nmap the server, I see only the 80/443 ports which is good at least.
Zephyr ICTCloud ArchitectCommented:
If you have 2 interfaces you should put the interface used for Internet side in the public zone and the other interface in one of the other zones like internal for example.

The public zone will accept only the ports allowed specifically and drop the rest, the internal zone will only allow private network traffic, so there is already some basic security enabled.

I'm not sure how this relates to the alias/virtual nics, you'll need to check if they default to the public zone, which they probably will.

My comment about it not being worth it referred to enabling firewalld when you are going to use KVM on this server, because KVM does not work well with firewalld, so to speak... That's what I meant.

By the way, there's also interesting info in the man pages, like "man firewalld.zone" to get more info on the zone feature, or "man firewalld.zones" to get info about the zones specifically.
projectsAuthor Commented:
I made some changes but still haven't made anything permanent or default.

public (default, active)
  interfaces: enp1s0f0 enp1s0f1
  sources:
  services: dhcpv6-client http https
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="x.x.x.x/24" port port="10000" protocol="tcp" accept
        rule family="ipv4" source address="x.x.x.x/24" port port="xxxx" protocol="tcp" accept
        rule family="ipv4" source address="x.x.x.x/24" port port="xxxx" protocol="tcp" accept
        rule family="ipv4" source address="x.x.x.x/24" port port="xxxx" protocol="tcp" accept

From another machine, I can only see port 80 and 443.
From the network I've allowed, I can see all of the ports.

I think I'm on the right track but need it confirmed and more importantly, need it to become my life/rebootable setup.

I posted this last night but forgot to hit Submit. I'd like to use firewalld for everything, including KVM since iptables will be done away with at some point. I need to start using it if it is now the standard.
Zephyr ICTCloud ArchitectCommented:
That part you posted seems to be ok ... To make it permanent, just add --permanent to the rules you've used.

For me one of the better resources on the Internet regarding firewalld is the one from Fedora.
projectsAuthor Commented:
You mean re-create them all over again, this time adding --permanent?
Can I just edit the xml? And if I do, how do I load my changes then? And if I want those permanent?

Also, once entered, I've read lots of things which are confusing.
Save, reload, etc, to make them live while testing I guess?

I assume adding --permanent means the rules will survive a reboot?
Zephyr ICTCloud ArchitectCommented:
All the changes you make are being written into the iptables as well, so that might also be a way to save the config for starters

The xml configs located at /usr/lib/firewalld/zones/ can be configured directly, do not directly configure the ones in /usr/lib/firewalld/zones/, those are the default ones and should not be changed.
 
>I assume adding --permanent means the rules will survive a reboot?
Yes, that is correct.

When you add the rules they are in the config, but they only become active after reloading the firewall.
projectsAuthor Commented:
I've been editing the xml file in /etc/firewall which is what I read. That seems to work. Are you saying I should edit the ones in /usr/lib/firewalld/ instead?

Also, when manually editing, how can I use the permanent option? I don't see one in the file so assuming it cannot be done that way.
projectsAuthor Commented:
Also, are UDP ports allowed or denied by default? If I want to allow some UDP ports, do I have to create a rule for them?
Zephyr ICTCloud ArchitectCommented:
>I've been editing the xml file in /etc/firewall which is what I read

Yeah, that's the one I was referring to, copy/paste mistake in my post there; you can directly edit the files in /etc/firewalld/services or /etc/firewalld/zones. Normally if you put your info in these xml files they should be permanent; it's like adding your eth0 to a zone, for instance if you type "firewall-cmd --permanent --zone=work --change-interface=eth0" the zone file work is created, making this file permanent.

>Also, are UDP ports allowed or denied by default? If I want to allow some UDP ports, do I have to create a rule for them?

Some might be depending on the zone, but you should treat UDP ports the same as TCP ports and add them when needed.
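Added example, not from the thread: a POSIX sh script that renders the author's earlier `--list-all` listing (interfaces, services, source-restricted rich rules) as the permanent zone file firewalld reads from /etc/firewalld/zones/public.xml on reload and at boot. The interface names come from the author's listing; 192.0.2.0/24 and the ports 10000 and 2222 are constructed placeholders for the x.x.x.x/24 network and the custom ssh port.

```shell
#!/bin/sh
# Render the public zone as firewalld's zone XML format (see "man firewalld.zone").
# Values below are constructed placeholders standing in for the thread's x.x.x.x entries.
IFACES="enp1s0f0 enp1s0f1"
SERVICES="dhcpv6-client http https"     # world-reachable services, as in the listing
ADMIN_NET="192.0.2.0/24"                # network allowed to reach the admin ports
ADMIN_PORTS="10000 2222"                # webmin and the custom ssh port (placeholders)

# Print the zone file to stdout; nothing is written to /etc by this function.
render_public_zone() {
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n'
    printf '  <short>Public</short>\n'
    for i in $IFACES;   do printf '  <interface name="%s"/>\n' "$i"; done
    for s in $SERVICES; do printf '  <service name="%s"/>\n' "$s"; done
    # One rich rule per admin port: accepted only when the source is ADMIN_NET.
    for p in $ADMIN_PORTS; do
        printf '  <rule family="ipv4">\n'
        printf '    <source address="%s"/>\n' "$ADMIN_NET"
        printf '    <port protocol="tcp" port="%s"/>\n' "$p"
        printf '    <accept/>\n'
        printf '  </rule>\n'
    done
    printf '</zone>\n'
}

# Number of entries open to every source (top-level <service>/<port>, i.e. not
# inside a rich rule). A quick check that only the intended ports face the world.
count_open_to_all() {
    render_public_zone | grep -c -E '^  <(service|port) '
}

render_public_zone
echo "entries open to all sources: $(count_open_to_all)" >&2

# To apply on the server (as root), then compare runtime and permanent config:
#   render_public_zone > /etc/firewalld/zones/public.xml
#   firewall-cmd --reload
#   firewall-cmd --zone=public --list-all
#   firewall-cmd --permanent --zone=public --list-all
```

The two `--list-all` outputs should match after the reload; a rule that appears in the first but not the second was added at runtime without `--permanent` and will not survive a reboot.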
projectsAuthor Commented:
Yes, I had to add the UDP ports otherwise, they were blocked.

I also logged into the machine yesterday only to find all of the rules had been deleted. None were left in the .xml file either. No one else has access to the box so I am not sure what happened as nothing seems to explain it.

I ended up rebuilding the rules.

Also, after I edit the .xml file, I usually run the reload command to save it. Is that how it's done?
Zephyr ICTCloud ArchitectCommented:
The only reason I can think of is either the xml-file is not in the correct folder or you might have forgotten to save the file before closing it?? I've tried to reproduce it on my system but can't seem to get it to lose the settings.

The reload command is more for making the rules you've entered get active.
projectsAuthor Commented:
Guess I must have messed something up then. Thanks very much for all the help.
Zephyr ICTCloud ArchitectCommented:
No problem! Thanks!