    Linux Iptables Firewall Automation

    Category: IT Discussion
    Tags: firewall, iptables, linux
    • scottalanmillerS
      scottalanmiller @travisdh1
      last edited by

      @travisdh1 said in Linux Iptables Firewall Automation:

      @coliver said in Linux Iptables Firewall Automation:

      @dafyre said in Linux Iptables Firewall Automation:

      I'm not really that familiar with IPtables ... but I've been toying with it more and more... I just wish it were easier.

      The syntax takes a long time for me to wrap my head around. Whereas with FirewallD it was pretty easy to do. I still think iptables is easier to manage though, especially when you can pull the files from one server to the next and it replicates the settings.

      I think me and @scottalanmiller are still struggling to learn how to use firewall-cmd rather than editing /etc/sysconfig/iptables. So far I haven't had to do any fancy things with multiple zones or anything like that. I'm afraid the new system will make doing things easier to do things with it you're best leaving off to a real layer-3 router.

      I can get it to work, but commands instead of just editing the config file.... how barbaric. That's way too wanna be PowerShell cmdlet for me.

      • scottalanmillerS
        scottalanmiller
        last edited by

        Even the VyOS firewall I edit by hand!

        • travisdh1T
          travisdh1 @scottalanmiller
          last edited by

          @scottalanmiller said in Linux Iptables Firewall Automation:

          Even the VyOS firewall I edit by hand!

          It's just that much easier. No hassle to fix something if you screw it up (copy the .bak you made before starting), normally all the examples you could possibly want right by what you're working on. Should I go on?

          • JulianJulianJ
            JulianJulian
            last edited by

            Having a firewall manager to automate policies can save you a lot of time and nerves. When it comes to automation tools, the spectrum can be fairly wide, but having a firewall manager is always a good idea.
            I’m using Elastic Firewall https://www.efw.io/firewall/manager …worked like a breeze so far!

            • dafyreD
              dafyre
              last edited by

              I think somebody mentioned this already... but why not use a GitLab repo and set up a cron job to pull down the file every xx minutes.

              • scottalanmillerS
                scottalanmiller @JulianJulian
                last edited by

                @JulianJulian have not seen that before, thanks.

                • JaredBuschJ
                  JaredBusch @dafyre
                  last edited by

                  @dafyre said in Linux Iptables Firewall Automation:

                  I think somebody mentioned this already... but why not use a GitLab repo and set up a cron job to pull down the file every xx minutes.

                  The discussion moved on to firewalld, which is different than iptables.

                  • dafyreD
                    dafyre @JaredBusch
                    last edited by

                    @JaredBusch As usual, I'm behind the times, ha ha.

                    • R
                      RobLewisss @JulianJulian
                      last edited by

                      @JulianJulian Thanks mate! I just downloaded the agent. I'll let you guys know how it works.

                      • scottalanmillerS
                        scottalanmiller @RobLewisss
                        last edited by

                        @RobLewisss said in Linux Iptables Firewall Automation:

                        @JulianJulian Thanks mate! I just downloaded the agent. I'll let you guys know how it works.

                        Cool, thanks.

                        • N
                          neagu1978 @dafyre
                          last edited by

                          @dafyre

                          Hi,
                          It may be easier using a tool such as www.efw.io; it is user-friendly and easy to understand.

                          • stacksofplatesS
                            stacksofplates @coliver
                            last edited by stacksofplates

                            @coliver said in Linux Iptables Firewall Automation:

                            @travisdh1 said in Linux Iptables Firewall Automation:

                            @coliver said in Linux Iptables Firewall Automation:

                            @dafyre said in Linux Iptables Firewall Automation:

                            I'm not really that familiar with IPtables ... but I've been toying with it more and more... I just wish it were easier.

                            The syntax takes a long time for me to wrap my head around. Whereas with FirewallD it was pretty easy to do. I still think iptables is easier to manage though, especially when you can pull the files from one server to the next and it replicates the settings.

                            I think me and @scottalanmiller are still struggling to learn how to use firewall-cmd rather than editing /etc/sysconfig/iptables. So far I haven't had to do any fancy things with multiple zones or anything like that. I'm afraid the new system will make doing things easier to do things with it you're best leaving off to a real layer-3 router.

                            You can do zones with FirewallD pretty easily. When typing in your command just use --zone=zone to tell it what zone to work with.

                            And separate zones on different interfaces is super easy:

                                firewall-cmd --zone=trusted --change-interface=eth1

                            Can't get much easier than that.

                            And the zones are permanently set in the ifcfg file under /etc/sysconfig/network-scripts

                            • stacksofplatesS
                              stacksofplates @travisdh1
                              last edited by

                              @travisdh1 said in Linux Iptables Firewall Automation:

                              @wirestyle22 said in Linux Iptables Firewall Automation:

                              @scottalanmiller said in Linux Iptables Firewall Automation:

                              @wirestyle22 said in Linux Iptables Firewall Automation:

                              @scottalanmiller said in Linux Iptables Firewall Automation:

                              @coliver said in Linux Iptables Firewall Automation:

                              @travisdh1 said in Linux Iptables Firewall Automation:

                              @scottalanmiller Do you remember what file(s) firewalld uses for its config off the top of your head yet? I'm drawing a blank.

                              Cloning iptables rules was/is so easy, just copy the /etc/sysconfig/iptables file to the new host.

                              Firewall-cmd I think.

                              That's the command, but where is the text file it is altering?

                              /etc/sysconfig/iptables right?

                              That's the one we were saying was so easy, the IPTables one. What one is FirewallD using, though?

                              /usr/lib/firewalld/ or /etc/firewalld are the only things I know of. 😞

                              Found my current config in /etc/firewalld/zones/public.xml. If you have any sort of complex firewall, you'd need to move the entirety of /etc/firewalld 😞

                              You should only need to move the .xml files in /etc/firewalld/zones and /etc/firewalld/services (if you have any custom services).

                              • stacksofplatesS
                                stacksofplates @scottalanmiller
                                last edited by

                                @scottalanmiller said in Linux Iptables Firewall Automation:

                                but commands instead of just editing the config file.... how barbaric

                                iptables has commands also? Who's going to each system and typing this in anyway? Use Ansible to push the xml configs or their firewalld module.

                                • stacksofplatesS
                                  stacksofplates
                                  last edited by stacksofplates

                                  <?xml version="1.0" encoding="utf-8"?>
                                  <zone>
                                    <short>Public</short>
                                    <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
                                    <service name="ssh"/>
                                    <service name="dhcpv6-client"/>
                                    <service name="cockpit"/>
                                    <port protocol="tcp" port="4000"/>
                                    <port protocol="udp" port="4000"/>
                                  </zone>
                                  

                                  That's the default zone on my laptop. That's just as easy as /etc/sysconfig/iptables-config or /etc/sysconfig/system-config-firewall

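                                  Since the point of the thread is that the zone XML under /etc/firewalld/zones is what gets copied or pushed between hosts, here is an added example (not from the thread or from the firewalld project) of the check an automation job would run before or after a push: it compares a host's public.xml against the golden copy kept in the repo and reports what was opened, what was removed, and whether elements that widen exposure (masquerade, forward-port, rich rules, source or interface bindings) appeared. The golden XML is the public.xml quoted above with its description element omitted; the host copy is constructed for the example.

```python
import xml.etree.ElementTree as ET
# Golden copy: the public.xml quoted in the thread (description element omitted).
GOLDEN_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <port protocol="tcp" port="4000"/>
  <port protocol="udp" port="4000"/>
</zone>"""

# Constructed host copy: telnet and 8080/tcp opened, cockpit dropped, masquerade added.
HOST_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="telnet"/>
  <port protocol="tcp" port="4000"/>
  <port protocol="udp" port="4000"/>
  <port protocol="tcp" port="8080"/>
  <masquerade/>
</zone>"""

# Zone elements that widen exposure beyond plain service/port opens.
WIDENING_TAGS = {"masquerade", "forward-port", "rule", "source", "interface"}

def parse_zone(xml_text):
    """Return the zone's opened services, ports and exposure-widening elements."""
    root = ET.fromstring(xml_text)
    return {
        "services": {s.get("name") for s in root.findall("service")},
        "ports": {(p.get("protocol"), p.get("port")) for p in root.findall("port")},
        "widening": {c.tag for c in root if c.tag in WIDENING_TAGS},
    }

def zone_drift(golden_xml, host_xml):
    """Host-vs-golden differences; every set is empty when the host is in sync."""
    g, h = parse_zone(golden_xml), parse_zone(host_xml)
    return {
        "services_added": h["services"] - g["services"],
        "services_removed": g["services"] - h["services"],
        "ports_added": h["ports"] - g["ports"],
        "ports_removed": g["ports"] - h["ports"],
        "widening_added": h["widening"] - g["widening"],
    }

def in_sync(golden_xml, host_xml):
    return not any(zone_drift(golden_xml, host_xml).values())
```

                                  In practice the golden string comes from the repo checkout and the host string from /etc/firewalld/zones/public.xml; a non-empty result is the signal to alert rather than overwrite silently.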
                                  • travisdh1T
                                    travisdh1 @stacksofplates
                                    last edited by

                                    @stacksofplates said in Linux Iptables Firewall Automation:

                                    <?xml version="1.0" encoding="utf-8"?>
                                    <zone>
                                      <short>Public</short>
                                      <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
                                      <service name="ssh"/>
                                      <service name="dhcpv6-client"/>
                                      <service name="cockpit"/>
                                      <port protocol="tcp" port="4000"/>
                                      <port protocol="udp" port="4000"/>
                                    </zone>
                                    

                                    That's the default zone on my laptop. That's just as easy as /etc/sysconfig/iptables-config or /etc/sysconfig/system-config-firewall

                                    All right, now we're getting somewhere. /etc/sysconfig/system-config-firewall now just have to remember service names.

                                    • stacksofplatesS
                                      stacksofplates @travisdh1
                                      last edited by

                                      @travisdh1 said in Linux Iptables Firewall Automation:

                                      @stacksofplates said in Linux Iptables Firewall Automation:

                                      <?xml version="1.0" encoding="utf-8"?>
                                      <zone>
                                        <short>Public</short>
                                        <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
                                        <service name="ssh"/>
                                        <service name="dhcpv6-client"/>
                                        <service name="cockpit"/>
                                        <port protocol="tcp" port="4000"/>
                                        <port protocol="udp" port="4000"/>
                                      </zone>
                                      

                                      That's the default zone on my laptop. That's just as easy as /etc/sysconfig/iptables-config or /etc/sysconfig/system-config-firewall

                                      All right, now we're getting somewhere. /etc/sysconfig/system-config-firewall now just have to remember service names.

                                      That's for RHEL 6. The XML was from /etc/firewalld/zones/public.xml

                                      • stacksofplatesS
                                        stacksofplates
                                        last edited by

                                        For a list of all available services just use firewall-cmd --get-services. Here's my output:

                                        RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon cockpit dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
                                        
                                        • prcssupportP
                                          prcssupport @RobLewisss
                                          last edited by

                                          @RobLewisss said in Linux Iptables Firewall Automation:

                                          @JulianJulian Thanks mate! I just downloaded the agent. I'll let you guys know how it works.

                                          I also downloaded the agent to one of my Linux systems. It was very quick and simple.

                                          The cloud interface picked up the installed agent immediately and I was able to manage it right there.

                                          There are different groups that you can place each agent for different rules.

                                          Definitely worth testing. Up to 5 servers for free!
