The other day, I wrote an article "Allow ssh only for specific IP addresses with firewalld" (https://qiita.com/kimisyo/items/553d8879808834077fb1), but using the option -add-rich-rule Correspondence by the special rule of Gorigori was caught. Firewalld is a relatively new library that succeeds iptables, and there should be a more sophisticated and better way to do it.
As a result of various investigations there, there was. Its name is ** multi-zone ** function. By using this function, I found that it can be set quite flexibly and efficiently, so I would like to share what I investigated this time.
First, let's review what Firewalld is good for. According to reference , the advantages of Firewall over iptables are:
--Rules such as deny and allow can be defined for each zone defined by the source IP and network interface. --Syntax simplification because you can specify the name of the service instead of the port or protocol --You don't have to worry about the order of statements like iptables. --The reload function allows you to change settings interactively, such as temporarily changing them.
Indeed, it seems important to make good use of ** zones **. By the way, my last article forced a rule to be added to the public zone.
Next, let's look at zones. Again, reference  shows that ** Intarface ** and ** Source ** are important concepts in understanding zones.
Interface --Intaface is the system name for hardware and virtual network adapters. --All active Intafaces are assigned to either the default zone or the user-specified zone. --Intaface cannot be assigned to multiple zones **. --By default, firewalld associates all Interfaces with public zones and does not set Source in any zone. As a result, the public zone is ** the only ** active zone.
--Source is the source IP address range, which can also be assigned to a zone. --Source cannot be assigned to multiple zones **. This is because once this is done, it is not possible to know which rule should be applied to that Source. --There is not always a zone with a Source that matches a Source. In that case, it is processed according to some priority, but details will be described later.
I haven't explained the zone itself, but did you understand it somehow?
Multi-Zone is a term used in reference , but in short, it is good to use ** multiple active zones ** instead of just one zone. ** Think of it as a way to set rules.
Often taken care of, according to reference , the rules for applying Firewalld in the case of multi-zone are roughly as follows. (Note) It's written quite a bit, so if you want to understand it exactly, see Reference  or the Firewalld manual.
--The active zone has different roles depending on whether it is a zone associated with Intaface or a zone associated with Source. However, it is possible to play both roles. --Firewalld processes packets in the following order:
The important thing is that the Source zone takes precedence over the Interface zone. Therefore, a common design pattern for multi-zone configurations is to allow a specific IP to access a specific service in the Source zone and restrict access to all other users in the Interface zone. become.
Now, let's try based on an example from the next.
This time, I would like to proceed with this configuration.
Let me give you an overview.
--The colored WEB server is the server that sets Firwalld this time. --The WEB server provides services on the Internet via http / https. --The backup server is a server that backs up the system of the WEB server, and accesses the MySQL server and NFS server on the WEB server. --The maintenance terminal is a terminal that performs maintenance on the WEB server, and connects to the WEB server with ssh. ――I think there are some rumors that you shouldn't connect to the DMZ or that the global IP address is wrong, but this time I'd like to keep it simple.
So, if you write it in sentences, it will be ambiguous, so let's make a table of the rules that allow packets on the WEB server.
|sender||protocol||Zone name||Zone role|
|ANY||https, http||public||Interface zone|
|192.168.11.24||mysql, nfs||share||Source zone|
It is a rule to reject everything except the above. In addition, there are already "zone name" and "zone role" columns in the table, and there are descriptions of zones with names such as public, share, mainte, but from now on, ** these multi-zones ** will actually apply the above rules. Let's set it.
The public zone feels like modifying the default one.
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client firewall-cmd --permanent --zone=public --remove-service=cockpit firewall-cmd --permanent --zone=public --remove-service=ssh firewall-cmd --permanent --zone=public --add-service=http firewall-cmd --permanent --zone=public --add-service=https firewall-cmd --permanent --zone=public --set-target=DROP firewall-cmd --reload
--First of all, the above three lines were included in the public zone as a service from the beginning, so they have been deleted (if they are not included, please ignore them). --The 4th and 5th lines are the settings to allow https and http for all users. ――The 6th line is ssh measures. It seems that it is safer to do DROP instead of DENY when trying to SSH into the server from an IP outside the internal zone. (This will prevent pinging, but see reference  for a workaround.)
Since the mainte zone does not exist originally, create it newly and set it.
firewall-cmd --permanent --new-zone=mainte firewall-cmd --permanent --zone=mainte --add-service=ssh firewall-cmd --permanent --zone=mainte --add-source=192.168.11.29 firewall-cmd --reload
The second line specifies ssh as the service allowed, and the third line specifies the maintenance terminal IP as the source IP allowed.
Since the share zone does not exist originally, it is set after creating a new one.
firewall-cmd --permanent --new-zone=share firewall-cmd --permanent --zone=share --add-port=2049/tcp firewall-cmd --permanent --zone=share --add-port=3306/tcp firewall-cmd --permanent --zone=share --add-source=192.168.11.24 firewall-cmd --reload
The 2nd and 3rd lines specify the nfs and mysql ports as the permitted ports, and the 4th line specifies the backup server IP as the permitted source IP.
First, let's run nmap from the maintenance terminal.
[[email protected] ~]$ nmap 192.168.11.26 Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-25 20:59 JST Nmap scan report for 192.168.11.26 Host is up (0.00063s latency). Not shown: 997 filtered ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https
Certainly you can see ssh in addition to the http / https port. (On the contrary, nfs and mysql are not visible)
Next, let's run nmap from the backup server.
(base) [email protected]:~$ nmap 192.168.11.26 Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-25 11:59 UTC Nmap scan report for 192.168.11.26 Host is up (0.0011s latency). Not shown: 996 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp open https 2049/tcp open nfs 3306/tcp open mysql
In addition to the http / https ports, you can see 2049 / tcp and 3306 / tcp. (On the contrary, ssh is not visible)
Finally, I will summarize the merits of multi-zone that I actually felt.
――In one zone, if there are many combinations of protocol (service) and source IP address, the effect of changing the service or source IP is large, but in multi-zone, only add-service or add-source is added to the zone. It's enough. For example, if you want to add another terminal to the maintenance terminal in this example, just add a rule like
firewall-cmd --permanent --zone = mainte --add-source = 192.168.11.19 It's done.
--As mentioned in reference , you can easily exclude specific IPs that are accessed illegally. Specifically, all you have to do is create a DROP zone that DROPs all connections, and add the IP you want to exclude with add-source to that zone.
--It is possible to add or remove permitted services to the source IP group included in a certain zone at once.
――The flexibility is infinite. If you want to know more, please see the references and the Firewalld documentation.