====== Gateway ======
==== Cenário ====
+----------------+ +----------------+
Zone external | Gateway | | |
Internet -- > | enp0s3 | Zone internal | Rede Interna |
| enp0s8 | <--100.100.200.0/24 --> | |
+----------------+ +----------------+
==== Regras default ====
Primeiro, vamos listar as regras default:
# firewall-cmd --list-all-zones
block
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
dmz
interfaces:
sources:
services: ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
drop
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
external
interfaces:
sources:
services: ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
home
interfaces:
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
internal
interfaces:
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
public (default, active)
interfaces: enp0s3 enp0s8
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
trusted
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
work
interfaces:
sources:
services: dhcpv6-client ipp-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
Como podemos observar, algumas zonas já vêm com regras aplicadas. São elas:
# firewall-cmd --list-all --zone=dmz
dmz
interfaces:
sources:
services: ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
# firewall-cmd --list-all --zone=external
external
interfaces:
sources:
services: ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
# firewall-cmd --list-all --zone=home
home
interfaces:
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
# firewall-cmd --list-all --zone=internal
internal
interfaces:
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
# firewall-cmd --list-all --zone=public
public (default, active)
interfaces: enp0s3 enp0s8
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
# firewall-cmd --list-all --zone=work
work
interfaces:
sources:
services: dhcpv6-client ipp-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
==== Removendo as regras default ====
Agora iremos removê-las, pois iremos criar nossas próprias regras:
# firewall-cmd --permanent --zone=home --remove-service=dhcpv6-client
# firewall-cmd --permanent --zone=home --remove-service=ipp-client
# firewall-cmd --permanent --zone=home --remove-service=mdns
# firewall-cmd --permanent --zone=home --remove-service=samba-client
# firewall-cmd --permanent --zone=home --remove-service=ssh
# firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client
# firewall-cmd --permanent --zone=internal --remove-service=ipp-client
# firewall-cmd --permanent --zone=internal --remove-service=mdns
# firewall-cmd --permanent --zone=internal --remove-service=samba-client
# firewall-cmd --permanent --zone=internal --remove-service=ssh
# firewall-cmd --permanent --zone=work --remove-service=dhcpv6-client
# firewall-cmd --permanent --zone=work --remove-service=ipp-client
# firewall-cmd --permanent --zone=work --remove-service=ssh
# firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
# firewall-cmd --permanent --zone=public --remove-service=ssh
# firewall-cmd --permanent --zone=external --remove-service=ssh
# firewall-cmd --permanent --zone=external --remove-masquerade
# firewall-cmd --permanent --zone=dmz --remove-service=ssh
# firewall-cmd --reload
success
==== Configuração de rede ====
Listando as interfaces:
# nmcli connection show
NOME UUID TIPO DISPOSITIVO
enp0s3 3c36b8c2-334b-57c7-91b6-4401f3489c69 802-3-ethernet enp0s3
enp0s8 ab608dc7-afc8-4f77-8cae-5d030ff147b3 802-3-ethernet enp0s8
# ip addr show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:71:22:b3 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
valid_lft 81353sec preferred_lft 81353sec
inet6 fe80::a00:27ff:fe71:22b3/64 scope link
valid_lft forever preferred_lft forever
3: enp0s8: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:62:50:58 brd ff:ff:ff:ff:ff:ff
inet 100.100.200.254/24 brd 100.100.200.255 scope global enp0s8
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe62:5058/64 scope link
valid_lft forever preferred_lft forever
==== Alterando as zonas default ====
A zona que vem ativa por padrão é a public:
# firewall-cmd --get-default-zone
public
Vamos deixar a interface enp0s3 na zona external, com o mascaramento (masquerade) habilitado, e a interface enp0s8 na zona internal, que colocaremos como zona default.
# nmcli c m enp0s8 connection.zone internal
# firewall-cmd --set-default-zone=internal
success
# firewall-cmd --reload
success
# firewall-cmd --list-all --zone=internal
internal (active)
interfaces: enp0s8
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
# nmcli c m enp0s3 connection.zone external
# firewall-cmd --permanent --zone=external --add-masquerade
success
# firewall-cmd --reload
success
# firewall-cmd --list-all --zone=external
external (active)
interfaces: enp0s3
sources:
services:
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
==== Aplicando regras ====
Com a remoção dessas regras, naturalmente perdemos o acesso ao nosso firewall. Então vamos liberar o acesso por ssh na zona internal e, para administração a partir da rede externa, também na zona external:
# firewall-cmd --permanent --zone=internal --add-service=ssh
success
# firewall-cmd --permanent --zone=external --add-service=ssh
success
# firewall-cmd --reload
success