                 +----------------+                                +------------------+
  Zone external  |    Gateway     |                                |                  |
  Internet  -->  | enp0s3         |   Zone internal                | Internal network |
                 | enp0s8         | <-- 100.100.200.0/24 -->       |                  |
                 +----------------+                                +------------------+
First, let's list the default rules:
# firewall-cmd --list-all-zones
block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

dmz
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

drop
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

external
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

home
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

internal
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

public (default, active)
  interfaces: enp0s3 enp0s8
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

trusted
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

work
  interfaces:
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
As we can see, some zones already come with rules applied. They are:
# firewall-cmd --list-all --zone=dmz
dmz
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

# firewall-cmd --list-all --zone=external
external
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

# firewall-cmd --list-all --zone=home
home
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

# firewall-cmd --list-all --zone=internal
internal
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

# firewall-cmd --list-all --zone=public
public (default, active)
  interfaces: enp0s3 enp0s8
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

# firewall-cmd --list-all --zone=work
work
  interfaces:
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
Now we will remove them, since we are going to create our own rules. Note that every command below uses --permanent, so nothing changes in the running firewall until the reload at the end.
# firewall-cmd --permanent --zone=home --remove-service=dhcpv6-client
# firewall-cmd --permanent --zone=home --remove-service=ipp-client
# firewall-cmd --permanent --zone=home --remove-service=mdns
# firewall-cmd --permanent --zone=home --remove-service=samba-client
# firewall-cmd --permanent --zone=home --remove-service=ssh

# firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client
# firewall-cmd --permanent --zone=internal --remove-service=ipp-client
# firewall-cmd --permanent --zone=internal --remove-service=mdns
# firewall-cmd --permanent --zone=internal --remove-service=samba-client
# firewall-cmd --permanent --zone=internal --remove-service=ssh

# firewall-cmd --permanent --zone=work --remove-service=dhcpv6-client
# firewall-cmd --permanent --zone=work --remove-service=ipp-client
# firewall-cmd --permanent --zone=work --remove-service=ssh

# firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
# firewall-cmd --permanent --zone=public --remove-service=ssh

# firewall-cmd --permanent --zone=external --remove-service=ssh
# firewall-cmd --permanent --zone=external --remove-masquerade

# firewall-cmd --permanent --zone=dmz --remove-service=ssh
# firewall-cmd --reload
success
Listing the interfaces:
# nmcli connection show
NAME    UUID                                  TYPE            DEVICE
enp0s3  3c36b8c2-334b-57c7-91b6-4401f3489c69  802-3-ethernet  enp0s3
enp0s8  ab608dc7-afc8-4f77-8cae-5d030ff147b3  802-3-ethernet  enp0s8
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:71:22:b3 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 81353sec preferred_lft 81353sec
    inet6 fe80::a00:27ff:fe71:22b3/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:62:50:58 brd ff:ff:ff:ff:ff:ff
    inet 100.100.200.254/24 brd 100.100.200.255 scope global enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe62:5058/64 scope link
       valid_lft forever preferred_lft forever
The zone that is active by default is public:
# firewall-cmd --get-default-zone
public
We will put the interface enp0s3 (the Internet-facing side) in the external zone with masquerading, and the interface enp0s8 (the LAN side) in the internal zone, which we will make the default zone. The interfaces are managed by NetworkManager, so the zone is set on the connection with nmcli rather than with firewall-cmd --change-interface; NetworkManager then tells firewalld which zone each interface belongs to.
# nmcli c m enp0s8 connection.zone internal
# firewall-cmd --set-default-zone=internal
success
# firewall-cmd --reload
success
# firewall-cmd --list-all --zone=internal
internal (active)
  interfaces: enp0s8
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
# nmcli c m enp0s3 connection.zone external
# firewall-cmd --permanent --zone=external --add-masquerade
success
# firewall-cmd --reload
success
# firewall-cmd --list-all --zone=external
external (active)
  interfaces: enp0s3
  sources:
  services:
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
By removing those rules we naturally lose remote access to our firewall, since ssh is no longer allowed in any zone. So let's allow SSH access again. If you are administering the box over SSH, do this from a console (or add ssh back before the reload); otherwise a dropped session cannot be re-established until the service is allowed. Allowing ssh in the external zone exposes it on the Internet-facing interface, so only do that if you really need to manage the gateway from outside.
# firewall-cmd --permanent --zone=internal --add-service=ssh
success
# firewall-cmd --permanent --zone=external --add-service=ssh
success
# firewall-cmd --reload
success
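The whole procedure above, collected into one script as an added example (this is not code from the original tutorial). It has two parts: zone_services parses the output of firewall-cmd --list-all-zones and reports every zone that still exposes a service or has masquerading enabled, which is the check you want to run before and after stripping the defaults; apply_gateway_zones then applies the layout from the diagram and verifies it instead of trusting the word "success". The sample output embedded in SAMPLE is constructed in the format shown on this page; the interface names enp0s3 and enp0s8 and the zone names come from the tutorial, and apply_gateway_zones assumes root, a running firewalld and NetworkManager-managed connections named after the interfaces.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.

# zone_services: read `firewall-cmd --list-all-zones` output on stdin and print
# one line per zone that still has services or masquerading enabled:
#   <zone> services=<list or -> masquerade=<yes|no>
# Zones with nothing exposed are omitted, so an empty result means "clean".
zone_services() {
    awk '
        # A zone header is the only line with no leading whitespace,
        # e.g. "public (default, active)"; its first word is the zone name.
        /^[^ ]/ { if (zone != "") flush(); zone = $1; services = ""; masq = "no"; next }
        /^ +services:/ { sub(/^ +services: */, ""); services = $0; next }
        /^ +masquerade:/ { masq = $2; next }
        END { if (zone != "") flush() }
        function flush() {
            if (services != "" || masq == "yes")
                printf "%s services=%s masquerade=%s\n", zone,
                       (services == "" ? "-" : services), masq
        }
    '
}

# Constructed sample in the format of `firewall-cmd --list-all-zones`
# (three zones, abridged from the defaults shown in the tutorial).
SAMPLE='public (default, active)
  interfaces: enp0s3 enp0s8
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

external
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

drop
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
'

# apply_gateway_zones WAN_IF LAN_IF: put WAN_IF in external with masquerading,
# LAN_IF in internal as the default zone, and allow ssh. The ssh rules are added
# BEFORE the reload so that a remote administrator is not locked out.
# Requires root, a running firewalld, and NetworkManager connections named
# after the interfaces (as in the tutorial's `nmcli connection show`).
apply_gateway_zones() {
    wan_if=${1:-enp0s3}   # assumed names from the tutorial's diagram
    lan_if=${2:-enp0s8}
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 1; }
    command -v nmcli >/dev/null 2>&1 || { echo "nmcli not found" >&2; return 1; }

    # Bind each connection to its zone; NetworkManager reports this to firewalld.
    nmcli connection modify "$lan_if" connection.zone internal || return 1
    nmcli connection modify "$wan_if" connection.zone external || return 1
    firewall-cmd --set-default-zone=internal || return 1

    firewall-cmd --permanent --zone=internal --add-service=ssh || return 1
    firewall-cmd --permanent --zone=external --add-service=ssh || return 1
    firewall-cmd --permanent --zone=external --add-masquerade || return 1
    firewall-cmd --reload || return 1

    # Verify the running configuration rather than trusting "success".
    [ "$(firewall-cmd --get-zone-of-interface="$wan_if")" = external ] || return 1
    [ "$(firewall-cmd --get-zone-of-interface="$lan_if")" = internal ] || return 1
    firewall-cmd --zone=external --query-masquerade >/dev/null || return 1
    # Final audit: only internal and external should show up, both with ssh.
    firewall-cmd --list-all-zones | zone_services
}

# Stand-alone run: audit the constructed sample (no root needed).
printf '%s' "$SAMPLE" | zone_services
```

Run as-is it only audits the embedded sample and prints the public and external lines (drop is silent because it exposes nothing); on the real gateway, `firewall-cmd --list-all-zones | zone_services` gives the same report for the live configuration, and `apply_gateway_zones enp0s3 enp0s8` performs the setup. If you do not need to manage the gateway from the Internet side, delete the line that adds ssh to external.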