
Gateway com FirewallD no Debian 8

Cenário

hostname - gateway.exemplo.org
eth0 - rede externa - nat/dhcp - virtual box
eth1 - 192.0.2.1 - rede interna

Configurando hostname

root@debian:~# hostnamectl set-hostname gateway.exemplo.org

Arquivo hosts

root@debian:~# vim /etc/hosts
[...]
192.0.2.1       gateway.exemplo.org     gateway
[...]

Configuração de rede

root@debian:~# vim /etc/network/interfaces
 
source /etc/network/interfaces.d/*
 
# The loopback network interface
auto lo
iface lo inet loopback
 
# REDE PÚBLICA - NAT VIRTUAL BOX
allow-hotplug eth0
iface eth0 inet dhcp
 
# REDE INTERNA
allow-hotplug eth1
iface eth1 inet static
        address 192.0.2.1
        netmask 255.255.255.0

Reiniciando para que as alterações sejam aplicadas

root@debian:~# systemctl reboot

Instalando o FirewallD

root@gateway:~# apt-get install firewalld

Colhendo informações do pacote instalado

root@gateway:~# dpkg -L firewalld
/.
/etc
/etc/init.d
/etc/init.d/firewalld
/etc/firewalld
/etc/firewalld/services
/etc/firewalld/lockdown-whitelist.xml
/etc/firewalld/zones
/etc/firewalld/firewalld.conf
/etc/firewalld/icmptypes
/etc/dbus-1
/etc/dbus-1/system.d
/etc/dbus-1/system.d/FirewallD.conf
/usr
/usr/share
/usr/share/locale
/usr/share/locale/hu
/usr/share/locale/hu/LC_MESSAGES
/usr/share/locale/hu/LC_MESSAGES/firewalld.mo
/usr/share/locale/ru
/usr/share/locale/ru/LC_MESSAGES
/usr/share/locale/ru/LC_MESSAGES/firewalld.mo
/usr/share/locale/en_GB
/usr/share/locale/en_GB/LC_MESSAGES
/usr/share/locale/en_GB/LC_MESSAGES/firewalld.mo
/usr/share/locale/fi
/usr/share/locale/fi/LC_MESSAGES
/usr/share/locale/fi/LC_MESSAGES/firewalld.mo
/usr/share/locale/or
/usr/share/locale/or/LC_MESSAGES
/usr/share/locale/or/LC_MESSAGES/firewalld.mo
/usr/share/locale/hi
/usr/share/locale/hi/LC_MESSAGES
/usr/share/locale/hi/LC_MESSAGES/firewalld.mo
/usr/share/locale/it
/usr/share/locale/it/LC_MESSAGES
/usr/share/locale/it/LC_MESSAGES/firewalld.mo
/usr/share/locale/pa
/usr/share/locale/pa/LC_MESSAGES
/usr/share/locale/pa/LC_MESSAGES/firewalld.mo
/usr/share/locale/pt_BR
/usr/share/locale/pt_BR/LC_MESSAGES
/usr/share/locale/pt_BR/LC_MESSAGES/firewalld.mo
/usr/share/locale/pt
/usr/share/locale/pt/LC_MESSAGES
/usr/share/locale/pt/LC_MESSAGES/firewalld.mo
/usr/share/locale/pl
/usr/share/locale/pl/LC_MESSAGES
/usr/share/locale/pl/LC_MESSAGES/firewalld.mo
/usr/share/locale/ar
/usr/share/locale/ar/LC_MESSAGES
/usr/share/locale/ar/LC_MESSAGES/firewalld.mo
/usr/share/locale/ja
/usr/share/locale/ja/LC_MESSAGES
/usr/share/locale/ja/LC_MESSAGES/firewalld.mo
/usr/share/locale/kn
/usr/share/locale/kn/LC_MESSAGES
/usr/share/locale/kn/LC_MESSAGES/firewalld.mo
/usr/share/locale/ko
/usr/share/locale/ko/LC_MESSAGES
/usr/share/locale/ko/LC_MESSAGES/firewalld.mo
/usr/share/locale/es
/usr/share/locale/es/LC_MESSAGES
/usr/share/locale/es/LC_MESSAGES/firewalld.mo
/usr/share/locale/mr
/usr/share/locale/mr/LC_MESSAGES
/usr/share/locale/mr/LC_MESSAGES/firewalld.mo
/usr/share/locale/as
/usr/share/locale/as/LC_MESSAGES
/usr/share/locale/as/LC_MESSAGES/firewalld.mo
/usr/share/locale/ta
/usr/share/locale/ta/LC_MESSAGES
/usr/share/locale/ta/LC_MESSAGES/firewalld.mo
/usr/share/locale/bn_IN
/usr/share/locale/bn_IN/LC_MESSAGES
/usr/share/locale/bn_IN/LC_MESSAGES/firewalld.mo
/usr/share/locale/da
/usr/share/locale/da/LC_MESSAGES
/usr/share/locale/da/LC_MESSAGES/firewalld.mo
/usr/share/locale/tr
/usr/share/locale/tr/LC_MESSAGES
/usr/share/locale/tr/LC_MESSAGES/firewalld.mo
/usr/share/locale/sv
/usr/share/locale/sv/LC_MESSAGES
/usr/share/locale/sv/LC_MESSAGES/firewalld.mo
/usr/share/locale/ml
/usr/share/locale/ml/LC_MESSAGES
/usr/share/locale/ml/LC_MESSAGES/firewalld.mo
/usr/share/locale/nl
/usr/share/locale/nl/LC_MESSAGES
/usr/share/locale/nl/LC_MESSAGES/firewalld.mo
/usr/share/locale/sr
/usr/share/locale/sr/LC_MESSAGES
/usr/share/locale/sr/LC_MESSAGES/firewalld.mo
/usr/share/locale/zh_TW
/usr/share/locale/zh_TW/LC_MESSAGES
/usr/share/locale/zh_TW/LC_MESSAGES/firewalld.mo
/usr/share/locale/sr@latin
/usr/share/locale/sr@latin/LC_MESSAGES
/usr/share/locale/sr@latin/LC_MESSAGES/firewalld.mo
/usr/share/locale/fr
/usr/share/locale/fr/LC_MESSAGES
/usr/share/locale/fr/LC_MESSAGES/firewalld.mo
/usr/share/locale/gu
/usr/share/locale/gu/LC_MESSAGES
/usr/share/locale/gu/LC_MESSAGES/firewalld.mo
/usr/share/locale/cs
/usr/share/locale/cs/LC_MESSAGES
/usr/share/locale/cs/LC_MESSAGES/firewalld.mo
/usr/share/locale/te
/usr/share/locale/te/LC_MESSAGES
/usr/share/locale/te/LC_MESSAGES/firewalld.mo
/usr/share/locale/ca
/usr/share/locale/ca/LC_MESSAGES
/usr/share/locale/ca/LC_MESSAGES/firewalld.mo
/usr/share/locale/zh_CN
/usr/share/locale/zh_CN/LC_MESSAGES
/usr/share/locale/zh_CN/LC_MESSAGES/firewalld.mo
/usr/share/locale/de
/usr/share/locale/de/LC_MESSAGES
/usr/share/locale/de/LC_MESSAGES/firewalld.mo
/usr/share/locale/sk
/usr/share/locale/sk/LC_MESSAGES
/usr/share/locale/sk/LC_MESSAGES/firewalld.mo
/usr/share/locale/uk
/usr/share/locale/uk/LC_MESSAGES
/usr/share/locale/uk/LC_MESSAGES/firewalld.mo
/usr/share/bash-completion
/usr/share/bash-completion/completions
/usr/share/bash-completion/completions/firewall-cmd
/usr/share/doc
/usr/share/doc/firewalld
/usr/share/doc/firewalld/copyright
/usr/share/doc/firewalld/changelog.Debian.gz
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/firewall-cmd.1.gz
/usr/share/man/man1/firewall-offline-cmd.1.gz
/usr/share/man/man1/firewalld.1.gz
/usr/share/man/man1/firewall-config.1.gz
/usr/share/man/man1/firewall-applet.1.gz
/usr/share/man/man5
/usr/share/man/man5/firewalld.richlanguage.5.gz
/usr/share/man/man5/firewalld.dbus.5.gz
/usr/share/man/man5/firewalld.zones.5.gz
/usr/share/man/man5/firewalld.conf.5.gz
/usr/share/man/man5/firewalld.service.5.gz
/usr/share/man/man5/firewalld.lockdown-whitelist.5.gz
/usr/share/man/man5/firewalld.zone.5.gz
/usr/share/man/man5/firewalld.icmptype.5.gz
/usr/share/man/man5/firewalld.direct.5.gz
/usr/share/polkit-1
/usr/share/polkit-1/actions
/usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy
/usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy
/usr/lib
/usr/lib/firewalld
/usr/lib/firewalld/services
/usr/lib/firewalld/services/radius.xml
/usr/lib/firewalld/services/privoxy.xml
/usr/lib/firewalld/services/kpasswd.xml
/usr/lib/firewalld/services/dhcpv6.xml
/usr/lib/firewalld/services/sane.xml
/usr/lib/firewalld/services/ms-wbt.xml
/usr/lib/firewalld/services/bacula.xml
/usr/lib/firewalld/services/samba-client.xml
/usr/lib/firewalld/services/kerberos.xml
/usr/lib/firewalld/services/bacula-client.xml
/usr/lib/firewalld/services/libvirt-tls.xml
/usr/lib/firewalld/services/pmcd.xml
/usr/lib/firewalld/services/squid.xml
/usr/lib/firewalld/services/kadmin.xml
/usr/lib/firewalld/services/synergy.xml
/usr/lib/firewalld/services/ftp.xml
/usr/lib/firewalld/services/ldaps.xml
/usr/lib/firewalld/services/freeipa-ldap.xml
/usr/lib/firewalld/services/vnc-server.xml
/usr/lib/firewalld/services/pop3s.xml
/usr/lib/firewalld/services/ipp.xml
/usr/lib/firewalld/services/ldap.xml
/usr/lib/firewalld/services/transmission-client.xml
/usr/lib/firewalld/services/freeipa-replication.xml
/usr/lib/firewalld/services/ssh.xml
/usr/lib/firewalld/services/dhcp.xml
/usr/lib/firewalld/services/wbem-https.xml
/usr/lib/firewalld/services/tor-socks.xml
/usr/lib/firewalld/services/openvpn.xml
/usr/lib/firewalld/services/dns.xml
/usr/lib/firewalld/services/amanda-client.xml
/usr/lib/firewalld/services/amanda-k5-client.xml
/usr/lib/firewalld/services/xmpp-server.xml
/usr/lib/firewalld/services/ntp.xml
/usr/lib/firewalld/services/pmproxy.xml
/usr/lib/firewalld/services/pmwebapis.xml
/usr/lib/firewalld/services/mountd.xml
/usr/lib/firewalld/services/mysql.xml
/usr/lib/firewalld/services/http.xml
/usr/lib/firewalld/services/dhcpv6-client.xml
/usr/lib/firewalld/services/postgresql.xml
/usr/lib/firewalld/services/rpc-bind.xml
/usr/lib/firewalld/services/tftp-client.xml
/usr/lib/firewalld/services/xmpp-client.xml
/usr/lib/firewalld/services/smtp.xml
/usr/lib/firewalld/services/tftp.xml
/usr/lib/firewalld/services/libvirt.xml
/usr/lib/firewalld/services/puppetmaster.xml
/usr/lib/firewalld/services/ipp-client.xml
/usr/lib/firewalld/services/ipsec.xml
/usr/lib/firewalld/services/freeipa-ldaps.xml
/usr/lib/firewalld/services/pmwebapi.xml
/usr/lib/firewalld/services/samba.xml
/usr/lib/firewalld/services/imaps.xml
/usr/lib/firewalld/services/telnet.xml
/usr/lib/firewalld/services/proxy-dhcp.xml
/usr/lib/firewalld/services/xmpp-bosh.xml
/usr/lib/firewalld/services/nfs.xml
/usr/lib/firewalld/services/xmpp-local.xml
/usr/lib/firewalld/services/https.xml
/usr/lib/firewalld/services/mdns.xml
/usr/lib/firewalld/services/high-availability.xml
/usr/lib/firewalld/zones
/usr/lib/firewalld/zones/drop.xml
/usr/lib/firewalld/zones/public.xml
/usr/lib/firewalld/zones/block.xml
/usr/lib/firewalld/zones/trusted.xml
/usr/lib/firewalld/zones/internal.xml
/usr/lib/firewalld/zones/work.xml
/usr/lib/firewalld/zones/external.xml
/usr/lib/firewalld/zones/home.xml
/usr/lib/firewalld/zones/dmz.xml
/usr/lib/firewalld/icmptypes
/usr/lib/firewalld/icmptypes/router-solicitation.xml
/usr/lib/firewalld/icmptypes/time-exceeded.xml
/usr/lib/firewalld/icmptypes/destination-unreachable.xml
/usr/lib/firewalld/icmptypes/parameter-problem.xml
/usr/lib/firewalld/icmptypes/router-advertisement.xml
/usr/lib/firewalld/icmptypes/source-quench.xml
/usr/lib/firewalld/icmptypes/redirect.xml
/usr/lib/firewalld/icmptypes/echo-request.xml
/usr/lib/firewalld/icmptypes/echo-reply.xml
/usr/lib/python2.7
/usr/lib/python2.7/dist-packages
/usr/lib/python2.7/dist-packages/firewall
/usr/lib/python2.7/dist-packages/firewall/__init__.py
/usr/lib/python2.7/dist-packages/firewall/errors.py
/usr/lib/python2.7/dist-packages/firewall/client.py
/usr/lib/python2.7/dist-packages/firewall/dbus_utils.py
/usr/lib/python2.7/dist-packages/firewall/server
/usr/lib/python2.7/dist-packages/firewall/server/config_service.py
/usr/lib/python2.7/dist-packages/firewall/server/config.py
/usr/lib/python2.7/dist-packages/firewall/server/__init__.py
/usr/lib/python2.7/dist-packages/firewall/server/firewalld.py
/usr/lib/python2.7/dist-packages/firewall/server/config_icmptype.py
/usr/lib/python2.7/dist-packages/firewall/server/config_zone.py
/usr/lib/python2.7/dist-packages/firewall/server/decorators.py
/usr/lib/python2.7/dist-packages/firewall/server/server.py
/usr/lib/python2.7/dist-packages/firewall/functions.py
/usr/lib/python2.7/dist-packages/firewall/fw_types.py
/usr/lib/python2.7/dist-packages/firewall/core
/usr/lib/python2.7/dist-packages/firewall/core/__init__.py
/usr/lib/python2.7/dist-packages/firewall/core/fw_service.py
/usr/lib/python2.7/dist-packages/firewall/core/fw.py
/usr/lib/python2.7/dist-packages/firewall/core/fw_zone.py
/usr/lib/python2.7/dist-packages/firewall/core/ebtables.py
/usr/lib/python2.7/dist-packages/firewall/core/base.py
/usr/lib/python2.7/dist-packages/firewall/core/fw_policies.py
/usr/lib/python2.7/dist-packages/firewall/core/modules.py
/usr/lib/python2.7/dist-packages/firewall/core/fw_icmptype.py
/usr/lib/python2.7/dist-packages/firewall/core/rich.py
/usr/lib/python2.7/dist-packages/firewall/core/fw_config.py
/usr/lib/python2.7/dist-packages/firewall/core/ipXtables.py
/usr/lib/python2.7/dist-packages/firewall/core/prog.py
/usr/lib/python2.7/dist-packages/firewall/core/fw_test.py
/usr/lib/python2.7/dist-packages/firewall/core/io
/usr/lib/python2.7/dist-packages/firewall/core/io/__init__.py
/usr/lib/python2.7/dist-packages/firewall/core/io/firewalld_conf.py
/usr/lib/python2.7/dist-packages/firewall/core/io/icmptype.py
/usr/lib/python2.7/dist-packages/firewall/core/io/lockdown_whitelist.py
/usr/lib/python2.7/dist-packages/firewall/core/io/direct.py
/usr/lib/python2.7/dist-packages/firewall/core/io/io_object.py
/usr/lib/python2.7/dist-packages/firewall/core/io/zone.py
/usr/lib/python2.7/dist-packages/firewall/core/io/service.py
/usr/lib/python2.7/dist-packages/firewall/core/watcher.py
/usr/lib/python2.7/dist-packages/firewall/core/fw_direct.py
/usr/lib/python2.7/dist-packages/firewall/core/logger.py
/usr/lib/python2.7/dist-packages/firewall/config
/usr/lib/python2.7/dist-packages/firewall/config/__init__.py
/usr/lib/python2.7/dist-packages/firewall/config/dbus.py
/usr/bin
/usr/bin/firewall-offline-cmd
/usr/bin/firewall-cmd
/usr/sbin
/usr/sbin/firewalld
/lib
/lib/systemd
/lib/systemd/system
/lib/systemd/system/firewalld.service
/usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.policy

Status

root@gateway:~# systemctl status firewalld 
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sex 2016-03-18 15:26:31 BRT; 17min ago
 Main PID: 1934 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─1934 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Listando os processos

root@gateway:~# ps -ef | grep firewalld
root      1934     1  0 15:26 ?        00:00:00 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
root      2368   501  0 15:44 pts/0    00:00:00 grep firewalld

Listando as zonas e regras existentes

Zonas existentes

root@gateway:~# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

Regras existentes em cada zona

root@gateway:~# firewall-cmd --zone=block --list-all
block
  interfaces: 
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
root@gateway:~# firewall-cmd --zone=dmz --list-all
dmz
  interfaces: 
  sources: 
  services: ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
root@gateway:~# firewall-cmd --zone=drop --list-all
drop
  interfaces: 
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
root@gateway:~# firewall-cmd --zone=external --list-all
external
  interfaces: 
  sources: 
  services: ssh
  ports: 
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules: 
root@gateway:~# firewall-cmd --zone=home --list-all
home
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
root@gateway:~# firewall-cmd --zone=internal --list-all
internal
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
root@gateway:~# firewall-cmd --zone=public --list-all
public (default)
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
root@gateway:~# firewall-cmd --zone=trusted --list-all
trusted
  interfaces: 
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
root@gateway:~# firewall-cmd --zone=work --list-all
work
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

Removendo as regras existentes

Vamos remover todas essas regras e aplicar nossas próprias regras.

dmz

firewall-cmd --permanent --zone=dmz --remove-service=ssh

external

firewall-cmd --permanent --zone=external --remove-service=ssh
firewall-cmd --permanent --zone=external --remove-masquerade

home

firewall-cmd --permanent --zone=home --remove-service=mdns
firewall-cmd --permanent --zone=home --remove-service=ssh
firewall-cmd --permanent --zone=home --remove-service=dhcpv6-client

internal

firewall-cmd --permanent --zone=internal --remove-service=mdns
firewall-cmd --permanent --zone=internal --remove-service=ssh
firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client

public

firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client

work

firewall-cmd --permanent --zone=work --remove-service=ssh
firewall-cmd --permanent --zone=work --remove-service=dhcpv6-client

Relendo as configurações

root@gateway:~# firewall-cmd --reload

Listando a zona padrão

root@gateway:~# firewall-cmd --get-default-zone
public

Colocando a zona internal como zona padrão

root@gateway:~# firewall-cmd --set-default-zone=internal
success
root@gateway:~# firewall-cmd --reload
success
root@gateway:~# firewall-cmd --get-default-zone
internal

Atrelando a interface eth1 à zona internal (sem --permanent, a associação vale apenas para a configuração em execução e não persiste após o firewalld ser reiniciado)

root@gateway:~# firewall-cmd --zone=internal --change-interface=eth1
success
root@gateway:~# firewall-cmd --get-zone-of-interface=eth1
internal

Atrelando a interface eth0 à zona external (também apenas em tempo de execução, pois não usa --permanent)

root@gateway:~# firewall-cmd --zone=external --change-interface=eth0
success
root@gateway:~# firewall-cmd --get-zone-of-interface=eth0
external

Inserindo regras

Liberando o ssh nas zonas external e internal (na zona external isso expõe o serviço à rede pública ligada à eth0)

root@gateway:~# firewall-cmd --reload
success
root@gateway:~# firewall-cmd --permanent --zone=internal --add-service=ssh
success
root@gateway:~# firewall-cmd --permanent --zone=external --add-service=ssh
success
root@gateway:~# firewall-cmd --reload
success

Compartilhando a internet - NAT

root@gateway:~# firewall-cmd --permanent --zone=external --add-masquerade
success
root@gateway:~# firewall-cmd --reload
success

Testando no cliente

root@dhcp:~# ip add show | grep inet | grep eth0
    inet 192.0.2.254/24 brd 192.0.2.255 scope global eth0
root@dhcp:~# ip route | grep default
default via 192.0.2.1 dev eth0 
root@dhcp:~# ping -c3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=61 time=33.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=61 time=33.6 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=61 time=33.8 ms
 
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 33.441/33.633/33.814/0.213 ms