Firewall Introduction in RedHat-7





Iptables:

Linux kernel includes a powerful network filtering subsystem called netfilter. It allows kernel module to inspect every packet traversing the system both (incoming and outgoing) or forwarded packets can be inspected, modified or dropped in a programmatic way.

In previous red hat version's one of most popular program is used called iptables. It will interact with kernel netfilter. Iptables is a low level tool to correctly manage firewall with this tool. It only usable for IPV4 firewall rules.IPV6 usable to handle IPV6, ebtables is used for software bridges.

Firewall:
RedHat introduced new method for interacting with netfilter called firewalld.Firewalld is a system daemon that can configure and monitor the system firewall rules. It covers IPV4, IPV6 and ebtables.

Firewalld simplifies firewall management by classifying all network traffic into zones. Based on criteria such as the source IP address of a packet or the incoming network interface, traffic is then diverted into firewall rules for the appropriate zone. Each zone has its own list of ports and services to be opened or closed.

Firewall can be managed in three ways:
A) firewall-cmd  - Command line interface
B) firewall-config - Graphical tool
C) /etc/firewalld/ - Configuration file

Zones:
  1.  Trusted - Allow all incoming traffic.
  2.  Home - Reject incoming traffic unless related to outgoing traffic or match the predefined  services or ssh, mdns, ipp-client, samba-client or dhcpv6-client.
  3. Internal - Reject incoming traffic unless related to outgoing traffic or matching the predefined services or ssh, mdns, ipp-client, samba-client or dhcpv6-client.
  4. Work - Reject incoming traffic unless related to outgoing traffic or matching the ssh, ipp-client or dhcpv6-client.
  5. Public - Reject incoming traffic unless related to outgoing traffic or matching the ssh or dhcpv6-client. It is the default zone for newly added network interfaces. 
  6. External - Reject incoming traffic unless related to outgoing traffic or matching the predefined service or ssh. Outgoing IPV4 traffic forwarded through this zone is masqueraded to look like it originated from the IPV4 address of the outgoing network interface.
  7.  Dmz - Reject incoming traffic unless related to outgoing traffic or matching the ssh or predefined services.
  8.  Block - Reject all incoming traffic unless related to outgoing traffic. 
  9. Drop - Drop all incoming traffic unless related to outgoing traffic.


Pre-defined services:
Firewalld also ship with a number of pre-defined services. These service definitions can be used to easily permit traffic for particular network services to pass through the firewall. Configuration of predefined services used in default configuration of firewall zones.

Note:
If you plan to use firewalld service insted of iptable services, We should mask the iptables because both firewalld and iptables services conflict with each other. In RedHat 7 firewalld is the default method for managing host-level firewalls.


 Commands used to mask iptables, ip6tables and ebtables.


Confirming the status



Previous
Next Post »