932
edits
Changes
m
→Investigation 2: Advanced uses of FirewallD: - updating instructions for online delivery
<ul><li>While this (and the next step) should also work with the incoming/outgoing interface options, it does not seem to. Use the destination address only.</li></ul>
<li>Using the --direct option, add a rule to the FORWARD chain that will allow traffic from machines in your 192.168.X.0/24 network addressed to anywhere else.</li>
<li>The previous two steps will allow traffic between your virtual machines and the outside world, however most machines will not currently respond to them, as they are using addresses in one of the private address ranges. <!-- This is not an issue for the other machines in the lab, as they will be expecting these addresses but anyone outside (e.g. when you try to get updates) will not respond.--></li>
<li>Using the --direct option, add a rule to the POSTROUTING chain of the nat table to masquerade all traffic coming from your virtual network. Use a priority value of 3 (we will need to add a few rules before this one shortly).</li>
<ul><li>This will cause traffic coming from your network to use your host’s external facing address. Unfortunately, this puts us right back where we started; any traffic your virtual machines send out will have the actual address hidden. We will need to add some rules before this to allow us to communicate with the other machines in the lab without being masqueraded.</li></ul>
<!--<li>Using the --direct option, add a rule to the POSTROUTING chain of the nat table to ACCEPT all traffic coming from your virtual network that has a destination in 172.16.0.0/16. Use a priority value of 2 so that this rule will happen before the one you just added.</li><li>Using the --direct option, add a rule to the POSTROUTING chain of the nat table to ACCEPT all traffic coming from your virtual network that has a destination in 192.168.0.0/16. Use a priority value of 2 so that this rule will happen before the masquerading one.</li>-->
<ul><li>This rule will allow you to communicate with machines in other students’ own networks. We have lumped all of them into one /16 rule instead of having to add a separate rule for each student you wish to communicate with.</li></ul>
<li>Use firewall-cmd and iptables -L to examine your firewall again. You should see the rules you added in the FORWARD chain of the filter table, and in the POSTROUTING_direct chain of the nat table.</li>
<!--<ul><li>Make sure the two rules you added to POSTROUTING that ACCEPT traffic addressed to 172.16.0.0/16 and 192.168.0.0/16 appear before the masquerade rule you added.</li><li>Once you are satisfied with your firewall, use firewall-cmd --runtime-to-permanent to save it.</li></ul>--><ul><li>Make sure the two rule you added to POSTROUTING that ACCEPTs traffic addressed to 192.168.0.0/16 appears before the masquerade rule you added.</li>
<li>Once you are satisfied with your firewall, use firewall-cmd --runtime-to-permanent to save it.</li></ul>
<li>Now that your VMs can be reached by the outside world, it is important to differentiate the traffic that is on their internal network from traffic with the outside world. Boot each of your VMs and set the interface that is connected to your internal network to be in the zone called internal, while the interface connected to the open network you just created should be set in the zone called external.</li>