932
edits
Changes
m
→Investigation 2: Advanced uses of FirewallD: - fixing formatting issue
Having removed the default network, you have also removed the firewall settings it was providing for you that allowed your machines to communicate with the outside world. Perform the following steps on your host.
<ol><li>Set the virtual interface that is assigned to your new virtual network to be part of the ‘external’ zone. Make sure the change will be permanent.</li>
<li>Ensure Masquerading is set to off for this zone.</li><ul><li>While masquerading would allow our machines to reach the network outside by hiding their internal addresses behind the host machine’s address, it would not help us allow new connections to be made to the servers inside our network. We will have to set that up ourselves.</li></ul></li>
<li>Remove all services from this zone except for ssh and dns (which you may need to add yourself).</li>
<li>Now that you have removed the excess clutter from the zone, examine it using firewall-cmd --zone=external --list-all (assuming you have not already done so).</li><ul><li>You may also wish to use the old iptables commands to list individual chains. Pay particular attention to FORWARD and POSTROUTING.</li></ul></li><li>Using the --direct option, add a rule to the FORWARD chain that will allow traffic addressed to machines in your 192.168.X.0/24 network.</li><ul><li>While this (and the next step) should also work with the incoming/outgoing interface options, it does not seem to. Use the destination address only.</li></ul></li>
<li>Using the --direct option, add a rule to the FORWARD chain that will allow traffic from machines in your 192.168.X.0/24 network addressed to anywhere else.</li>
<li>The previous two steps will allow traffic between your virtual machines and the outside world, however most machines will not currently respond to them, as they are using addresses in one of the private address ranges.<!-- This is not an issue for the other machines in the lab, as they will be expecting these addresses but anyone outside (e.g. when you try to get updates) will not respond.--></li>
<li>Using the --direct option, add a rule to the POSTROUTING chain of the nat table to masquerade all traffic coming from your virtual network. Use a priority value of 3 (we will need to add a few rules before this one shortly).</li><ul><li>This will cause traffic coming from your network to use your host’s external facing address. Unfortunately, this puts us right back where we started; any traffic your virtual machines send out will have the actual address hidden. We will need to add some rules before this to allow us to communicate with the other machines in the lab without being masqueraded.</li></ul></li>
<!--<li>Using the --direct option, add a rule to the POSTROUTING chain of the nat table to ACCEPT all traffic coming from your virtual network that has a destination in 172.16.0.0/16. Use a priority value of 2 so that this rule will happen before the one you just added.</li>
<li>Using the --direct option, add a rule to the POSTROUTING chain of the nat table to ACCEPT all traffic coming from your virtual network that has a destination in 192.168.0.0/16. Use a priority value of 2 so that this rule will happen before the masquerading one.</li>--><ul><li>This rule will allow you to communicate with machines in other students’ own networks. We have lumped all of them into one /16 rule instead of having to add a separate rule for each student you wish to communicate with.</li></ul>--><li>Use firewall-cmd and iptables -L to examine your firewall again. You should see the rules you added in the FORWARD chain of the filter table, and in the POSTROUTING_direct chain of the nat table.</li>
<!--<ul><li>Make sure the two rules you added to POSTROUTING that ACCEPT traffic addressed to 172.16.0.0/16 and 192.168.0.0/16 appear before the masquerade rule you added.</li>
<li>Once you are satisfied with your firewall, use firewall-cmd --runtime-to-permanent to save it.</li></ul>-->
<ul><li>Make sure the two rule rules you added to POSTROUTING that ACCEPTs traffic addressed to 192.168.0.0/16 appears before the masquerade rule you added.</li><li>Once you are satisfied with your firewall, use firewall-cmd --runtime-to-permanent to save it.</li></ul></li>
<li>Now that your VMs can be reached by the outside world, it is important to differentiate the traffic that is on their internal network from traffic with the outside world. Boot each of your VMs and set the interface that is connected to your internal network to be in the zone called internal, while the interface connected to the open network you just created should be set in the zone called external.</li>
<ul><li>Make the same changes to the external zone you did on the host (i.e. no masquerading, and delete the unneeded services).</li>