clear-linux-documentation/guides/network/firewall.html
2024-11-04 18:48:51 +00:00

<!DOCTYPE html>
<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Firewall &#8212; Documentation for Clear Linux* project</title>
<link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
<link rel="stylesheet" type="text/css" href="../../_static/bizstyle.css?v=5283bb3d" />
<link rel="stylesheet" type="text/css" href="../../_static/copybutton.css?v=76b2166b" />
<script src="../../_static/documentation_options.js?v=5929fcd5"></script>
<script src="../../_static/doctools.js?v=9bcbadda"></script>
<script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<script src="../../_static/clipboard.min.js?v=a7894cd8"></script>
<script src="../../_static/copybutton.js?v=a56c686a"></script>
<script src="../../_static/bizstyle.js"></script>
<link rel="canonical" href="https://clearlinux.github.io/clear-linux-documentation/guides/network/firewall.html" />
<link rel="icon" href="../../_static/favicon.ico"/>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
<link rel="next" title="Combine multiple interfaces with network bonding" href="network-bonding.html" />
<link rel="prev" title="Use DPDK to send packets between platforms" href="dpdk.html" />
<meta name="viewport" content="width=device-width,initial-scale=1.0" />
<!--[if lt IE 9]>
<script src="_static/css3-mediaqueries.js"></script>
<![endif]-->
</head><body>
<div class="related" role="navigation" aria-label="Related">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../../genindex.html" title="General Index"
accesskey="I">index</a></li>
<li class="right" >
<a href="network-bonding.html" title="Combine multiple interfaces with network bonding"
accesskey="N">next</a> |</li>
<li class="right" >
<a href="dpdk.html" title="Use DPDK to send packets between platforms"
accesskey="P">previous</a> |</li>
<li class="nav-item nav-item-0"><a href="../../index.html">Documentation for Clear Linux* project</a> &#187;</li>
<li class="nav-item nav-item-1"><a href="../index.html" accesskey="U">Guides</a> &#187;</li>
<li class="nav-item nav-item-this"><a href="">Firewall</a></li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<section id="firewall">
<span id="id1"></span><h1>Firewall<a class="headerlink" href="#firewall" title="Link to this heading"></a></h1>
<p>Firewalls control access to and from systems based on network packet
attributes like IP address, port, payload and more.</p>
<p>The <a class="reference external" href="https://netfilter.org/">Netfilter</a> framework in the Linux kernel
performs packet filtering and provides the means for implementing a software
firewall in Linux. Clear Linux* OS offers a couple of different firewall front-end options
for managing the Linux firewall.</p>
<nav class="contents local" id="contents">
<ul class="simple">
<li><p><a class="reference internal" href="#default-ruleset" id="id4">Default ruleset</a></p></li>
<li><p><a class="reference internal" href="#firewall-software" id="id5">Firewall software</a></p>
<ul>
<li><p><a class="reference internal" href="#iptables" id="id6">iptables</a></p></li>
<li><p><a class="reference internal" href="#ipset" id="id7">ipset</a></p></li>
<li><p><a class="reference internal" href="#firewalld" id="id8">firewalld</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#troubleshooting" id="id9">Troubleshooting</a></p></li>
</ul>
</nav>
<section id="default-ruleset">
<h2><a class="toc-backref" href="#id4" role="doc-backlink">Default ruleset</a><a class="headerlink" href="#default-ruleset" title="Link to this heading"></a></h2>
<p>Clear Linux OS does not impose a firewall policy out of the box. All traffic is allowed
inbound and all traffic is allowed outbound. However, <a class="reference external" href="https://github.com/clearlinux/tallow">tallow</a> is installed
by default and may dynamically create a rule temporarily restricting access
from external hosts.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Changing firewall configuration can cause abrupt network disconnection. If
this happens on a remote host, local recovery may be required.</p>
<p>Be sure to test your firewall configuration before committing it
permanently to ensure your system will remain accessible remotely, if
required.</p>
</div>
</section>
<section id="firewall-software">
<h2><a class="toc-backref" href="#id5" role="doc-backlink">Firewall software</a><a class="headerlink" href="#firewall-software" title="Link to this heading"></a></h2>
<section id="iptables">
<h3><a class="toc-backref" href="#id6" role="doc-backlink">iptables</a><a class="headerlink" href="#iptables" title="Link to this heading"></a></h3>
<p><strong class="command">iptables</strong> is a well-known user-space administration tool for
configuring IPv4 Linux firewall rules. <strong class="command">ip6tables</strong> is the
complementary tool for configuring IPv6 Linux firewall rules.</p>
<p>Below is information on using <strong class="command">iptables</strong> on Clear Linux OS:</p>
<ol class="arabic">
<li><p>Make sure the <em>iptables</em> bundle is installed</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>sudo<span class="w"> </span>swupd<span class="w"> </span>bundle-add<span class="w"> </span>iptables
</pre></div>
</div>
</li>
<li><p>Define new iptables rules/chains for the running configuration using the
<strong class="command">iptables</strong> command. See <strong class="command">man iptables</strong> for iptables
concepts and configuration options.</p>
<p>Below is a common restrictive firewall configuration which denies all
incoming connections, unless the connection was initiated by the host.</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="c1"># Set default chain policies</span>
sudo<span class="w"> </span>iptables<span class="w"> </span>-P<span class="w"> </span>INPUT<span class="w"> </span>DROP
sudo<span class="w"> </span>iptables<span class="w"> </span>-P<span class="w"> </span>FORWARD<span class="w"> </span>DROP
sudo<span class="w"> </span>iptables<span class="w"> </span>-P<span class="w"> </span>OUTPUT<span class="w"> </span>ACCEPT
<span class="c1"># Accept on localhost loopback device</span>
sudo<span class="w"> </span>iptables<span class="w"> </span>-A<span class="w"> </span>INPUT<span class="w"> </span>-i<span class="w"> </span>lo<span class="w"> </span>-j<span class="w"> </span>ACCEPT
sudo<span class="w"> </span>iptables<span class="w"> </span>-A<span class="w"> </span>OUTPUT<span class="w"> </span>-o<span class="w"> </span>lo<span class="w"> </span>-j<span class="w"> </span>ACCEPT
<span class="c1"># Allow established sessions to receive traffic</span>
sudo<span class="w"> </span>iptables<span class="w"> </span>-A<span class="w"> </span>INPUT<span class="w"> </span>-m<span class="w"> </span>conntrack<span class="w"> </span>--ctstate<span class="w"> </span>ESTABLISHED,RELATED<span class="w"> </span>-j<span class="w"> </span>ACCEPT
</pre></div>
</div>
</li>
<li><p>Test the running firewall configuration to make sure it is behaving as
you expect.</p></li>
<li><p>Run the <em>iptables-save</em> service to make the running configuration
persistent. This will perform a one-time save of the running configuration
to <code class="file docutils literal notranslate"><span class="pre">/etc/iptables.rules</span></code>:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>sudo<span class="w"> </span>systemctl<span class="w"> </span>start<span class="w"> </span>iptables-save
</pre></div>
</div>
</li>
<li><p>Enable the <em>iptables-restore</em> service so that the iptables rules are
automatically applied at boot from the <code class="file docutils literal notranslate"><span class="pre">/etc/iptables.rules</span></code> file:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>sudo<span class="w"> </span>systemctl<span class="w"> </span><span class="nb">enable</span><span class="w"> </span>iptables-restore.service
</pre></div>
</div>
</li>
</ol>
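<p>The ruleset above drops every new inbound connection, including a new SSH session, so applying it on a remote host without a safety net is exactly the lock-out the warning at the top of this page describes. The following script is an added example and is not part of the Clear Linux documentation: it emits the same ruleset in the <code class="file docutils literal notranslate"><span class="pre">iptables-restore</span></code> file format that the <em>iptables-save</em> service writes to <code class="file docutils literal notranslate"><span class="pre">/etc/iptables.rules</span></code>, sanity-checks the file without needing root, and, when run as <code class="docutils literal notranslate"><span class="pre">apply</span></code>, loads it with a time-boxed automatic rollback to the previous rules. The scratch path in <code class="docutils literal notranslate"><span class="pre">RULES_FILE</span></code> and the 60-second rollback window are assumptions, not values from the guide.</p>

```shell
#!/bin/sh
# Added example (not from the Clear Linux documentation): build the guide's
# restrictive ruleset in iptables-restore(8) file format, check it, and apply it
# with an automatic rollback so a mistake on a remote host does not lock you out.
# Assumed values: RULES_FILE (scratch path) and ROLLBACK_SECONDS.

RULES_FILE="${RULES_FILE:-/tmp/iptables.rules.candidate}"   # assumption: review here before copying to /etc/iptables.rules
ROLLBACK_SECONDS="${ROLLBACK_SECONDS:-60}"                   # assumption: how long you have to confirm access still works

# Emit the guide's ruleset as a complete "filter" table: INPUT and FORWARD are
# dropped by policy, loopback and already-established sessions are accepted.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Structural check that needs neither root nor iptables: the file must declare
# the filter table, end it with COMMIT, and contain only table headers, chain
# policies, -A rules, COMMIT lines or comments. Returns non-zero otherwise.
validate_ruleset() {
    file="$1"
    grep -q '^\*filter$' "$file" || return 1
    grep -q '^COMMIT$' "$file" || return 1
    if grep -vE '^(\*[a-z]+|:[A-Z]+ (ACCEPT|DROP) \[[0-9]+:[0-9]+\]|-A .*|COMMIT|#.*)$' "$file" >/dev/null; then
        return 1
    fi
    return 0
}

# Load the candidate with a rollback timer. The kernel parses the whole file
# first (--test) so a syntax error never half-applies; the previous ruleset is
# restored after ROLLBACK_SECONDS unless you kill the timer from a session that
# still works. Requires root and the iptables bundle.
apply_with_rollback() {
    command -v iptables-save >/dev/null 2>&1 || { echo "iptables not installed (sudo swupd bundle-add iptables)" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    iptables-restore --test "$RULES_FILE" || return 1
    previous="$(mktemp)"
    iptables-save > "$previous"
    iptables-restore "$RULES_FILE"
    ( sleep "$ROLLBACK_SECONDS" && iptables-restore "$previous" ) &
    echo "applied $RULES_FILE; rolling back to $previous in ${ROLLBACK_SECONDS}s unless you run: kill $!"
}

case "${1:-}" in
    build) build_ruleset ;;
    apply) build_ruleset > "$RULES_FILE" && validate_ruleset "$RULES_FILE" && apply_with_rollback ;;
esac
```

<p>Run <code class="docutils literal notranslate"><span class="pre">sh</span> <span class="pre">script.sh</span> <span class="pre">build</span></code> to inspect the generated file, and <code class="docutils literal notranslate"><span class="pre">sudo</span> <span class="pre">sh</span> <span class="pre">script.sh</span> <span class="pre">apply</span></code> on the host; once a fresh remote login succeeds, kill the printed timer and only then start the <em>iptables-save</em> service to persist the rules.</p>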
</section>
<section id="ipset">
<h3><a class="toc-backref" href="#id7" role="doc-backlink">ipset</a><a class="headerlink" href="#ipset" title="Link to this heading"></a></h3>
<p><a class="reference external" href="http://ipset.netfilter.org/">ipset</a> is a framework in the Linux kernel for
storing and efficiently indexing combinations of IP addresses, networks,
(TCP/UDP) port numbers, MAC addresses, and interface names.</p>
<p>IP sets make writing network policy rules simpler and processing them against
large and/or changing sets of hosts more efficient.</p>
<p>By themselves, IP sets do not enforce network traffic rules but can be used to
extend iptables rules for matching. It is important to note that the ipset
must be defined before a netfilter rule can match against it.</p>
<ul class="simple">
<li><p>Running IP sets can be manipulated with the <strong class="command">ipset</strong> utility.</p></li>
<li><p>Custom IP sets can be stored in the <code class="file docutils literal notranslate"><span class="pre">/etc/ipset.conf</span></code> file.</p></li>
<li><p>IP sets in <code class="file docutils literal notranslate"><span class="pre">/etc/ipset.conf</span></code> can be automatically applied at boot by
enabling the <em>ipset</em> service with the command <strong class="command">sudo systemctl
enable ipset</strong>.</p></li>
</ul>
<p>See <strong class="command">man ipset</strong> to learn more about using ipsets.</p>
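<p>As an added example that is not part of the Clear Linux documentation, the script below turns a plain list of IPv4 networks into an <code class="file docutils literal notranslate"><span class="pre">/etc/ipset.conf</span></code> candidate in the <code class="docutils literal notranslate"><span class="pre">create</span></code>/<code class="docutils literal notranslate"><span class="pre">add</span></code> format that <code class="docutils literal notranslate"><span class="pre">ipset</span> <span class="pre">save</span></code> emits and <code class="docutils literal notranslate"><span class="pre">ipset</span> <span class="pre">restore</span></code> reads, rejecting malformed entries before they reach the kernel. The set name <code class="docutils literal notranslate"><span class="pre">blocklist</span></code>, the scratch output path and the three RFC 5737 documentation networks used as input are constructed for the example. It also prints the iptables rule that consumes the set, which only loads if the set already exists, which is why the <em>ipset</em> service must be enabled alongside <em>iptables-restore</em>.</p>

```shell
#!/bin/sh
# Added example (not from the Clear Linux documentation): generate an
# /etc/ipset.conf candidate from a list of IPv4 networks and show the
# iptables rule that matches against the resulting set.
# Constructed: the sample networks. Assumed: SET_NAME and OUT.

SET_NAME="${SET_NAME:-blocklist}"                 # assumption: hypothetical set name
OUT="${OUT:-/tmp/ipset.conf.candidate}"           # assumption: review here, then copy to /etc/ipset.conf

# Constructed sample input, one entry per line; "#" starts a comment.
sample_blocklist() {
    cat <<'EOF'
# RFC 5737 TEST-NET ranges, used here only as sample data
192.0.2.0/24
198.51.100.0/24
203.0.113.7
EOF
}

# Accept "a.b.c.d" or "a.b.c.d/len" with every octet 0-255 and len 0-32.
is_ipv4_net() {
    entry="$1"
    addr="${entry%%/*}"
    len="${entry#*/}"
    [ "$len" = "$entry" ] && len=32              # bare host address: treat as /32
    printf '%s' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs="$IFS"; IFS=.
    set -- $addr                                  # split into octets (function-local positional parameters)
    IFS="$oldifs"
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    printf '%s' "$len" | grep -Eq '^[0-9]{1,2}$' && [ "$len" -le 32 ]
}

# Read entries on stdin and emit the ipset save/restore format. Any malformed
# entry aborts with a non-zero status so a typo never becomes a silent hole.
build_ipset_conf() {
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$SET_NAME"
    while IFS= read -r line; do
        line="${line%%#*}"
        line="$(printf '%s' "$line" | tr -d '[:space:]')"
        [ -n "$line" ] || continue
        if ! is_ipv4_net "$line"; then
            echo "rejected entry: $line" >&2
            return 1
        fi
        printf 'add %s %s\n' "$SET_NAME" "$line"
    done
}

# The netfilter rule that uses the set. It fails to load unless the set has
# been created first, so the ipset service must start before iptables-restore.
match_rule() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$SET_NAME"
}

# Load the candidate into the running kernel (root and the ipset tool needed);
# "-!" ignores "set already exists" so the script can be re-run.
load_candidate() {
    command -v ipset >/dev/null 2>&1 || { echo "ipset not installed" >&2; return 1; }
    ipset restore -! < "$OUT"
}

case "${1:-}" in
    build) sample_blocklist | build_ipset_conf > "$OUT" && cat "$OUT" && match_rule ;;
    load)  load_candidate ;;
esac
```

<p>IPv6 entries need a separate set created with <code class="docutils literal notranslate"><span class="pre">family</span> <span class="pre">inet6</span></code> and a matching <strong class="command">ip6tables</strong> rule; the validator above deliberately rejects them rather than mixing families in one set.</p>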
</section>
<section id="firewalld">
<h3><a class="toc-backref" href="#id8" role="doc-backlink">firewalld</a><a class="headerlink" href="#firewalld" title="Link to this heading"></a></h3>
<p><a class="reference external" href="https://firewalld.org/">firewalld</a> is based on nftables, the successor to
iptables and parts of the netfilter framework. The description of firewalld
helps highlight some of the differences compared to iptables:</p>
<blockquote>
<div><p>firewalld provides a dynamically managed firewall with support for
network/firewall zones to define the trust level of network connections or
interfaces. It has support for IPv4, IPv6 firewall settings and for
ethernet bridges and has a separation of runtime and permanent
configuration options. It also supports an interface for services or
applications to add firewall rules directly.</p>
</div></blockquote>
<p>See <strong class="command">man firewalld</strong> for more information.</p>
<p>Below is information on using <strong class="command">firewalld</strong> on Clear Linux OS:</p>
<ol class="arabic">
<li><p>Install the <em>firewalld</em> bundle:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>sudo<span class="w"> </span>swupd<span class="w"> </span>bundle-add<span class="w"> </span>firewalld
</pre></div>
</div>
</li>
<li><p>Disable <em>iptables</em> and <em>ipset</em> services as they conflict with firewalld:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>sudo<span class="w"> </span>systemctl<span class="w"> </span>mask<span class="w"> </span>iptables-restore<span class="w"> </span>ipset
</pre></div>
</div>
</li>
<li><p><strong class="command">firewall-cmd</strong> can be used to configure the running or permanent
firewall configuration. See the <a class="reference external" href="https://firewalld.org/documentation/">firewalld documentation</a> to learn more about
firewalld concepts and configuration options.</p>
<p>Below is a common example to allow HTTPS traffic in public zones:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>sudo<span class="w"> </span>firewall-cmd<span class="w"> </span>--permanent<span class="w"> </span>--zone<span class="o">=</span>public<span class="w"> </span>--add-service<span class="o">=</span>https
</pre></div>
</div>
</li>
<li><p>Enable the <em>firewalld</em> service so that the firewalld daemon is
automatically started and rules applied at boot from the
<code class="file docutils literal notranslate"><span class="pre">/etc/firewalld/*</span></code> files:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>sudo<span class="w"> </span>systemctl<span class="w"> </span><span class="nb">enable</span><span class="w"> </span>--now<span class="w"> </span>firewalld.service
</pre></div>
</div>
</li>
<li><p>Verify that firewalld is running:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>sudo<span class="w"> </span>firewall-cmd<span class="w"> </span>--state
</pre></div>
</div>
</li>
</ol>
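<p>The <code class="docutils literal notranslate"><span class="pre">--permanent</span></code> rule in step 3 only works in the sequence above because step 4 starts the daemon afterwards, which loads the permanent configuration; on an already running firewalld a <code class="docutils literal notranslate"><span class="pre">--permanent</span></code> change stays inactive until <code class="docutils literal notranslate"><span class="pre">firewall-cmd</span> <span class="pre">--reload</span></code>, and a change made without <code class="docutils literal notranslate"><span class="pre">--permanent</span></code> is lost at the next reload. The script below is an added example, not part of the Clear Linux documentation or the firewalld project: it defines a custom firewalld service for an application, stages and checks the XML, and then opens it in the public zone the way the guide opens <code class="docutils literal notranslate"><span class="pre">https</span></code>, with the reload steps in the right order. The service name <code class="docutils literal notranslate"><span class="pre">example-app</span></code>, its port 8443/tcp and the staging directory are constructed for the example.</p>

```shell
#!/bin/sh
# Added example (not from the Clear Linux documentation): define a custom
# firewalld service and open it in a zone, respecting firewalld's split
# between runtime and permanent configuration.
# Assumed/constructed: SERVICE, PORT and STAGE_DIR.

SERVICE="${SERVICE:-example-app}"                 # assumption: hypothetical service name
PORT="${PORT:-8443}"                              # assumption: constructed port
ZONE="${ZONE:-public}"
STAGE_DIR="${STAGE_DIR:-/tmp/firewalld-stage}"    # assumption: scratch directory

# Service definition in the same XML shape as the files under
# /usr/lib/firewalld/services; site-local copies go to /etc/firewalld/services.
service_xml() {
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>${SERVICE}</short>
  <description>Constructed example service listening on ${PORT}/tcp.</description>
  <port protocol="tcp" port="${PORT}"/>
</service>
EOF
}

# Write the definition to STAGE_DIR/<name>.xml and print the path.
stage_service() {
    mkdir -p "$STAGE_DIR"
    path="$STAGE_DIR/$SERVICE.xml"
    service_xml > "$path"
    printf '%s\n' "$path"
}

# Structural check that does not need firewalld: one <service> element, a
# <short> name equal to the file name, and at least one <port> entry.
check_service_xml() {
    f="$1"
    [ "$(grep -c '<service>' "$f")" -eq 1 ] || return 1
    grep -q "<short>$(basename "$f" .xml)</short>" "$f" || return 1
    grep -Eq '<port protocol="(tcp|udp)" port="[0-9]+(-[0-9]+)?"/>' "$f"
}

# Install and activate. Each --permanent change is inert until --reload; the
# final --list-services shows the runtime state that is actually enforced.
install_service() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewalld not installed (sudo swupd bundle-add firewalld)" >&2; return 1; }
    f="$(stage_service)"
    check_service_xml "$f" || return 1
    sudo install -m 0644 "$f" "/etc/firewalld/services/$SERVICE.xml" || return 1
    sudo firewall-cmd --check-config || return 1                      # validate the permanent config
    sudo firewall-cmd --reload || return 1                            # make the new service definition known
    sudo firewall-cmd --permanent --zone="$ZONE" --add-service="$SERVICE" || return 1
    sudo firewall-cmd --reload || return 1                            # activate the permanent change
    sudo firewall-cmd --zone="$ZONE" --list-services
}

case "${1:-}" in
    xml) service_xml ;;
    install) install_service ;;
esac
```

<p>If you instead experiment with runtime changes (no <code class="docutils literal notranslate"><span class="pre">--permanent</span></code>) until the host behaves, <code class="docutils literal notranslate"><span class="pre">firewall-cmd</span> <span class="pre">--runtime-to-permanent</span></code> copies the verified runtime state into the permanent configuration, which is the firewalld equivalent of the test-then-save flow in the iptables section.</p>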
</section>
</section>
<section id="troubleshooting">
<h2><a class="toc-backref" href="#id9" role="doc-backlink">Troubleshooting</a><a class="headerlink" href="#troubleshooting" title="Link to this heading"></a></h2>
<p>When troubleshooting connectivity issues that may be related to firewall
rules, work through the following checks:</p>
<ul class="simple">
<li><p>Consider restrictions at the physical network level.</p></li>
<li><p>For inbound connections, make sure your application is listening on the
network port you're expecting with <strong class="command">lsof</strong> or <strong class="command">netstat</strong>.</p></li>
<li><p>For outbound connections, make sure the destination host is responding to
the network port you're expecting with <strong class="command">nc</strong>. If the connection is
refused, then there may be a problem with the destination server.</p></li>
<li><p>If you're using firewalld, check the daemon status with the command:
<strong class="command">systemctl status firewalld</strong>.</p></li>
</ul>
</section>
</section>
<div class="clearer"></div>
</div>
</div>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="Main">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="../../index.html">
<img class="logo" src="../../_static/clearlinux.png" alt="Logo of Clear Linux* Project Docs"/>
</a></p>
<div>
<h3><a href="../../index.html">Table of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">Firewall</a><ul>
<li><a class="reference internal" href="#default-ruleset">Default ruleset</a></li>
<li><a class="reference internal" href="#firewall-software">Firewall software</a><ul>
<li><a class="reference internal" href="#iptables">iptables</a></li>
<li><a class="reference internal" href="#ipset">ipset</a></li>
<li><a class="reference internal" href="#firewalld">firewalld</a></li>
</ul>
</li>
<li><a class="reference internal" href="#troubleshooting">Troubleshooting</a></li>
</ul>
</li>
</ul>
</div>
<div>
<h4>Previous topic</h4>
<p class="topless"><a href="dpdk.html"
title="previous chapter">Use DPDK to send packets between platforms</a></p>
</div>
<div>
<h4>Next topic</h4>
<p class="topless"><a href="network-bonding.html"
title="next chapter">Combine multiple interfaces with network bonding</a></p>
</div>
<div role="note" aria-label="source link">
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="../../_sources/guides/network/firewall.rst.txt"
rel="nofollow">Show Source</a></li>
</ul>
</div>
<search id="searchbox" style="display: none" role="search">
<h3 id="searchlabel">Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="../../search.html" method="get">
<input type="text" name="q" aria-labelledby="searchlabel" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false"/>
<input type="submit" value="Go" />
</form>
</div>
</search>
<script>document.getElementById('searchbox').style.display = "block"</script>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="Related">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../../genindex.html" title="General Index"
>index</a></li>
<li class="right" >
<a href="network-bonding.html" title="Combine multiple interfaces with network bonding"
>next</a> |</li>
<li class="right" >
<a href="dpdk.html" title="Use DPDK to send packets between platforms"
>previous</a> |</li>
<li class="nav-item nav-item-0"><a href="../../index.html">Documentation for Clear Linux* project</a> &#187;</li>
<li class="nav-item nav-item-1"><a href="../index.html" >Guides</a> &#187;</li>
<li class="nav-item nav-item-this"><a href="">Firewall</a></li>
</ul>
</div>
<div class="footer" role="contentinfo">
&#169; Copyright 2022 Intel Corporation. All Rights Reserved.
Last updated on Nov 04, 2024.
Created using <a href="https://www.sphinx-doc.org/">Sphinx</a> 8.1.3.
</div>
</body>
</html>