Chapter 3 – Networking and Firewalls

  • Find our network configuration
  • Examples of using IP suite
  • Adding and configuring network interfaces
  • DNS on Linux
  • Configuring NTP 
  • Listing firewall rules
  • Adding firewall rules
  • See running services and ports
  • Debugging with iftop

Introduction:

  • Firewall administration was handled by iptables.
  • firewall-cmd (CentOS) and ufw (Ubuntu) are installed by default.
  • iptables handles IPv4
  • ip6tables handles IPv6
  • ebtables handles Ethernet frames
  • arptables handles ARP

Install net-tools:

$ yum install net-tools

Show IP address:

# ip address show dev ens33
# ifconfig

Show gateway IP address:

# ip route
  • default is the route traffic uses when leaving your box.
  • default via 192.168.100.1 means traffic leaves through the gateway 192.168.100.1

To find our default route out:

# route
  • ip is more than just one command; it's a suite of tools

Checking connectivity:

  • Ping the gateway first
  • If it says Destination Host Unreachable, something is wrong

Check the status of interface:

$ ip address show dev ens33

UP is shown if the interface is physically up (physical state).

LOWER_UP is shown if a cable is physically connected and the link is up (physical state).

state UP tells whether the interface is administratively up (logical state).


Checking what route our box will take:

  • Maybe your machine is trying to talk out of the wrong interface, thus failing to connect.
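Added example (not from the original notes): to see which gateway and interface the kernel would actually pick for a destination, ask it with `ip route get <address>` and read the "via", "dev" and "src" fields. The function names and the two sample outputs below are constructed for this example; `parse_route_get` works on text so it can be tried offline, and `route_to` runs the live query.

```shell
#!/bin/sh
# Added example (not from the original notes): find which gateway and interface
# the kernel would use to reach a destination, by parsing `ip route get`.
# The function names and the sample outputs below are constructed.

# parse_route_get TEXT: read one `ip route get` result and print
# "gateway interface source". A directly connected destination has no "via",
# so the gateway is printed as "-".
parse_route_get() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        gw = "-"; dev = "-"; src = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "via") gw  = $(i + 1)
            if ($i == "dev") dev = $(i + 1)
            if ($i == "src") src = $(i + 1)
        }
        print gw, dev, src
    }'
}

# route_to DESTINATION: live wrapper, needs the iproute2 `ip` tool.
route_to() {
    parse_route_get "$(ip route get "$1" 2>/dev/null)"
}

# Constructed samples in the format `ip route get` prints: one destination
# behind the default gateway, one on the directly connected network.
SAMPLE_REMOTE='8.8.8.8 via 192.168.100.1 dev ens33 src 192.168.100.10 uid 0
    cache'
SAMPLE_LOCAL='192.168.100.102 dev ens33 src 192.168.100.10 uid 0
    cache'

if [ "${1:-}" = "--demo" ]; then
    echo "remote: $(parse_route_get "$SAMPLE_REMOTE")"   # 192.168.100.1 ens33 192.168.100.10
    echo "local:  $(parse_route_get "$SAMPLE_LOCAL")"    # - ens33 192.168.100.10
    echo "live:   $(route_to 8.8.8.8)"
fi
```

If the interface printed is not the one you expected, the routing table (not the firewall) is the first place to look: a stale static route or a second default route will send traffic out of the wrong interface.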

Add secondary IP address to an interface:

# ip address add 192.168.100.200/24 dev ens33
  • Upon a reboot, this change will be lost.

Removing secondary IP address from an interface:

# ip address del 192.168.100.200/24 dev eth1

Shutting down and bringing up an interface administratively:

# ip link set eth1 down
# ip link set eth1 up

Adding a new route to our routing table:

# ip route add 192.168.100.0/24 via 192.168.100.181 dev ens33
  • 192.168.100.181 is centos2’s IP address

The command says: add a route so that traffic for any address on the 192.168.100.0/24 network is sent out via ens33 to the gateway 192.168.100.181 (centos2's IP address).


Configuring a new interface:

  1. Edit the interface's configuration file:

# nano /etc/sysconfig/network-scripts/ifcfg-intname

  2. Add the following:

BOOTPROTO=none

  • Stands for boot-time protocol
  • Options are dhcp or bootp
  • In a DHCP environment, we want the address assigned automatically by the DHCP server. Here we are setting a static address with BOOTPROTO=none

ONBOOT=yes

  • The default behaviour of an interface is not to initialize at boot.
  • With “yes” we ensure it comes up with the system

IPADDR and NETMASK

  • Self-explanatory

DEVICE=ens33 (or whichever interface you are configuring)

  • Specifies which hardware interface our configuration will apply to.

PEERDNS=no

  • By setting “no” we ensure that our system does not modify /etc/resolv.conf when the interface comes up.

NM_CONTROLLED=no

  • IMPORTANT
  • If we do not want NetworkManager to interfere with this interface, add this!

3. Restart the interface

# ifdown ens33
# ifup ens33

4. Restart networking in general:

# systemctl restart network
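Added example (not from the original notes): the whole procedure above as one script. `write_static_ifcfg` writes an ifcfg file with the options just discussed (GATEWAY= is a standard ifcfg key not mentioned in the notes, added here so the box has a default route), `ifcfg_value` reads a setting back for checking, and `restart_interface` does the ifdown/ifup step. The function names and sample addresses are constructed; the output directory defaults to the real network-scripts path but can be overridden, which is how the file can be generated and inspected without touching a live system.

```shell
#!/bin/sh
# Added example (not from the original notes): write a static-address ifcfg
# file with the options from the notes and bring the interface up.
# Function names and the sample values are constructed.

# write_static_ifcfg DEVICE IPADDR NETMASK GATEWAY [DIR]
# Writes DIR/ifcfg-DEVICE (DIR defaults to the CentOS network-scripts
# directory) and prints the path of the file it wrote.
write_static_ifcfg() {
    dev=$1; addr=$2; mask=$3; gw=$4
    dir=${5:-/etc/sysconfig/network-scripts}
    file="$dir/ifcfg-$dev"
    # Static configuration: no DHCP/BOOTP, start at boot, keep NetworkManager
    # off this interface and keep the DHCP client out of /etc/resolv.conf.
    cat > "$file" <<EOF
DEVICE=$dev
BOOTPROTO=none
ONBOOT=yes
IPADDR=$addr
NETMASK=$mask
GATEWAY=$gw
PEERDNS=no
NM_CONTROLLED=no
EOF
    chmod 0644 "$file"
    printf '%s\n' "$file"
}

# ifcfg_value FILE KEY: read one KEY=value setting back out of an ifcfg file
# (the last occurrence wins, which is also how the network scripts read it).
ifcfg_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# restart_interface DEVICE: apply the file the way the notes do.
restart_interface() {
    ifdown "$1" && ifup "$1"
}

if [ "${1:-}" = "--apply" ]; then
    # Constructed sample values for the CentOS box in the notes.
    f=$(write_static_ifcfg ens33 192.168.100.10 255.255.255.0 192.168.100.1)
    echo "wrote $f"
    restart_interface ens33
fi
```

Run it with `--apply` as root to write the real file and restart ens33; without arguments it only defines the functions, so `write_static_ifcfg ens33 ... /tmp` can be used to preview the file first.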

Which interfaces are managed by NetworkManager:


DNS

Modern domain name resolution on Linux:

  • Look at software installed on CentOS for domain name resolution
  • Look at /etc/resolv.conf
  • Domain name resolution methods (such as network manager)
  • Test connection to our DNS server
  • Run DNS queries to see if it works

Checking if DNS works:

# ping google.com
  • Success: it resolved the domain name to an IP address and the host is reachable

Install dig:

# yum install -y bind-utils

Query DNS with dig:

ANSWER SECTION:

  • We can reach google.com at 172.217.20.14
  • It resolved the domain name to an IP address

SERVER: 8.8.8.8#53(8.8.8.8)

  • The last section shows the IP that CentOS uses for domain name resolution.

Checking the domain resolution settings:

  • The resolv.conf file is managed by NetworkManager
  • On other distros, it is managed by systemd-resolved

search is the search list for hostname lookup

hostname centos1.example.com – search would be example

nameserver is the IP address of the DNS server


List the DNS server it knows about:

# nmcli -f ipv4.dns,ipv4.ignore-auto-dns connection show ens33

The ipv4.dns value in the results is set to 8.8.8.8

ipv4.ignore-auto-dns is set to yes, meaning: ignore the DNS servers handed out by the DHCP server.


Changing the domain resolution settings:

  • We are setting our own DNS server value (1.1.1.1)
  • Setting ipv4.ignore-auto-dns from no to yes

# nmcli connection modify ens33 ipv4.dns "1.1.1.1" ipv4.ignore-auto-dns "yes"

Reload the interface:

# nmcli connection up ens33

Look at resolv.conf to confirm:

# cat /etc/resolv.conf

Stop Network Manager from controlling your DNS:

# nano /etc/NetworkManager/NetworkManager.conf

Set dns=none under main section of NetworkManager.conf file.

Restart Network Manager:

# systemctl restart NetworkManager

DNS is usually done in pairs; it is a good idea to have a backup DNS server.


NTP

Configuring NTP and the problems we face:

  • NTP runs on port 123
  • It is the protocol used to keep computers' clocks in sync.
  • An unconfigured clock causes a host a lot of problems

Centos1 – client

Centos2 – server

Two components:

  • chronyc (command-line tool)
  • chronyd (daemon, can act as a client or server)

Checking if NTP is running:

# date
# systemctl status chronyd

Check if NTP traffic is flowing:

  • Check the port with tcpdump
# tcpdump port 123 -i ens33
# chronyc sources
# chronyc tracking

Enabling NTP client:

  • When the system is not using chronyd
  • The date is not in sync

Configuration file for chronyd: /etc/chrony.conf


Enabling an NTP server:

centos2# nano /etc/chrony.conf

  (add) allow 192.168.100.0/24

  • Allow clients from this network

centos2# systemctl restart chronyd

centos1# nano /etc/chrony.conf

  • Comment out the existing server lines
  (add) server 192.168.100.102 iburst
  (add) allow 192.168.100.102
  • iburst makes the first few requests faster (for faster syncing)

centos1# systemctl restart chronyd
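Added example (not from the original notes): `chronyc tracking` tells you whether the clock is really synced, which matters because log timestamps and certificate validity checks depend on it. The function below parses that output and fails when the leap status is not Normal or the system-time offset is larger than a threshold. The function names, the 0.5 second default threshold and the two sample outputs (a synced client of centos2, and a host that has never synced) are constructed for this example; `ntp_check` runs it against the live daemon.

```shell
#!/bin/sh
# Added example (not from the original notes): decide whether a host is
# time-synced by parsing `chronyc tracking`. Function names, threshold and
# sample outputs are constructed.

# ntp_in_sync TEXT [MAX_OFFSET_SECONDS]
# Returns 0 when "Leap status" is Normal and the "System time" offset is at
# most MAX_OFFSET_SECONDS (default 0.5); otherwise prints why and returns 1.
ntp_in_sync() {
    text=$1; limit=${2:-0.5}
    leap=$(printf '%s\n' "$text" | sed -n 's/^Leap status *: *//p')
    # "System time : 0.000123 seconds slow of NTP time" -> first word after the colon
    offset=$(printf '%s\n' "$text" | awk -F':' '/^System time/ { split($2, f, " "); print f[1] }')
    if [ "$leap" != "Normal" ]; then
        echo "not synced: leap status is '${leap:-missing}'"
        return 1
    fi
    if [ -z "$offset" ] || awk -v o="$offset" -v l="$limit" 'BEGIN { if (o > l) exit 0; exit 1 }'; then
        echo "not synced: offset ${offset:-unknown}s exceeds ${limit}s"
        return 1
    fi
    echo "synced: offset ${offset}s, leap status Normal"
    return 0
}

# ntp_check [MAX_OFFSET_SECONDS]: live wrapper around chronyc.
ntp_check() {
    ntp_in_sync "$(chronyc tracking)" "${1:-}"
}

# Constructed sample: centos1 synced to centos2 (C0A86466 is 192.168.100.102 in hex).
SAMPLE_GOOD='Reference ID    : C0A86466 (centos2.example.com)
Stratum         : 3
Ref time (UTC)  : Mon Jan 10 12:00:00 2022
System time     : 0.000123456 seconds slow of NTP time
Last offset     : -0.000001234 seconds
RMS offset      : 0.000012345 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.100 ppm
Root delay      : 0.020000000 seconds
Root dispersion : 0.001000000 seconds
Update interval : 64.5 seconds
Leap status     : Normal'

# Constructed sample: chronyd running but no source reachable yet.
SAMPLE_BAD='Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 2.500000000 seconds fast of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 0.000 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised'

if [ "${1:-}" = "--demo" ]; then
    ntp_in_sync "$SAMPLE_GOOD"
    ntp_in_sync "$SAMPLE_BAD" || true
    echo "--- this host ---"
    ntp_check
fi
```

A "Not synchronised" leap status right after restarting chronyd is normal for a few seconds; if it persists, check with `chronyc sources` that the server line in /etc/chrony.conf points at centos2 and that port 123 is open on it.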

Listing firewall rules on the command line

  • firewall-cmd and ufw are used to list firewall rules
  • iptables is used here too
  • In CentOS 7, firewall-cmd is the common way to interact with the firewall
  • In Ubuntu, ufw is the common way to interact with the firewall
  • iptables should work across distributions.

FIREWALL-CMD

  • Firewalld introduces the concept of zones
  • Zones are assigned to specific interfaces
  • Each zone has specific rules configured to it
  • When we list rules on the command line, we actually query what the kernel knows about the security rules for that machine

Enabling firewall:

# systemctl enable --now firewalld

Check if firewall is running:

# firewall-cmd --state

Check for installed packages:

# rpm -qa | grep firewalld

Find config files:

# rpm -qc firewalld

Check available zones:

# firewall-cmd --get-zones

Check zone currently in use:

# firewall-cmd --get-active-zones

Check current zone:

# firewall-cmd --list-all 

Check default zone:

# firewall-cmd --get-default-zone

Set default zone:

# firewall-cmd --set-default-zone=internal
  • internal here can be any other zone

Add port:

# firewall-cmd --add-port=3306/tcp

Add permanent port:

# firewall-cmd --permanent --zone=public --add-port=5000/tcp
  • Port is written to the saved configuration and becomes active after a firewalld reload or restart
# firewall-cmd --zone=public --add-port=5000/tcp
  • Port is added for this session only (runtime)

Add multiple ports:

# firewall-cmd --add-port={3306/tcp,6000/tcp,3000/tcp}

Add range of ports:

# firewall-cmd --add-port=5000-5010/tcp

Remove port:

# firewall-cmd --remove-port=3306/tcp
  • Port 3306 is now closed in the firewall

Add service:

# firewall-cmd --add-service=mysql
  • MySQL is now open in firewall, under services.

Add multiple services:

# firewall-cmd --add-service={mysql,http,https,ldap}

Remove service:

# firewall-cmd --remove-service=mysql

Remove multiple services:

# firewall-cmd --remove-service={mysql,http,ldap}

# firewall-cmd --reload
  • It will discard all the runtime changes and go back to the saved configuration, because we did not save the changes to the configuration files.
  • If we want to add a service/port permanently, use the --permanent option when adding the service/port. Then we must RELOAD the firewall using firewall-cmd --reload

Port forwarding in firewalld:

# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80
  • Forward traffic arriving on port 8080 to port 80
  • To test it, run a web server locally and check that it is listening on port 80:
# yum install httpd
# systemctl start httpd
# netstat -ntlp

Add port forwarding

# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80

Add port forwarding to another host:

# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=192.168.100.102

Remove port forwarding:

# firewall-cmd --remove-forward-port=port=8080:proto=tcp:toport=80

Firewall-cmd Rich Rules:

Allow all traffic from centos2:

# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.100.102" accept'
  • Accept all traffic from 192.168.100.102

Deny all traffic from centos3:

# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.100.103" drop'
  • Denies all traffic from centos3
  • centos3 can't even ping centos1
# firewall-cmd --list-all
# firewall-cmd --list-rich-rules
  • Rich rules are shown at the bottom of the --list-all output

Add custom service:

# cp /usr/lib/firewalld/services/mysql.xml /etc/firewalld/services/myapp.xml
# nano /etc/firewalld/services/myapp.xml
  • Change the short name, description, and port options to your custom values.
# firewall-cmd --reload
# firewall-cmd --get-services
# firewall-cmd --get-services | grep --color myapp
  • Shows that the service is added
# firewall-cmd --add-service=myapp
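Added example (not from the original notes): instead of hand-editing a copy of mysql.xml, generate the service file, then enable it the permanent way (the --permanent plus --reload sequence from the port section above, which the runtime-only `--add-service` skips). `service_ports` reads the ports back for checking. The function names and the "myapp" sample are constructed; the XML layout is the one used by the files in /usr/lib/firewalld/services/. FIREWALL_CMD can be pointed at a stand-in command so the enable step can be rehearsed on a machine without firewalld.

```shell
#!/bin/sh
# Added example (not from the original notes): generate a custom firewalld
# service definition and enable it permanently. Function names and the
# "myapp" sample are constructed.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# xml_escape TEXT: escape the characters that would break XML text nodes.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# write_firewalld_service NAME SHORT DESCRIPTION DIR PORT/PROTO...
# Writes DIR/NAME.xml (use DIR=/etc/firewalld/services on a real system,
# which is where firewalld looks for local definitions) and prints the path.
write_firewalld_service() {
    name=$1; short=$2; desc=$3; dir=$4; shift 4
    # Validate every port spec before touching the file system.
    for spec in "$@"; do
        case "${spec#*/}" in
            tcp|udp|sctp|dccp) ;;
            *) echo "bad port spec: $spec (want PORT/tcp or PORT/udp)" >&2; return 1 ;;
        esac
    done
    file="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file"
    chmod 0644 "$file"
    printf '%s\n' "$file"
}

# service_ports FILE: read the PORT/PROTO entries back out of a service file.
service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\2\/\1/p' "$1"
}

# enable_service NAME ZONE: reload so firewalld reads the new file, add the
# service to the saved configuration of ZONE, reload so it is active now,
# then verify that the runtime configuration really has it.
enable_service() {
    "$FIREWALL_CMD" --reload &&
    "$FIREWALL_CMD" --permanent --zone="$2" --add-service="$1" &&
    "$FIREWALL_CMD" --reload &&
    "$FIREWALL_CMD" --zone="$2" --query-service="$1"
}

if [ "${1:-}" = "--apply" ]; then
    f=$(write_firewalld_service myapp "My App" "Constructed example service" \
            /etc/firewalld/services 5000/tcp 5001/udp)
    echo "wrote $f"
    enable_service myapp public
fi
```

Because the service is added with --permanent and then reloaded, it survives the next `firewall-cmd --reload` and the next reboot, unlike the runtime `--add-service=myapp` on its own.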

Firewall Panic Mode:

# firewall-cmd --query-panic
  • Check if panic mode is on
# firewall-cmd --panic-on
  • Drops all connections. Used in case of a hack!

ss:

  • ss stands for socket statistics
  • The older program, netstat, might also be installed

# ss -tua
  • To check for TCP and UDP sockets (IP + Port number)
# ss -tua state established
  • Show only established connections
# ss -tl
  • Show sockets that are listening for TCP connections
# ss -ul
  • Show sockets that are listening for UDP connections

lsof:

# lsof -i :22
  • Which process is using port 22
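Added example (not from the original notes): the listeners that matter for the firewall are the ones bound to every address (0.0.0.0, [::] or *), because those are reachable from the network; a service bound to 127.0.0.1 is not. The function below pulls those out of `ss -tlnp` output (-n keeps ports numeric, -p needs root to show the owning process). Function names and the sample `ss` output are constructed for this example; `live_exposed_listeners` runs it against the current host.

```shell
#!/bin/sh
# Added example (not from the original notes): list listening TCP sockets
# bound to all addresses from `ss -tlnp` output. Function names and the
# sample output are constructed.

# exposed_listeners TEXT: print "port process" for each wildcard-bound
# listener, sorted by port, one line per port.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]            # field 4 is Local Address:Port
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
                proc = "-"                                # "-" when ss could not see the owner
                if (match($6, /"[^"]+"/)) proc = substr($6, RSTART + 1, RLENGTH - 2)
                print port, proc
            }
        }' | sort -n | uniq
}

# live_exposed_listeners: run against this host (root shows process names).
live_exposed_listeners() {
    exposed_listeners "$(ss -tlnp)"
}

# Constructed sample in the format `ss -tlnp` prints: sshd on all addresses
# (IPv4 and IPv6), mysqld on *, postfix and redis on loopback only.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=1042,fd=3))
LISTEN  0       128     127.0.0.1:25         0.0.0.0:*          users:(("master",pid=1300,fd=13))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=1042,fd=4))
LISTEN  0       80      *:3306               *:*                users:(("mysqld",pid=2201,fd=21))
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=2450,fd=6))'

if [ "${1:-}" = "--demo" ]; then
    exposed_listeners "$SAMPLE_SS"     # 22 sshd / 3306 mysqld
    echo "--- this host ---"
    live_exposed_listeners
fi
```

Compare the result with `firewall-cmd --list-all`: every port in this list is either meant to be reachable and covered by a service or port rule, or it should be bound to 127.0.0.1 instead.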

iftop:

  • iftop is a member of the top family of tools (atop, iotop, htop…)
  • iftop is made for network traffic statistics and debugging
  • iftop listens to the traffic on the interface we specify
  • It then prints bandwidth usage per host, giving a visual representation of the network activity on that machine
# yum install -y epel-release
# yum install -y iftop
# iftop -i ens33
