- Find our network configuration
- Examples of using IP suite
- Adding and configuring network interfaces
- DNS on Linux
- Configuring NTP
- Listing firewall rules
- Adding firewall rules
- See running services and ports
- Debugging with iftop
Introduction:
- Firewall administration was traditionally handled by iptables.
- firewall-cmd (CentOS) and ufw (Ubuntu) are installed by default.
- iptables are used for IPv4
- ip6tables are used for IPv6
- ebtables are used for Ethernet frames
- arptables are used for ARP
Install net-tools:
$ yum install net-tools
Show IP address:
# ip address show dev ens33
# ifconfig
Show gateway IP address:
# ip route
- default is the route traffic uses when leaving your box.
- default via 192.168.100.1 means traffic goes out through the gateway 192.168.100.1
To find our default route out:
# route
- ip is more than just one command, it's a suite of tools
Checking connectivity:
- Ping the gateway first
- If it says Destination Host Unreachable, there is something wrong
Check the status of interface:
$ ip address show dev ens33
- UP is shown if the interface is physically up (physical state)
- LOWER_UP is shown if a cable is physically connected and up (physical state)
- state UP tells if the interface is administratively up (logical state)
Checking what route our box will take:
- Maybe your machine is trying to talk out of the wrong interface, thus failing to connect.
Add secondary IP address to an interface:
# ip address add 192.168.100.200/24 dev ens33
- Upon a reboot, this change will be lost.
Removing secondary IP address from an interface:
# ip address del 192.168.100.200/24 dev eth1
Shutting down and bringing up an interface administratively:
# ip link set eth1 down
# ip link set eth1 up
Adding a new route to our routing table:
# ip route add 192.168.100.0/24 via 192.168.100.181 dev ens33
- 192.168.100.181 is centos2's IP address
The command basically says: add a route to any address on the 192.168.100.0/24 network, and send that traffic out via ens33 through the gateway 192.168.100.181 (centos2's IP address).
Configuring a new interface:
# nano /etc/sysconfig/network-scripts/ifcfg-intname
- Add the following:
BOOTPROTO=none
- Stands for boot-time protocol
- Other options are dhcp or bootp
- In a DHCP environment we want the address assigned automatically by the DHCP server. Here we are setting a static address, so BOOTPROTO=none
ONBOOT=yes
- The default behaviour of an interface is to not initialize at boot.
- With “yes” we ensure it gets up with the system
IPADDR and NETMASK
- Self explanatory
DEVICE=ens33 or whatever
- Specifies which hardware interface our configuration will apply to.
PEERDNS=no
- By setting "no" we ensure that our system does not modify /etc/resolv.conf when the interface comes up.
NM_CONTROLLED=no
- IMPORTANT
- If we do not want network manager to interfere, add this!
Restart the interface:
# ifdown ens33
# ifup ens33
Restart networking in general:
# systemctl restart network
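An added example (not from these notes): a small shell helper that validates the addresses and prints a complete ifcfg file with exactly the settings above, so the output can be redirected into /etc/sysconfig/network-scripts/ifcfg-ens33 instead of typing the file by hand. The helper names (valid_ipv4, gen_ifcfg) and the sample address 192.168.100.50 / gateway 192.168.100.1 are assumptions, not values from the notes.

```shell
#!/bin/sh
# Added example, not from the original notes. Generates an ifcfg file for a
# static address using the settings discussed above. Assumed helper names:
# valid_ipv4, gen_ifcfg. Sample values (ens33, 192.168.100.50) are constructed.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print an ifcfg-<device> body: static address (BOOTPROTO=none), up at boot,
# no DHCP-driven resolv.conf changes (PEERDNS=no), no NetworkManager control.
# Usage: gen_ifcfg DEVICE IPADDR NETMASK [GATEWAY]
gen_ifcfg() {
    dev=$1; ip=$2; mask=$3; gw=$4
    valid_ipv4 "$ip"   || { echo "bad IPADDR: $ip" >&2; return 1; }
    valid_ipv4 "$mask" || { echo "bad NETMASK: $mask" >&2; return 1; }
    if [ -n "$gw" ]; then
        valid_ipv4 "$gw" || { echo "bad GATEWAY: $gw" >&2; return 1; }
    fi
    printf 'DEVICE=%s\nBOOTPROTO=none\nONBOOT=yes\nIPADDR=%s\nNETMASK=%s\n' \
        "$dev" "$ip" "$mask"
    if [ -n "$gw" ]; then
        printf 'GATEWAY=%s\n' "$gw"
    fi
    printf 'PEERDNS=no\nNM_CONTROLLED=no\n'
}

# Stand-alone run: print what would be written to ifcfg-ens33.
# On a real host: gen_ifcfg ... > /etc/sysconfig/network-scripts/ifcfg-ens33
gen_ifcfg ens33 192.168.100.50 255.255.255.0 192.168.100.1
```

The validation matters because a typo such as a 300 in an octet is silently accepted by the ifcfg parser and only shows up as an interface that never comes up; failing early keeps the bad file from ever reaching /etc/sysconfig/network-scripts.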
Which interfaces are managed by network manager:
DNS
Modern domain name resolution on Linux:
- Look at software installed on CentOS for domain name resolution
- Look at /etc/resolv.conf
- Domain name resolution methods (such as network manager)
- Test connection to our DNS server
- Run DNS queries to see if it works
Checking if DNS works:
# ping google.com
- Success: the domain name was resolved to an IP address, so DNS works
Install dig:
# yum install -y bind-utils
Query DNS with dig:
# dig google.com
ANSWER SECTION:
- We can reach google at 172.217.20.14
- It resolved domain name to IP address
SERVER: 8.8.8.8#53(8.8.8.8)
- The SERVER line at the end shows which DNS server CentOS used for the lookup.
Checking the domain resolution settings:
- /etc/resolv.conf is managed by NetworkManager
- On other distros it is managed by systemd-resolved
search is the search list for hostname lookup
- for the hostname centos1.example.com the search entry would be example
nameserver is the DNS server to query
List the DNS server it knows about:
# nmcli -f ipv4.dns,ipv4.ignore-auto-dns connection show ens33
- ipv4.dns in the results is set to 8.8.8.8
- ipv4.ignore-auto-dns is set to yes, meaning the DNS servers offered by the DHCP server are ignored.
Changing the domain resolution settings:
- We are setting our own DNS server value (1.1.1.1)
- Setting the ipv4.ignore-auto-dns from no to yes
# nmcli connection modify ens33 ipv4.dns "1.1.1.1" ipv4.ignore-auto-dns "yes"
Reload the interface:
# nmcli connection up ens33
Look at resolv.conf to confirm:
# cat /etc/resolv.conf
Stop Network Manager from controlling your DNS:
# nano /etc/NetworkManager/NetworkManager.conf
- Set dns=none under the [main] section of NetworkManager.conf.
Restart Network Manager:
# systemctl restart NetworkManager
DNS servers are usually configured in pairs; it is a good idea to have a backup DNS server.
NTP
Configuring NTP and the problems we face:
- NTP runs on port 123
- It is the protocol used to keep computer clocks in sync.
- A host whose time is not configured runs into a lot of problems
Centos1 – client
Centos2 – server
Two components:
- chronyc (command-line tool)
- chronyd (daemon, can act as a client or server)
Checking if NTP is running:
# date
# systemctl status chronyd
Check if NTP traffic is flowing:
- Check the port with tcpdump
# tcpdump port 123 -i ens33
# chronyc sources
# chronyc tracking
Enabling NTP client:
- Needed when the system is not using chronyd
- and the date is not in sync
Configuration file for chronyd: /etc/chrony.conf
Enabling an NTP server:
centos2# nano /etc/chrony.conf
- Add the line:
allow 192.168.100.0/24
- Allows clients from this network
# systemctl restart chronyd
centos1# nano /etc/chrony.conf
- Comment out the existing server lines and add:
server 192.168.100.102 iburst
allow 192.168.100.102
- iburst makes the first few requests faster (for faster syncing)
# systemctl restart chronyd
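An added example (not from these notes): after the restart, chronyc tracking is the quickest way to tell whether centos1 actually trusts centos2's time. The helper below reads that output and answers yes or no, which is what you want in a health-check script rather than eyeballing the lines. The function name ntp_healthy, the threshold argument, and both sample outputs are constructed assumptions; they follow the real chronyc tracking layout but the values are made up.

```shell
#!/bin/sh
# Added example, not from the original notes. Decides from 'chronyc tracking'
# output whether the clock can be trusted. Samples below are constructed.

# Constructed sample: a client that is synced to centos2.
SAMPLE_OK='Reference ID    : C0A86466 (centos2)
Stratum         : 3
Ref time (UTC)  : Thu Jan 02 10:15:30 2020
System time     : 0.000234567 seconds fast of NTP time
Last offset     : +0.000012345 seconds
RMS offset      : 0.000045678 seconds
Frequency       : 1.234 ppm slow
Leap status     : Normal'

# Constructed sample: a host that never reached a server.
SAMPLE_BAD='Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised'

# ntp_healthy TRACKING_TEXT [MAX_OFFSET_SECONDS]
# Returns 0 when the leap status is Normal, the stratum is non-zero and the
# absolute system time offset is within MAX_OFFSET_SECONDS (default 0.5);
# otherwise prints the reason to stderr and returns 1.
ntp_healthy() {
    text=$1; max=${2:-0.5}
    leap=$(printf '%s\n' "$text" | awk -F': ' '/^Leap status/ {print $2}')
    stratum=$(printf '%s\n' "$text" | awk -F': ' '/^Stratum/ {print $2}')
    offset=$(printf '%s\n' "$text" | awk -F': ' '/^System time/ {print $2}' | awk '{print $1}')
    if [ "$leap" != "Normal" ]; then
        echo "leap status is '$leap'" >&2; return 1
    fi
    if [ "${stratum:-0}" -eq 0 ]; then
        echo "stratum 0: no usable time source" >&2; return 1
    fi
    # awk does the floating-point comparison the shell cannot.
    if ! awk -v o="$offset" -v m="$max" 'BEGIN { if (o+0 <= m+0) exit 0; exit 1 }'; then
        echo "offset ${offset}s exceeds ${max}s" >&2; return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample. On a live host use:
#   ntp_healthy "$(chronyc tracking)" 0.5
if ntp_healthy "$SAMPLE_OK" 0.5; then
    echo "clock OK"
fi
```

"Not synchronised" is exactly what you see on centos1 when the allow line is missing on centos2 or port 123/udp is blocked, so the check catches the two most common mistakes in the setup above.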
Listing firewall rules on the command line
- firewall-cmd and ufw are used to list firewall rules
- iptables is used here too
- On CentOS 7, firewall-cmd is the common way to interact with the firewall
- On Ubuntu, ufw is the common way to interact with the firewall
- iptables should work across distributions.
FIREWALL-CMD
- Firewalld introduces the concept of zones
- Zones are assigned to specific interfaces
- Each zone has specific rules configured to it
- When we list rules on cmd, we actually query what kernel knows about security rules for that machine
Enabling firewall:
# systemctl enable --now firewalld
Check if firewall is running:
# firewall-cmd --state
Check for installed packages:
# rpm -qa | grep firewalld
Find config files:
# rpm -qc firewalld
Check available zones:
# firewall-cmd --get-zones
Check zone currently in use:
# firewall-cmd --get-active-zones
Check current zone:
# firewall-cmd --list-all
Check default zone:
# firewall-cmd --get-default-zone
Set default zone:
# firewall-cmd --set-default-zone=internal
- or any other zone
Add port:
# firewall-cmd --add-port=3306/tcp
Add permanent port:
# firewall-cmd --permanent --zone=public --add-port=5000/tcp
- Port is saved in the permanent configuration and will be open after firewalld is reloaded or restarted
# firewall-cmd --zone=public --add-port=5000/tcp
- Port is added for this session
Add multiple ports:
# firewall-cmd --add-port={3306/tcp,6000/tcp,3000/tcp}
Add range of ports:
# firewall-cmd --add-port=5000-5010/tcp
Remove port:
# firewall-cmd --remove-port=3306/tcp
- Port 3306 is no longer open in the firewall
Add service:
# firewall-cmd --add-service=mysql
- MySQL is now open in firewall, under services.
Add multiple services:
# firewall-cmd --add-service={mysql,http,https,ldap}
Remove service:
# firewall-cmd --remove-service=mysql
Remove multiple services:
# firewall-cmd --remove-service={mysql,http,ldap}
# firewall-cmd --reload
- Reloading throws away all runtime changes and goes back to the saved defaults, because we did not save the changes in the configuration files.
- If we want to add a service/port permanently, use the --permanent option when adding it. Then we must RELOAD the firewall with firewall-cmd --reload
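An added example (not from these notes): the runtime/permanent split above is the classic way to lose an "open" port at the next reload, so it is worth checking for drift before reloading. The helper compares what firewall-cmd --list-ports / --list-services report at runtime with the --permanent versions and prints anything that exists only at runtime. The function names and the four sample lists are constructed assumptions standing in for the real command output (each of those commands prints one space-separated line).

```shell
#!/bin/sh
# Added example, not from the original notes. Finds firewalld ports and
# services that are open at runtime only and will vanish on --reload.
# The RUNTIME_*/PERMANENT_* values are constructed samples.

# Constructed samples: 5000/tcp was added with --permanent, 3306/tcp and
# 6000/tcp were not; the http and mysql services were added at runtime only.
RUNTIME_PORTS='3306/tcp 5000/tcp 6000/tcp'
PERMANENT_PORTS='5000/tcp'
RUNTIME_SERVICES='ssh dhcpv6-client http mysql'
PERMANENT_SERVICES='ssh dhcpv6-client'

# runtime_only "RUNTIME LIST" "PERMANENT LIST"
# Prints, one per line and in runtime order, the items present in the first
# list but absent from the second. Pure awk, so it works in POSIX sh.
runtime_only() {
    awk -v rt="$1" -v pm="$2" 'BEGIN {
        n = split(pm, p, " "); for (i = 1; i <= n; i++) perm[p[i]] = 1
        n = split(rt, r, " "); for (i = 1; i <= n; i++) if (!(r[i] in perm)) print r[i]
    }'
}

# report_runtime_only
# Prints one summary line per category that has drift and returns 1 if any
# runtime-only item exists, so it can gate a deployment or reload step.
report_runtime_only() {
    status=0
    for kind in ports services; do
        case $kind in
            ports)    found=$(runtime_only "$RUNTIME_PORTS" "$PERMANENT_PORTS") ;;
            services) found=$(runtime_only "$RUNTIME_SERVICES" "$PERMANENT_SERVICES") ;;
        esac
        if [ -n "$found" ]; then
            echo "runtime-only $kind (lost on reload): $(echo $found)"
            status=1
        fi
    done
    return $status
}

# Stand-alone run against the constructed samples. On a live host, set
#   RUNTIME_PORTS=$(firewall-cmd --list-ports)
#   PERMANENT_PORTS=$(firewall-cmd --permanent --list-ports)
# and the same pair with --list-services before calling report_runtime_only.
report_runtime_only || echo "fix with --permanent, then firewall-cmd --reload"
```

Run it right before a reload: an empty report means the permanent configuration already matches what is live, and a non-empty one names exactly the ports and services that still need --permanent.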
Port forwarding in firewalld:
# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80
- Forward 8080 traffic to port 80
# yum install httpd
# systemctl start httpd
# netstat -ntlp
Add port forwarding to another host:
# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=192.168.100.102
Remove port forwarding:
# firewall-cmd --remove-forward-port=port=8080:proto=tcp:toport=80
Firewall-cmd Rich Rules:
Allow all traffic from centos2:
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.100.102" accept'
- Accept all traffic from 192.168.100.102
Deny all traffic from centos3:
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.100.103" drop'
- Denies all traffic from centos3
- centos3 can't even ping centos1
# firewall-cmd --list-all
# firewall-cmd --list-rich-rules
- Rich rules are shown at the bottom
Add custom service:
# cp /usr/lib/firewalld/services/mysql.xml /etc/firewalld/services/myapp.xml
# nano /etc/firewalld/services/myapp.xml
- Change the short name, description, and port options to match your service (the file name is the service name).
# firewall-cmd --reload
# firewall-cmd --get-services
# firewall-cmd --get-services | grep yourservice --color
- Shows that service is added
# firewall-cmd --add-service=myapp
Firewall Panic Mode:
# firewall-cmd --query-panic
- Check if panic mode is on
# firewall-cmd --panic-on
- Drops all connections. Used in case of a hack!
ss:
- ss stands for socket statistics
- The older program, netstat, may also be installed
# ss -tua
- To check for TCP and UDP sockets (IP + Port number)
# ss -tua state established
- Show only established connections
# ss -tl
- Show sockets that are listening for TCP connections
# ss -ul
- Show sockets that are listening for UDP connections
lsof:
# lsof -i :22
- Which process is using port 22
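An added example (not from these notes) for the ss section above: the listening sockets that matter for the firewall are the ones bound to every interface (0.0.0.0, [::] or *), not the loopback-only ones, and ss -tlnp shows both mixed together. The helper filters the wildcard listeners out of that output and names the owning process, which is the list to compare against firewall-cmd --list-all. The function name and the sample ss output are constructed assumptions; the sample follows the column layout ss prints with -tlnp.

```shell
#!/bin/sh
# Added example, not from the original notes. Lists TCP sockets listening on
# all interfaces from 'ss -tlnp' output. SS_SAMPLE is a constructed sample.

SS_SAMPLE='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1234,fd=20))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511     *:80                 *:*                users:(("httpd",pid=2000,fd=4))
LISTEN  0       128     [::1]:25             [::]:*             users:(("master",pid=900,fd=13))'

# exposed_listeners SS_TEXT
# Prints "ADDRESS PORT PROCESS" for each LISTEN socket whose local address is
# a wildcard; loopback-only sockets (127.0.0.1, [::1]) are skipped.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")          # port is the last ":"-separated piece
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host != "0.0.0.0" && host != "[::]" && host != "*") next
            proc = "-"
            if (match($0, /\("[^"]+"/))            # first quoted name in users:(...)
                proc = substr($0, RSTART + 2, RLENGTH - 3)
            print host, port, proc
        }'
}

# Stand-alone run against the constructed sample. On a live host use:
#   exposed_listeners "$(ss -tlnp)"
exposed_listeners "$SS_SAMPLE"
```

Anything this prints that is not also allowed by the active zone is either unreachable (and should be bound to 127.0.0.1 instead) or reachable only because the firewall is off; either way it deserves a look.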
iftop:
- iftop is a member of the top family of tools (atop, iotop, htop...)
- iftop is made for network traffic statistics and debugging
- iftop listens to the traffic on the interface we specify
- It then prints bandwidth usage per host, giving a visual representation of the network traffic on that machine
# yum install -y epel-release
# yum install -y iftop
# iftop -i ens33