Chapter 3 – Networking and Firewalls – LinuxWheel

Find our network configuration
Examples of using IP suite
Adding and configuring network interfaces
DNS on Linux
Configuring NTP
Listing firewall rules
Adding firewall rules
See running services and ports
Debuggine with iftop

Introduction:

Firewall administration was handled by iptables.
firewall–cmd (centos) and ufw (ubuntu) are installed by default.

iptables are used for IPv4
ip6tables are used for IPv6
ebtables are used for Ethernet frames
arptables are used for ARP

Install net-tools:

$ yum install net-tools

Show IP address:

# ip address show dev enp33

# ifconfig

Show gateway IP address:

# ip route

default is the route traffic uses when going out of your box.
default via 192.168.100.1 – Translates to goes out via 192.168.100.1

To find our default route out:

# route

ip is more than just one command, its a suite of tools

Checking connectivity:

Ping the gateway first
If says Destination Host Unreachable, there is something wrong

Check the status of interface:

$ ip address show dev ens33

UP value is if the interface is physically up. (physical state)

LOWER_UP is shown if a cable is physically connected and up (physical state)

state UP value tells if the interface is administratively up (logical state)

Checking what route our box will take:

Maybe your machine is trying to talk out of the wrong interface, thus failing to connect.

Add secondary IP address to an interface:

# ip address add 192.168.100.200/24 dev ens33

Upon a reboot, this change will be lost.

Removing secondary IP address from an interface:

# ip address del 192.168.100.200/24 dev eth1

Shutting down and bringing up an interface administratively:

# ip link set eth1 down

# ip link set eth1 up

Adding a new route to our routing table:

# ip route add 192.168.100.0/24 via 192.168.100.181 dev ens33

192.168.100.181 is centos2’s IP address

Command basically says: Add this route and communicate to any address on the 192.168.100.0/24 network, and send traffic via ens33 and gateway 192.168.100.181, which centos2 IP address)

Configuring a new interface:

# nano /etc/sysconfig/network-scripts/ifcfg-intname

Add the following:

BOOTPROTO=none

Stands for boot-time protocol
Options are dhcp or bootp
In a DHCP environment, we want address assigned automatically by DHCP server. Here, we are setting static address with BOOTPROTO=none

ONBOOT=yes

The default behaviour of an interface is to not initialize at boot.
With “yes” we ensure it gets up with the system

IPADDR and NETMASK

Self explanatory

DEVICE=ens33 or whatever

Specify which hardware interface our configuration will appy to.

PEERDNS=no

By setting “no” we ensure that our system does not modify /etc/resolv.conf when the interface gets up.

NM_CONTROLLED=no

IMPORTANT
If we do not want network manager to interfere, add this!

3. Restart the interface

# ifdown ens33

# ifup ens33

4. Restart networking in general:

# systemctl restart network

Which interfaces are managed by network manager:

DNS

Modern domain name resolution on Linux:

Look at software installed on CentOS for domain name resolution
Look at /etc/resolv.conf
Domain name resolution methods (such as network manager)
Test connection to our DNS server
Run DNS queries to see if it works

Checking if DNS works:

# ping google.com

Success, it resolved domain name into IP and it works

Install dig:

# yum install -y bind-utils

Query DNS with dig:

ANSWER SECTION:

We can reach google at 172.217.20.14
It resolved domain name to IP address

SERVER: 8.8.8.8#53(8.8.8.8)

Last paragraph shows the IP that CentOS uses for domain name resolution.

Checking the domain resolution settings:

Resolv.conf file is managed by network manager
On other distros, it is managed by systemd-resolved

search stands for search list for hostname lookup

hostname centos1.example.com – search would be example

Nameserver stands for DNS

List the DNS server it knows about:

# nmcli -f ipv4.dns,ipv4.ignore-auto-dns connection show ens33

ipv4.dns value from the results is set to 8.8.8.8

Ipv4.ignore-auto-dns is set to yes. Meaning yes ignore the auto DNS allocation from the DHCP server.

Changing the domain resolution settings:

We are setting our own DNS server value (1.1.1.1)
Setting the ipv4.ignore-auto-dns from no to yes

# nmcli connection modify ens33 ipv4.dns “1.1.1.1” ipv4.ignore-auto-dns “yes”

Reload the interface:

# nmcli connection up ens33

Look at resolv.conf to confirm:

# cat /etc/resolv.conf

Stop Network Manager from controlling your DNS:

# nano /etc/NetworkManager/NetworkManager.conf

Set dns=none under main section of NetworkManager.conf file.

Restart Network Manager:

# systemctl restart NetworkManager

DNS is usually done in pairs, it is good idea to have a backup DNS server.

NTP

Configuring NTP and the problems we face:

NTP runs on port 123
The protocol used for keeping time in computers in sync.
Unconfigured time presents a host a lot of problems

Centos1 – client

Centos2 – server

Two components:

Chronyc (command-line tool)
Chronyd (daemon, can act as a client or server)

Checking if NTP is running:

# date

# systemctl status chronyd

Check if NTP traffic is flowing:

Check the port with tcpdump

# tcpdump port 123 -i ens33

# chronyc sources

# chronyc tracking

Enabling NTP client:

When system is not using chronyd
Date is not in sync

Configuration file for chronyd: /etc/chrony.conf

Enabling an NTP server:

centos2# nano /etc/chrony.conf

allow 192.168.100.0/24

Allow those clients, from this network

# systemctl restart chronyd

centos1# nano /etc/chrony.conf

Comment out servers

centos1# server 192.168.100.102 iburst

centos1# allow 192.168.100.102

iburst makes the first few requests faster (for faster syncing)

# systemctl restart chronyd

Listing firewall rules on the command line

Firewall-cmd and ufw to list firewall rules
Iptables are used here too
In centos7, firewall-cmd is common way to interact with firewalls
In ubuntu, ufw is common way to interact with firewalls
Iptables shoud work across distributions.

FIREWALL-CMD

Firewalld introduces the concept of zones
Zones are assigned to specific interfaces
Each zone has specific rules configured to it
When we list rules on cmd, we actually query what kernel knows about security rules for that machine

Enabling firewall:

# systemctl enable --now firewalld

Check if firewall is running:

# firewall-cmd --state

Check for installed packages:

# rpm -qa | grep firewalld

Find config files:

# rpm -qc firewalld

Check available zones:

# firewall-cmd --get-zones

Check zone currently in use:

# firewall-cmd --get-active-zones

Check current zone:

# firewall-cmd --list-all

Check default zone:

# firewall-cmd --get-default-zone

Set default zone:

# firewall-cmd --set-default-zone=internal or any zone

Add port:

# firewall-cmd --add-port=3306/tcp

Add permanent port:

# firewall-cmd --permanent --zone=public --add-port=5000/tcp

Port will be added after firewalld restart

# firewall-cmd --zone=public --add-port=5000/tcp

Port is added for this session

Add multiple ports:

# firewall-cmd --add-port={3306/tcp,6000/tcp,3000/tcp}

Add range of ports:

# firewall-cmd --add-port=5000-5010/tcp

Remove port:

# firewall-cmd --remove-port=3306/tcp

Port 3306 is now open in firewall

Add service:

# firewall-cmd --add-service=mysql

MySQL is now open in firewall, under services.

Add multiple services:

# firewall-cmd --add-service={mysql,http,https,ldap}

Remove service:

# firewall-cmd --remove-service=mysql

Remove multiple services:

# firewall-cmd --remove-service={mysql,http,ldap}

# firewall-cmd --reload

It will delete all settings, and set them to default because we did not save the changes in configuration files.
If we want to add service/port permanently, use –permanent option when adding service/port. Then, we must RELOAD the firewall using firewall-cmd –reload

Port forwarding in firewalld:

# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80

Forward 8080 traffic to port 80

    # yum install httpd

    # systelctl start httpd

    # netstat -ntlp

Add port forwarding

# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80

Add port forwarding to another host:

# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=192.168.100.102

Remove port forwarding:

# firewall-cmd --remove-forward-port=port=8080:proto=tcp:toport=80

Firewall-cmd Rich Rules:

Allow all traffic from centos2:

# firewall-cmd --add-rich-rule=’rule family=”ipv4” source address=”192.168.100.102” accept’

Accept all traffic from 192.168.100.102

Deny all traffic from centos3:

# firewall-cmd --add-rich-rule=’rule family=”ipv4” source address=”192.168.100.103” drop

Denies all traffic from centos3
Centos3 cant even ping to centos1

# firewall-cmd --list-alll

# firewall-cmd --list-rich-rules

Rich rules will be shown at the button

Add custom service:

# cp /usr/lib/firewalld/services/mysql.xml services/

# nano mysql.xml

Change the title, description, and port options to your custom.

# firewall-cmd --reload

# firewall-cmd --get-services

# firewall-cmd --get-services | grep yourservice --color

Shows that service is added

# firewall-cmd --add-service=myapp

Firewall Panic Mode:

# firewall-cmd --query-panic

Check if panic mode is on

# firewall-cmd --pani-on

Drop all connections. Used in case of hack!

ss:

ss stands for socket statistics
Older program, netstat, might be installed sometimes too


# ss -tua

To check for TCP and UDP sockets (IP + Port number)

# ss -tua state established

Show only established connections

# ss -tl

Show sockets that are listening for TCP connections

# ss -ul

Show sockets that are listening for UDP connections

lsof:

# lsof -i :22

What process isusing port 22

iftop:

iftop is member of top family of tools (atp, iotop, htop…)
iftop is made for network traffic statistics and debugging
iftop listens to the traffic on the interface we specify
It then prints bandwidth usage by the host, gives the visual representation of the network on that machine

# yum install -y epel-release

# yum install -y iftop

# iftop -i ens33