Firewall-Cmd

# Show all zones
firewall-cmd --get-zones

# Show Active Zones
firewall-cmd --get-active-zones

# Show Trusted Zone
firewall-cmd --list-all --zone=trusted

# Set Docker default bridge into the Trusted zone
firewall-cmd --permanent --zone=trusted --add-source=172.x.x.x/16

# Add service to trusted zone
firewall-cmd --permanent --zone=trusted --add-service=ssh

# List Sources of Trusted zone
firewall-cmd --permanent --zone=trusted --list-sources

# Set default zone
firewall-cmd --set-default-zone=public

# Assign Interface to a Zone
firewall-cmd --permanent --zone=public --change-interface=eth0
firewall-cmd --permanent --zone=trusted --change-interface=docker0
firewall-cmd --permanent --zone=public --remove-interface=docker0

# Open a port
firewall-cmd --zone=public --permanent --add-port=PORTNUMBER/tcp

# Close a port
firewall-cmd --zone=public --permanent --remove-port=PORTNUMBER/tcp

# Port forwarding same server
firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345

# Port forwarding to different server
sudo firewall-cmd --zone=public --add-masquerade
firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=123.456.78.9

# Remove forwarding to different server
firewall-cmd --zone=public --remove-masquerade

# Set default zone
firewall-cmd --set-default-zone=public
firewall-cmd --zone=public --add-interface=eth0

# Add HTTP & HTTPS to Public zone
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent

# Reload
firewall-cmd --reload


IPTABLES:
iptables is the previous universal standard interface controlling the same firewall engine. Uses Chains and Rules.

#!/bin/bash
# Kiosh mode iptables script
iptables -A OUTPUT -p tcp -d kimconnect.com -j ACCEPT #This allows outgoing connections to a specific site
iptables -A OUTPUT -p tcp --dport 80 -j DROP #This drops all outgoing connetions to port 80
iptables -A OUTPUT -p tcp --dport 443 -j DROP #This drops all outgoing connetions to port 443
iptables -A INPUT -p tcp -s kimconnect.com --dport 22 -j ACCEPT #This allows SSH from a specific domain
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 22 -j DROP #This blocks all other SSH connections

# Flush all rules (use with caution)
# iptables -F

# Block null packets (DoD attacks)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Limit HTTP DoS
iptables -A INPUT -p tcp --dport 80 -m limit --limit 20/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m limit --limit 20/minute --limit-burst 100 -j ACCEPT

# Block syn-flood attacks
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Block scans
iptables -N block-scan
iptables -A block-scan -p tcp —tcp-flags SYN,ACK,FIN,RST RST -m limit —limit 1/s -j RETURN
iptables -A block-scan -j DROP

# Allow HTTP Traffic
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# Find who is connected from external
w

# Allow Outgoing Connections from Established Flows
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Only Allow outgoing
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

# Secure system with these standards
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog

badports="135,136,137,138,139,445"
iptables -A INPUT -p tcp -m multiport --dport $badports -j DROP
iptables -A INPUT -p udp -m multiport --dport $badports -j DROP

# List the rules
iptables -L -n

# Save configs
iptables-save | sudo tee /etc/sysconfig/iptables

# Restart iptables
service iptables restart

#########################

FirewallD:
firewalld is part of systemd. Uses Zones and Services.

# Install
yum install firewalld firewall-config -y

# Check Zones
firewall-cmd --get-zones

# Check Services
firewall-cmd --get-services

# Add HTTP ports
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --zone=public --add-port=8443/tcp --permanent
firewall-cmd --reload

# check port daemon
netstat -lnp | grep 443

Leave a Reply

Your email address will not be published. Required fields are marked *