Linux CentOS/Ubuntu Firewall and SELinux - NETSEC



Cybersecurity Memo

Tuesday, March 24, 2020


The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering.

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions.

This post summarizes basic firewall and SELinux configuration on two of the most popular Linux distributions: CentOS and Ubuntu.

Check Network Interface Commands:
  • ip a  (addresses on all interfaces)
  • ip l  (link state of all interfaces)
  • nmcli d  (NetworkManager device list and connection state)
  • nmtui  (NetworkManager text-mode UI)

1. CentOS 7

FirewallD is a frontend controller for iptables used to implement persistent network traffic rules. It provides command line and graphical interfaces and is available in the repositories of most Linux distributions. Working with FirewallD has two main differences compared to controlling iptables directly:
  1. FirewallD uses zones and services instead of chains and rules.
  2. It manages rulesets dynamically, allowing updates without breaking existing sessions and connections.
FirewallD is a wrapper around iptables that makes the rules easier to manage; it is not an iptables replacement. The iptables command is still available on a system running FirewallD, but rules added with it directly are not tracked by FirewallD and may be flushed the next time FirewallD reloads, so on a FirewallD-managed host use only firewall-cmd.


iptables-services (not installed on CentOS 7 by default)
To replace the default firewall with the classic iptables service, install the package, turn firewalld off, and enable the iptables service so the saved rules are restored at boot:
  • yum install policycoreutils iptables-services -y
  • systemctl stop firewalld.service
  • systemctl disable firewalld.service
  • systemctl enable iptables
  • service iptables restart
firewalld commands (CentOS 7 installs and enables firewalld by default)
  • systemctl start firewalld  # turn the firewall on
  • systemctl stop firewalld  # turn the firewall off (current boot only)
  • systemctl status firewalld  # check the service status
  • systemctl disable firewalld  # keep firewalld from starting at boot
  • firewall-cmd --state  # prints "running" when firewalld is up and "not running" after it has been stopped
Run these as root or with sudo. Stopping the service only lasts until the next reboot; disabling it removes it from the boot sequence, but another service can still pull it in as a dependency. To prevent that as well, mask the firewalld service (the --now flag stops it at the same time):
sudo systemctl mask --now firewalld

Open the XRDP port, TCP 3389:
$ sudo firewall-cmd --add-port=3389/tcp --permanent
$ sudo firewall-cmd --reload
With --permanent the rule is written to the zone configuration but only takes effect after the reload; without --permanent it would apply immediately but be lost at the next reload or reboot. Confirm the result with firewall-cmd --query-port=3389/tcp, or list the active zone (output abbreviated):

[root@centos7-docker-portainer ~]# firewall-cmd --list-all
  target: default
  icmp-block-inversion: no
  services: dhcpv6-client ssh
  ports: 2222/tcp 3389/tcp
  masquerade: no
  rich rules:

To view the current SELinux status and the policy in use, run the sestatus command:
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
The output above shows SELinux enabled, running the targeted policy in enforcing mode.

Disable SELinux

You can temporarily switch SELinux from enforcing to permissive mode with the following command (targeted is the policy type, not a mode; the policy stays loaded either way):
sudo setenforce 0
In permissive mode denials are still logged to /var/log/audit/audit.log but are no longer enforced. This change is valid for the current runtime session only; setenforce 1 switches back, and a reboot restores the mode from the config file.
To change the SELinux mode permanently on your CentOS 7 system, edit /etc/sysconfig/selinux (a symlink to /etc/selinux/config), set SELINUX= to the mode you want, and reboot:

vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Prefer permissive over disabled when you only need to get a service working: denials keep being logged for troubleshooting, whereas files created while SELinux is disabled get no labels at all, and switching back to enforcing later then requires a full relabel (touch /.autorelabel and reboot).
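Before disabling SELinux to make a service work, look at what it is actually denying. The script below is an added example written for this post; it is not part of the original article or of the SELinux tool set. It parses AVC records in the format of /var/log/audit/audit.log, counts denials by source domain, target type, object class and permission, and prints a triage hint for each group. The audit lines embedded in it, including the domain and port type names, are constructed for the example; on a real host you would feed it the output of ausearch -m AVC or the log file itself.

```python
import re
from collections import Counter

# Constructed sample in the format of /var/log/audit/audit.log AVC records.
# PIDs, inodes, timestamps and the xrdp_t domain are made up for this example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1585000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1585000001.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585000002.789:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="logo.png" dev="dm-0" ino=1338 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585000003.000:459): avc:  denied  { name_bind } for  pid=2222 comm="xrdp" src=3389 scontext=system_u:system_r:xrdp_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1585000003.000:459): arch=c000003e syscall=49 success=no exit=-13 comm="xrdp"
"""

# Field order (comm, scontext, tcontext, tclass, permissive) is fixed in AVC records.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
    r'(?:.*?permissive=(?P<permissive>[01]))?'
)


def type_of(context):
    """user:role:type:level -> type, the part policy rules are written against."""
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC record; SYSCALL, PATH and other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "result": m["result"],
            "perms": m["perms"].split(),          # one record may list several permissions
            "comm": m["comm"],
            "source_type": type_of(m["scontext"]),
            "target_type": type_of(m["tcontext"]),
            "tclass": m["tclass"],
            # permissive=1: the access went through anyway, only the record was written
            "permissive": m["permissive"] == "1",
        })
    return records


def summarize_denials(records):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r["source_type"], r["target_type"], r["tclass"], perm)] += 1
    return counts


def suggest_next_step(target_type, tclass):
    """Generic triage hint: which labels to inspect. The real fix depends on the
    policy, so this points at the thing to check rather than at setenforce 0."""
    if target_type.endswith("_port_t") and tclass.endswith("_socket"):
        return "port label: check 'semanage port -l' and the relevant booleans (getsebool -a)"
    if tclass in ("file", "dir", "lnk_file"):
        return "file label: compare 'ls -Z' with 'semanage fcontext -l', then restorecon -Rv"
    return "inspect with 'ausearch -m AVC' and 'audit2why'"


def report(text):
    """Render the denial summary, most frequent group first."""
    records = parse_avc(text)
    lines = []
    for (src, tgt, cls, perm), n in sorted(summarize_denials(records).items(),
                                           key=lambda kv: -kv[1]):
        lines.append(f"{n:3d}x {src} -> {tgt} ({cls}:{perm}): {suggest_next_step(tgt, cls)}")
    blocked = sum(1 for r in records if r["result"] == "denied" and not r["permissive"])
    lines.append(f"{blocked} of {len(records)} denials were actually blocked (permissive=0)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT_LOG))
```

The permissive field is what makes setenforce 0 useful for troubleshooting: the denial is recorded while the service keeps working, so the summary tells you which label or boolean to fix. audit2allow -a -M mymodule can build a local policy module from the same records, but review what it generates before loading it, since it allows exactly what was denied, including denials caused by mislabelled files that restorecon would have fixed.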

For comparison, opening port 3000/tcp on CentOS 6 (iptables service) versus CentOS 7 (firewalld):
#CentOS 6
iptables -I INPUT -p tcp --dport 3000 -j ACCEPT
service iptables save
service iptables restart
#CentOS 7
firewall-cmd --zone=public --add-port=3000/tcp --permanent
firewall-cmd --reload

2. Ubuntu 18.04

To configure a static IP address on your Ubuntu 18.04 server, modify the relevant netplan network configuration file in the /etc/netplan/ directory.

For example, you might find there a default netplan configuration file called 50-cloud-init.yaml (on cloud images) or 01-netcfg.yaml with the following content, instructing the networkd daemon to configure your network interface via DHCP:
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: yes
Note that cloud-init regenerates 50-cloud-init.yaml on the next boot; to keep your edits on such an image, disable its network configuration by creating /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg containing network: {config: disabled}.
To give the network interface enp0s3 a static IP address with a gateway and DNS server, replace the above configuration with the one below, filling in your own values (the address goes in CIDR notation, with its prefix length).
You must keep the correct indentation for each line of the block; the number of leading spaces on each line matters. Otherwise you may end up with an error message similar to: Invalid YAML at //etc/netplan/01-netcfg.yaml line 7 column 6: did not find expected key. The file also cannot contain tab characters; indent with spaces only.
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: no
      addresses: []
      gateway4:
      nameservers:
        addresses: [,]
Once ready, apply the changes with:
$ sudo netplan apply
On a remote host, prefer sudo netplan try first: it applies the configuration and rolls it back automatically after 120 seconds unless you confirm, so a wrong gateway does not lock you out.
In case you run into issues, execute:
$ sudo netplan --debug apply
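Because the indentation error quoted above is so easy to make by hand, it helps to generate the file and lint it before running netplan apply. The script below is an added example for this post, not part of netplan or of the original article: render_netplan builds the static configuration shown above with two-space indentation after validating the address, gateway and DNS values with Python's ipaddress module, and lint_netplan reports the two mistakes netplan rejects, tab characters and a dedent to an indentation level that no enclosing block uses. The interface name enp0s3 is taken from the post; the addresses used in the example are made up.

```python
import ipaddress


def render_netplan(iface, address_cidr, gateway, dns_servers, renderer="networkd"):
    """Return a netplan YAML document giving `iface` one static IPv4 address.

    Values are validated before anything is rendered, and the output uses
    two-space indentation only, which is what netplan expects.
    """
    if "/" not in address_cidr:
        raise ValueError("address must be in CIDR form with a prefix length, e.g. 10.0.0.5/24")
    net = ipaddress.ip_interface(address_cidr)        # raises ValueError on garbage
    gw = ipaddress.ip_address(gateway)
    if gw not in net.network:
        raise ValueError(f"gateway {gw} is not inside {net.network}")
    dns = [str(ipaddress.ip_address(d)) for d in dns_servers]
    lines = [
        "# This file describes the network interfaces available on your system",
        "# For more information, see netplan(5).",
        "network:",
        "  version: 2",
        f"  renderer: {renderer}",
        "  ethernets:",
        f"    {iface}:",
        "      dhcp4: no",
        f"      addresses: [{net.with_prefixlen}]",
        f"      gateway4: {gw}",
        "      nameservers:",
        f"        addresses: [{', '.join(dns)}]",
    ]
    return "\n".join(lines) + "\n"


def lint_netplan(text):
    """Return [(line_no, message)] for the indentation mistakes netplan rejects.

    Checks for tab characters in the indentation and for a dedent to a level
    that no enclosing block uses (netplan reports the latter as
    "did not find expected key").
    """
    problems = []
    levels = [0]                      # indentation levels of the enclosing blocks
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                  # blank lines and comments do not affect nesting
        leading = line[: len(line) - len(line.lstrip())]
        if "\t" in leading:
            problems.append((no, "tab character in indentation; use spaces only"))
            continue
        indent = len(leading)
        if indent > levels[-1]:
            levels.append(indent)     # opening a nested block
        else:
            while levels[-1] > indent:
                levels.pop()          # closing one or more blocks
            if levels[-1] != indent:
                problems.append((no, f"indent of {indent} matches no enclosing block"))
                levels.append(indent)  # carry on without cascading errors
    return problems


if __name__ == "__main__":
    # Example values only; replace with your own network.
    cfg = render_netplan("enp0s3", "10.0.0.5/24", "10.0.0.1", ["10.0.0.1", "1.1.1.1"])
    print(cfg)
    print("lint:", lint_netplan(cfg) or "ok")
```

Write the rendered text to /etc/netplan/01-netcfg.yaml and run sudo netplan try, which applies the configuration and rolls it back after 120 seconds unless confirmed, so a wrong gateway does not lock you out of a remote host. gateway4 is the key Ubuntu 18.04's netplan documents; newer netplan releases deprecate it in favour of a routes: entry, so adjust the template if you reuse this on a later release.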

Ubuntu includes its own firewall, known as ufw – short for “uncomplicated firewall.” Ufw is an easier-to-use frontend for the standard Linux iptables commands. You can even control ufw from a graphical interface.

Ubuntu’s firewall is designed as an easy way to perform basic firewall tasks without learning iptables. It doesn’t offer all the power of the standard iptables commands, but it’s less complex.

The firewall is disabled by default, and ufw's default policy once enabled is to deny incoming connections. When working over SSH, add the rule that lets you back in first (for example sudo ufw allow ssh), because otherwise new SSH connections will be refused as soon as the firewall is on; ufw itself warns that enabling may disrupt existing SSH connections. Then enable the firewall from a terminal:
sudo ufw enable

Let’s say you want to allow SSH traffic on port 22. To do so, you can run one of several commands:
sudo ufw allow 22 (Allows both TCP and UDP traffic – not ideal if UDP isn’t necessary.)
sudo ufw allow 22/tcp  (Allows only TCP traffic on this port.)
sudo ufw allow ssh (Checks the /etc/services file on your system for the port that SSH requires and allows it. Many common services are listed in this file.)
Ufw assumes you want to set the rule for incoming traffic, but you can also specify a direction. For example, to block outgoing SSH traffic, run the following command:
sudo ufw reject out ssh
You can view the rules you’ve created with the following command:
sudo ufw status

To delete a rule, add the word delete before the rule. For example, to stop rejecting outgoing ssh traffic, run the following command:
sudo ufw delete reject out ssh
Ufw’s syntax allows for fairly complex rules. For example, this rule denies TCP traffic from the IP to port 22 on the local system:
sudo ufw deny proto tcp from to any port 22
To reset the firewall to its default state, run the following command:
sudo ufw reset
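Both firewall-cmd --list-all (in the CentOS 7 section above) and ufw status are written for people to read, which makes it easy to leave a port such as 3389/tcp open longer than intended. The script below is an added example for this post, not part of firewalld, ufw or the original article: it parses both outputs, collects everything allowed inbound from any source, and reports whatever is not on an allowlist. The two sample outputs and the allowlist are constructed for the example (the interface name and rules are made up); run it on the real command output to audit a host. For ufw, plain status and status numbered both parse.

```python
import re

# Constructed sample output of `firewall-cmd --list-all` on a CentOS 7 host.
FIREWALLD_SAMPLE = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 2222/tcp 3389/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

# Constructed sample output of `ufw status numbered` on an Ubuntu 18.04 host.
UFW_SAMPLE = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 3389/tcp                   ALLOW IN    Anywhere
[ 3] 22                         REJECT OUT  Anywhere (out)
[ 4] 22/tcp                     DENY IN     203.0.113.7
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

# What this example assumes may be reachable from anywhere; anything else is flagged.
# An assumption for the example, not a recommendation for every host.
ALLOWED_EXPOSURE = {"ssh", "22/tcp", "2222/tcp", "dhcpv6-client"}


def parse_firewalld_list_all(text):
    """Parse one zone's `firewall-cmd --list-all` output into a dict of lists."""
    lines = [l for l in text.splitlines() if l.strip()]
    zone = {"zone": lines[0].split()[0], "active": "(active)" in lines[0]}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")   # split on the first colon only
        zone[key.strip()] = value.split()
    return zone


def exposed_from_firewalld(zone):
    """Services and ports open to every source in the zone (rich rules are not evaluated)."""
    return set(zone.get("services", [])) | set(zone.get("ports", []))


# One ufw rule line; the [ n] prefix of `status numbered` and the direction are optional.
UFW_RULE_RE = re.compile(
    r'^(?:\[\s*\d+\]\s+)?(?P<to>\S.*?)\s{2,}'
    r'(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?P<direction>IN|OUT|FWD))?\s{2,}'
    r'(?P<from>\S.*?)\s*$'
)


def parse_ufw_status(text):
    """Parse `ufw status` / `ufw status numbered` into {"status": ..., "rules": [...]}."""
    result = {"status": None, "rules": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Status:"):
            result["status"] = line.split(":", 1)[1].strip()
            continue
        m = UFW_RULE_RE.match(line)
        if m:
            result["rules"].append({
                "to": m["to"],
                "action": m["action"],
                "direction": m["direction"] or "IN",   # ufw omits IN when no other direction is in use
                "from": m["from"],
            })
    return result


def exposed_from_ufw(status):
    """Destinations allowed inbound from any source, with the (v6) suffix folded in."""
    exposed = set()
    for r in status["rules"]:
        if (r["action"] in ("ALLOW", "LIMIT") and r["direction"] == "IN"
                and r["from"].startswith("Anywhere")):
            exposed.add(r["to"].replace(" (v6)", ""))
    return exposed


def audit(exposed, allowed=ALLOWED_EXPOSURE):
    """Return the exposures not covered by the allowlist, sorted for stable output."""
    return sorted(exposed - allowed)


if __name__ == "__main__":
    fw = parse_firewalld_list_all(FIREWALLD_SAMPLE)
    print("firewalld zone", fw["zone"], "unexpected:", audit(exposed_from_firewalld(fw)))
    uf = parse_ufw_status(UFW_SAMPLE)
    print("ufw", uf["status"], "unexpected:", audit(exposed_from_ufw(uf)))
```

The comparison is deliberately literal: a ufw rule for 22 with no protocol (both TCP and UDP) is not treated as covered by an allowlist entry for 22/tcp, and firewalld rich rules and source-restricted rules are ignored rather than guessed at, so a host that relies on them needs the allowlist extended or those rules parsed separately.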
