Linux firewall and connectivity issues

Src: Todd Hammer, Microsoft

All Linux Distributions have a firewall in place, just because it comes with the kernel, but it’s inactive by default.  If we’re having connectivity issues, then, the firewall is something we should check. Netfilter is the name for firewall in the Linux kernel, and we can talk with it using a command-line utility called iptables. 

List currently configured iptables	iptables -L
List main tables	iptables -t security -L iptables -t mangle -L iptables -t filter -L iptables -t nat -L
Clear all currently configured rules	iptables -F
Block connection to specific ip address	iptables -A INPUT -s <ip_address> -j DROP
Block connection to a ip addresses range	iptables -A INPUT -s <ip>/<netmask> -j DROP
Block connection to a specific port and ip address	iptables -A INPUT -p tcp –dport <port> -s <ip_address> -j DROP
Block connections to a specific port from any ip address	iptables -A INPUT -p tcp –dport <port> -j DROP
Add port in firewall(22 in example)	/sbin/iptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT
Save changes you made	Ubuntu: sudo /sbin/iptables-save Red Hat/CentOS:  sudo /sbin/service iptables save Others:  /etc/init.d/iptables save
Listen open ports	sudo lsof -i -P -n | grep LISTEN sudo lsof -i:22 ## see a specific port such as 22 ## sudo ss -tulpn

Now, some people’s distributions has their firewall in place so, you can use these commands (of course there are more options you can apply, read the manuals please) to check on them:

Red Hat/CentOS/SuSE

Get current firewall status:	sudo systemctl status firewalld
Start/Stop Firewalld	sudo systemctl start firewalld/sudo systemctl stop firewalld
Enable/disable firewalld at system startup	sudo systemctl enable firewalld/sudo systemctl disable firewalld
List zones	firewall-cmd –get-zones
Check active zones	firewall-cmd –get-active-zones
List configuration	firewall-cmd –list-all
List allowed services	firewall-cmd –list-services
List allowed ports	firewall-cmd –list-ports
Allow a service	firewall-cmd –add-service=<servicename> –zone=<zonename> –permanent
Allow a port	firewall-cmd –add-port=<portnumber/protocol> –zone=<zonename> –permanent
Reload the firewall	firewall-cmd –reload

Ubuntu

Firewall status	sudo ufw status [verbose]
Enable/Disable firewall	sudo ufw enable/sudo ufw disable
Allow port for tcp/udp	sudo ufw allow <port_number>
Allow port for tcp	sudo ufw allow <port_number>/tcp
Allow port by service name (will check in /etc/services file)	sudo ufw allow <service>
Block outgoing traffic	sudo ufw reject out <service/port>
Delete a rule	sudo ufw delete reject out <service/port>
Deny tcp traffic from specific ip on specific port	sudo ufw deny proto tcp from <ip> to any port <port_number>
Reset firewall to its default state	sudo ufw reset
See application profiles available	sudo ufw app list
View information about a profile and its included rules	sudo ufw app info <app_name>
Allow an application profile	sudo ufw allow <app_name>
Enable logging to print firewall messages to -system log	sudo ufw logging on

There is something called Security-enhanced Linux(SELinux) that can also block connections,

More information: 

• iptables manual: https://man7.org/linux/man-pages/man8/iptables.8.html
• firewall-cmd manual: https://firewalld.org/documentation/man-pages/firewall-cmd.html
• Ufw manual: http://manpages.ubuntu.com/manpages/bionic/man8/ufw.8.html

2022-05-27 - Posted by //Cloud notes from my desk | Linux, Open Source | Linux