Linux firewall and connectivity issues
Src: Todd Hammer, Microsoft
Every Linux distribution has a firewall available, because packet filtering is built into the kernel, but on many of them it is inactive by default. When you are troubleshooting connectivity issues, the firewall is one of the first things to check. Netfilter is the name of the firewall framework in the Linux kernel, and the classic command-line utility for talking to it is iptables.
| Task | Command |
|---|---|
| List currently configured rules | `iptables -L` |
| List the main tables | `iptables -t security -L`<br>`iptables -t mangle -L`<br>`iptables -t filter -L`<br>`iptables -t nat -L` |
| Clear all currently configured rules | `iptables -F` |
| Block connections from a specific IP address | `iptables -A INPUT -s <ip_address> -j DROP` |
| Block connections from an IP address range | `iptables -A INPUT -s <ip>/<netmask> -j DROP` |
| Block connections from a specific IP address to a specific port | `iptables -A INPUT -p tcp --dport <port> -s <ip_address> -j DROP` |
| Block connections to a specific port from any IP address | `iptables -A INPUT -p tcp --dport <port> -j DROP` |
| Allow new connections to a port (22 in the example) | `/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT` |
| Save the changes you made | Ubuntu: `sudo /sbin/iptables-save`<br>Red Hat/CentOS: `sudo /sbin/service iptables save`<br>Others: `/etc/init.d/iptables save` |
| List listening ports | `sudo lsof -i -P -n \| grep LISTEN`<br>`sudo lsof -i:22` (a specific port, 22 here)<br>`sudo ss -tulpn` |
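The rules in the table above are all appended with `-A`, and iptables evaluates a chain strictly top to bottom, taking the first rule that matches. A DROP appended after an ACCEPT for the same port therefore never sees the packet, which is a common reason a "blocked" host can still connect. The script below is an added example, not part of the original post: it is a small first-match evaluator over rules in the format that `iptables -S INPUT` prints, with a constructed rule set embedded as sample data. It models only the `-p`, `--dport`, `-s` and `--state` matches, treats the packet as the first packet of a new connection, and is not a substitute for reading the real chain on the host.

```shell
#!/bin/sh
# Added example: a first-match evaluator for rules in the format printed by
# `iptables -S INPUT`. Not part of the original post; it exists to show why a
# rule appended with -A can be shadowed by an earlier ACCEPT.

# Constructed sample of `iptables -S INPUT` output on a host whose rules were
# added with -A in this order (sample data, not taken from any real system).
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -s 203.0.113.7 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j DROP'

# ip4_to_int: dotted-quad IPv4 address -> unsigned integer
ip4_to_int() {
  a=${1%%.*}; r=${1#*.}
  b=${r%%.*}; r=${r#*.}
  c=${r%%.*}; d=${r#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDRESS PREFIX: succeeds when ADDRESS lies inside PREFIX
# (a bare address in a rule is treated as /32, as iptables does)
in_cidr() {
  case "$2" in
    */*) net=${2%/*}; bits=${2#*/} ;;
    *)   net=$2; bits=32 ;;
  esac
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  fi
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# verdict RULES PROTO DPORT SOURCE: prints the target (ACCEPT, DROP, ...) of
# the first INPUT rule matching a NEW connection with these attributes, or the
# chain policy when no rule matches. Rules are evaluated strictly in order.
verdict() {
  rules=$1; proto=$2; dport=$3; src=$4
  policy=ACCEPT
  while read -r line; do
    [ -n "$line" ] || continue
    set -- $line
    case "$1" in
      -P) [ "$2" = INPUT ] && policy=$3; continue ;;
      -A) [ "$2" = INPUT ] || continue ;;
      *)  continue ;;
    esac
    shift 2
    r_proto=; r_dport=; r_src=; r_state=; r_target=
    while [ $# -gt 0 ]; do
      case "$1" in
        -p)      r_proto=$2;  shift ;;
        --dport) r_dport=$2;  shift ;;
        -s)      r_src=$2;    shift ;;
        --state) r_state=$2;  shift ;;
        -j)      r_target=$2; shift ;;
        -m)      shift ;;          # match-extension name; nothing to compare
      esac
      shift
    done
    # A connection-state match applies only when the packet's state is listed;
    # this evaluator models the first packet of a new connection (state NEW).
    if [ -n "$r_state" ]; then
      case "$r_state" in *NEW*) ;; *) continue ;; esac
    fi
    if [ -n "$r_proto" ] && [ "$r_proto" != "$proto" ]; then continue; fi
    if [ -n "$r_dport" ] && [ "$r_dport" != "$dport" ]; then continue; fi
    if [ -n "$r_src" ] && ! in_cidr "$src" "$r_src"; then continue; fi
    echo "$r_target"
    return 0
  done <<EOF
$rules
EOF
  echo "$policy"
}

# Stand-alone demo: the DROP for 203.0.113.7 on port 22 was appended after the
# ACCEPT for port 22, so it never sees the packet and the connection is accepted.
echo "tcp/22 from 203.0.113.7: $(verdict "$SAMPLE_RULES" tcp 22 203.0.113.7)"
echo "tcp/443 from 203.0.113.7: $(verdict "$SAMPLE_RULES" tcp 443 203.0.113.7)"
```

On a real host the equivalent check is to read the chain in order with `iptables -S INPUT` or `iptables -L INPUT -n --line-numbers`; a rule that must take precedence is inserted at the top with `-I INPUT` rather than appended with `-A`.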
Some distributions ship with a higher-level firewall front end already active on top of netfilter. Use the commands below (there are many more options; read the manuals) to check on them:
Red Hat/CentOS/SuSE
| Task | Command |
|---|---|
| Get current firewall status | `sudo systemctl status firewalld` |
| Start / stop firewalld | `sudo systemctl start firewalld` / `sudo systemctl stop firewalld` |
| Enable / disable firewalld at system startup | `sudo systemctl enable firewalld` / `sudo systemctl disable firewalld` |
| List zones | `firewall-cmd --get-zones` |
| Check active zones | `firewall-cmd --get-active-zones` |
| List configuration | `firewall-cmd --list-all` |
| List allowed services | `firewall-cmd --list-services` |
| List allowed ports | `firewall-cmd --list-ports` |
| Allow a service | `firewall-cmd --add-service=<servicename> --zone=<zonename> --permanent` |
| Allow a port | `firewall-cmd --add-port=<portnumber/protocol> --zone=<zonename> --permanent` |
| Reload the firewall | `firewall-cmd --reload` |
Ubuntu
| Task | Command |
|---|---|
| Firewall status | `sudo ufw status [verbose]` |
| Enable / disable the firewall | `sudo ufw enable` / `sudo ufw disable` |
| Allow a port for tcp and udp | `sudo ufw allow <port_number>` |
| Allow a port for tcp only | `sudo ufw allow <port_number>/tcp` |
| Allow a port by service name (looked up in /etc/services) | `sudo ufw allow <service>` |
| Block outgoing traffic | `sudo ufw reject out <service/port>` |
| Delete a rule | `sudo ufw delete reject out <service/port>` |
| Deny tcp traffic from a specific IP on a specific port | `sudo ufw deny proto tcp from <ip> to any port <port_number>` |
| Reset the firewall to its default state | `sudo ufw reset` |
| See the application profiles available | `sudo ufw app list` |
| View information about a profile and its included rules | `sudo ufw app info <app_name>` |
| Allow an application profile | `sudo ufw allow <app_name>` |
| Enable logging of firewall messages to the system log | `sudo ufw logging on` |
There is something called Security-enhanced Linux(SELinux) that can also block connections,
More information:
- iptables manual: https://man7.org/linux/man-pages/man8/iptables.8.html
- firewall-cmd manual: https://firewalld.org/documentation/man-pages/firewall-cmd.html
- ufw manual: http://manpages.ubuntu.com/manpages/bionic/man8/ufw.8.html