I'd like to:
- Drop all incoming connections from the external Web except 80 and 443
- Allow internal machines on
192.168.0.0/16to connect to :9000 :8080
Here's what I did to setup my drop zone via firewall-cmd:
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
systemctl start firewalld.service
systemctl enable firewalld
firewall-cmd --set-default-zone=drop
firewall-cmd --permanent --zone=drop --add-service=ssh
firewall-cmd --permanent --zone=drop --add-port=80/tcp
firewall-cmd --permanent --zone=drop --add-port=443/tcp
firewall-cmd --zone=drop --permanent --add-rich-rule='rule source address="192.168.0.0/16" port port="9000" protocol="tcp" accept'
firewall-cmd --zone=drop --permanent --add-rich-rule='rule source address="192.168.0.0/16" port port="8080" protocol="tcp" accept'
firewall-cmd --reload
Here's what the active drop zone looks like:
[root@machine ~]# firewall-cmd --zone=drop --list-all
drop (default, active)
interfaces: eth0 vethadc7c41 vethaef84e2 vethd53fa38
sources:
services: ssh
ports: 443/tcp 80/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.0.0/16" port port="9000" protocol="tcp" accept
rule family="ipv4" source address="192.168.0.0/16" port port="8080" protocol="tcp" accept
This appears OK; however, I run into issues after reload:
[root@machine ~]# systemctl status firewalld -l
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Sun 2014-12-21 19:48:53 UTC; 2s ago
Main PID: 21689 (firewalld)
CGroup: /system.slice/firewalld.service
└─21689 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Dec 21 19:48:53 machine.hostname systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 21 19:48:56 machine.hostname firewalld[21689]: 2014-12-21 19:48:56 ERROR: '/sbin/iptables -t filter -A DROP_allow -s 192.168.0.0/16 -m tcp -p tcp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT' failed: iptables: No chain/target/match by that name.
Dec 21 19:48:56 machine.hostname firewalld[21689]: 2014-12-21 19:48:56 ERROR: '/sbin/iptables -t filter -A DROP_allow -s 192.168.0.0/16 -m tcp -p tcp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT' failed: iptables: No chain/target/match by that name.
Dec 21 19:48:56 machine.hostname firewalld[21689]: 2014-12-21 19:48:56 ERROR: COMMAND_FAILED: '/sbin/iptables -t filter -A DROP_allow -s 192.168.0.0/16 -m tcp -p tcp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT' failed: iptables: No chain/target/match by that name.
Dec 21 19:48:56 machine.hostname firewalld[21689]: 2014-12-21 19:48:56 ERROR: '/sbin/iptables -t filter -A DROP_allow -s 192.168.0.0/16 -m tcp -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT' failed: iptables: No chain/target/match by that name.
Dec 21 19:48:56 machine.hostname firewalld[21689]: 2014-12-21 19:48:56 ERROR: '/sbin/iptables -t filter -A DROP_allow -s 192.168.0.0/16 -m tcp -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT' failed: iptables: No chain/target/match by that name.
Dec 21 19:48:56 machine.hostname firewalld[21689]: 2014-12-21 19:48:56 ERROR: COMMAND_FAILED: '/sbin/iptables -t filter -A DROP_allow -s 192.168.0.0/16 -m tcp -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT' failed: iptables: No chain/target/match by that name.
I'm a bit confused as I believed firewall-cmd to be an abstraction and sort of mutually exclusive with iptables, the latter being something I shouldn't mess with.
Here are my version vitals:
[machine@douglasii ~]# firewall-cmd -V
0.3.9
[machine@douglasii ~]# cat /proc/version
Linux version 3.16.7-x86_64-linode49 (maker@build) (gcc version 4.7.2 (Debian 4.7.2-5) ) #3 SMP Fri Nov 14 16:55:37 EST 2014
[machine@douglasii ~]# cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core)
[machine@douglasii ~]# iptables -v
iptables v1.4.21: no command specified
Try `iptables -h' or 'iptables --help' for more information.
The Linode kernel you are using doesn't have the modules your firewall wants. This is why you get the error "No chain/target/match by that name."
(And firewalld is a front-end to iptables.)
To resolve the problem, you need to run the kernel provided by the virtual machine, rather than the Linode kernel. Do this by setting the Linode to boot
pv-grub-x86_64and then installing a kernel withyum install kernelif one isn't already installed.