Firewalld: improving security for your AWS EC2 server

While AWS EC2 instances should be well protected by VPC security tools, you may still need to implement protection at the OS-level, and that means firewalld.

This is the second part of our server security series. In this article, we will look at configuring firewall rules via firewalld on Red Hat Enterprise Linux. While Amazon Linux is similar to Red Hat Enterprise Linux (RHEL) in many ways, it does not yet support firewalld. So we’ll have to focus on RHEL. By the way, I will not cover iptables here, as there are many good resources out there already.
FirewalldYou might wonder why we need to configure the firewall at the operating system level in the first place, if this is already taken care of by EC2 security groups within our VPC. I can think of a few possible use cases. If, for instance, the firewall in the security group is configured incorrectly, the OS-level firewall can act as a backup to protect the instance from possible probes or compromise. Or perhaps the administrator wants to bind additional ports for future services or temporarily block certain ports, but does not have access to the EC2 dashboard. In either case, depending on the security group state, he should be able to do so at the OS-level.
Now that we have justified using firewalld, let’s learn a bit more about it. firewalld is a new way to interact with the netfilter subsystem in the Linux kernel. It simplifies the way we manage firewall rules by classifying network traffic into different firewall zones. We could choose to simply use iptables to configure the firewall rules if we wanted to, but both cannot co-exist with each other.

Getting started with firewalld

Therefore, to get started with firewalld, we first need to make sure that the iptables-related services are disabled. By default, Red Hat Enterprise Linux does not have either iptables-services or firewalld packages installed. So when you try to query for iptables-services, it will tell you that it is not there.

# rpm -q iptables-services
package iptables-services is not installed

However, if it is already installed, we’ll need to disable the service so that it does not interfere with firewalld.

# rpm -q iptables-services
iptables-services-1.4.21-13.el7.x86_64
# systemctl stop iptables.service
# systemctl stop ip6tables.service
 systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
   Active: inactive (dead)
Nov 15 21:26:47 ip-172-30-1-83.ec2.internal systemd[1]: Stopped IPv4 firewall with iptables.
# systemctl status ip6tables.service
ip6tables.service - IPv6 firewall with ip6tables
   Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled)
   Active: inactive (dead)
Nov 15 21:26:52 ip-172-30-1-83.ec2.internal systemd[1]: Stopped IPv6 firewall with ip6tables.
# systemctl mask iptables.service
ln -s '/dev/null' '/etc/systemd/system/iptables.service'
# systemctl mask ip6tables.service
ln -s '/dev/null' '/etc/systemd/system/ip6tables.service'

Notice that we also disabled the IPv6 version of the iptables service. People tend to forget about that.
Now we are ready to install and start firewalld.

# yum install firewalld
# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: inactive (dead)
# systemctl start firewalld.service
# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sun 2015-11-15 21:31:53 EST; 7s ago
 Main PID: 10942 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─10942 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Nov 15 21:31:52 ip-172-30-1-83.ec2.internal systemd[1]: Starting firewalld - dynamic firewall dae.....
Nov 15 21:31:53 ip-172-30-1-83.ec2.internal systemd[1]: Started firewalld - dynamic firewall daemon.
Hint: Some lines were ellipsized, use -l to show in full.

To use firewalld, we need to understand more about how network traffic is classified into different firewall zones. The firewalld.zones man pages cover this in a very clear and concise manner. I will reproduce the description here verbatim.

  • drop – Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
  • block – Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
  • public – For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
  • external – For use on external networks with masquerading enabled specifically for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
  • dmz – For computers in your demilitarised zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
  • work – For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
  • home – For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
  • internal – For use in internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
  • trusted – All network connections are accepted.

Configure firewalld rules

We will configure firewalld using the firewall-cmd.
Instead of running systemctl status firewalld, we can also use the firewall-cmd with the --state option to confirm that it has started.

# firewall-cmd --state
running

You can list the firewall zones we discussed earlier by using the --get-zones option.

# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

To view the default zone, it is as simple as specifying the --get-default-zone option. If the EC2 instance is inside its own VPC subnet, and can only be accessed via a jumpbox, then we may change the default zone to internal, and add or remove the services that were allowed by default.

# firewall-cmd --get-default-zone
public
# firewall-cmd --set-default-zone=internal
success
# firewall-cmd --list-all
internal (default)
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Running firewall-cmd with the --get-services option lists all the services that can be controlled by firewalld.

# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

If a service is not on the list, we can always define our own service, or add the port to be opened via firewall-cmd directly. Let’s demonstrate that – and prepare for our next article on SELinux at the same time – by changing the default port number for the OpenSSH service to port 31337. Assuming that we will use firewalld together with SELinux, we can enable the port by using the --add-port option. Note that if we want to make our changes permanent, we need to reload the firewall rules immediately.

# firewall-cmd --permanent --add-port=31337/tcp; firewall-cmd --reload
success
success
# firewall-cmd --list-all
internal (default)
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 31337/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

If we want to remove unneeded services such as dhcpv6-client, ipp-client, etc, we can do so with the --remove-service option.

# firewall-cmd --permanent --remove-service=dhcpv6-client --remove-service=ipp-client --remove-service=mdns --remove-service=samba-client; firewall-cmd --reload
success
success
# firewall-cmd --list-all
internal (default)
  interfaces:
  sources:
  services: ssh
  ports: 31337/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

You can take a peek at the iptables rules that firewall-cmd magically generated based on the commands we just issued:

# iptables -S | tail
-A FWDI_internal -j FWDI_internal_allow
-A FWDO_internal -j FWDO_internal_log
-A FWDO_internal -j FWDO_internal_deny
-A FWDO_internal -j FWDO_internal_allow
-A INPUT_ZONES -g IN_internal
-A IN_internal -j IN_internal_log
-A IN_internal -j IN_internal_deny
-A IN_internal -j IN_internal_allow
-A IN_internal_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 31337 -m conntrack --ctstate NEW -j ACCEPT

If you have managed to successfully follow along so far, great work! You will find that firewalld is a lot easier to work with than trying to directly configure iptables.

In our next article, we will explore setting up SELinux on Amazon Linux, and walking through a simple SELinux example on Red Hat Enterprise Linux. For more on Cloud server security, why not take Cloud Academy’s Linux Security course?
Comments? Please join in!

Avatar

Written by

Eugene Teo

Eugene Teo is a director of security at a US-based technology company. He is interested in applying machine learning techniques to solve problems in the security domain.


Related Posts

Alisha Reyes
Alisha Reyes
— April 8, 2020

New on Cloud Academy: AWS Solutions Architect – Associate Exam Prep, Azure Courses, Google Associate Cloud Engineer Exam Prep, Programming Labs, and Much More

Free content on Cloud Academy More and more customers are relying on our technology and content to keep upskilling their people in these months, and we are doing our best to keep supporting them. While the world fights the COVID-19 pandemic, we wanted to make a small contribution to he...

Read more
  • AWS
  • Azure
  • Google Cloud Platform
  • programming
Joe Nemer
Joe Nemer
— April 3, 2020

Breaking News: All AWS Certification Exams Now Available Online

Remote proctoring for all AWS certifications Cloud Academy is an Advanced AWS Technology Partner, and we are happy to announce all AWS certification exams are available online!  What does this mean for you? You can stay focused on your certification goal. Or you can start a certifica...

Read more
  • AWS
  • AWS certification
  • AWS Certifications
Connie Benton
Connie Benton
— April 1, 2020

How To Build a Career with AWS Certifications

From Iaas and PaaS solutions to digital marketing, cloud computing reshapes the world of technology. As the influence of this technology grows, so does investment. Tens of billions of dollars are being spent on cloud computing-related services each year. This influx is continuing to inc...

Read more
  • AWS
  • Certifications
Vijayakumar Athithan
Vijayakumar Athithan
— March 27, 2020

What is Cognito in AWS?

Web applications usually allow a valid username and password combination for successful sign in to the application. Modern authentication flows incorporate more approaches to ensure user authentication. When using AWS, this is no exception, thanks to the abilities and features offered b...

Read more
  • AWS
  • AWS Cognito
  • Solutions Architect
Avatar
Andrew Larkin
— March 20, 2020

The 12 AWS Certifications: Which is Right for You and Your Team?

As companies increasingly shift workloads to the public cloud, cloud computing has moved from a nice-to-have to a core competency in the enterprise. This shift requires a new set of skills to design, deploy, and manage applications in cloud computing. As the market leader and most ma...

Read more
  • AWS
  • AWS Certifications
Alisha Reyes
Alisha Reyes
— March 17, 2020

Cloud Academy’s Blog Digest: How Do AWS Certifications Increase Your Employability, How to Become a Microsoft Certified Azure Data Engineer, and more

With everything going on right now, it's likely that the only thing you've been reading lately is related to the coronavirus pandemic. It's important to stay informed during these times, but it's also good to jump into something that can take your mind off of the current situation for j...

Read more
  • AWS
  • Azure
  • blog digest
  • Certifications
  • Cloud Academy
  • programming
  • Security
Avatar
Cloud Academy Team
— March 13, 2020

Which Certifications Should I Get?

As we mentioned in an earlier post, the old AWS slogan, “Cloud is the new normal” is indeed a reality today. Really, cloud has been the new normal for a while now and getting credentials has become an increasingly effective way to quickly showcase your abilities to recruiters and compan...

Read more
  • AWS
  • Azure
  • Certifications
  • Cloud Computing
  • Google Cloud Platform
Alisha Reyes
Alisha Reyes
— March 7, 2020

New on Cloud Academy: Intro to GitOps; AWS Courses; Java, Python, Amazon Linux 2, Ubuntu, & Docker Playgrounds; and much more

New Lab Playgrounds This month, our Content Team released six new "playground labs." Our playground labs provide a safe and secure sandbox environment for you to explore your own ideas, follow along with Cloud Academy courses, or answer your own questions — all without having to instal...

Read more
  • AWS
  • Azure
  • gitops
  • Google Cloud Platform
  • lab playground
  • programming
Alisha Reyes
Alisha Reyes
— March 6, 2020

New on Cloud Academy: Intro to GitOps; AWS Courses; Java, Python, Amazon Linux 2, Ubuntu, & Docker Playgrounds; and much more

New Lab Playgrounds This month, our Content Team released six new "playground labs." Our playground labs provide a safe and secure sandbox environment for you to explore your own ideas, follow along with Cloud Academy courses, or answer your own questions — all without having to instal...

Read more
  • AWS
  • Azure
  • gitops
  • Google Cloud Platform
  • lab playground
  • programming
Patrick Navarro
Patrick Navarro
— March 4, 2020

AWS Certifications: How Do They Increase Your Employability and Progress Your Career?

AWS certifications are no walk in the park. They’re designed to validate in-depth, specialist knowledge and comprehensive experience, often requiring months of dedicated studying to earn even for those already working with the cloud platform. But the rewards that AWS professionals ca...

Read more
  • AWS
  • AWS certification
  • certification
Avatar
Chandan Patra
— February 21, 2020

Elasticsearch vs. CloudSearch: AWS Cloud Search Choices

Elasticsearch vs. CloudSearch: What's the main difference? Let's compare AWS-based cloud tools: Elasticsearch vs. CloudSearch. While both services use proven technologies, Elasticsearch is more popular, open source, and has a flexible API to use for customization; in comparison, CloudS...

Read more
  • AWS
  • Azure
  • cloudsearch
  • elasticsearch
Avatar
Andrew Larkin
— February 13, 2020

Cloud Academy Content Roadmap Updates

Welcome to our Q1 2020 roadmap. This is the content we plan to build over the next three months, between February 1 - and April 30, 2020. Let's look at some of our roadmap highlights. Atlassian Bamboo for CI/CD We had a lot of requests for practical guides on how to apply DevOps tool...

Read more
  • Artificial Intelligence
  • AWS
  • Azure
  • Docker
  • Google Cloud Platform
  • Kubernetes
  • Machine Learning