While AWS EC2 instances should be well protected by VPC security tools, you may still need to implement protection at the OS-level, and that means firewalld.
This is the second part of our server security series. In this article, we will look at configuring firewall rules via
firewalld on Red Hat Enterprise Linux. While Amazon Linux is similar to Red Hat Enterprise Linux (RHEL) in many ways, it does not yet support
firewalld. So we’ll have to focus on RHEL. By the way, I will not cover
iptables here, as there are many good resources out there already.
You might wonder why we need to configure the firewall at the operating system level in the first place, if this is already taken care of by EC2 security groups within our VPC. I can think of a few possible use cases. If, for instance, the firewall in the security group is configured incorrectly, the OS-level firewall can act as a backup to protect the instance from possible probes or compromise. Or perhaps the administrator wants to bind additional ports for future services or temporarily block certain ports, but does not have access to the EC2 dashboard. In either case, depending on the security group state, he should be able to do so at the OS-level.
Now that we have justified using
firewalld, let’s learn a bit more about it.
firewalld is a new way to interact with the netfilter subsystem in the Linux kernel. It simplifies the way we manage firewall rules by classifying network traffic into different firewall zones. We could choose to simply use
iptables to configure the firewall rules if we wanted to, but both cannot co-exist with each other.
Getting started with firewalld
Therefore, to get started with
firewalld, we first need to make sure that the
iptables-related services are disabled. By default, Red Hat Enterprise Linux does not have either
firewalld packages installed. So when you try to query for
iptables-services, it will tell you that it is not there.
# rpm -q iptables-services package iptables-services is not installed
However, if it is already installed, we’ll need to disable the service so that it does not interfere with
# rpm -q iptables-services iptables-services-1.4.21-13.el7.x86_64 # systemctl stop iptables.service # systemctl stop ip6tables.service systemctl status iptables.service iptables.service - IPv4 firewall with iptables Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled) Active: inactive (dead) Nov 15 21:26:47 ip-172-30-1-83.ec2.internal systemd: Stopped IPv4 firewall with iptables. # systemctl status ip6tables.service ip6tables.service - IPv6 firewall with ip6tables Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled) Active: inactive (dead) Nov 15 21:26:52 ip-172-30-1-83.ec2.internal systemd: Stopped IPv6 firewall with ip6tables. # systemctl mask iptables.service ln -s '/dev/null' '/etc/systemd/system/iptables.service' # systemctl mask ip6tables.service ln -s '/dev/null' '/etc/systemd/system/ip6tables.service'
Notice that we also disabled the IPv6 version of the
iptables service. People tend to forget about that.
Now we are ready to install and start
# yum install firewalld # systemctl status firewalld.service firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled) Active: inactive (dead) # systemctl start firewalld.service # systemctl status firewalld.service firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled) Active: active (running) since Sun 2015-11-15 21:31:53 EST; 7s ago Main PID: 10942 (firewalld) CGroup: /system.slice/firewalld.service └─10942 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid Nov 15 21:31:52 ip-172-30-1-83.ec2.internal systemd: Starting firewalld - dynamic firewall dae..... Nov 15 21:31:53 ip-172-30-1-83.ec2.internal systemd: Started firewalld - dynamic firewall daemon. Hint: Some lines were ellipsized, use -l to show in full.
firewalld, we need to understand more about how network traffic is classified into different firewall zones. The
firewalld.zones man pages cover this in a very clear and concise manner. I will reproduce the description here verbatim.
drop– Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block– Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
public– For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
external– For use on external networks with masquerading enabled specifically for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
dmz– For computers in your demilitarised zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work– For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home– For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal– For use in internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted– All network connections are accepted.
Configure firewalld rules
We will configure
firewalld using the
Instead of running
systemctl status firewalld, we can also use the
firewall-cmd with the
--state option to confirm that it has started.
# firewall-cmd --state running
You can list the firewall zones we discussed earlier by using the
# firewall-cmd --get-zones block dmz drop external home internal public trusted work
To view the default zone, it is as simple as specifying the
--get-default-zone option. If the EC2 instance is inside its own VPC subnet, and can only be accessed via a jumpbox, then we may change the default zone to
internal, and add or remove the services that were allowed by default.
# firewall-cmd --get-default-zone public # firewall-cmd --set-default-zone=internal success # firewall-cmd --list-all internal (default) interfaces: sources: services: dhcpv6-client ipp-client mdns samba-client ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules:
firewall-cmd with the
--get-services option lists all the services that can be controlled by
# firewall-cmd --get-services RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
If a service is not on the list, we can always define our own service, or add the port to be opened via
firewall-cmd directly. Let’s demonstrate that – and prepare for our next article on SELinux at the same time – by changing the default port number for the OpenSSH service to port 31337. Assuming that we will use
firewalld together with SELinux, we can enable the port by using the
--add-port option. Note that if we want to make our changes permanent, we need to reload the firewall rules immediately.
# firewall-cmd --permanent --add-port=31337/tcp; firewall-cmd --reload success success # firewall-cmd --list-all internal (default) interfaces: sources: services: dhcpv6-client ipp-client mdns samba-client ssh ports: 31337/tcp masquerade: no forward-ports: icmp-blocks: rich rules:
If we want to remove unneeded services such as
ipp-client, etc, we can do so with the
# firewall-cmd --permanent --remove-service=dhcpv6-client --remove-service=ipp-client --remove-service=mdns --remove-service=samba-client; firewall-cmd --reload success success # firewall-cmd --list-all internal (default) interfaces: sources: services: ssh ports: 31337/tcp masquerade: no forward-ports: icmp-blocks: rich rules:
You can take a peek at the
iptables rules that
firewall-cmd magically generated based on the commands we just issued:
# iptables -S | tail -A FWDI_internal -j FWDI_internal_allow -A FWDO_internal -j FWDO_internal_log -A FWDO_internal -j FWDO_internal_deny -A FWDO_internal -j FWDO_internal_allow -A INPUT_ZONES -g IN_internal -A IN_internal -j IN_internal_log -A IN_internal -j IN_internal_deny -A IN_internal -j IN_internal_allow -A IN_internal_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p tcp -m tcp --dport 31337 -m conntrack --ctstate NEW -j ACCEPT
If you have managed to successfully follow along so far, great work! You will find that
firewalld is a lot easier to work with than trying to directly configure
In our next article, we will explore setting up SELinux on Amazon Linux, and walking through a simple SELinux example on Red Hat Enterprise Linux. For more on Cloud server security, why not take Cloud Academy’s Linux Security course?
Comments? Please join in!
Cloud Migration Risks & Benefits
If you’re like most businesses, you already have at least one workload running in the cloud. However, that doesn’t mean that cloud migration is right for everyone. While cloud environments are generally scalable, reliable, and highly available, those won’t be the only considerations dri...
Real-Time Application Monitoring with Amazon Kinesis
Amazon Kinesis is a real-time data streaming service that makes it easy to collect, process, and analyze data so you can get quick insights and react as fast as possible to new information. With Amazon Kinesis you can ingest real-time data such as application logs, website clickstre...
Google Cloud Functions vs. AWS Lambda: The Fight for Serverless Cloud Domination
Serverless computing: What is it and why is it important? A quick background The general concept of serverless computing was introduced to the market by Amazon Web Services (AWS) around 2014 with the release of AWS Lambda. As we know, cloud computing has made it possible for users to ...
Google Vision vs. Amazon Rekognition: A Vendor-Neutral Comparison
Google Cloud Vision and Amazon Rekognition offer a broad spectrum of solutions, some of which are comparable in terms of functional details, quality, performance, and costs. This post is a fact-based comparative analysis on Google Vision vs. Amazon Rekognition and will focus on the tech...
New on Cloud Academy: CISSP, AWS, Azure, & DevOps Labs, Python for Beginners, and more…
As Hurricane Dorian intensifies, it looks like Floridians across the entire state might have to hunker down for another big one. If you've gone through a hurricane, you know that preparing for one is no joke. You'll need a survival kit with plenty of water, flashlights, batteries, and n...
Amazon Route 53: Why You Should Consider DNS Migration
What Amazon Route 53 brings to the DNS table Amazon Route 53 is a highly available and scalable Domain Name System (DNS) service offered by AWS. It is named by the TCP or UDP port 53, which is where DNS server requests are addressed. Like any DNS service, Route 53 handles domain regist...
How to Unlock Complimentary Access to Cloud Academy
Are you looking to get trained or certified on AWS, Azure, Google Cloud Platform, DevOps, Cloud Security, Python, Java, or another technical skill? Then you'll want to mark your calendars for August 23, 2019. Starting Friday at 12:00 a.m. PDT (3:00 a.m. EDT), Cloud Academy is offering c...
What Exactly Is a Cloud Architect and How Do You Become One?
One of the buzzwords surrounding the cloud that I'm sure you've heard is "Cloud Architect." In this article, I will outline my understanding of what a cloud architect does and I'll analyze the skills and certifications necessary to become one. I will also list some of the types of jobs ...
Boto: Using Python to Automate AWS Services
Boto allows you to write scripts to automate things like starting AWS EC2 instances Boto is a Python package that provides programmatic connectivity to Amazon Web Services (AWS). AWS offers a range of services for dynamically scaling servers including the core compute service, Elastic...
Content Roadmap: AZ-500, ITIL 4, MS-100, Google Cloud Associate Engineer, and More
Last month, Cloud Academy joined forces with QA, the UK’s largest B2B skills provider, and it put us in an excellent position to solve a massive skills gap problem. As a result of this collaboration, you will see our training library grow with additions from QA’s massive catalog of 500+...
DevSecOps: How to Secure DevOps Environments
Security has been a friction point when discussing DevOps. This stems from the assumption that DevOps teams move too fast to handle security concerns. This makes sense if Information Security (InfoSec) is separate from the DevOps value stream, or if development velocity exceeds the band...
Test Your Cloud Knowledge on AWS, Azure, or Google Cloud Platform
Cloud skills are in demand | In today's digital era, employers are constantly seeking skilled professionals with working knowledge of AWS, Azure, and Google Cloud Platform. According to the 2019 Trends in Cloud Transformation report by 451 Research: Business and IT transformations re...