SLES 15 IP Masquerade selective ports

I am using a SLES 15 machine with 2 network cards as a router for a private network to the internet. I have setup IP masquerading and machines in the ‘private’ network can access the internet successfully.

What I want to do now is limit the outbound traffic from the private network to the external network to a selection of TCP ports and block everything else. I need to allow port 22 (SSH) and a few ports on an external licence server but nothing else (no http or https for example) but I am struggling to see how to setup firewalld to do this.

The firewall is running and the internal zone allows https as my router machine is running rmt for patching and registration but I only want this to apply to connections from the internal (private) networks to the router itself, not via the masquerading process to the external network.

Can anyone offer any advice or links to resources on how to set this up?

Thanks

Rob

ttrcf wrote:

> I am using a SLES 15 machine with 2 network cards as a router for a
> private network to the internet. I have setup IP masquerading and
> machines in the ‘private’ network can access the internet
> successfully.
>
> What I want to do now is limit the outbound traffic from the private
> network to the external network to a selection of TCP ports and block
> everything else. I need to allow port 22 (SSH) and a few ports on an
> external licence server but nothing else (no http or https for
> example) but I am struggling to see how to setup firewalld to do this.
>
> The firewall is running and the internal zone allows https as my
> router machine is running rmt for patching and registration but I
> only want this to apply to connections from the internal (private)
> networks to the router itself, not via the masquerading process to the
> external network.
>
> Can anyone offer any advice or links to resources on how to set this
> up?
>
> Thanks
>
> Rob

Hi Rob,

How are you configuring your firewall?

  • YaST provides an easy way to configure a simple firewall and the
    configuration is saved in /etc/sysconfig/SuSEfirewall2.
  • You have more control over what is configured if you edit
    /etc/sysconfig/SuSEfirewall2 directly.

The configuration specified in SuSEfirewall2 is used to create the
actual firewall rules via iptables. If you know what you are doing you
can use iptables directly and obtain very granular control over how the
firewall behaves. (man iptables)

To simplify your configuration, SuSEfirewall2 makes a number of
assumptions including: internal zones have access to external zones;
external zones do not have access to other zones; services running on
your firewall system are generally not accessible from other systems.
Then, of course, the rest of the firewall configuration involves
creating exceptions to these rules but there are only so many types of
exceptions that can be created even by editing SuSEfirewall2 directly.

Sometimes it may be necessary to think outside the box!

I haven’t tried this but what happens if you setup both interfaces as
external? By default external interfaces don’t have access to anything.
Could you not then define precisely what traffic is permitted to and
from each interface and which interface has access to services on the
firewall itself?


Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.

Kevin

Thanks for your reply. SLES15 uses firewalld rather than SuSEfirewall2 which complicates matters a little but the underlying technology is still iptables.

My difficulty is how to apply separate rules to the traffic from the private network that is destined for the router machine via the adapter in the internal firewall zone (https to the rmt server for example) whilst not allowing https traffic to servers on the external side via the IP masquerade.

Rob

ttrcf wrote:

> My difficulty is how to apply separate rules to the traffic from the
> private network that is destined for the router machine via the
> adapter in the internal firewall zone

That is what I understood.

Can you not configure both interfaces as external and then permit
specific traffic to/from each interface?


Kevin Boyle - Knowledge Partner

KBOYLE wrote:

> ttrcf wrote:
>
> > My difficulty is how to apply separate rules to the traffic from the
> > private network that is destined for the router machine via the
> > adapter in the internal firewall zone
>
> That is what I understood.
>
> Can you not configure both interfaces as external and then permit
> specific traffic to/from each interface?
>
> Kevin Boyle - Knowledge Partner

Kevin

Thanks again but I am not sure what you mean by this. If I have both NICs in the same zone will they not pickup exactly the same rules? Could you perhaps give an example of a firewalld rule that would act on traffic between two interfaces in the same zone.

I was playing yesterday with outbound rules on the external interface and managed to block all outgoing traffic except DNS and SSH. This worked for traffic from the external zone but did not affect the masqueraded traffic from the internal zone, even though it was passing through the external interface. Is this expected behaviour?

Rob
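The behaviour Rob describes above is a consequence of where firewalld (with its iptables backend, as on SLES 15) enforces zone settings: the services and ports of a zone are applied to traffic addressed to the router itself (the INPUT path), while masqueraded traffic is routed through the FORWARD path, where enabling masquerade on the external zone makes firewalld accept anything leaving through that interface. firewalld's "direct" rules are attached to the FORWARD chain ahead of the zone forwarding rules, so they are the place to restrict what is forwarded without touching what the internal zone accepts for the router itself (https to rmt keeps working). The following /etc/firewalld/direct.xml is an added example, not something posted in this thread or shipped with SLES; it assumes eth1 is the internal NIC, eth0 the external NIC, and a hypothetical licence server at 203.0.113.10 listening on tcp/27000-27001 (substitute your own address and ports).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- /etc/firewalld/direct.xml  (added example; interface names, the licence
     server address 203.0.113.10 and ports 27000/27001 are assumptions) -->
<direct>
  <!-- Rules in chain "FORWARD" land in FORWARD_direct, which firewalld
       consults before its own zone forwarding rules. Lower priority
       values are evaluated first. Only forwarded (masqueraded) packets
       pass through here; traffic to the router itself (INPUT) is not
       affected, so the internal zone's https service still reaches rmt. -->

  <!-- Replies to connections that were already accepted: outside -> inside -->
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</rule>

  <!-- Allowed from the private LAN to the internet: SSH anywhere -->
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="1">-i eth1 -o eth0 -p tcp --dport 22 -j ACCEPT</rule>

  <!-- Allowed: the licence server only, on its licence ports (assumed values) -->
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="1">-i eth1 -o eth0 -d 203.0.113.10 -p tcp -m multiport --dports 27000,27001 -j ACCEPT</rule>

  <!-- If the LAN clients resolve names on the internet rather than via the
       router, DNS has to be allowed too; uncomment if that is the case.
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="1">-i eth1 -o eth0 -p udp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="1">-i eth1 -o eth0 -p tcp --dport 53 -j ACCEPT</rule>
  -->

  <!-- Log (rate limited) and drop everything else from inside to outside.
       Use "-j REJECT" instead of DROP if you prefer clients to fail fast
       rather than wait for a timeout on, for example, https. -->
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="2">-i eth1 -o eth0 -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="3">-i eth1 -o eth0 -j DROP</rule>
</direct>
```

Activate it with `firewall-cmd --reload`; the same rules can be entered one at a time with `firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD <priority> <args>` instead of editing the file. Check what is loaded with `firewall-cmd --direct --get-all-rules` and `iptables -nvL FORWARD_direct`, then test from a LAN host: ssh to an outside host should connect, `curl https://` to an outside host should fail (and appear in the system log with the FWD-DROP prefix), and https to the router's own rmt address should still work. These rules are IPv4 only; if the router also forwards IPv6, add matching `ipv="ipv6"` rules, otherwise IPv6 traffic is not restricted by this file.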

ttrcf wrote:

> KBOYLE wrote:
>
> > ttrcf wrote:
> >
> > > My difficulty is how to apply separate rules to the traffic from
> > > the private network that is destined for the router machine via
> > > the adapter in the internal firewall zone
> >
> > That is what I understood.
> >
> > Can you not configure both interfaces as external and then permit
> > specific traffic to/from each interface?
> >
> > Kevin Boyle - Knowledge Partner
>
> Kevin
>
> Thanks again but I am not sure what you mean by this. If I have both
> NICs in the same zone will they not pickup exactly the same rules?
> Could you perhaps give an example of a firewalld rule that would act
> on traffic between two interfaces in the same zone.

Hi Rob,

I have not worked with SLES 15 so I’m going to let someone else jump in
and offer some suggestions…

I’ve done a lot of firewall configuration in SLES 11 which uses
SuSEfirewall2 but things have changed in SLES 15.

Have you read the documentation?
https://www.suse.com/documentation/sles-15/index.html

The firewall is mentioned throughout the various documents but the
Security Guide seems to have the most relevant information. See the
section on Masquerading and Firewalls:

https://www.suse.com/documentation/sles-15/book_security/data/cha_security_firewall.html

> I was playing yesterday with outbound rules on the external interface
> and managed to block all outgoing traffic except DNS and SSH. This
> worked for traffic from the external zone but did not affect the
> masqueraded traffic from the internal zone, even though it was passing
> through the external interface. Is this expected behaviour?

firewalld appears to be quite different from SuSEfirewall2. Until I
have worked with it I can’t say what is expected behaviour.

While you can easily configure rules you have to be careful. Until you
understand all the nuances of the application and the configuration
utility, the rules you define may not produce the results you desire
and may even allow unintentional access.

Most firewall configuration tools use the concept of zones to create a
set of default rules to simplify the configuration. Typically, an
external zone is associated with a public network where all input is
blocked unless it is specifically enabled while an internal zone is
associated with a trusted network where all input is permitted. When
you configure a system to function as a router you want some traffic to
pass from one interface to another. To accomplish this you need to
enable “forwarding” then define rules to permit specific types of
traffic.

My earlier suggestion to put both your interfaces into the external
zone would mean that input from both interfaces would be blocked by
default. You would then have to create rules to define what services on
your server, if any, can be accessed from a specific interface and
additional rules to permit specific types of traffic to pass from one
interface to the other. How you might do that depends on the specific
firewall configuration tool you are using.

I hope that helps.


Kevin Boyle - Knowledge Partner
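Kevin's description of the task, enabling forwarding and then defining which traffic may pass from one interface to the other, maps directly onto firewalld "policy" objects, which exist in firewalld 0.9 and later (so on newer SLES 15 service packs, not the original firewalld 0.5 release). A policy sits between an ingress zone and an egress zone and only ever sees forwarded traffic, which is exactly the separation Rob was after: the internal zone keeps allowing https to the router's own rmt service, while the policy decides what the LAN may reach on the far side of the masquerade. The file below is an added example, not part of this thread or of any SUSE documentation; it assumes the zone names "internal" and "external" from Rob's description, the policy name int2ext, and a hypothetical licence server at 203.0.113.10 on tcp/27000-27001.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- /etc/firewalld/policies/int2ext.xml  (added example; the policy name,
     licence server address and ports are assumptions).
     Policies with a negative priority (the default is -1) are evaluated
     before the zones' own forwarding rules, so the DROP target here wins
     over the blanket "forward everything out of the masqueraded interface"
     behaviour of the external zone. Masquerading itself stays configured
     on the external zone and is unaffected. -->
<policy target="DROP" priority="-1">
  <short>int2ext</short>
  <description>Forwarded traffic from the private LAN to the internet: SSH and the licence server only.</description>
  <ingress-zone name="internal"/>
  <egress-zone name="external"/>

  <!-- SSH to any external host -->
  <port port="22" protocol="tcp"/>

  <!-- Licence ports, but only to the licence server (assumed address/ports) -->
  <rule family="ipv4">
    <destination address="203.0.113.10"/>
    <port port="27000-27001" protocol="tcp"/>
    <accept/>
  </rule>

  <!-- Everything else that tries to cross from internal to external,
       http and https included, is dropped by the policy target. -->
</policy>
```

The equivalent can be built without editing files: `firewall-cmd --permanent --new-policy int2ext`, then `--policy int2ext --add-ingress-zone internal`, `--add-egress-zone external`, `--set-target DROP`, `--add-port 22/tcp` and `--add-rich-rule 'rule family=ipv4 destination address=203.0.113.10 port port=27000-27001 protocol=tcp accept'`, followed by `firewall-cmd --reload`. Verify with `firewall-cmd --info-policy int2ext` and the same LAN-side tests as before (ssh out works, https out fails, https to the router's rmt still works). As with the direct-rule version, this policy's rich rule is IPv4 only; if IPv6 is forwarded, add the corresponding rule, and remember that `<port>` entries without a family apply to both.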