Join Sean Colins for an in-depth discussion in this video Iptables and Firewalld, part of Linux: Firewalls and SELinux.
- [Instructor] As we get started, I want to get some basic concepts out of the way. Firewalls, in general, are complicated. The entire subject is complicated. But here, on our Fedora 25 Server, the concept of a firewall is more specifically complicated because in an opensource universe, there are many add-ons and services that interact with the functional kernel of the system. Firewalls in Linux, in general, all function within, and because of, the existence of something called Netfilter, which is the networking guts of the Linux kernel. But you can't directly configure Netfilter, so you need some tools to get in there and make things work.
After years of foundational technology coming to life and passing away, today, we have two conflicting daemons, that both can be used to make Netfilter do its firewalling thing. One is called Iptables, the other is called Firewalld. So, Iptables. Iptables has been around longer, but, as such, even though you can still install it and run it, you may find it becomes deprecated in the near future, so you might not want to use it. Firewalld is relatively newer.
It functions on a different security metaphor, and in certain ways, can be thought of as easier to configure. Iptables and Firewalld cannot, however, run at the same time, on the same system. And they require some mutual exclusion rules before we can get started. And setting that up properly, so you can move forward in this course, is exactly what we're going to do now. First, you want to see if Iptables is running on your system. It might be, if you've upgraded from a previous installation of Linux, or if you've tried your hand at setting up a firewall on your system before. So, we do this by first entering into a sudoer session.
We're going to type sudo -s, and we'll put in our password, that would be your password on your system, and that gives us a root session. You can tell the difference instantly whenever you're logged in. The dollar sign indicates that you are logged in as your primary user or the user account that you authenticated with. The little number sign here, the hashtag, that indicates that you're logged in as root. You can also see the name of the user next to your insertion prompt all the way over here to the left. And the user that I was logged into, initially, is sean and the one that I'm logged into now is root.
So, we're going to issue these commands. Not all of these require root, but it's nice to be in as root to just run these things so we don't have to worry about which one's which. And here we are, systemctl. That's the command we're going to use. And we're going to just do a quick status check on Iptables. See if it is running. And on my system, because mine is a new development system, on which I've never configured Iptables before, it says nope, sorry, not found. So, Iptables is installed, I will point out. If we were to go and cd into sbin and hit Return, that's cd /sbin/ and hit Return, then we would do an ls -fla, and whoa, that's a lot of stuff.
So, that's probably way more than I want to look at. If I go to ls, and I just type iptables, there it is. And so I can see that Iptables is, in fact, installed. That ls at iptables just said hey, list out Iptables for me in the current directory. If I wanted to see more information about Iptables, I could just up arrow, and back arrow, and then I could type Fla, capital F, lowercase la, and hit iptables, and look, there it goes. See, there, that it's a redirect over to xtables-multi.
It's there, it is installed, and that is good to know. But it's also important to know that it's not running. Because it is installed, it's important that we mask it out, so that it can't run on its own in the future. And that is what we're going to do next. So, if we go systemctl mask iptables and hit Return, it's going to say well, you know, the service doesn't exist, that's because it's not running, but I'm going to proceed anyway, and it creates the symlink and we're set. So, that is masked out and it won't run on its own.
Now, what happens if you, when you ran your systemctl status iptables, what if it said it was running? Or if it said it was not running? Well, in that case, you can run systemctl. Again, this is not what you have to do if you saw the results that I saw. But, if your results were different, and you saw that Iptables is, in fact, running, you would run systemctl stop iptables and you would hit Return. And it would be stopped. So, those are the three steps that you need to take. You need to check to see if Iptables is running.
If it is running, you need to stop it, and then mask it. If it is not present, or it's not installed, not running, then you need to simply mask Iptables so that it won't run on its own in the future. And, at that point, you are ready to start your configuration and running of Firewalld, which we'll take care of in later movies.
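The three steps the instructor walks through (check whether the iptables unit is running, stop it if it is, then mask it so it cannot start on its own) can be scripted so they are repeatable and verifiable. The script below is an added example written for this page, not code from the course; it assumes a systemd host like the Fedora 25 server in the video, and it lets the `systemctl` command be overridden through the `SYSTEMCTL` variable (an assumption of this example) so the decision logic can be exercised without a live system. It also adds the check a practitioner wants afterwards: `systemctl is-enabled` reports `masked` once the unit has been masked.

```shell
#!/bin/sh
# Added example (not from the course): idempotent "check, stop, mask" for the
# iptables service before switching to firewalld. Assumes systemd.
# SYSTEMCTL can be pointed at a fake for testing; defaults to the real command.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Print the unit's activity word (active, inactive, failed, unknown, ...).
# `is-active` exits non-zero when the unit is not running, so swallow that.
unit_state() {
    "$SYSTEMCTL" is-active "$1" 2>/dev/null || true
}

# Decide which of the two paths from the video applies to a given state word:
# running units are stopped and then masked, everything else is just masked.
plan_for_state() {
    case "$1" in
        active|activating|reloading) echo "stop-and-mask" ;;
        *) echo "mask" ;;
    esac
}

# Carry out the plan for the iptables unit and echo which plan was used.
disable_iptables() {
    state=$(unit_state iptables)
    plan=$(plan_for_state "$state")
    if [ "$plan" = "stop-and-mask" ]; then
        "$SYSTEMCTL" stop iptables
    fi
    # Masking symlinks the unit to /dev/null so nothing can start it later.
    "$SYSTEMCTL" mask iptables
    echo "$plan"
}

# Post-condition check: `is-enabled` prints "masked" for a masked unit.
iptables_is_masked() {
    [ "$("$SYSTEMCTL" is-enabled iptables 2>/dev/null || true)" = "masked" ]
}

# Only touch the live system when explicitly asked (e.g. IPTABLES_APPLY=1 sh script.sh).
if [ -n "${IPTABLES_APPLY:-}" ]; then
    disable_iptables
    iptables_is_masked && echo "iptables is masked" || { echo "iptables is NOT masked" >&2; exit 1; }
fi
```

Run it as root with `IPTABLES_APPLY=1` after the `sudo -s` step; without that variable the script only defines its functions, which is what makes the decision logic testable against a stand-in `systemctl`.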