The Firewall (Linux in heterogeneous networks, basic configuration): difference between revisions
(→Tests)
(9 intermediate revisions by the same user not shown)
| Zeile 10: | Zeile 10: | ||
*'''hostnamectl''' | *'''hostnamectl''' | ||
<pre> | <pre> | ||
| − | Static hostname: lab34.linuggs.de | + | Static hostname: firewall.lab34.linuggs.de |
Icon name: computer-vm | Icon name: computer-vm | ||
Chassis: vm 🖴 | Chassis: vm 🖴 | ||
| Zeile 42: | Zeile 42: | ||
auto enp0s3 | auto enp0s3 | ||
iface enp0s3 inet static | iface enp0s3 inet static | ||
| − | address 172.30.34.14 | + | address 172.30.34.14/24 |
gateway 172.30.34.254 | gateway 172.30.34.254 | ||
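Review bot: adding the prefix length in `address 172.30.34.14/24` is the right fix; ifupdown needs either a prefix on `address` or a separate `netmask` line to know the subnet, and the inet6 stanza that follows already uses the `/64` form, so the file is now consistent. The unchanged `gateway 172.30.34.254` still lies inside that /24.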
| Zeile 84: | Zeile 84: | ||
iface enp0s8 inet static | iface enp0s8 inet static | ||
| − | address 172.26.55. | + | address 172.26.55.1/24 |
</pre> | </pre> | ||
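Review bot: the old line `address 172.26.55.` was a truncated address that would not parse, so this hunk repairs a real breakage rather than a style point; `172.26.55.1/24` is the DMZ gateway address and lies inside the masquerade set 172.26.52.0/22 from /etc/nftables.conf, so DMZ traffic is also masqueraded on enp0s3.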
| + | |||
=Forwarding anschalten= | =Forwarding anschalten= | ||
*'''echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf''' | *'''echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf''' | ||
| Zeile 124: | Zeile 125: | ||
*nft -f /etc/nftables.conf | *nft -f /etc/nftables.conf | ||
*systemctl enable nftables | *systemctl enable nftables | ||
| − | + | *nft list ruleset | |
==Reboot== | ==Reboot== | ||
*'''reboot''' | *'''reboot''' | ||
| + | =Tests= | ||
| + | |||
| + | ==IPv4== | ||
| + | ;MGMT | ||
| + | *ping -c 1 -4 -I 172.26.52.1 8.8.8.8 | ||
| + | ;CLIENTS | ||
| + | *ping -c 1 -4 -I 172.26.53.1 8.8.8.8 | ||
| + | ;SERVER | ||
| + | *ping -c 1 -4 -I 172.26.54.1 8.8.8.8 | ||
| + | ;DMZ | ||
| + | *ping -c 1 -4 -I 172.26.55.1 8.8.8.8 | ||
| + | |||
| + | ==IPv6== | ||
| + | ;MGMT | ||
| + | *ping -c 1 -6 -I 2a02:24d8:71:3034::1 google.de | ||
| + | ;CLIENTS | ||
| + | *ping -c 1 -6 -I 2a02:24d8:71:3035::1 google.de | ||
| + | ;SERVER | ||
| + | *ping -c 1 -6 -I 2a02:24d8:71:3036::1 google.de | ||
| + | ;DMZ | ||
| + | *ping -c 1 -6 -I 2a02:24d8:71:3037::1 google.de | ||
| + | ==DNS== | ||
| + | *nslookup heise.de | ||
| + | ==Wie ist meine IP== | ||
| + | *apt install -y curl | ||
| + | *curl -4 ifconfig.co | ||
| + | *curl -6 ifconfig.co | ||
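Review bot: the IPv6 tests have no NAT counterpart (the postrouting rule masquerades `ip saddr` only, i.e. IPv4), so the four `ping -6 -I 2a02:24d8:71:303x::1` checks only succeed if the upstream router at 2a02:24d8:71:3040::1 routes 2a02:24d8:71:3034::/64 through 3037::/64 back to the WAN address; that prerequisite should be stated next to the tests. The IPv4 pings with `-I 172.26.5x.1` are a valid check even though they originate on the firewall itself, because locally generated packets also pass the nat postrouting hook and are masqueraded on enp0s3. The added `*nft list ruleset` is worth keeping: its output shows the defines expanded and an explicit `policy accept` on all three filter chains, which is the visible confirmation that this ruleset only masquerades and filters nothing. If `nslookup` is missing (Debian 12 ships it in bind9-dnsutils), `getent hosts heise.de` exercises the resolver without an extra package.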
Current revision as of 8 October 2024, 11:38
The Firewall
VirtualBox configuration
- Adapter 1: Bridged Adapter br0 (WAN; appears in the guest as enp0s3)
- Adapter 2: Internal Network dmz (DMZ; enp0s8)
- Adapter 3: Internal Network eth1/1 (MGMT plus the CLIENTS and SERVER VLANs; enp0s9)
Set and adjust the hostname
- LAB=lab34
- hostnamectl set-hostname firewall.$LAB.linuggs.de
- hostnamectl
Static hostname: firewall.lab34.linuggs.de
Icon name: computer-vm
Chassis: vm 🖴
Machine ID: a736abd11f52406db0e02d7a3877059b
Boot ID: 089a7ce53e6a429797007e7e4acba90b
Virtualization: oracle
Operating System: Debian GNU/Linux 12 (bookworm)
Kernel: Linux 6.1.0-25-amd64
Architecture: x86-64
Hardware Vendor: innotek GmbH
Hardware Model: VirtualBox
Firmware Version: VirtualBox
- cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 firewall.lab34.linuggs.de firewall
Install the vlan package (needed for the vlan-raw-device stanzas in the interface configuration below)
- apt install vlan
Adjust the network configuration
- cat /etc/network/interfaces
source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# WAN
auto enp0s3
iface enp0s3 inet static
    address 172.30.34.14/24
    gateway 172.30.34.254

iface enp0s3 inet6 static
    address 2a02:24d8:71:3040::3034/64
    gateway 2a02:24d8:71:3040::1

#MGMT
auto enp0s9
iface enp0s9 inet6 static
    address 2a02:24d8:71:3034::1/64

iface enp0s9 inet static
    address 172.26.52.1/24

#CLIENTS
auto enp0s9.21
iface enp0s9.21 inet6 static
    address 2a02:24d8:71:3035::1/64
    vlan-raw-device enp0s9

iface enp0s9.21 inet static
    address 172.26.53.1/24
    vlan-raw-device enp0s9

#SERVER
auto enp0s9.22
iface enp0s9.22 inet6 static
    address 2a02:24d8:71:3036::1/64
    vlan-raw-device enp0s9

iface enp0s9.22 inet static
    address 172.26.54.1/24
    vlan-raw-device enp0s9

#DMZ
auto enp0s8
iface enp0s8 inet6 static
    address 2a02:24d8:71:3037::1/64

iface enp0s8 inet static
    address 172.26.55.1/24
Enable forwarding
- echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
- echo net.ipv6.conf.all.forwarding=1 >> /etc/sysctl.conf
Both settings take effect at the reboot below (or immediately with sysctl -p).
Firewall that only does NAT
The three filter chains below are declared without a policy, so they default to accept: this ruleset forwards everything between all segments and the WAN and only masquerades the IPv4 source addresses; it filters nothing.
- vi /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
# WAN interface and the block that covers all four internal /24s
# (172.26.52.0/22 = 172.26.52.0 to 172.26.55.255)
define wandev = enp0s3
define netz = { 172.26.52.0/22 }
# no policy given: every chain defaults to accept
table inet filter {
chain input {
type filter hook input priority filter;
}
chain forward {
type filter hook forward priority filter;
}
chain output {
type filter hook output priority filter;
}
}
table inet nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
# IPv4 from the internal block leaving via WAN gets the WAN address as source
oif $wandev ip saddr $netz masquerade
}
}
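As an added example (my code, not part of the original page or the lab), the following script writes the same WAN/MGMT/CLIENTS/SERVER/DMZ layout as a ruleset with default-drop input and forward chains, so the VM actually filters instead of only masquerading. Interface names and the 172.26.52.0/22 block are taken from this page; the choice of what to allow (SSH only from the MGMT segment, internal segments may open connections into the DMZ but not the reverse) is an assumption of mine, as is the output path given on the command line.

```shell
#!/bin/sh
# Added example: hardened replacement for the NAT-only /etc/nftables.conf.
# Assumed: enp0s3 = WAN, enp0s8 = DMZ, enp0s9(.21/.22) = MGMT/CLIENTS/SERVER,
# SSH to the firewall only from MGMT (my choice, not from the page).

write_hardened_ruleset() {
    # usage: write_hardened_ruleset /etc/nftables.conf
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

define wandev  = "enp0s3"
define mgmtdev = "enp0s9"
define dmzdev  = "enp0s8"
define lanifs  = { "enp0s9", "enp0s9.21", "enp0s9.22" }
define netz    = { 172.26.52.0/22 }

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # ping tests and IPv6 neighbour discovery
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept
        # administer the firewall from the MGMT segment only
        iifname $mgmtdev tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # internal segments and DMZ may reach the Internet
        iifname $lanifs oifname $wandev accept
        iifname $dmzdev oifname $wandev accept
        # internal segments may open connections into the DMZ;
        # DMZ -> MGMT/CLIENTS/SERVER is not listed and falls to policy drop
        iifname $lanifs oifname $dmzdev accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}

table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oif $wandev ip saddr $netz masquerade
    }
}
EOF
}

check_ruleset() {
    # Parse-check the file without loading it (nft -c / --check).
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed here; on the firewall run: nft -c -f $1" >&2
        return 2
    fi
}

# Usage: sh harden-nft.sh /etc/nftables.conf   (then: nft -f /etc/nftables.conf)
if [ $# -gt 0 ]; then
    write_hardened_ruleset "$1" && check_ruleset "$1"
fi
```

Load it from the VirtualBox console or from a host in the MGMT segment, not over an SSH session coming from another segment: once the input chain drops by default, only MGMT can still reach port 22.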
Activate the firewall
- nft -f /etc/nftables.conf
- systemctl enable nftables
- nft list ruleset
nft -f loads the file atomically (a syntax error leaves the previous ruleset in place); enabling the nftables service makes the same file load at boot; nft list ruleset prints what the kernel actually holds, with the defines expanded.
Reboot
- reboot
Tests
Each ping is sent from the firewall itself with the segment's gateway address as source (-I), so the reply only arrives if that address is masqueraded on the way out (IPv4) or if the upstream router routes the segment's /64 back to the firewall (IPv6; there is no IPv6 NAT in the ruleset).
IPv4
- MGMT
- ping -c 1 -4 -I 172.26.52.1 8.8.8.8
- CLIENTS
- ping -c 1 -4 -I 172.26.53.1 8.8.8.8
- SERVER
- ping -c 1 -4 -I 172.26.54.1 8.8.8.8
- DMZ
- ping -c 1 -4 -I 172.26.55.1 8.8.8.8
IPv6
- MGMT
- ping -c 1 -6 -I 2a02:24d8:71:3034::1 google.de
- CLIENTS
- ping -c 1 -6 -I 2a02:24d8:71:3035::1 google.de
- SERVER
- ping -c 1 -6 -I 2a02:24d8:71:3036::1 google.de
- DMZ
- ping -c 1 -6 -I 2a02:24d8:71:3037::1 google.de
DNS
- nslookup heise.de
What is my IP
- apt install -y curl
- curl -4 ifconfig.co
- curl -6 ifconfig.co
curl -4 shows the public address behind which the lab's upstream NAT places 172.30.34.14; curl -6 shows the firewall's own WAN address 2a02:24d8:71:3040::3034, since IPv6 is routed, not translated.
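The pings above prove that masquerading works; they say nothing about what the filter chains allow. As an added example (my code, not from the page), this script audits the text that nft list ruleset prints: it reads the policy of the input and forward chains, extracts the source set masqueraded on the WAN device, and checks that every segment gateway address from this page falls inside that set. The embedded ruleset is a constructed sample of what the NAT-only configuration on this page prints; the WAN device name and segment addresses are assumed to be the ones used here.

```shell
#!/bin/sh
# Added example: audit `nft list ruleset` output for a NAT-only firewall.
# Assumed: WAN device enp0s3 and the four segment gateway addresses from the page.

WANDEV=${WANDEV:-enp0s3}
SEGMENTS="MGMT=172.26.52.1 CLIENTS=172.26.53.1 SERVER=172.26.54.1 DMZ=172.26.55.1"

# Constructed sample: what `nft list ruleset` prints for the NAT-only ruleset
# on this page (nft expands the defines and prints the default policies).
SAMPLE_RULESET='table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
	}
	chain forward {
		type filter hook forward priority filter; policy accept;
	}
	chain output {
		type filter hook output priority filter; policy accept;
	}
}
table inet nat {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
	}
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oif "enp0s3" ip saddr 172.26.52.0/22 masquerade
	}
}'

ip4_to_int() {  # dotted quad -> 32-bit integer
    old=$IFS; IFS=.; set -- $1; IFS=$old
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

ipv4_in_cidr() {  # ipv4_in_cidr ADDR NET/PREFIX -> exit 0 when ADDR is inside
    a=$(ip4_to_int "$1"); n=$(ip4_to_int "${2%/*}"); p=${2#*/}
    m=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
    [ $(( a & m )) -eq $(( n & m )) ]
}

chain_policy() {  # chain_policy RULESET HOOK -> prints accept|drop
    printf '%s\n' "$1" |
        sed -n "s|.*type filter hook $2 priority [^;]*; policy \([a-z]*\);.*|\1|p"
}

masquerade_net() {  # masquerade_net RULESET -> prints the set masqueraded on WAN
    printf '%s\n' "$1" | tr -d '"' |
        sed -n "s|.*oif[a-z]* $WANDEV ip saddr \([0-9./]*\) masquerade.*|\1|p"
}

audit_ruleset() {  # audit_ruleset RULESET -> prints findings, returns their count
    findings=0
    for hook in input forward; do
        if [ "$(chain_policy "$1" "$hook")" != drop ]; then
            echo "FINDING: $hook chain policy is not drop (nothing is filtered)"
            findings=$((findings + 1))
        fi
    done
    net=$(masquerade_net "$1")
    if [ -z "$net" ]; then
        echo "FINDING: no masquerade rule on $WANDEV"
        findings=$((findings + 1))
    else
        for seg in $SEGMENTS; do
            if ! ipv4_in_cidr "${seg#*=}" "$net"; then
                echo "FINDING: ${seg%=*} (${seg#*=}) not covered by masquerade set $net"
                findings=$((findings + 1))
            fi
        done
    fi
    return $findings
}

# On the firewall:  audit_ruleset "$(nft list ruleset)"
# Offline demonstration on the constructed sample:
audit_ruleset "$SAMPLE_RULESET" || echo "findings: $?"
```

On the NAT-only ruleset from this page the audit reports two findings (input and forward chains accept by default) and none for coverage, since 172.26.52.0/22 contains all four gateway addresses.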