Die Firewall Linux in heterogenen Netzen Grundkonfiguration

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen

Die Firewall

Virtualbox Konfiguration

  • Adapter1: Bridged Adapter br0
  • Adapter2: Internal Network dmz
  • Adapter3: Internal Network eth1/1

Setzen und anpassen des Hostnamen

  • LAB=lab34
  • hostnamectl set-hostname firewall.$LAB.linuggs.de
  • hostnamectl
 Static hostname: firewall.lab34.linuggs.de
       Icon name: computer-vm
         Chassis: vm 🖴
      Machine ID: a736abd11f52406db0e02d7a3877059b
         Boot ID: 089a7ce53e6a429797007e7e4acba90b
  Virtualization: oracle
Operating System: Debian GNU/Linux 12 (bookworm)  
          Kernel: Linux 6.1.0-25-amd64
    Architecture: x86-64
 Hardware Vendor: innotek GmbH
  Hardware Model: VirtualBox
Firmware Version: VirtualBox
  • cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	firewall.lab34.linuggs.de	firewall

Installation des vlan Paketes

  • apt install vlan

Anpassen der Netzwerk Konfiguration

  • cat /etc/network/interfaces
source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# WAN
auto enp0s3
iface enp0s3 inet static
 address 172.30.34.14/24
 gateway 172.30.34.254

iface enp0s3 inet6 static
 address 2a02:24d8:71:3040::3034/64
 gateway 2a02:24d8:71:3040::1


#MGMT
auto enp0s9
iface enp0s9 inet6 static
 address 2a02:24d8:71:3034::1/64

iface enp0s9 inet static
 address 172.26.52.1/24

#CLIENTS
auto enp0s9.21
iface enp0s9.21 inet6 static
 address 2a02:24d8:71:3035::1/64
 vlan-raw-device enp0s9

iface enp0s9.21 inet static
 address 172.26.53.1/24 
 vlan-raw-device enp0s9

#SERVER
auto enp0s9.22
iface enp0s9.22 inet6 static
 address 2a02:24d8:71:3036::1/64
 vlan-raw-device enp0s9

iface enp0s9.22 inet static
 address 172.26.54.1/24
 vlan-raw-device enp0s9

#DMZ
auto enp0s8
iface enp0s8 inet6 static
 address 2a02:24d8:71:3037::1/64

iface enp0s8 inet static
 address 172.26.55.1/24

Forwarding anschalten

  • echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
  • echo net.ipv6.conf.all.forwarding=1 >> /etc/sysctl.conf

Firewall die nur Nat macht

  • vi /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset
define wandev = enp0s3
define netz = { 172.26.52.0/22 }
table inet filter {
	chain input {
		type filter hook input priority filter;
	}
	chain forward {
		type filter hook forward priority filter;
	}
	chain output {
		type filter hook output priority filter;
	}
}

table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oif $wandev ip saddr $netz masquerade
    }

}

Firewall aktivieren

  • nft -f /etc/nftables.conf
  • systemctl enable nftables
  • nft list ruleset

Reboot

  • reboot

Tests

IPv4

MGMT
  • ping -c 1 -4 -I 172.26.52.1 8.8.8.8
CLIENTS
  • ping -c 1 -4 -I 172.26.53.1 8.8.8.8
SERVER
  • ping -c 1 -4 -I 172.26.54.1 8.8.8.8
DMZ
  • ping -c 1 -4 -I 172.26.55.1 8.8.8.8

IPv6

  • ping -c 1 -6 -I 2a02:24d8:71:3034::1 google.de
  • ping -c 1 -6 -I 2a02:24d8:71:3035::1 google.de
  • ping -c 1 -6 -I 2a02:24d8:71:3036::1 google.de
  • ping -c 1 -6 -I 2a02:24d8:71:3037::1 google.de

DNS

  • nslookup heise.de

Wie ist meine IP

  • apt install -y curl
  • curl -4 ifconfig.co
  • curl -6 ifconfig.co
Abgerufen von „http://wiki.ixheim.de/index.php?title=Die_Firewall_Linux_in_heterogenen_Netzen_Grundkonfiguration&oldid=57345