The Blog of Nitin J Mutkawoa, AKA @TheTunnelix – Page 2 – Mauritian living in the USA | Founding member of cyberstorm.mu | Creator of tunnelix.com | Devops Engineer | Hacker at IETF Hackathon | VCA & VCP

35 commands to understand Firewalld in RHEL7 environment

10/10/2019 Nitin J Mutkawoa Add Comment

Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges, and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly. – Firewalld.org

IPtables VS Firewalld

In RHEL6, we had IPtables. Now, in RHEL7, the firewall mechanism or say, the firewall daemon changed to Firewalld. Both serve the same purpose, i.e; packet filtering using the Netfilter module inbuilt in the Linux kernel. However, it is important to know why the Firewalld took over the IPtables. In Firewalld, you can change settings dynamically whilst being on production compared to IPtables which needs to flush out the entire rules set once a change has been made. Another difference is that during the installation of firewalld, you have support for both IPv4 and IPv6 compared to IPtables, you will have to install Ip6tables for IPv6 support. For those who are not acquainted with IPv6, please check out the article on “Diving into the basics of IPv6“. To briefly describe Firewalld, it is a set of services and daemons that manage the Netfilter in the Linux kernel. Finally, it is important to understand that both RHEL6 and RHEL7 used the IPtables (commands) to talk to the Netfilter.

Zones concept in Firewalld

One of the important concepts in firewalld is ‘zones’. Zones are groups of rules which is managed by the firewalld. Zones are based on the level of trust a user has on the interface and traffic within a network. Zones are even defined from least trusted to most trusted. These are the types of zones:

Drop zones: This is where incoming connections are dropped without any messages.
Block zones: Same as block zone but the only difference is that it gives an ICMP reply.
Public zones: It is an untrusted zone, but may allow connections based on case to case basis.
External zones: It is used when your firewall is also a gateway or simply, configuration for NAT.
Internal zones: This is the other side of the gateway or simply the firewall configurations used inside your own network, usually in a private network.
Demilitarized zones: Demilitarized zones or say DMZ, is where only certain incoming connections are allowed.
Work zones: There is a trust in the majority of hosts on the network which makes it possible to allow more services.
Home zones: The trust here is more and more acceptable and much more restrictions are removed.
Trusted: Here, there is absolute trust. Note that this should be used carefully.

VIEW information on your firewall

1. You can check if your firewall is running from either of the following commands:

systemctl status firewalld

firewalld-cmd --state

2. Like we said earlier, we can also check in which zone is the interface card configured:

firewalld-cmd --get-default-zone

3. Now, to check which interface card is in which zone, simply do the following. As you can see below, both interface cards enp0s3 and enp0s8 is in the active zone:

firewalld-cmd --get-active-zone

4. To check which rules are in the zones:

firewalld-cmd --list-all

5. If you want to get all the existing zones, simply do the following:

firewalld-cmd --get-zones

6. To list all existing rules within each zone, use the following:

Currently, you will also know which zones are your interfaces.

firewalld-cmd --list-all

7. But, you can still list the rules for a specific zone, say, the ‘home’ zone.

firewall-cmd --zone=home --list-all

8. For more details of all zones:firewall-cmd –list-all-zones

9. We have also seen, for example, in part 4 that firewall-zone –get-active-zone also shows us the services associated with the zone. But, we can also see a list of services with the firewall-zone command:

firewall-cmd --get-services

The services are just XML file located in /usr/lib/firewalld/services

Change information on the Firewall

10. Let’s say you want to move one interface from one zone to another zone. In my case, I want to move enp0s3 from the public to the home zone.

firewall-cmd --zone=home --change-interface=enp0s3

You can verify same using firewall-cmd –list-all-zones

11. However, another way to made verifications can be done using the command:

firewall-cmd --get-active-zones

12. Please note that restarting the service firewalld will result in loss of the change carried out. To ensure it is effective even after a restart of the service, go on the configuration on the network card which is /etc/sysconfig/network-scripts/ifcfg-enp0s3 and add the following line to it.

ZONE=home

13. Also, note that you can always change the default zone from public to home directly with the command:

firewall-cmd --set-default-zone=home

14. To add a specific service to a zone, for example, adding https to the zone public.

firewall-cmd --zone=public --add-service=https

15. Please note that this is only temporarily and after a restart of the service, the https will not be anymore in the home zone. To make it permanent:

firewall-cmd --permanent --zone=public --add-service=https

Always test your change with a firewall-cmd –reload

16. Most of the time, if you are running your own custom application, let’s say it is running on port 8080 and the services are not seen using firewall-cmd get-services, you can still add it to a zone by mentioning the port.

firewall-cmd --permanent --zone=public --add-port=8080/tcp

After adding the port, you must reload it to view the change.

More crazy Firewalld rules

17. You can also specify a range, for example, from 8000 to 8080 using the command:

firewall-cmd --permanent --zone=public --add-port=8000-8080/tcp

18. More interesting if you want to allow a specific IP Address for a specific zone, you can use the –add-source parameter:

firewall-cmd --permanent --zone=public --add-source=10.0.3.16/24

19. We can also block a specific IP Address from a zone. Let’s say we want to block IP 10.10.10.10/24 from the zone public. For that, we have to use the parameter –add-rich-rule.

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.10.10/24" reject'

20. You might also want a particular service to be allowed from a particular IP Address. Let’s say we want to allow IP 10.10.10.5 for the zone public and only for the FTP service. In this example below, limit value=”2/m” means to limit 2 connections per minute.

[[email protected] services]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.10.5/24" service name="ftp" log prefix="tftp" level="info" limit value="2/m" accept'

21. Let’s say you want to know which zone is a specific interface. You can use the following command:

firewall-cmd --get-zone-of-interface=enp0s3

22. You can also find how many particular interfaces are in a particular zone:

firewall-cmd --zone=public --list-interfaces

23. To stop all communications, let’s say during an attack, you can fire this command:

firewall-cmd --panic-on

24. You can also stop the panic using the following command:

firewall-cmd --panic-off

25. You can also check if you are in a query panic using the following command:

firewall-cmd --query-panic

NAT, Port Forwarding and Masquerading

Network Address Translation (NAT) means to use a strategy to hide an IP address space into another IP address by modifying the network address information in the IP header. The packets in the IP header will transit through a routing device.

Port Address Translation (PAT) sometimes called Port forwarding works the same fashion except that it works on port level. You can forward port 22 on from your IP address to port 8000 to your internal web server.

The word Masquerading itself means to use something fake. NAT masquerading is another strategy to allow a device that does not have an IP address to communicate with other computers on the internet. IP Masquerading means to set up an IP gateway for a device.

26. To check if masquerading is on or off, you can use the following command:

firewall-cmd --query-masquerade

27. Or say you want to query a particular zone if masquerade is on or off, simply use the –zone parameter:

firewall-cmd --zone=public --query-masquerade

28. To enable masquerade for the zone public

firewall-cmd --zone=public --add-masquerade

29. Before performing a port forwarding, we need to enable the masquerading:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.10.5/24" masquerade'

30. Now, let’s say we want to forward all SSH traffic which is on port 22 to port 8000. This can be achieved using the following command:

firewall-cmd --permanent --zone=public --add-forward-port=port=22:proto=tcp:toport=8000

31. Since we did not define the IP address, it will redirect to localhost. Otherwise, you can also add an IP address:

firewall-cmd --permanent --zone=public --add-forward-port=port=22:proto=tcp:toport=8000:toaddr=10.0.2.16

32. You can also query it by using the parameter –query-forward-port:

firewall-cmd --permanent --zone=public --query-forward-port=port=22:proto=tcp:toport=8000:toaddr=10.0.2.16

Other stuff in Firewalld

33. You can also use firewalld on the graphic user interface. This can be done by installing the package firewall-config. The following command can be used:

yum install firewall firewalld-config

34. There are other ways to check if firewalld is running:

systemctl status firewalld

firewall-cmd --state

35. To active debug mode on firewalld logs enter the following parameter in the /etc/sysconfig/firewalld

FIREWALLD_ARGS='--debug'

After setting the parameter, the service need to be restarted.

If you want to get to the Ninja level using firewalld, please refer to this blog article by certdepot.net

Linux System, Networking, Security cybersecurity, DevOps, firewall, linux, security

10 steps to install Puppet configuration management tool

10/09/2019 Nitin J Mutkawoa Add Comment

Some days ago a guy asked me why I do not blog anything on Puppet configuration management tool and prefer Ansible over Puppet. True it is that I prefer Ansible because it is agentless and very easy to use. However, we agreed that there are certain situations that Puppet wins over Ansible. I decided to blog about this configuration management tool so as to enhance my knowledge and that of my readers. Puppet provides several services such as Windows automation, cloud management, configuration management, etc. However, in this blog post, we will talk about puppet as a configuration management tool. Puppet provides the ability to define which software and configuration a system requires and then maintain a specified state after the initial setup. The nodes that Puppet control must have the Puppet agent installed. In this blog post, we will focus on the installation of the Puppet Server and the Agent as well.

1. For that, I created two VMs (puppet-server and puppet-client) on my Virtual Box labs which are Puppet-Server and Pupper-Client. I have also mentioned each hostname and IP Address in the /etc/hosts file of each server.

2. You can get the repository on yum.puppetlabs.com. I downloaded it with the following commands on both servers:

rpm -Uvh https://yum.puppetlabs.com/puppet-release-el-7.noarch.rpm

3. On the puppet-server, install the puppet-server package.

yum install puppetserver

4. Since I am on a virtual machine with very low memory assigned, I tweak the memory Xms and Xmx value (heap size). The Xms is the initial minimum heap size when the service start whilst the Xmx is the maximum heap size. On the puppet-server, I edited the file /etc/sysconfig/puppetserver and change the heap value to this:

JAVA_ARGS="-Xms1g -Xmx1g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"

5. Add the puppet binary to your environment. I edited the bash_profile file for that.

PATH=$PATH:$HOME/bin:/opt/puppetlabs/bin

Also launched the following command:

source bash_profile

6. Also, install the puppet-agent on the puppetclient machine.

yum install puppet-agent -y

7. On the puppetserver, you can start the service with the following command:

systemctl start puppetserver

8. And, on the puppetclient you can start the service as follows:

systemctl start puppet

9. Now, that we have seen how to install the Puppet server and the agent. Let’s now see other directories related to Puppet.

/etc/puppetlabs/puppet – contain several configuration files
/etc/puppetlabs/puppet/ssl – contain the certificate
/etc/sysconfig/puppetserver – file that contain the java configuration such as heap size, start timeout etc.
/etc/puppetlabs/code/environments/production – Default production environment available to write the codes.

10. In Puppet, whatever instructions you give the Puppet agent is called a ‘resource’. This is the fundamentals to write the manifest where instructions are given to manage Puppet. To know the resources available you need to launch the following command:

puppet resource --type

11. To understand the syntax of the resource, for example, the resource ‘file’, use the following command:

puppet describe file

In the next article, I will describe how to use the Puppet configuration management tool to administer or to instruct the puppet agent to perform specific tasks. Remember, Puppet file extension ends with ‘.pp’ and I will focus a lot more on that. At the same time, this is a good way to refresh my memory when using Puppet. I hope you liked this article when it comes to the basic installation and configuration when using Puppet.

Linux Application DevOps, linux, Puppet

Getting started with Terraform

10/08/2019 Nitin J Mutkawoa Add Comment

Terraform is an open-source tool created by HashiCorp and it is written in Go programming language. Using Terraform allows us to define our infrastructure as a Code by using declarative language. It’s important to understand that Terraform language is declarative, which describes an intended goal rather than the steps to reach the goal. Once you define your infrastructure, Terraform will figure out how to create it. Terraform also supports a variety of cloud providers and virtualization platforms such as AWS, Azure, VMware, OpenStack, etc.. This is pretty cool as it eliminates several tasks, for example, to create several AWS instances.

Installation of Terraform

1. This is pretty simple. You just have to go on the official website and download the package. In my case, I am on a Linux machine, and I am choosing a Linux 64 bit package.

To download and unzip it, use the following command:

wget https://releases.hashicorp.com/terraform/0.12.10/terraform_0.12.10_linux_amd64.zip && unzip terraform*.zip

2. I moved the binary to /usr/local/bin. Make sure it is in the path environment variable.

mv terraform /usr/local/bin

3. By this time, you should get your binary and be able to check the version.

terraform version

Setting up API call for Terraform on AWS

4. We also need to allow terraform to make an API call on our behalf. I will be calling the API on AWS. For that, you will need to create a user on the AWS IAM and assign the rights and policies. Assuming that you have already created the user and you have the credentials to move ahead. Use the following commands:

export AWS_ACCESS_KEY_ID="AKIA***************"

export AWS_SECRET_ACCESS_KEY="mVTwU6JtC***************"

export AWS_DEFAULT_REGION="us-east-1"

Writing the codes

5. Once you are done exporting the credentials, you can start building your Terraform code. The whole code is in my Github and you can download it for free.

The first thing is to configure the provider and the region.

provider "aws" {

 region = "us-east-1"

}

6. Each provider supports different kinds of resources such as load balancers, servers, databases, etc.. In this example, we are trying to create a single EC2 instance. I have chosen the AWS Linux OS and the smallest nano server. The tags are just the identifier in AWS.

resource "aws_instance" "web" {

  ami           = "ami-0b69ea66ff7391e80"

  instance_type = "t2.nano"

}

7. Then launch a terraform init to initialized the Terraform working directory. By that, I mean that it will download the AWS plugin. You should found a similar type of output from your screen.

8. Before performing the actual change, you can use the terraform plan to understand what change has been established. The plus sign means what is going to be added and the minus sign means those that are going to be removed.

9. To create the instance use the terraform apply to create the instance. It will prompt you to type ‘yes’ to continue on with the creation.

10. If you go on the AWS EC2 console, you will notice that the resource has been created successfully.

11. Hey, it’s not over yet! There are more things that need to be added for example the name of the instance. Let’s called it Nginx-Server. Let’s add the tags. Also, launch a terraform apply.

tags = {

    Name = "Nginx-Web"

 }

Adding User Data and Security groups

12. At this stage, I believed you must understand what is Terraform and how it works? To make the installation of Nginx add the following block of lines:

user_data = <<-EOF

  #!/bin/bash

  yum install nginx -y

  systemctl start nginx

  systemctl enable nginx

  EOF

13. To add the security groups, enter these codes:

resource "aws_security_group" "allow_http" {

  name        = "allow_http"

  description = "Allow HTTP inbound traffic"

  ingress {

    from_port   = 80

    to_port     = 80

    protocol    = "tcp"

    cidr_blocks = ["0.0.0.0/0"]

  }

14. In part 6 under instance_type, I have added this line. What it means? “aws_security_group” is a resource, “allow_http” is a variable that has been called from the security group in part 13, and lastly “id” is the attribute.

  vpc_security_group_ids = ["${aws_security_group.allow_http.id}"]

15. Note that when launching terraform apply, you will notice that Terraform will destroy the old machine and build a new one which implies that there will be a downtime.

16. You can also view your code through a graph. Launch the command terraform graph. The output can also be viewed as more human-readable through Graphviz which you have to install. You can also go to webgraphviz.com to view it online.

It is very interesting to understand the dependency when using declarative language in Terraform. The full code can be viewed here on my Github Repository.

Linux Application, Linux System, Scripts and codes, Virtualisation AWS, DevOps, Terraform, virtualization

cyberstorm.mu member relocated to the United States of America

08/20/2019 Nitin J Mutkawoa Add Comment

I admit that I was keeping that a secret since long. Well, many already know now that I moved to the state of Connecticut in the United States of America. I finally got my permanent residency authorization and I am considering different job opportunities. However, I am open to voluntary works here in the states.

When someone first arrives here, there are many things to start with such as a Driving license. It is also important to ensure that the green card is being shipped although the permanent residency is already proven on through the passport visa, Social Security card, Conversion of certificates, prospective jobs, getting used to traveling, communication tools such as SIM cards, Internet access, housing, etc.

Today is the fifth day that I am in the states and I have been visiting several places in Connecticut and been to New York City. As we are in summer here, I have been to BlueBerry picking at a farm and other nature recreational places. Of course, when it comes to food, I make sure that I did not miss the burger. There are also several health caravans which were providing free health checkup which I did. I made some shopping in huge hardware shops such as Lowes which were pretty fascinating. Also had some administrative tasks to complete at the John Kennedy International Airport.

firstweekusa

When reaching the United States, I made a landing video from the plane. You can check it out below.

[yotuwp type=”videos” id=”6zLfD0TQS5k” ]

Now, the adventure begins and my checklist is becoming so complicated. But, I’m sure everything will get sorted soon. I’m also following events and meetups in Mauritius and I’m glad that cyberstorm.mu is present in the AFPIF – African Peering and Interconnection Forum conference in Mauritius.

Uncategorized usa

IETF 105 Hackathon remotely from Mauritius

08/20/2019 Nitin J Mutkawoa Add Comment

For sure, I cannot miss out to share this blog post which is about the IETF 105 hackathon which took place in Montreal, Canada. It was carried out at The Kiosk, Coromandel at the quarters of cyberstorm.mu. If you have been following cyberstorm.mu team during the IETF hackathon, you would have noticed that we had a pool and several amenities. This time, due to some constraints, we have decided to shift to our brand new office at The Kiosk, Coromandel.

It was two days hackathon. Some decided to work remotely whilst others came at the office to discuss and proceed ahead with robust analysis and more codes. We also had new participants who agreed to attend the hackathon. Some visited us for a while whilst others came to visit us just out of curiosity.

The team also came to know that it could be my last days in Mauritius as I decided to move to the United States and also resigned from my current position as DevOps Engineer at Orange Business Services. Thanks to Nathan Sunil Mangar who provided us with several goodies. Some days back the SANS Internet Storm Center sent me some stickers which I shared with the team.

The team was working on TLS 1.3, SSH, SCE, DSCP-LE PHB, and the IETF Mobile App. On the next day, Loganaden Velvindron presented the work remotely from Mauritius. I was glad to be able to work on the Check-SMTP software by ZeroSpam which is a company in Canada. More and more applications are now TLS 1.3 compatible. The SSH RC4 deprecation is now becoming a reality. You can view the presentation here:

[yotuwp type=”videos” id=”SoHsM4SlYZ0″ ]

Thanks to the TheKiosk who sponsored us the location and a brand new office. The team is looking forward to work further in the next IETF hackathon. Also, cyberstorm.mu is now giving support to several IETF hubs in Africa and bringing more free security patches to the world. More picture here:

ietf105

MeetUps and Presentations hackathon, ietf, ietf 105