firewall-cmd blocking snmp

1

I inherited a system that has rules implemented with firewall-cmd; the rules are below. Another system is trying to connect to the SNMP port (UDP/161) but cannot (my server is responding with ICMP host administratively prohibited). If I remove the "reject-with icmp-host-prohibited" rule from the INPUT and FORWARD chains using the iptables command, it works fine.

How can I remove that rule using firewall-cmd? Or better, how can I allow traffic to UDP/161?

[root@host]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT_direct 2 -p tcp --dport 10000 -m limit --limit 50/second --limit-burst 1 -j ACCEPT
ipv4 filter INPUT_direct 2 -p tcp --dport 10020 -m limit --limit 50/second --limit-burst 1 -j ACCEPT
ipv4 filter INPUT_direct 2 -p tcp --dport 11000 -m limit --limit 50/second --limit-burst 1 -j ACCEPT
ipv4 filter INPUT_direct 2 -p tcp --dport 11020 -m limit --limit 50/second --limit-burst 1 -j ACCEPT
ipv4 filter INPUT_direct 2 -p udp --dport 161 -j ACCEPT
ipv4 filter OUTPUT 3 -j DROP
ipv4 filter OUTPUT 0 -p icmp -j ACCEPT
ipv4 filter OUTPUT 0 -p tcp -m multiport --dport=53,22,80,443 -j ACCEPT
ipv4 filter OUTPUT 1 -p tcp -m multiport --sport=53,22,80,443 -j ACCEPT
ipv4 filter OUTPUT 0 -p tcp -m multiport --dport=1024:65535 -j ACCEPT
ipv4 filter OUTPUT 1 -p tcp -m multiport --sport=1024:65535 -j ACCEPT
ipv4 filter OUTPUT 0 -p udp -m multiport --dport=1024:65535 -j ACCEPT
ipv4 filter OUTPUT 1 -p udp -m multiport --sport=1024:65535 -j ACCEPT
ipv4 filter OUTPUT 0 -p udp --dport=161 -j ACCEPT
ipv4 filter OUTPUT 1 -p udp --sport=161 -j ACCEPT
ipv4 filter OUTPUT 0 -p udp --dport=162 -j ACCEPT
ipv4 filter OUTPUT 1 -p udp --sport=162 -j ACCEPT
ipv4 filter OUTPUT 0 -p udp --dport=705 -j ACCEPT
ipv4 filter OUTPUT 1 -p udp --sport=705 -j ACCEPT
ipv4 filter INPUT 0 -m pkttype --pkt-type multicast -i ens224 -j ACCEPT
ipv4 filter INPUT 1 -p udp -m udp -i ens224 -j ACCEPT
ipv4 nat PREROUTING 0 -p tcp --destination 172.16.187.39 --dport 10700 -j DNAT --to 172.16.187.7:10700
ipv4 filter FORWARD_direct 2 -p udp --dport 161 -j ACCEPT

This is translated into the following iptables rules:

[root@host]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
OUTPUT_direct  all  --  anywhere             anywhere            

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_ledefaultzone  all  --  anywhere             anywhere            [goto] 
FWDI_ledefaultzone  all  --  anywhere             anywhere            [goto] 
FWDI_ledefaultzone  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_ledefaultzone  all  --  anywhere             anywhere            [goto] 
FWDO_ledefaultzone  all  --  anywhere             anywhere            [goto] 
FWDO_ledefaultzone  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:snmp

Chain FWDI_ledefaultzone (3 references)
target     prot opt source               destination         
FWDI_ledefaultzone_log  all  --  anywhere             anywhere            
FWDI_ledefaultzone_deny  all  --  anywhere             anywhere            
FWDI_ledefaultzone_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain FWDI_ledefaultzone_allow (1 references)
target     prot opt source               destination         

Chain FWDI_ledefaultzone_deny (1 references)
target     prot opt source               destination         

Chain FWDI_ledefaultzone_log (1 references)
target     prot opt source               destination         

Chain FWDO_ledefaultzone (3 references)
target     prot opt source               destination         
FWDO_ledefaultzone_log  all  --  anywhere             anywhere            
FWDO_ledefaultzone_deny  all  --  anywhere             anywhere            
FWDO_ledefaultzone_allow  all  --  anywhere             anywhere            

Chain FWDO_ledefaultzone_allow (1 references)
target     prot opt source               destination         

Chain FWDO_ledefaultzone_deny (1 references)
target     prot opt source               destination         

Chain FWDO_ledefaultzone_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_ledefaultzone  all  --  anywhere             anywhere            [goto] 
IN_ledefaultzone  all  --  anywhere             anywhere            [goto] 
IN_ledefaultzone  all  --  anywhere             anywhere            [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ndmp limit: avg 50/sec burst 1
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10020 limit: avg 50/sec burst 1
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:irisa limit: avg 50/sec burst 1
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:11020 limit: avg 50/sec burst 1
ACCEPT     udp  --  anywhere             anywhere             udp dpt:snmp
ACCEPT     all  --  anywhere             anywhere             PKTTYPE = multicast
ACCEPT     udp  --  anywhere             anywhere             udp

Chain IN_ledefaultzone (3 references)
target     prot opt source               destination         
IN_ledefaultzone_log  all  --  anywhere             anywhere            
IN_ledefaultzone_deny  all  --  anywhere             anywhere            
IN_ledefaultzone_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain IN_ledefaultzone_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:20701 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:33000 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:7199 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:yo-main ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:33003 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10742 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:33005 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:rmiregistry ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10701 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:33002 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:11443 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:20601 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:33004 ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10700 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:33006 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10760 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:blocks ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:20700 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:33001 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:amanda ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:23232 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10388 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:20600 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10181 ctstate NEW

Chain IN_ledefaultzone_deny (1 references)
target     prot opt source               destination         

Chain IN_ledefaultzone_log (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             multiport dports domain,ssh,http,https
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 1024:65535
ACCEPT     udp  --  anywhere             anywhere             multiport dports 1024:65535
ACCEPT     udp  --  anywhere             anywhere             udp dpt:snmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:snmptrap
ACCEPT     udp  --  anywhere             anywhere             udp dpt:agentx
ACCEPT     tcp  --  anywhere             anywhere             multiport sports domain,ssh,http,https
ACCEPT     tcp  --  anywhere             anywhere             multiport sports 1024:65535
ACCEPT     udp  --  anywhere             anywhere             multiport sports 1024:65535
ACCEPT     udp  --  anywhere             anywhere             udp spt:snmp
ACCEPT     udp  --  anywhere             anywhere             udp spt:snmptrap
ACCEPT     udp  --  anywhere             anywhere             udp spt:agentx
DROP       all  --  anywhere             anywhere            
    
by Rima 11.07.2018 / 17:03

1 answer

2

You can use the firewall-cmd CLI client tool to add a permanent rule that allows the specific UDP port through the firewalld daemon for the applicable zone.

1. Get the Active Interface Zone(s)

firewall-cmd --get-active-zones

2. Allowing the UDP Port Traffic Through

firewall-cmd --permanent --zone=<zone> --add-port=161/udp
firewall-cmd --reload

Note: The <zone> value is the one returned by the command in step 1.


3. Confirming

firewall-cmd --zone=<zone> --list-ports

More resources

  • firewall-cmd

    --get-active-zones
    

    Print currently active zones altogether with interfaces and sources used in these zones. Active zones are zones, that have a binding to an interface or source. The output format is:


    --permanent
    

    The permanent option --permanent can be used to set options permanently. These changes are not effective immediately, only after service restart/reload or system reboot. Without the --permanent option, a change will only be part of the runtime configuration.

    If you want to make a change in runtime and permanent configuration, use the same call with and without the --permanent option.

    The --permanent option can be optionally added to all options further down where it is supported.


    [--permanent] [--zone=zone] --add-port=portid[-portid]/protocol [--timeout=timeval]
    

    Add the port for zone. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards. timeval is either a number (of seconds) or number followed by one of characters s (seconds), m (minutes), h (hours), for example 20m or 1h.

    The port can either be a single port number or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp.


by 14.07.2018 / 02:57
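The three steps of the answer, carried through as an added example that is not part of the original question or answer. It goes a little beyond the answer: instead of `--add-port=161/udp`, which opens SNMP to every source, it uses a firewalld rich rule so that only one monitoring host may poll the agent, applies it to both the runtime and the permanent configuration, and verifies it with `--query-rich-rule`. It also includes two small parsing helpers that check captured `firewall-cmd --list-ports` and `firewall-cmd --direct --get-all-rules` output offline, which is how you would confirm whether a direct rule like the asker's `INPUT_direct ... --dport 161 -j ACCEPT` is actually loaded. The zone name `public` and the manager address `192.0.2.10` are assumptions (a documentation address standing in for the real SNMP manager); the sample outputs are constructed, modelled on the listing in the question.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: the active zone is "public" and the only host allowed to poll
# SNMP is 192.0.2.10 (documentation address, replace with the real manager).
ZONE="${ZONE:-public}"
MANAGER="${MANAGER:-192.0.2.10}"

# Build the rich rule text once so add/query/remove use the identical string.
snmp_rich_rule() {
    # $1 = source address or CIDR allowed to reach 161/udp
    printf 'rule family="ipv4" source address="%s" port port="161" protocol="udp" accept' "$1"
}

# Check captured `firewall-cmd --zone=<zone> --list-ports` output
# (space-separated, e.g. "22/tcp 161/udp") for a given port/proto.
port_listed() {
    # $1 = port spec such as 161/udp, $2 = captured --list-ports output
    for p in $2; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Check captured `firewall-cmd --direct --get-all-rules` output for a direct
# ACCEPT of proto/dport in a given chain. Lines look like:
#   ipv4 filter INPUT_direct 2 -p udp --dport 161 -j ACCEPT
# Both "--dport 161" and "--dport=161" spellings are accepted.
direct_accept_present() {
    # $1 = chain (INPUT_direct), $2 = proto (udp), $3 = dport, $4 = captured output
    printf '%s\n' "$4" | grep -Eq -e "^ipv4 filter $1 [0-9]+ .*-p $2 .*--dport[= ]$3( |\$).*-j ACCEPT"
}

# Constructed sample output for offline checks, modelled on the question's listing.
SAMPLE_DIRECT='ipv4 filter INPUT_direct 2 -p udp --dport 161 -j ACCEPT
ipv4 filter OUTPUT 0 -p udp --dport=161 -j ACCEPT
ipv4 filter FORWARD_direct 2 -p udp --dport 161 -j ACCEPT'
SAMPLE_PORTS='22/tcp 161/udp'

# Apply the rule to runtime and permanent config, then verify with the query
# option (exit status 0 means the rule is present in the zone).
apply_snmp_rule() {
    rule=$(snmp_rich_rule "$MANAGER")
    firewall-cmd --zone="$ZONE" --add-rich-rule="$rule" || return 1
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule" || return 1
    firewall-cmd --zone="$ZONE" --query-rich-rule="$rule"
}

# Only touch a live firewall when firewall-cmd exists and we are root;
# otherwise just demonstrate the parsing helpers on the constructed samples.
if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    apply_snmp_rule && firewall-cmd --zone="$ZONE" --list-rich-rules
else
    echo "firewall-cmd not available or not root; checking constructed samples" >&2
    port_listed 161/udp "$SAMPLE_PORTS" && echo "161/udp is listed in the zone"
    direct_accept_present INPUT_direct udp 161 "$SAMPLE_DIRECT" && echo "direct INPUT_direct ACCEPT for udp/161 present"
fi
```

If the agent also needs to send traps, the source-restricted approach does not help on the INPUT side: traps leave via OUTPUT, which on the asker's host ends in `OUTPUT_direct ... -j DROP` and is already allowed by the `--dport=162` direct rule. To back the change out, repeat the two `--add-rich-rule` calls with `--remove-rich-rule` and the same rule string.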