I am running a CentOS 7 box with two NICs as a router/firewall/DHCP etc. By examining the firewall with iptables -L I have observed that firewalld has taken the three basic chains INPUT, FORWARD and OUTPUT and spawned off additional chains for the various zones.
For example I guess that the chain IN_public_deny would contain a list of addresses of packets accessing the public zone which should be dropped. I created a rich rule
Quote:
firewall-cmd --add-rich-rule="rule family='ipv4' source address='10.42.0.217' drop" --zone=public
and now see this
Code:
Chain IN_public_deny (1 references)
target prot opt source destination
DROP all -- 10.42.0.217 anywhere
This prevents the computer at 10.42.0.217 from connecting to the firewall box with ssh or pinging the firewall box. However, the node computer can connect to the Internet.
I inserted a rule in the main FORWARD chain using iptables (should have used firewall-cmd --direct ... but have not figured that out yet.) The rule is here
Code:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- 10.42.0.217 anywhere
ACCEPT all -- anywhere 10.42.0.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 10.42.0.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
This prevents the node computer from connecting to the Internet for example with a web browser or pinging an Internet IP address.
Code:
[ken@localhost Desktop]$ ping 85.12.30.226
PING 85.12.30.226 (85.12.30.226) 56(84) bytes of data.
^C
--- 85.12.30.226 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8173ms
[ken@localhost Desktop]$ ping www.centos.org
PING www.centos.org (85.12.30.226) 56(84) bytes of data.
^C
--- www.centos.org ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7338ms
In the first case, the ping by IP address never returned. In the second case the name www.centos.org was resolved and then the ping never returned.
The connection on the host points to the firewall box 10.42.0.1 as the primary DNS. However, I have, successfully I think, prevented the node from contacting the firewall box directly or routing traffic through the firewall box to the Internet. My question is... how do I block access to DNS which is being provided by/through the firewall box?
TIA,
Ken
p.s. Zenmap (nmap gui) shows
Code:
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.76
when I scan against the firewall box from the node computer.
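Added example (not part of Ken's post): a small evaluator for `iptables -L` listings of the kind shown above. It parses the chain headers and rule rows and walks a chain the way netfilter does (first matching rule wins, a jump into a listed user chain is followed, and the chain policy applies only when nothing matched), which is what decides whether the inserted DROP in FORWARD actually beats the later ACCEPT rules. The listing embedded in the script is constructed from the FORWARD and IN_public_deny output in the post, with the firewalld zone-dispatch chains (FORWARD_IN_ZONES and friends) deliberately left out as a simplification: a jump to a target that is not in the listing is treated as "no verdict, continue". Only the `state`/`ctstate` match is modelled; other match extensions in the trailing column are ignored.

```python
"""Walk an `iptables -L` listing the way the kernel does: first matching rule wins."""
import ipaddress
import re

# Constructed sample, copied from the FORWARD and IN_public_deny chains in the post
# (firewalld's zone-dispatch chains are omitted to keep the walk readable).
LISTING = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.42.0.217          anywhere
ACCEPT     all  --  anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.42.0.0/24         anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain IN_public_deny (1 references)
target     prot opt source               destination
DROP       all  --  10.42.0.217          anywhere
"""

# Terminal verdicts; any other target is treated as a jump to a user chain.
VERDICTS = {"ACCEPT", "DROP", "REJECT"}


def parse_listing(text):
    """Return {chain_name: (policy_or_None, [rule dicts])} from `iptables -L` text."""
    chains = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if header:
            current = header.group(1)
            chains[current] = (header.group(2), [])  # user chains have no policy
            continue
        if line.startswith("target") or current is None:
            continue  # column header, or text before the first chain
        parts = line.split(None, 5)
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""  # match extensions, e.g. "state ..."
        chains[current][1].append(
            {"target": target, "prot": prot, "src": src, "dst": dst, "extra": extra}
        )
    return chains


def _addr_match(spec, addr):
    """'anywhere' matches everything; otherwise host or CIDR containment."""
    if spec == "anywhere":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _rule_matches(rule, pkt):
    if rule["prot"] not in ("all", pkt["proto"]):
        return False
    if not _addr_match(rule["src"], pkt["src"]) or not _addr_match(rule["dst"], pkt["dst"]):
        return False
    # Model the conntrack state match; a packet with no state given is treated as NEW.
    state = re.search(r"\b(?:ct)?state (\S+)", rule["extra"])
    if state and pkt.get("state", "NEW") not in state.group(1).split(","):
        return False
    return True


def verdict(chains, chain, pkt):
    """First match wins. Listed user chains are entered; unlisted targets are skipped.

    Returns ACCEPT/DROP/REJECT, the chain policy if nothing matched, or None for a
    user chain that returned to its caller without a verdict.
    """
    policy, rules = chains[chain]
    for rule in rules:
        if not _rule_matches(rule, pkt):
            continue
        if rule["target"] in VERDICTS:
            return rule["target"]
        if rule["target"] in chains:  # jump into a user chain we have a listing for
            sub = verdict(chains, rule["target"], pkt)
            if sub is not None:
                return sub
    return policy


if __name__ == "__main__":
    chains = parse_listing(LISTING)
    blocked_node = {"src": "10.42.0.217", "dst": "85.12.30.226", "proto": "icmp"}
    other_node = {"src": "10.42.0.5", "dst": "85.12.30.226", "proto": "icmp"}
    print("FORWARD 10.42.0.217 ->", verdict(chains, "FORWARD", blocked_node))  # DROP
    print("FORWARD 10.42.0.5   ->", verdict(chains, "FORWARD", other_node))    # ACCEPT
```

Running it shows why the hand-inserted DROP at the top of FORWARD works while the same address placed after the `ACCEPT all -- 10.42.0.0/24 anywhere` rule would never be reached; it is also a quick way to check, after editing rules, that the forwarded traffic you expect to keep (the rest of 10.42.0.0/24) still gets an ACCEPT.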