Using firewalld for Routing and Firewall

One of the teams at work replaced a group of old, end of life Dell hardware and contacted me (among others) to see if I wanted it. Sure!

System: Dell R710 (Rack Mounted server). Was used as the DMZ Virtualization system.

2 10,000 RPM 146 Gig Drives RAID 1 mirrored.
4 7,200 RPM 750 Gig Drives RAID 5 mirrored

2 8 Core 2.67 GHz CPUs

192 Gigabytes of RAM

Four on board Ethernet ports. Four on a PCI card. Two 10 Gig ports on a PCI card. Two HBA (Fiber) PCI cards.

iDRAC (remote console access).

I determined to use it as a replacement for my existing ancient system running Ubuntu. I’ll be installing CentOS 7 which will let me play with some of the newer tools, important in my line of work.

I installed CentOS 7 and also upgraded the firmware of the system and drives. After a week or so of research, I got my firewall and router configuration working.

In the examples below, I run each command twice, the second time with the --permanent option. That's because --permanent doesn't activate the change; it only makes it available on reboot or when the firewall is reloaded (firewall-cmd --reload). I ran them twice while I was working on the system so I could test my work. You can just run the --permanent commands and, at the end, run firewall-cmd --reload to configure your firewall.

I have 3 Interfaces on my system:

em1 – Zone: external – Need to Enable Masquerading
em2 – Zone: internal
em3 – Zone: dmz – This is for wireless access

To enable routing, set the ipv4 forwarding in the kernel. Normally in /etc/sysctl.conf, in CentOS 7 it’s in a slightly different location:

/etc/sysctl.d/99-forwarding.conf
net.ipv4.ip_forward=1

Set Masquerading:

firewall-cmd --zone=external --add-masquerade
firewall-cmd --zone=external --add-masquerade --permanent

The default zone is public. I changed it to be internal.

firewall-cmd --set-default-zone=internal
firewall-cmd --set-default-zone=internal --permanent

Then change the interface zones. All interfaces are in the internal zone by default.

firewall-cmd --change-interface=em1 --zone=external
firewall-cmd --change-interface=em1 --zone=external --permanent
firewall-cmd --change-interface=em3 --zone=dmz
firewall-cmd --change-interface=em3 --zone=dmz --permanent

One of the problems discovered is the permanent setting doesn’t actually save the interface/zone info across network up/down. So a reboot will put all three interfaces into the default zone. There are two solutions:

  • Set the desired ZONE=[external|internal|dmz] variable in the /etc/sysconfig/network-scripts/ifcfg-em[123] files.
  • Use NetworkManager to set it:

nmcli conn modify em1 connection.zone external
nmcli conn modify em3 connection.zone dmz

Both the external and dmz zones have the ssh service enabled by default. I removed ssh from both zones.

firewall-cmd --remove-service=ssh --zone=external
firewall-cmd --remove-service=ssh --zone=external --permanent
firewall-cmd --remove-service=ssh --zone=dmz
firewall-cmd --remove-service=ssh --zone=dmz --permanent

I rebooted the system after I was done of course (standard sysadmin stuff :) ) and that’s how I discovered the interfaces weren’t being saved. Note that I didn’t add masquerade to the wireless interface. That’s because the wireless one is simply running through my wifi hotspot to the server and out to the ‘net. Same as this laptop right now :)
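A small script that does the first of those fixes in a repeatable way, added here as an example (not from the original post); the function names are hypothetical, and it is run against constructed ifcfg files in a scratch directory rather than /etc/sysconfig/network-scripts:

```shell
#!/bin/sh
# Added example, not from the original post: persist each interface's
# firewalld zone in its ifcfg-* file, which is the post's first fix for the
# zones being lost after a reboot. Function names are hypothetical; the
# sysconfig directory is a parameter so the logic can be tried on scratch
# files before it is pointed at /etc/sysconfig/network-scripts.

# set_ifcfg_zone <ifcfg-file> <zone>
# Adds a ZONE= line or replaces an existing one. Only the three zones the
# post uses are accepted; anything else is refused and the file is left alone.
set_ifcfg_zone() {
    file=$1 zone=$2
    case "$zone" in
        external|internal|dmz) ;;
        *) echo "refusing unknown zone '$zone' for $file" >&2; return 1 ;;
    esac
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    if grep -q '^ZONE=' "$file"; then
        sed "s/^ZONE=.*/ZONE=$zone/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'ZONE=%s\n' "$zone" >> "$file"
    fi
}

# get_ifcfg_zone <ifcfg-file>
# Prints the zone the file pins the interface to, or "default" when there is
# no ZONE= line (firewalld then puts the interface in its default zone).
get_ifcfg_zone() {
    z=$(sed -n 's/^ZONE=//p' "$1" | tail -n 1)
    if [ -n "$z" ]; then echo "$z"; else echo default; fi
}

# apply_post_zones <sysconfig-dir>
# The mapping from the post: em1 external, em2 internal, em3 dmz. em2 is
# pinned explicitly so it survives a later change of the default zone.
apply_post_zones() {
    set_ifcfg_zone "$1/ifcfg-em1" external &&
    set_ifcfg_zone "$1/ifcfg-em2" internal &&
    set_ifcfg_zone "$1/ifcfg-em3" dmz
}

# audit_zones <sysconfig-dir>
# Prints "<iface> <zone>" per ifcfg-em* file; returns 1 if any interface has
# no ZONE= line, i.e. would fall back to the default zone after a reboot.
audit_zones() {
    rc=0
    for f in "$1"/ifcfg-em*; do
        z=$(get_ifcfg_zone "$f")
        printf '%s %s\n' "${f##*/ifcfg-}" "$z"
        [ "$z" = default ] && rc=1
    done
    return $rc
}

# Constructed sample ifcfg files in a scratch directory (not a real system).
demo=$(mktemp -d)
for i in 1 2 3; do
    printf 'DEVICE=em%s\nBOOTPROTO=none\nONBOOT=yes\n' "$i" > "$demo/ifcfg-em$i"
done
printf 'ZONE=public\n' >> "$demo/ifcfg-em1"   # stale value that must be replaced
apply_post_zones "$demo" && audit_zones "$demo"
```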

I ran a test through grc.com (Gibson Research's ShieldsUP tool). The system isn't quite the same as the old box with the above rules: you can ping it, which I had disabled on the old box, and it answers a few queries, but no services are running. So there's some tweaking to get done, but the server is up and everything works.

Recover root Password

There are multiple methods of changing root’s password. Some of us old timers just boot a bootable system disk, fsck the root file system, mount it, and edit etc/shadow. This may not work correctly with a system configured using SELinux.

In this quickie, I’m talking about Red Hat 7.

Boot the system. At the grub2 menu, hit e to go into edit mode.

On the kernel line, remove the rhgb and quiet keywords. You should do this anyway on a server so you can see the system messages as it boots. Helps to know that a system is running fsck or some crazy DBA has set up an Oracle script to prompt for an answer (ask me how I know).

At the end of the line (Ctrl + e), add rd.break enforcing=0.

Press Ctrl + x to continue booting.

Once it’s done, you’ll be at a prompt. Remount the root file system as read-write. mount -o remount,rw /sysroot

Change the mounted root file system to be a jail. chroot /sysroot. You’ll have a normal prompt.

Run the passwd command to set root’s password.

You’ll need to rescan the drive for SELinux. touch /.autorelabel.

Remount the file system as read only. This flushes any memory to ensure all writes have completed. mount -o remount,ro /

Exit out of the chroot jail. exit

Exit out of emergency mode and continue booting. Depending on the size of the system it can take several minutes. exit

You'll need to restore the SELinux context of the /etc/shadow file. restorecon /etc/shadow

Check the current SELinux status. getenforce

If you’re out of enforcing mode, set it. setenforce 1

Check the status once again. getenforce

And done. Reset root’s password once the system is back up and ready to use.

RHCE Database Services

RHCE Objectives: Database Services

  • Install and configure MariaDB
  • Backup and restore a database
  • Create a simple database schema
  • Perform simple SQL queries against a database

Installing MariaDB is easy enough: yum install mariadb mariadb-server. This installs the client, the server, and the libs:

mariadb-5.5.41-2.el7_0.x86_64
mariadb-server-5.5.41-2.el7_0.x86_64
mariadb-libs-5.5.41-2.el7_0.x86_64

Standard configuration by running mysql_secure_installation and following the prompts.

Use the systemctl commands to enable and start the database.

systemctl enable mariadb.service
systemctl start mariadb.service
systemctl status mariadb.service

To log in, simply type in mysql. If you've set up a password for the root user, you'll need to pass -u root -p or --user=root -p to log in.

Database stuff is pretty easy if you’ve done anything with it.

MariaDB [(none)]> create database username;
Query OK, 1 row affected (0.00 sec)

Piece of cake.

You’ll want to create a table (schema) for querying to satisfy the last requirement.

MariaDB [(none)]> use username;
Database changed

MariaDB [username]> create table users (
-> usr_id int(10) not null auto_increment,
-> usr_last char(30) not null default '',
-> usr_first char(30) not null default '',
-> usr_name char(30) not null default '',
-> usr_phone char(30) not null default '',
-> usr_email char(255) not null default '',
-> primary key (usr_id)
-> );
Query OK, 0 rows affected (0.04 sec)

And you’ll need to add some data

MariaDB [username]> insert into users set usr_id = null, usr_last='Lastname', usr_first='Firstname', usr_name='FLastnam', usr_phone='303-555-1212', usr_email='user@testing.com';
Query OK, 1 row affected (0.02 sec)

Okay, to perform a simple query, run the following command:

MariaDB [username]> select * from users;
+--------+----------+-----------+----------+--------------+------------------+
| usr_id | usr_last | usr_first | usr_name | usr_phone    | usr_email        |
+--------+----------+-----------+----------+--------------+------------------+
|      1 | Lastname | Firstname | FLastnam | 303-555-1212 | user@testing.com |
+--------+----------+-----------+----------+--------------+------------------+
1 row in set (0.00 sec)

Again, piece of cake.

Backing up a database is simple as well:

mysqldump --user=root -p username
Enter password: 
-- MySQL dump 10.14  Distrib 5.5.41-MariaDB, for Linux (x86_64)
--
-- Host: localhost    Database: username
-- ------------------------------------------------------
-- Server version	5.5.41-MariaDB

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `users`
--

DROP TABLE IF EXISTS `users`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `users` (
  `usr_id` int(10) NOT NULL AUTO_INCREMENT,
  `usr_last` char(30) NOT NULL DEFAULT '',
  `usr_first` char(30) NOT NULL DEFAULT '',
  `usr_name` char(30) NOT NULL DEFAULT '',
  `usr_phone` char(30) NOT NULL DEFAULT '',
  `usr_email` char(255) NOT NULL DEFAULT '',
  PRIMARY KEY (`usr_id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `users`
--

LOCK TABLES `users` WRITE;
/*!40000 ALTER TABLE `users` DISABLE KEYS */;
INSERT INTO `users` VALUES (1,'Lastname','Firstname','FLastnam','303-555-1212','user@testing.com');
/*!40000 ALTER TABLE `users` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2015-08-11 10:06:22

And reloading the data is easy as well. You’ll need to recreate the database first though.

MariaDB [(none)]> drop database username;
Query OK, 1 row affected (0.03 sec)

MariaDB [(none)]> create database username;
Query OK, 1 row affected (0.00 sec)

Exit out and restore your backup. The thing to note is that the data file needs to be where mariadb can get to the file. Saving it to your home directory fails because of the access restrictions. I save to /var/tmp for this but generally I have a mariadb directory in /var/tmp for the daily backups.

mysql --user=root -p username < username.sql

Once done (and after entering your password), log in to mariadb, use username, show tables, select * from users. Done!

RHCE NTP

RHCE Objectives: Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service

http://www.certdepot.net/rhel7-use-selinux-port-labelling/

  • Synchronize time using other NTP peers

Install packages: yum install ntp, systemctl start ntpd

Configure SELinux: Should be configured out of the box; ps -e --context | grep ntp

SELinux Port labeling: Use the semanage tool to see the existing ports to be used:

semanage port -l | grep ntp

To use a different port, you'll need to make sure the target port isn't already reserved for another service:

sepolicy network -p [port number]

If unreserved, then assign it.

semanage port -a -t ntp_port_t -p tcp 60123

Configure to start when booted: systemctl enable ntpd

Configure for basic operation: By default; ntpq -p to review the output.

Configure host-based and user-based security for the service:

Synchronize time using other NTP peers: Start ntpd; systemctl start ntpd. This will start the sync process. If you need to initially set your hardware clock, you can use ntpdate [servername] to manually set the date and time but ntpd can’t be running. So stop ntpd (systemctl stop ntpd), run ntpdate [servername] to sync, and then start ntpd back up (systemctl start ntpd).

RHCE SSH

RHCE Objectives: Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service
  • Configure key-based authentication
  • Configure additional options described in documentation

Install: yum install openssh-server (technically it's already in place, but this satisfies the listing above). You'll need to add it to the firewall if it's not there already: firewall-cmd --permanent --add-service=ssh; firewall-cmd --reload

Configure SELinux to support: Should already be there

Use SELinux port labeling: See NTP. You'll also need to change the Port directive in /etc/ssh/sshd_config if you use a different port.

Configure the service to start: systemctl enable sshd

Configure the service for basic operation: again, already started.

Configure host-based and user-based security for the service:

http://www.certdepot.net/rhel7-configure-ssh-key-based-authentication/

Configure key-based authentication: Simple enough. In your home directory, create a .ssh directory with chmod 700. Run ssh-keygen -t rsa and hit Enter through the prompts. On the second machine, also create a .ssh directory with chmod 700, and copy the id_rsa.pub file from server 1 to server 2 as .ssh/authorized_keys.

Configure additional options: Edit the /etc/ssh/sshd_config file. The file itself is pretty clearly documented. Commented out commands show the default option. Restart the service after changes (systemctl restart sshd).
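The authorized_keys step above, done as a re-runnable script that also sets the permissions sshd's default StrictModes expects before it will trust the file; added here as an example (not from the original post), with hypothetical function names and a constructed, non-working key line, run against a scratch directory:

```shell
#!/bin/sh
# Added example, not from the original post: the key-based-auth step on the
# second machine (create .ssh, append the copied id_rsa.pub to
# authorized_keys) done so it can be re-run safely and with the permissions
# sshd's default StrictModes expects. Function names are hypothetical; the
# home directory is a parameter so it can be exercised on a scratch directory.

# A constructed, non-functional public-key line standing in for the id_rsa.pub
# copied from server 1 (the blob is a placeholder, not a real key).
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey user@server1'

# install_authorized_key <home-dir> <pubkey-file>
# Creates <home>/.ssh (0700) and appends the key to authorized_keys (0600)
# unless that exact line is already present. Accepts only a file holding one
# OpenSSH public-key line, so a private key or an arbitrary text file cannot
# be appended by mistake.
install_authorized_key() {
    home=$1 pub=$2
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    [ "$(grep -c . "$pub")" -eq 1 ] || { echo "$pub: expected exactly one key line" >&2; return 1; }
    key=$(grep . "$pub")
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pub: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    ak=$home/.ssh/authorized_keys
    touch "$ak" && chmod 600 "$ak" || return 1
    grep -qxF -- "$key" "$ak" || printf '%s\n' "$key" >> "$ak"
}

# check_ssh_perms <home-dir>
# Returns 0 when .ssh is 0700 and authorized_keys is 0600 (GNU stat assumed);
# looser modes make sshd ignore the file under StrictModes yes.
check_ssh_perms() {
    [ "$(stat -c %a "$1/.ssh")" = 700 ] &&
    [ "$(stat -c %a "$1/.ssh/authorized_keys")" = 600 ]
}

# Constructed scratch run: a copied id_rsa.pub and a fresh home directory.
demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_KEY" > "$demo/id_rsa.pub"
install_authorized_key "$demo/home" "$demo/id_rsa.pub"
install_authorized_key "$demo/home" "$demo/id_rsa.pub"   # second run adds nothing
check_ssh_perms "$demo/home" &&
    echo "authorized_keys has $(grep -c . "$demo/home/.ssh/authorized_keys") key line(s)"
```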

RHCE SMTP

RHCE Objectives: Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service

http://www.certdepot.net/rhel7-configure-system-forward-email-central-mail-server/

  • Configure a system to forward all email to a central mail server

Assuming Postfix here vs sendmail (especially with the above article).

Install: yum install postfix

SELinux: Again, with the yum install, the selinux part is already configured.

SELinux Port: See ntp

Configure to start: systemctl enable postfix; systemctl restart postfix;

Configure the service for basic operation: This may be the first block below (the myhostname to mydestination).

Configure host-based and user-based security for the service:

Configure a system to forward all email to a central mail server:

Here we don’t know if there is a central mail server already or if one will be provided. Assuming “send mail to the following IP address or server”

In /etc/postfix/main.cf uncomment/change the following lines:

myhostname = server.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = loopback-only
mydestination =
relayhost = 192.168.1.1

The first parts are to configure your system. Blank mydestination and set relayhost. This will forward mail to the relayhost.

RHCE SMB

RHCE Objectives: Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service
  • Provide network shares to specific clients
  • Provide network shares suitable for group collaboration.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Managing_Confined_Services-Samba-Configuration_examples.html#sect-Managing_Confined_Services-Configuration_examples-Sharing_directories_you_create

http://www.certdepot.net/rhel7-provide-smb-network-shares/

Install is a bit more involved, at least for the testing part: yum groupinstall "file-server", plus samba-client and samba-winbind

firewall-cmd --permanent --add-service=samba

systemctl enable smb

systemctl enable nmb

systemctl enable winbind

systemctl start smb

systemctl start nmb

systemctl start winbind

Setting it up is easy enough. in /etc/samba/smb.conf:

Uncomment ‘netbios name’
Update interfaces with interfaces on system

Everything should already be set.

Add a new share entry at the end:

[shared]
comment =
browseable = yes
path = /shared
valid users = your user
writable = yes

Done

Make the directory and set it 777 (mkdir /shared, chmod 777 /shared, touch /shared/test).

The selinux part is as always the harder part.

If semanage not there, install setroubleshoot-server

semanage fcontext --list | grep samba gives you some. Set up samba_share_t for the new shared filesystem:

semanage fcontext -a -t samba_share_t "/shared(/.*)?"
restorecon -R /shared

And add the user to the Samba password file:

smbpasswd -a your user. It'll ask for the new password.

Use smbclient to access the share: smbclient //localhost/shared -U user%password

Group access is similar but a few extra options are needed for management

valid users = @group
create mode = 0660
directory mode = 0770

Change the group for /shared to group (chgrp /shared group)

RHCE NFS

RHCE Objectives: Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service
  • Provide network shares to specific clients
  • Provide network shares suitable for group collaboration
  • Use Kerberos to control access to NFS network shares

Install: yum groupinstall "file-server"

firewall-cmd --permanent --add-service=nfs

firewall-cmd –reload

systemctl enable rpcbind
systemctl enable nfs-server
systemctl enable nfs-lock
systemctl enable nfs-idmap

mkdir -p /home/tools; mkdir -p /home/guests; chmod 777 /home/tools; chmod 777 /home/guests

In the /etc/exports file, add the two file systems to be shared:

/home/tools client1(rw,no_root_squash)
/home/guests client2(rw,no_root_squash)

exportfs -avr

systemctl restart nfs-server

As always, selinux adds complexity to a simple task :)

You’ll need to change the context of the two file systems and set up the boolean values

semanage fcontext -a -t public_content_rw_t "/home/tools(/.*)?"
semanage fcontext -a -t public_content_rw_t "/home/guests(/.*)?"

semanage boolean -l | grep nfs

The last three need to be set on (last two should already be on)

setsebool -P use_nfs_home_dirs on

On the client side, install the nfs-utils package and then use

mount -t nfs server:/home/tools /mnt

To mount the share.

Group collaboration is the same; just create the group-owned directory and set the SGID bit (2770) on it.

RHCE DNS

RHCE Objectives: Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service
  • Configure a caching-only name server
  • Troubleshoot DNS client issues

Edit /etc/named.conf:

Change the listen-on address from 127.0.0.1 to any
Change allow-query to any
Change dnssec-validation to no

Save

Run named-checkconf

firewall-cmd --permanent --add-service=dns

firewall-cmd –reload

systemctl enable named

systemctl start named
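Those three edits make named answer anyone who can reach it, which is what a caching-only server on a closed lab network needs but not something to enable on a host with a wider audience. A read-only audit that flags that combination, added here as an example (not from the original post), with hypothetical function names and a constructed named.conf fragment:

```shell
#!/bin/sh
# Added example, not from the original post: a read-only audit of the three
# named.conf settings the post changes, to run before named is enabled on a
# host that is reachable from more than the lab network. Function names are
# hypothetical; it is exercised against a constructed named.conf fragment.

# named_option <file> <option-words>
# Prints the value of a top-level option such as `allow-query { any; };`
# with braces, spaces and ';' stripped, or nothing when the option is absent.
named_option() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*\$/\1/p" "$1" |
        head -n 1 | tr -d '{};' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# audit_named_conf <file>
# Prints one line per finding and returns the number of findings, so 0 means
# neither risky combination is present.
audit_named_conf() {
    f=$1 findings=0
    listen=$(named_option "$f" 'listen-on port 53')
    query=$(named_option "$f" 'allow-query')
    recursion=$(named_option "$f" 'recursion')
    dnssec=$(named_option "$f" 'dnssec-validation')
    # Listening on every address, answering anyone and recursing for them is
    # an open resolver, which invites abuse from the wider network.
    if [ "$listen" = any ] && [ "$query" = any ] && [ "$recursion" = yes ]; then
        echo "open recursive resolver: listen-on any, allow-query any, recursion yes"
        findings=$((findings + 1))
    fi
    # With validation off, tampered upstream answers are cached as-is.
    if [ "$dnssec" = no ]; then
        echo "dnssec-validation no: upstream answers are not validated"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed fragment of the RHEL 7 default named.conf after the three edits
# from the post (not copied from any real host).
SAMPLE_CONF='options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-query     { any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation no;
};'

demo=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$demo"
if audit_named_conf "$demo"; then echo "no findings"; else echo "findings: $?"; fi
```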

RHCE HTTP/HTTPS

RHCE Objectives: Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service
  • Configure a virtual host
  • Configure private directories
  • Deploy a basic CGI application
  • Configure group-managed content
  • Configure TLS security

Install: yum groupinstall "Web Server"

If there is no DNS, add the IP address and hostname to /etc/hosts.

systemctl enable httpd

systemctl start httpd

firewall-cmd --permanent --add-service=http

firewall-cmd –reload

Virtual Hosts

Make a directory under /var/www/html for the new server

/etc/httpd/conf.d/vhosts.conf:

<VirtualHost *:80>
    ServerAdmin
    DocumentRoot
    ServerName
    ErrorLog
    CustomLog
</VirtualHost>

apachectl configtest

apachectl restart or systemctl restart httpd

httpd -D DUMP_VHOSTS
