Host-Based Firewall Management
On all Swisscom RHEL VMs, a host-based firewall is running in addition to the distributed firewall. On Swisscom RHEL 8 iptables is used as host-based firewall. On Swisscom RHEL 9 nftables is used as host-based firewall.
Configure iptables rules for Swisscom RHEL 8
The service iptables is used to provide the host-based firewall service. The iptables service uses the central /etc/sysconfig/iptables file. This file is generated each time iptables.service is started.
- The default rule set blocks everything on the main network interface with the exceptions of the ports 22 (TCP), 4118 (TCP) and 9100 (TCP).
- From the loopback interface, all traffic is allowed.
The customer has the possibility to add custom rules to the rule set. This can be done on the VM directly in the Temp Admin state.
There are user configurable rule sets as follows. Each rule set in the list represents an editable file in /etc/sysconfig/:
- iptables.custom.before: Customer managed iptables configuration before the Swisscom rules.
- iptables.custom: Customer managed iptables configuration in the filter chain.
- iptables.custom.after: Customer managed iptables configuration after the Swisscom rules, in other chains like the *mangle chain.
Filter rules
To add custom rule sets, add them to the /etc/sysconfig/iptables.custom, /etc/sysconfig/iptables.custom.before or /etc/sysconfig/iptables.custom.after file, as appropriate. The command sudo systemctl restart iptables will load the new customized configuration.
Example:
Given the following content in the /etc/sysconfig/iptables.custom.before file:
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
Given the following content in the /etc/sysconfig/iptables.custom file:
$ sudo cat /etc/sysconfig/iptables.custom
# Test rules added from iptables.custom: Allow any via TCP port 1234
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -m state --state NEW -m tcp -p tcp --dport 1234 -j ACCEPT
# Test rules added from iptables.custom: Allow everything coming from ip 1.2.3.4 via UDP port 161
-A RH-Firewall-1-INPUT -m udp -p udp --dport 161 -s 1.2.3.4 -j ACCEPT
# Test rules added from iptables.custom: Allow everything coming from the subnet <subnet>/24 via TCP ports 1556,13720,13724,13782
-A RH-Firewall-1-INPUT -m tcp -p tcp -m multiport --dports 1556,13720,13724,13782 -s <subnet>/24 -j ACCEPT
# Test rules added from iptables.custom: Allow everything coming from the IP <ip> via TCP Port Range 3181:3189
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 3181:3189 -s <ip> -j ACCEPT
# End test rules added from iptables.custom
Given the following content in the /etc/sysconfig/iptables.custom.after file:
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DHCP packets sent to VMs have no checksum (due to a longstanding bug).
-A POSTROUTING -o lo -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
Apply firewall rules for Swisscom RHEL 8
The command sudo systemctl restart iptables will add the custom rule sets to the /etc/sysconfig/iptables file and the iptables configuration will be reloaded:
$ sudo cat /etc/sysconfig/iptables
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state NEW -m tcp -p tcp --dport 1212 -j ACCEPT
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -m udp -p udp --dport 3232 -j ACCEPT
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state NEW -m tcp -p tcp --dport 5555 -j ACCEPT
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state NEW -m tcp -p tcp --dport 3434 -j REJECT
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state NEW -m multiport -m tcp -p tcp --dports 3333,4444 -j ACCEPT
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -m multiport -m udp -p udp --dports 8888,9999 -j ACCEPT
# Test rules added from iptables.custom: Allow any via TCP port 1234
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -m state --state NEW -m tcp -p tcp --dport 1234 -j ACCEPT
# Test rules added from iptables.custom: Allow everything coming from ip 1.2.3.4 via UDP port 161
-A RH-Firewall-1-INPUT -m udp -p udp --dport 161 -s 1.2.3.4 -j ACCEPT
# Test rules added from iptables.custom: Allow everything coming from the subnet <subnet>/24 via TCP ports 1556,13720,13724,13782
-A RH-Firewall-1-INPUT -m tcp -p tcp -m multiport --dports 1556,13720,13724,13782 -s <subnet>/24 -j ACCEPT
# Test rules added from iptables.custom: Allow everything coming from the IP <ip> via TCP Port Range 3181:3189
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 3181:3189 -s <ip> -j ACCEPT
# End test rules added from iptables.custom
-A RH-Firewall-1-INPUT -j REJECT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DHCP packets sent to VMs have no checksum (due to a longstanding bug).
-A POSTROUTING -o lo -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
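A pre-check for the customer fragments described above, added here as an example and not part of the Swisscom documentation. It lints a fragment before the restart merges it into /etc/sysconfig/iptables: a rule without a -j target only counts packets, so an "allow" rule that lacks -j ACCEPT allows nothing; the expectation that iptables.custom appends only to RH-Firewall-1-INPUT is an assumption taken from the page's example, and the sample fragment and source address are constructed.

```shell
#!/bin/sh
# Added example, not part of the Swisscom documentation: lint a customer iptables
# fragment before 'sudo systemctl restart iptables' merges it into
# /etc/sysconfig/iptables. It flags rules without a -j target (they only count
# packets, so an "allow" rule without -j ACCEPT silently allows nothing), rules in
# iptables.custom appended to a chain other than RH-Firewall-1-INPUT (assumption
# taken from the page's example), and '*table' blocks in
# iptables.custom.before/.after that lack a closing COMMIT.

# lint_iptables_custom FILE KIND    KIND is "filter" for iptables.custom,
#                                   "table" for iptables.custom.before/.after
# Prints one finding per line; returns 0 when the fragment is clean, 1 otherwise.
lint_iptables_custom() {
    awk -v kind="$2" '
        BEGIN { bad = 0; open = "" }
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        /^\*/ {                                        # start of a *table block
            if (open != "") { print "line " NR ": table " open " has no COMMIT"; bad = 1 }
            open = substr($1, 2); next }
        /^COMMIT/ { open = ""; next }
        /^-A / {                                       # a rule appended to a chain
            if (kind == "filter" && $2 != "RH-Firewall-1-INPUT") {
                print "line " NR ": rule targets chain " $2 ", expected RH-Firewall-1-INPUT"; bad = 1 }
            has_target = 0
            for (i = 3; i <= NF; i++) if ($i == "-j" || $i == "-g") has_target = 1
            if (!has_target) { print "line " NR ": rule has no -j target"; bad = 1 }
            next }
        END { if (open != "") { print "end of file: table " open " has no COMMIT"; bad = 1 }
              exit bad }
    ' "$1"
}

# Constructed sample mirroring the page's iptables.custom; the last rule has no target.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Allow any via TCP port 1234
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -m state --state NEW -m tcp -p tcp --dport 1234 -j ACCEPT
# Allow TCP port range 3181:3189 from a (constructed) source address
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 3181:3189 -s 192.0.2.10
EOF
if lint_iptables_custom "$sample" filter; then
    echo "fragment is clean"
else
    echo "fix the fragment before restarting iptables"   # preceded by: line 4: rule has no -j target
fi
rm -f "$sample"
```

After the restart has regenerated /etc/sysconfig/iptables, sudo iptables-restore --test /etc/sysconfig/iptables parses the merged file without applying it, which catches syntax the lint above does not know about.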
Configure nftables rules for Swisscom RHEL 9
On Swisscom RHEL 9 VMs nftables is being used to provide host-based firewall service. The nftables service uses the configuration files from the /etc/nftables directory. The files in this directory will be read each time nftables.service is started.
- The default rule set blocks everything on the main network interface with the exceptions of the ports 22 (TCP) and 9100 (TCP).
- From the loopback interface, all traffic is allowed.
The customer has the possibility to add custom rules to the rule set. This can be done on the VM directly in the Temp Admin state.
There are the following configurable rule files in /etc/nftables/:
- mos-lnx-customer-chains.nft: Customer managed nftables rules.
- mos-lnx-customer-nat-chains.nft: Customer managed nat rules for nftables.
To add custom rule sets, you simply have to add them to /etc/nftables/mos-lnx-customer-chains.nft or /etc/nftables/mos-lnx-customer-nat-chains.nft.
Example: Allow incoming TCP traffic on port 8443
As an example you can allow incoming TCP traffic on port 8443 with the following content in the /etc/nftables/mos-lnx-customer-chains.nft file:
$ sudo cat /etc/nftables/mos-lnx-customer-chains.nft
chain customer_inputs {
tcp dport 8443 ct state new accept
}
chain customer_outputs {
}
chain customer_forwards {
}
The command sudo systemctl restart nftables will load the new customized configuration.
The command sudo nft list ruleset will show you the applied rules.
Example: Configure port redirection
As an example you can do custom port redirection with the following adaptations in /etc/nftables/mos-lnx-customer-chains.nft and /etc/nftables/mos-lnx-customer-nat-chains.nft:
$ sudo cat /etc/nftables/mos-lnx-customer-chains.nft
chain customer_inputs {
tcp dport 443 accept
ip daddr 127.0.0.1 tcp dport 8443 accept
}
$ sudo cat /etc/nftables/mos-lnx-customer-nat-chains.nft
chain customer_nat_preroutings {
tcp dport 443 dnat to 127.0.0.1:8443
}
To make port redirections work, net.ipv4.conf.<interface>.route_localnet=1 must be set.
The command sudo systemctl restart nftables will load the new customized configuration.
The command sudo nft list ruleset will show you the applied rules.
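A consistency check for the port-redirection example above, added here as an example and not part of the Swisscom documentation. It assumes the two customer files contain chain blocks of the form shown on this page (chain customer_inputs in mos-lnx-customer-chains.nft, chain customer_nat_preroutings in mos-lnx-customer-nat-chains.nft), that a dnat target must also be accepted by customer_inputs as the page's example does, and that sysctl is available when an interface name is passed; the sample files are constructed copies of the page's content.

```shell
#!/bin/sh
# Added example, not part of the Swisscom documentation: cross-check the two customer
# nftables files of the port-redirection example before 'sudo systemctl restart
# nftables'. For every 'tcp dport X dnat to A:Y' inside chain customer_nat_preroutings
# it verifies that chain customer_inputs accepts the rewritten destination
# 'ip daddr A tcp dport Y' (assumption: the page's example does this) and, for a
# loopback target, that net.ipv4.conf.<interface>.route_localnet is 1 (checked only
# when an interface name is given and sysctl is available).

# rules_in FILE CHAIN: print the rule lines inside 'chain CHAIN { ... }' of FILE
rules_in() {
    awk -v want="$2" '
        $1 == "chain" && $2 == want     { inside = 1; next }
        inside && /^[[:space:]]*}/      { inside = 0 }
        inside && !/^[[:space:]]*(#|$)/ { sub(/^[[:space:]]+/, ""); print }
    ' "$1"
}

# check_redirects CHAINS_FILE NAT_FILE [INTERFACE]
# Prints one finding per line; returns 0 when consistent, 1 otherwise.
check_redirects() {
    rc=0
    while read -r src addr port; do
        [ -n "$src" ] || continue                      # no dnat rules at all
        addr_re=$(printf '%s' "$addr" | sed 's/\./\\./g')
        rules_in "$1" customer_inputs \
            | grep -Eq "^ip daddr $addr_re tcp dport $port( ct state new)? accept" \
            || { echo "dnat $src -> $addr:$port: no accept for ip daddr $addr tcp dport $port in customer_inputs"; rc=1; }
        case $addr in 127.*)
            if [ -n "${3:-}" ] && command -v sysctl >/dev/null 2>&1; then
                [ "$(sysctl -n "net.ipv4.conf.$3.route_localnet" 2>/dev/null)" = 1 ] \
                    || { echo "dnat $src -> $addr:$port: net.ipv4.conf.$3.route_localnet is not 1"; rc=1; }
            fi ;;
        esac
    done <<EOF
$(rules_in "$2" customer_nat_preroutings \
    | sed -nE 's/^tcp dport ([0-9]+) dnat to ([0-9.]+):([0-9]+).*/\1 \2 \3/p')
EOF
    return $rc
}

# Constructed copies of the page's two files (the real ones live in /etc/nftables/).
chains=$(mktemp) nat=$(mktemp)
printf '%s\n' 'chain customer_inputs {' '    tcp dport 443 accept' \
    '    ip daddr 127.0.0.1 tcp dport 8443 accept' '}' 'chain customer_outputs {' '}' > "$chains"
printf '%s\n' 'chain customer_nat_preroutings {' '    tcp dport 443 dnat to 127.0.0.1:8443' '}' > "$nat"
if check_redirects "$chains" "$nat"; then echo "redirection rules are consistent"; fi
rm -f "$chains" "$nat"
```

Pass the VM's main interface as the third argument on the VM itself to include the route_localnet check.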