From 0c1db606272771908ae30e5bf4e35cfc78053988 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Sun, 30 Jun 2019 09:02:37 +0200
Subject: Add section about firewall.

---
 INSTALL.md | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/INSTALL.md b/INSTALL.md
index 95b0320..3d3830a 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -38,4 +38,39 @@ locate this (likely almost last) line:
 add builtin network interface like this:
 INTERFACESv4="eth0"
 
+## Install and setup firewall service
+
+Install package firewalld:
+
+    apt install firewalld
+
+Adapt firewalld to match our network topology
+(press the actual [TAB] key where mentioned, to autocomplete):
+
+    firewall-cmd --set-default-zone=external
+    firewall-cmd --add-interface=en[TAB]
+    firewall-cmd --add-service=dhcpv6-client
+    firewall-cmd --add-service=mosh
+    firewall-cmd --zone=internal --remove-service=samba-client
+    firewall-cmd --zone=internal --remove-service=dhcpv6-client
+    firewall-cmd --zone=internal --add-interface=eth0
+    firewall-cmd --zone=internal --add-service=dhcp
+    firewall-cmd --zone=internal --add-service=dhcpv6
+    firewall-cmd --zone=internal --add-service=dns
+    firewall-cmd --add-forward-port=proto=tcp:toaddr=192.168.222.250:port=80
+    firewall-cmd --add-forward-port=proto=tcp:toaddr=192.168.222.250:port=443
+    firewall-cmd --runtime-to-permanent
+
+Edit file /etc/firewalld/firewalld.conf;
+locate this (likely almost last) line:
+    FirewallBackend=iptables
+changing the line to use backend "nftables", like this:
+    FirewallBackend=nftables
+
+Edit file /etc/systemd/network/10-eth0.network;
+locate in section [Network] these options
+    IPMasquerade=yes
+    IPForward=yes
+Remove both options if they exist (handled by firewalld now).
+
 reboot the system.
-- 
cgit v1.2.3