Configuring firewalld after a Management Console Upgrade

In Management Console releases 19.05 through 20.01, installation disabled firewalld, enabled iptables and created the rules that allowed Management Console to work as expected. Starting with release 20.04, Management Console moved to firewalld and leaves the firewall configuration in the hands of the local administrator.

If you are upgrading from Management Console release 19.05 through 20.01 to release 20.04 or newer using the Management Console RPM, the existing firewall configuration can be left intact; if you move to firewalld, the rules have to be re-applied to the upgraded version of Management Console.

If you decide to use firewalld, the following instructions provide the steps to remove the iptables configuration applied by Management Console and the steps to add the firewalld rules that Management Console requires to operate properly. Any additional rules required to comply with your corporate security policy must be added by the administrator.

Upgrade Scenarios discussed in this topic are:

Firewall changes after an RPM Upgrade from Management Console 20.01 or older using IPv4

Firewall changes for RPM Upgrades from Management Console 20.04 to Management Console 20.07 or newer in IPv4 Deployments

Firewalld IPv4 Script

Firewall changes required after an Upgrade from Management Console 20.01 or older to Management Console 20.07 or newer in an IPv6 Deployment

Firewalld Script for IPv6

Firewall changes required after an RPM Upgrade from Management Console 20.04 to Management Console 20.07 or newer in an IPv6 Deployment

Firewall changes required after updating a Management Console OVA IPv4 deployment to an IPv6 Deployment

Firewall changes required when changing an existing Management Console IPv4 deployment to an IPv6 Deployment

Upgrades in IPv4 Environments

Firewall changes after an RPM Upgrade from Management Console 20.01 or older using IPv4

When upgrading from a Management Console 20.01 or older installation using RPM, the firewall rules created by the previous installation must be taken into account. The following steps remove the iptables IPv4 rules that the earlier Management Console installation added and add the firewalld IPv4 rules Management Console needs to operate properly in an IPv4 environment.

  1. Log in to the Management Console host operating system console.

  2. Check the iptables status (it should be active).

    sudo systemctl status iptables

    Iptables Status

  3. Check the applied iptables rules.

    sudo iptables -L

    Iptables Rules

  4. Remove rule which enabled port 8080.

    sudo iptables -D INPUT -p tcp -m state --state NEW --dport 8080 -j ACCEPT

  5. Remove rule which enabled port 8443.

    sudo iptables -D INPUT -p tcp -m state --state NEW --dport 8443 -j ACCEPT

  6. Remove rule which enabled port 5172.

    sudo iptables -D INPUT -p tcp -m state --state NEW --dport 5172 -j ACCEPT

  7. Remove rule which allowed incoming and outgoing pings.

    sudo iptables -D INPUT -p icmp --icmp-type echo-request -j ACCEPT
    sudo iptables -D OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    sudo iptables -D OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    sudo iptables -D INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    
  8. Remove PREROUTING rule.

    sudo iptables -t nat -D PREROUTING -i `ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}'` -p tcp --dport 443 -j REDIRECT --to-port 8443
    
  9. Remove the loopback rules (the rules that accepted loopback traffic and rejected packets to 127/8 from interfaces other than the loopback interface).

    sudo iptables -D INPUT -i lo -j ACCEPT
    sudo iptables -D INPUT -i lo -d 127.0.0.0/8 -j REJECT
    
  10. Remove outbound traffic rule.

    sudo iptables -D OUTPUT -j ACCEPT

  11. Remove logging rule.

    sudo iptables -D INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

  12. Remove rule which dropped packets not matching any other rule.

    sudo iptables -D INPUT -j DROP
    sudo iptables -D FORWARD -j REJECT
    
  13. Save the iptables rules so your changes persist (should show status OK).

    sudo service iptables save

  14. Restart iptables to apply your changes.

    sudo systemctl restart iptables

  15. Check iptables rules (should not contain rules which Management Console install previously added).

    sudo iptables -L

    Check iptables Rules

  16. Mask iptables.

    sudo systemctl mask iptables

  17. Stop iptables service.

    sudo systemctl stop iptables

  18. Unmask firewalld (should report a removed symlink).

    sudo systemctl unmask firewalld

    Unmasked Firewalld

  19. Enable firewalld.

    sudo systemctl enable firewalld --now

  20. Start firewalld.

    sudo systemctl start firewalld

  21. Check firewalld status (should be active).

    sudo systemctl status firewalld

    Check firewalld Status

    1. Get the default zone. If the default zone is trusted it will allow all packets. It is recommended that the default zone is set to public.

      sudo firewall-cmd --get-default

      If the default zone is not public, execute the following commands to set the default zone to public.

      1. sudo firewall-cmd --permanent --zone=trusted --remove-service=pcoip-agent
      2. sudo firewall-cmd --set-default=public
      3. sudo firewall-cmd --reload

  22. Get the default zone and assign it to a variable.

    def_zone=$(firewall-cmd --get-default)

  23. Enable logging of denied packets (all denied packets are logged).

    sudo firewall-cmd --set-log-denied=all

  24. Add the active network interface to the zone.

    sudo firewall-cmd --zone=$(echo $def_zone) --change-interface=$(ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}')

  25. Enable required ports.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-port={80,443,22,5172}/tcp

  26. Allow pings.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-icmp-block={echo-reply,echo-request} 2>/dev/null

  27. Redirect port 443 to 8443.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-forward-port=port=443:proto=tcp:toport=8443

  28. Enable IP Masquerading.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-masquerade

  29. Redirect Port 80 to 8080.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-forward-port=port=80:proto=tcp:toport=8080

  30. Drop incoming packets to 127/8 from interfaces other than the loopback interface.

    sudo firewall-cmd --permanent --new-zone loopback 2>/dev/null
    sudo firewall-cmd --permanent --zone=loopback --change-interface=lo 2>/dev/null
    sudo firewall-cmd --zone=loopback --permanent --set-target=ACCEPT
    sudo firewall-cmd --zone=loopback --permanent --add-source=127.0.0.0/8
    
  31. Reload the firewall rules.

    sudo firewall-cmd --reload

  32. Confirm the rules are applied.

    1. Check the firewalld status is active.

      sudo systemctl status firewalld

      Firewalld Active Status

    2. Verify all rules are added in firewalld; all rules should be applied.

      sudo firewall-cmd --list-all

      Firewalld Listed Rules
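Steps 8 and 24 select the network interface with `ip addr show | grep "state UP" | head -1`, which returns the first interface in state UP by index, so on a host where a bridge or virtual interface is numbered below the management NIC the zone is bound to the wrong interface. The following script is an added example and not part of the Teradici procedure: it applies the page's heuristic and an alternative that takes the interface carrying the default route (`ip -4 route show default` or `ip -6 route show default`) to constructed `ip addr show` and `ip route` output, and its `--live` mode runs the route-based selection on the host. The interface names and addresses in the samples are constructed.

```shell
#!/bin/sh
# Added example, not part of the Teradici procedure: choose the interface to
# bind to the firewalld zone from the default route instead of the first
# "state UP" line of `ip addr show`. Sample outputs below are constructed.

# first_up_iface ADDR_OUTPUT: the page's heuristic applied to captured
# `ip addr show` text, i.e. the name on the first line containing "state UP".
first_up_iface() {
    printf '%s\n' "$1" | awk -F': ' '/state UP/ { print $2; exit }'
}

# default_route_iface ROUTE_OUTPUT: the name after "dev" on the first
# "default" line of `ip -4 route show default` / `ip -6 route show default`.
# Prints nothing when there is no default route.
default_route_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
        }'
}

# Constructed `ip addr show` output: a bridge (br0) is numbered before the
# management NIC (ens192), so the "first state UP" heuristic picks the bridge.
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
2: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.16.0.1/24 brd 172.16.0.255 scope global br0
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.0.2.10/24 brd 192.0.2.255 scope global noprefixroute ens192'

# Constructed default-route lines: both address families leave through ens192.
SAMPLE_IP4_ROUTE='default via 192.0.2.1 dev ens192 proto static metric 100'
SAMPLE_IP6_ROUTE='default via fe80::1 dev ens192 proto ra metric 1024 pref medium'

# Live mode: ./pick_iface.sh --live 4   (or 6 for the IPv6 procedures)
if [ "${1:-}" = "--live" ]; then
    fam=${2:-4}
    iface=$(default_route_iface "$(ip "-$fam" route show default)")
    if [ -z "$iface" ]; then
        echo "no IPv$fam default route; choose the interface manually" >&2; exit 1
    fi
    printf '%s\n' "$iface"
fi
```

With the script saved as pick_iface.sh, step 24 becomes `sudo firewall-cmd --zone=$def_zone --change-interface=$(./pick_iface.sh --live 4)`; for the IPv6 procedures pass 6 instead of 4. Confirm the binding with `firewall-cmd --get-active-zones` before reloading.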

Firewall changes for RPM Upgrades from Management Console 20.04 to Management Console 20.07 or newer in IPv4 Deployments

Upgrading from an operational Management Console 20.04 to Management Console 20.07 or newer in an IPv4 environment does not require any firewalld rule changes.

Confirm iptables service has been disabled

It is a good idea to confirm that any previous Management Console iptables installation has been removed if your 20.04 version was itself upgraded from an older version.
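One way to do that check, added here as an example and not part of the Teradici documentation: the script below scans an `iptables -S` dump (plus `iptables -t nat -S` for the PREROUTING redirect) for the rule specifications the older installer created, the same rules that steps 4 to 12 of the previous procedure delete, and lists any that survived. The two rule dumps embedded in it are constructed samples; the `--live` mode reads the real tables and must run as root.

```shell
#!/bin/sh
# Added example, not Teradici's code: find installer iptables rules that
# survived the cleanup, from a captured `iptables -S` (and `iptables -t nat -S`)
# dump. The two dumps at the bottom are constructed samples.

# Token patterns (extended regex) identifying the rules the upgrade steps
# delete. Tokens rather than whole lines, so the check does not depend on the
# order in which iptables prints the match modules (-m state, -m tcp, ...).
MC_RULE_PATTERNS='--dport (8080|8443|5172) -j ACCEPT
--icmp-type (0|8|echo-request|echo-reply) -j ACCEPT
--dport 443 -j REDIRECT --to-ports 8443
-d 127[.]0[.]0[.]0/8 -j REJECT
^-A OUTPUT -j ACCEPT$
-j LOG --log-prefix "iptables denied: "
^-A INPUT -j DROP$
^-A FORWARD -j REJECT'

# leftover_mc_rules DUMP: print every rule line of DUMP that matches one of the
# patterns; empty output means the cleanup is complete.
leftover_mc_rules() {
    printf '%s\n' "$1" | awk -v pats="$MC_RULE_PATTERNS" '
        BEGIN { n = split(pats, p, "\n") }
        /^-A / { for (i = 1; i <= n; i++) if ($0 ~ p[i]) { print; break } }'
}

# leftover_count DUMP: number of surviving installer rules (0 = clean).
leftover_count() {
    leftover_mc_rules "$1" | awk 'END { print NR }'
}

# Constructed sample: host after steps 4 to 12, only an unrelated SSH rule left.
SAMPLE_CLEAN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'

# Constructed sample: the 8443, ping, logging and final DROP rules were missed.
SAMPLE_LEFTOVER='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP'

# Live check, run as root: ./check_iptables.sh --live
if [ "${1:-}" = "--live" ]; then
    dump=$( { iptables -S; iptables -t nat -S; } 2>/dev/null || true)
    left=$(leftover_mc_rules "$dump")
    if [ -n "$left" ]; then
        printf 'Management Console iptables rules still present:\n%s\n' "$left"; exit 1
    fi
    echo "No Management Console iptables rules found"
fi
```

A non-empty result means one of the `iptables -D` steps did not match; repeat that step, then `sudo service iptables save` again before masking the service.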

Firewalld IPv4 Script

Teradici has provided instructions to create a script that will apply firewalld rules that allow Management Console to work correctly in an IPv4 environment.

Instructions on creating and executing the script can be found here

Upgrades in IPv6 Environments

Firewall changes required after an Upgrade from Management Console 20.01 or older to Management Console 20.07 or newer in an IPv6 Deployment

When upgrading from a Management Console 20.01 or older installation using RPM, the firewall rules created by the previous installation must be taken into account. The following steps remove the previously installed iptables IPv4 rules and add the firewalld IPv6 rules Management Console needs to operate properly in an IPv6 environment.

  1. Log in to the Management Console host operating system console.

  2. Check the iptables status (it should be active).

    sudo systemctl status iptables

    Iptables Status

  3. Check the applied iptables rules.

    sudo iptables -L

    Iptables Rules

  4. Remove rule which enabled port 8080.

    sudo iptables -D INPUT -p tcp -m state --state NEW --dport 8080 -j ACCEPT

  5. Remove rule which enabled port 8443.

    sudo iptables -D INPUT -p tcp -m state --state NEW --dport 8443 -j ACCEPT

  6. Remove rule which enabled port 5172.

    sudo iptables -D INPUT -p tcp -m state --state NEW --dport 5172 -j ACCEPT

  7. Remove rule which allowed incoming and outgoing pings.

    sudo iptables -D INPUT -p icmp --icmp-type echo-request -j ACCEPT
    sudo iptables -D OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    sudo iptables -D OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    sudo iptables -D INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    
  8. Remove PREROUTING rule.

    sudo iptables -t nat -D PREROUTING -i `ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}'` -p tcp --dport 443 -j REDIRECT --to-port 8443
    
  9. Remove the loopback rules (the rules that accepted loopback traffic and rejected packets to 127/8 from interfaces other than the loopback interface).

    sudo iptables -D INPUT -i lo -j ACCEPT
    sudo iptables -D INPUT -i lo -d 127.0.0.0/8 -j REJECT
    
  10. Remove outbound traffic rule.

    sudo iptables -D OUTPUT -j ACCEPT

  11. Remove logging rule.

    sudo iptables -D INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

  12. Remove rule which dropped packets not matching any other rule.

    sudo iptables -D INPUT -j DROP
    sudo iptables -D FORWARD -j REJECT
    
  13. Save the iptables rules so your changes persist (should show status OK).

    sudo service iptables save

  14. Restart iptables to apply your changes.

    sudo systemctl restart iptables

  15. Check iptables rules (should not contain rules which Management Console install previously added).

    sudo iptables -L

    Check iptables Rules

  16. Mask iptables.

    sudo systemctl mask iptables

  17. Stop iptables service.

    sudo systemctl stop iptables

  18. Unmask firewalld (should report a removed symlink).

    sudo systemctl unmask firewalld

    Unmasked Firewalld

  19. Enable firewalld.

    sudo systemctl enable firewalld --now

  20. Start firewalld.

    sudo systemctl start firewalld

  21. Check firewalld status (should be active).

    sudo systemctl status firewalld

    Check firewalld Status

    1. Get the default zone. If the default zone is trusted it will allow all packets. It is recommended that the default zone is set to public.

      sudo firewall-cmd --get-default

      If the default zone is not public, execute the following commands to set the default zone to public.

      1. sudo firewall-cmd --permanent --zone=trusted --remove-service=pcoip-agent
      2. sudo firewall-cmd --set-default=public
      3. sudo firewall-cmd --reload

  22. Get the default zone and assign it to a variable.

    def_zone=$(firewall-cmd --get-default)

  23. Enable logging of denied packets (all denied packets are logged).

    sudo firewall-cmd --set-log-denied=all

  24. Add the active network interface to the zone.

    sudo firewall-cmd --permanent --zone=$(echo $def_zone) --change-interface=`ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}'`
    
  25. Open required ports.

    • IPv6 Port 443

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=443 protocol=tcp accept'

    • IPv6 Port 22

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=22 protocol=tcp accept'

    • IPv6 Port 5172

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=5172 protocol=tcp accept'

    • IPv6 Port 80

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=80 protocol=tcp accept'

  26. Allow pings.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-icmp-block={echo-reply,echo-request} 2>/dev/null

  27. Redirect port 443 to 8443.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8443 protocol=tcp port=443'

  28. Redirect port 80 to 8080.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8080 protocol=tcp port=80'

  29. Drop incoming packets to 127/8 from interfaces other than the loopback interface.

    sudo firewall-cmd --permanent --new-zone loopback 2>/dev/null
    sudo firewall-cmd --permanent --zone=loopback --change-interface=lo 2>/dev/null
    sudo firewall-cmd --zone=loopback --permanent --set-target=ACCEPT
    sudo firewall-cmd --zone=loopback --permanent --add-source=127.0.0.0/8

  30. Reload the firewall rules.

    sudo firewall-cmd --reload

  31. Confirm the rules are applied.

    1. Check the firewalld status is active.

      sudo systemctl status firewalld

      Firewalld Active Status

    2. Verify all rules are added in firewalld; all rules should be applied.

      sudo firewall-cmd --list-all

      Firewalld Listed Rules

Firewalld Script for IPv6

Teradici has provided instructions to create a script that removes Management Console iptables rules, stops the iptables service, and enables firewalld with the required rules for Management Console to work correctly in an IPv6 deployment.

The script file is created and executed using the following steps:

  1. Copy the script content below and save it as firewalld.sh.

    sudo vi firewalld.sh

    #!/bin/bash
    val1=1
    if [ $val1 -eq 1 ]; then
        systemctl stop iptables || service iptables stop
        systemctl enable firewalld --now
        def_zone=$(firewall-cmd --get-default)
        if [ "$def_zone" != "public" ] ; then
            firewall-cmd --permanent --zone=trusted --remove-service=pcoip-agent
            firewall-cmd --set-default=public
            firewall-cmd --reload
            def_zone=$(firewall-cmd --get-default)
        fi
        firewall-cmd --zone=$(echo $def_zone) --permanent --remove-port={22,443,80,5172}/tcp # Closes 22, 443, 80, 5172 port IPv4 rules
        firewall-cmd --zone=$(echo $def_zone) --permanent --remove-forward-port=port=443:proto=tcp:toport=8443  # Removes IPv4 internal port forwarding from 443 to 8443
        firewall-cmd --zone=$(echo $def_zone) --permanent --remove-forward-port=port=80:proto=tcp:toport=8080   # Removes IPv4 internal port forwarding from 80 to 8080
        firewall-cmd --set-log-denied=all
        firewall-cmd --permanent --zone=$(echo $def_zone) --change-interface=`ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}'`
        firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=443 protocol=tcp accept'                  # Open 443 port IPv6 rules
        firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=22 protocol=tcp accept'                   # Open 22 port IPv6 rules
        firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=5172 protocol=tcp accept'                 # Open 5172 port IPv6 rules
        firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=80 protocol=tcp accept'                   # Open 80 port IPv6 rules
        firewall-cmd --zone=$(echo $def_zone) --permanent --remove-icmp-block={echo-reply,echo-request}                                         # Allow icmp ping reply and request
        firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8443 protocol=tcp port=443'    # Forward IPv6 443 port to 8443
        firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8080 protocol=tcp port=80'     # Forward IPv6 80 port to 8080
        firewall-cmd --permanent --new-zone loopback
        firewall-cmd --permanent --zone=loopback --change-interface=lo
        firewall-cmd --zone=loopback --permanent --set-target=ACCEPT
        firewall-cmd --zone=loopback --permanent --add-source=127.0.0.0/8  # Not removing loopback as some services require loopback address to function properly
        firewall-cmd --reload          # Reload the firewall tables
        firewall-cmd --list-all
    fi 2> /dev/null
    
  2. Make the script executable.

    sudo chmod +x ./firewalld.sh

  3. Run firewalld.sh:

    sudo ./firewalld.sh

Firewall changes required after an RPM Upgrade from Management Console 20.04 to Management Console 20.07 or newer in an IPv6 Deployment

When upgrading from IPv4 to IPv6, firewalld IPv4 rules must be replaced with IPv6 rules.

Perform the following steps to ensure Management Console only has IPv6 rules enabled after upgrading from an IPv4 environment.

  1. Log in to the Management Console operating system console using an SSH client (e.g. PuTTY).

  2. Ensure firewalld is enabled.

    sudo systemctl enable firewalld --now

  3. Get the default zone. If the default zone is trusted it will allow all packets. It is recommended that the default zone is set to public.

    sudo firewall-cmd --get-default

    If the default zone is not public, execute the following commands to set the default zone to public.

    1. sudo firewall-cmd --permanent --zone=trusted --remove-service=pcoip-agent

    2. sudo firewall-cmd --set-default=public

    3. sudo firewall-cmd --reload

  4. Get the default zone and assign it to a variable.

    def_zone=$(firewall-cmd --get-default)

  5. Close IPv4 ports 22, 443, 80, and 5172.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-port={22,443,80,5172}/tcp

  6. Remove IPv4 internal port forwarding from 443 to 8443.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-forward-port=port=443:proto=tcp:toport=8443

  7. Remove IPv4 internal port forwarding from 80 to 8080.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-forward-port=port=80:proto=tcp:toport=8080

  8. Enable logging of denied packets (all denied packets are logged).

    sudo firewall-cmd --set-log-denied=all

  9. Add the active network interface to the zone.

    sudo firewall-cmd --permanent --zone=$(echo $def_zone) --change-interface=`ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}'`
    
  10. Open required ports.

    • IPv6 Port 443

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=443 protocol=tcp accept'

    • IPv6 Port 22

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=22 protocol=tcp accept'

    • IPv6 Port 5172

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=5172 protocol=tcp accept'

    • IPv6 Port 80

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=80 protocol=tcp accept'

  11. Allow pings.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-icmp-block={echo-reply,echo-request} 2>/dev/null

  12. Redirect port 443 to 8443.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8443 protocol=tcp port=443'

  13. Redirect Port 80 to 8080.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8080 protocol=tcp port=80'

  14. Drop incoming packets to 127/8 from interfaces other than the loopback interface.

    sudo firewall-cmd --permanent --new-zone loopback 2>/dev/null
    sudo firewall-cmd --permanent --zone=loopback --change-interface=lo 2>/dev/null
    sudo firewall-cmd --zone=loopback --permanent --set-target=ACCEPT
    sudo firewall-cmd --zone=loopback --permanent --add-source=127.0.0.0/8
    
  15. Reload the firewall rules.

    sudo firewall-cmd --reload

  16. Confirm the rules are applied.

    1. Check the firewalld status is active.

      sudo systemctl status firewalld

      Firewalld Active Status

    2. Verify all rules are added in firewalld; all rules should be applied.

      sudo firewall-cmd --list-all

      Firewalld Listed Rules

Firewall changes required after updating a Management Console OVA IPv4 deployment to an IPv6 Deployment

To use the Management Console OVA in an IPv6 environment, the IPv4 firewall rules must be removed and the IPv6 rules added so that Management Console can communicate properly.

Once Management Console 20.07 or newer is deployed, log in to its host operating system console, set the def_zone variable as in the earlier procedures (def_zone=$(firewall-cmd --get-default)), and perform the following steps.

  1. Close IPv4 ports 22, 443, 80, and 5172.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-port={22,443,80,5172}/tcp

  2. Remove IPv4 internal port forwarding rules.

    • From port 443 to 8443.

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-forward-port=port=443:proto=tcp:toport=8443

    • From port 80 to 8080.

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-forward-port=port=80:proto=tcp:toport=8080

  3. Open required IPv6 ports.

    • IPv6 Port 443

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=443 protocol=tcp accept'

    • IPv6 Port 22

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=22 protocol=tcp accept'

    • IPv6 Port 5172

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=5172 protocol=tcp accept'

    • IPv6 Port 80

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=80 protocol=tcp accept'

  4. Redirect required ports.

    • Port 443 to 8443

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8443 protocol=tcp port=443'

    • Port 80 to 8080

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8080 protocol=tcp port=80'

  5. Reload firewall rules.

    sudo firewall-cmd --reload

  6. Confirm the rules are applied.

    1. Check the firewalld status is active.

      sudo systemctl status firewalld

      Firewalld Active Status

    2. Verify all rules are added in firewalld; all rules should be applied.

      sudo firewall-cmd --list-all

      Firewalld Listed Rules
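Each of the procedures above ends with a visual check of `firewall-cmd --list-all`. The script below, added here as an example and not Teradici's code, turns that check into a pass/fail test for both the IPv4 rule set (ports, forward-ports, masquerade) and the IPv6 rule set (rich rules, with the IPv4 entries gone), and also verifies that the default zone is public rather than trusted. The zone listings embedded in it are constructed samples in the format `firewall-cmd --list-all` prints; the `--live` mode reads the running firewalld configuration.

```shell
#!/bin/sh
# Added example, not Teradici's code: verify a firewalld zone listing against the
# rules the procedures expect. Zone listings below are constructed samples.

# zone_field NAME LISTING: entries of the "  NAME: ..." field, one per line.
# firewalld indents extra entries with a tab; the samples use spaces, both work.
zone_field() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^  [a-z][a-z -]*:( |$)/ {
            hit = (index($0, "  " want ":") == 1)
            if (hit) print substr($0, length(want) + 5)
            next
        }
        hit && /^[[:space:]]/ { sub(/^[[:space:]]+/, ""); print }'
}

# has_item ITEM VALUE: true when ITEM is exactly one entry of VALUE (a rich rule
# is a single entry that contains spaces; entries are space or newline separated).
has_item() {
    _v=$(printf '%s' "$2" | tr '\n' ' ')
    case " $_v " in *" $1 "*) return 0 ;; esac
    return 1
}

# check_default_zone ZONE: the procedures require public; trusted accepts everything.
check_default_zone() {
    [ "$1" = "public" ] && return 0
    echo "FAIL: default zone is '$1', expected public"; return 1
}

# check_zone FAMILY LISTING: print each failed expectation for FAMILY (ipv4 or
# ipv6) and return the number of failures; 0 means the listing is compliant.
check_zone() {
    fails=0; ports=$(zone_field ports "$2"); fwd=$(zone_field forward-ports "$2")
    rich=$(zone_field "rich rules" "$2"); icmp=$(zone_field icmp-blocks "$2")
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    [ "$(zone_field target "$2")" != "ACCEPT" ] || fail "zone target is ACCEPT"
    for t in echo-request echo-reply; do
        ! has_item "$t" "$icmp" || fail "ICMP $t is blocked, pings will fail"
    done
    # Plain port and forward-port entries: required for IPv4, must be gone after IPv6 migration.
    for p in 80/tcp 443/tcp 22/tcp 5172/tcp; do
        if [ "$1" = ipv4 ]; then has_item "$p" "$ports" || fail "port $p not open"
        else ! has_item "$p" "$ports" || fail "IPv4 port $p still open"; fi
    done
    for f in port=443:proto=tcp:toport=8443:toaddr= port=80:proto=tcp:toport=8080:toaddr=; do
        if [ "$1" = ipv4 ]; then has_item "$f" "$fwd" || fail "forward-port $f missing"
        else ! has_item "$f" "$fwd" || fail "IPv4 forward-port $f still present"; fi
    done
    if [ "$1" = ipv4 ]; then
        [ "$(zone_field masquerade "$2")" = yes ] || fail "masquerade not enabled"
    else
        for p in 443 22 5172 80; do
            has_item "rule family=\"ipv6\" port port=\"$p\" protocol=\"tcp\" accept" "$rich" \
                || fail "IPv6 rich rule for port $p missing"
        done
        has_item 'rule family="ipv6" forward-port port="443" protocol="tcp" to-port="8443"' "$rich" \
            || fail "IPv6 forward-port 443 to 8443 missing"
        has_item 'rule family="ipv6" forward-port port="80" protocol="tcp" to-port="8080"' "$rich" \
            || fail "IPv6 forward-port 80 to 8080 missing"
    fi
    return $fails
}

# Constructed sample: IPv4 deployment after the IPv4 procedure.
SAMPLE_IPV4='public (active)
  target: default
  ports: 80/tcp 443/tcp 22/tcp 5172/tcp
  masquerade: yes
  forward-ports: port=443:proto=tcp:toport=8443:toaddr=
        port=80:proto=tcp:toport=8080:toaddr=
  icmp-blocks:
  rich rules:'

# Constructed sample: IPv6 deployment after the IPv4 entries were removed.
SAMPLE_IPV6='public (active)
  target: default
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv6" port port="443" protocol="tcp" accept
        rule family="ipv6" port port="22" protocol="tcp" accept
        rule family="ipv6" port port="5172" protocol="tcp" accept
        rule family="ipv6" port port="80" protocol="tcp" accept
        rule family="ipv6" forward-port port="443" protocol="tcp" to-port="8443"
        rule family="ipv6" forward-port port="80" protocol="tcp" to-port="8080"'

# Constructed failure case: IPv4 ports never closed, port 80 rich rule missing.
SAMPLE_IPV6_LEFTOVER=$(printf '%s\n' "$SAMPLE_IPV6" \
    | sed -e 's|^  ports:$|  ports: 80/tcp 443/tcp 22/tcp 5172/tcp|' \
          -e '/port="80" protocol="tcp" accept/d')

# Live check, run as root on the Management Console host: ./check_zone.sh --live ipv6
if [ "${1:-}" = "--live" ]; then
    check_default_zone "$(firewall-cmd --get-default-zone)"
    check_zone "${2:-ipv4}" "$(firewall-cmd --list-all)"
fi
```

Run `./check_zone.sh --live ipv4` after the IPv4 procedure and `./check_zone.sh --live ipv6` after any of the IPv6 procedures; a non-zero exit status with FAIL lines points at the step to repeat. Because `--list-all` shows the runtime configuration, run the check after `firewall-cmd --reload`, or add `--permanent` to the `firewall-cmd --list-all` call to check the saved configuration instead.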