Uly.me

cloud engineer

firewall

GCP Firewall Source Service Account

by Ulysses · Feb 16, 2021

Here’s how to create a firewall rule that allows traffic from one service account to another, rather than from a CIDR range.

gcloud compute firewall-rules create "firewall-name" \
--description="firewall-description" \
--priority "1000" \
--direction INGRESS \
--action allow \
--network "network-name" \
--source-service-accounts="service@account.net" \
--target-service-accounts="service@account.net" \
--rules tcp:9001


Instead of --source-ranges, this rule uses --source-service-accounts, so the match follows the identity of the calling instances rather than their IP addresses.

Filed Under: Cloud Tagged With: firewall, gcp, service account, source-service-accounts, target-service-accounts

AWS EC2 List Firewall Rules

by Ulysses · Jan 26, 2021

AWS EC2 firewall rules are defined within security groups, which are attached to an instance. An instance can have up to 5 security groups. Essentially, this script gathers all the security groups associated with an instance, loops through them, and outputs the ingress and egress rules of each security group to a text file.

#!/bin/bash
# set variables
instanceid='i-xxxxxxxxxxxxxxxx'
region='us-east-1'
profile='sample'
# log and temp files
output="ec2-sg.log"
tmpfil="ec2-sg.tmp"
# empty log at start
> "$output"
# get the ids of the security groups attached to the instance
aws ec2 describe-instances \
--instance-ids "$instanceid" \
--region "$region" \
--profile "$profile" \
--query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' --output text > "$tmpfil"
# for each group, write its ingress and egress rules as: from-port to-port protocol cidr
while read -r id; do
  echo '============================================' >> "$output"
  echo "$id" >> "$output"
  echo '============================================' >> "$output"
  echo '---------------- INGRESS -------------------' >> "$output"
  aws ec2 describe-security-groups \
  --group-ids "$id" \
  --profile "$profile" \
  --region "$region" \
  --output text \
  --query 'SecurityGroups[].IpPermissions[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> "$output"
  echo '---------------- EGRESS --------------------' >> "$output"
  aws ec2 describe-security-groups \
  --group-ids "$id" \
  --profile "$profile" \
  --region "$region" \
  --output text \
  --query 'SecurityGroups[].IpPermissionsEgress[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> "$output"
done < "$tmpfil"
# remove the temp file with the group ids
rm -f "$tmpfil"


Here’s a sample output.

============================================
sg-xxxxxxxxxxxxxxx
============================================
---------------- INGRESS -------------------
5985    5985    tcp     10.0.0.220/32
10005   10005   tcp     10.0.0.164/32
---------------- EGRESS --------------------
80      80      tcp     10.0.0.14/32
40000   65535   udp     10.0.0.0/8
3389    3389    tcp     10.0.0.96/32
9389    9389    tcp     10.0.0.0/8
5985    5986    tcp     10.0.0.96/32

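As an added example (not part of the original post), this shell function reads the ec2-sg.log layout the script above produces and flags rules whose CIDR is wider than a chosen prefix length or open to the world; the log content below is constructed to match that layout.

```shell
#!/bin/bash
# Constructed sample in the text layout the script above writes to ec2-sg.log
# (from-port, to-port, protocol, cidr under a per-group INGRESS/EGRESS header).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
============================================
sg-0123456789abcdef0
============================================
---------------- INGRESS -------------------
5985    5985    tcp     10.0.0.220/32
22      22      tcp     0.0.0.0/0
---------------- EGRESS --------------------
80      80      tcp     10.0.0.14/32
40000   65535   udp     10.0.0.0/8
EOF

# audit_sg_log LOGFILE MIN_PREFIX
# Prints one finding per rule whose CIDR prefix is shorter than MIN_PREFIX bits
# (or is 0.0.0.0/0), tagged with the group id and direction it sits under.
audit_sg_log() {
  awk -v minpfx="$2" '
    /^sg-/          { sg = $1; next }           # group id line
    /INGRESS/       { dir = "INGRESS"; next }   # section headers
    /EGRESS/        { dir = "EGRESS"; next }
    NF == 4 && $4 ~ "/" {                        # from to proto cidr
      split($4, c, "/")
      if ($4 == "0.0.0.0/0" || c[2] + 0 < minpfx)
        printf "%s %s %s-%s/%s open to %s\n", sg, dir, $1, $2, $3, $4
    }' "$1"
}

# Number of findings, handy as a CI gate (fail the job when it is not 0).
count_findings() { audit_sg_log "$1" "$2" | wc -l | tr -d ' '; }

audit_sg_log "$SAMPLE_LOG" 16
```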

Filed Under: Cloud Tagged With: aws, cli, ec2, firewall, output, security groups, text

GCP Create Firewall with Tags

by Ulysses · May 28, 2020

Here’s another way to create a firewall rule in GCP, using a network tag as the target.

gcloud compute firewall-rules create "firewall-name" \
    --description="egress rule to allow port 8000 to destination" \
    --priority "1000" \
    --direction EGRESS \
    --action allow \
    --network "your-network" \
    --target-tags="your-network-tag" \
    --destination-ranges="10.0.0.1/32" \
    --rules tcp:8000


Filed Under: Cloud Tagged With: destination, egress, firewall, gcp, tags, target

GCP SDK Firewall Rule AH and ESP

by Ulysses · Feb 26, 2020

Here’s how to add a GCP firewall rule with the AH (authentication header) and ESP (Encapsulating Security Payload) protocols.

gcloud compute firewall-rules update "firewall-name" \
    --description="firewall description" \
    --priority "1000" \
    --target-service-accounts="service-account@gserviceaccount.com" \
    --destination-ranges="10.0.0.0/8" \
    --rules 50,51,tcp:80,udp:1000


There is no need to name AH and ESP as protocols in the rule. Just their IP protocol numbers (51 for AH, 50 for ESP).

Filed Under: Cloud Tagged With: ah, cli, esp, firewall, gcp, sdk

GCP SDK Firewall Update

by Ulysses · Feb 23, 2020

Here’s how to update an existing GCP firewall.

Ingress

gcloud compute firewall-rules update "firewall-rule-name" \
--description="firewall description" \
--priority="1000" \
--target-service-accounts="service-account@gserviceaccount.com" \
--source-ranges="10.0.0.0/8" \
--rules tcp:80,tcp:443,udp:1000-1100


Egress

gcloud compute firewall-rules update "firewall-rule-name" \
--description="firewall description" \
--priority="1000" \
--target-service-accounts="service-account@gserviceaccount.com" \
--destination-ranges="10.0.0.0/8" \
--rules tcp:80,tcp:443,udp:1000-1100


Filed Under: Cloud Tagged With: egress, firewall, gcp, ingress, update

GCP Setup NLB

by Ulysses · Dec 23, 2019

Here’s how to set up a Network Load Balancer in GCP.

Set up your instances.

# Instance 1
gcloud compute instances create www1 \
  --image-family debian-9 \
  --image-project debian-cloud \
  --zone us-central1-b \
  --tags network-lb-tag \
  --metadata startup-script="#! /bin/bash
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>www1</h1></body></html>' | tee /var/www/html/index.html"
# Instance 2
gcloud compute instances create www2 \
  --image-family debian-9 \
  --image-project debian-cloud \
  --zone us-central1-b \
  --tags network-lb-tag \
  --metadata startup-script="#! /bin/bash
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>www2</h1></body></html>' | tee /var/www/html/index.html"
# Instance 3
gcloud compute instances create www3 \
  --image-family debian-9 \
  --image-project debian-cloud \
  --zone us-central1-b \
  --tags network-lb-tag \
  --metadata startup-script="#! /bin/bash
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>www3</h1></body></html>' | tee /var/www/html/index.html"


Create a firewall to allow external traffic to reach port 80.

gcloud compute firewall-rules create www-firewall-network-lb \
    --target-tags network-lb-tag --allow tcp:80


Configure your network load balancer.

# Create an external IP address.
gcloud compute addresses create network-lb-ip-1 \
    --region us-central1
# Add a legacy HTTP health check.
gcloud compute http-health-checks create basic-check
# Create a target pool that uses the health check, then add the instances to it.
gcloud compute target-pools create www-pool \
    --region us-central1 \
    --http-health-check basic-check
gcloud compute target-pools add-instances www-pool \
    --instances www1,www2,www3 \
    --instances-zone us-central1-b
# Add a forwarding rule.
gcloud compute forwarding-rules create www-rule \
    --region us-central1 \
    --ports 80 \
    --address network-lb-ip-1 \
    --target-pool www-pool
# Look up the external IP address.
gcloud compute forwarding-rules describe www-rule \
    --region us-central1


Finally, use the curl command to send traffic to the NLB external IP address.

while true; do curl -m1 [IP_ADDRESS]; done


Filed Under: Cloud Tagged With: curl, firewall, forwarding, gcp, health check, instances, load balancer, network, nlb, pool

Tcpdump

by Ulysses · Nov 27, 2019

Tcpdump is a command line utility that allows you to capture and analyze network traffic going through your system. It is often used to help troubleshoot network issues.

# Find out if tcpdump is installed
$ which tcpdump
/usr/sbin/tcpdump
 
# Install tcpdump
sudo yum install -y tcpdump
 
# Find which interface is available to you
tcpdump -D
 
# Capture on eth0. Use Ctrl-C to end capture.
tcpdump -i eth0
 
# Capture after 10 packets
tcpdump -i eth0 -c10
 
# Filter by port
tcpdump -i any -c10 -nn port 80
 
# Filter by ip address
tcpdump -i any -c10 -nn host 192.168.1.23
 
# Filter by source or destination ip
tcpdump -i any -c10 -nn src 192.168.1.23
tcpdump -i any -c10 -nn dst 192.168.1.23
 
# Filter by source ip and port
tcpdump -i any -c5 -nn src 192.168.1.23 and port 80
 
# Save output to a file (binary format)
tcpdump -i any -c10 -nn -w http.pcap port 80
 
# Read the saved capture back in text form
tcpdump -nn -r http.pcap


Here’s a good intro article about tcpdump.

Filed Under: Linux Tagged With: analysis, firewall, network, tcpdump

Passive FTP Firewall

by Ulysses · Nov 18, 2019

Passive FTP is an FTP mode that alleviates the issues with client firewalls. The client initiates the control connection to the server, and the return traffic is allowed because the client initiated it. In addition, the server replies with an ephemeral port that the client can connect to. The client opens a second connection to that ephemeral port, and the data connection is then established.

Egress to port 21 and to the ephemeral ports 1024-65535 needs to be opened from the client side.

# From the client side, egress port 21 must be open.
tcp:21
# From the client side, the ephemeral ports from 1024 to 65535 must be open.
tcp:1024-65535

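As an added check that is not part of either post, this POSIX shell function validates a gcloud --rules value offline before it is handed to gcloud; it accepts the protocol-number form used for AH (51) and ESP (50) above and the protocol:port-range form used for the passive-FTP ephemeral range, and rejects ports above 65535 and inverted ranges. It assumes only gcloud's documented protocol[:port[-port]] syntax.

```shell
#!/bin/sh
# validate_rules_spec SPEC
# Validates a gcloud --rules value such as "50,51,tcp:80,udp:1000-1100" offline.
# Each comma-separated item is either a bare IP protocol (a name, or a number
# 0-255 such as 50 for ESP and 51 for AH) or tcp/udp/sctp followed by a port or
# low-high port range inside 0-65535. Returns 0 when valid, 1 (with a reason on
# stderr) otherwise, so a wrapper script can stop before it calls gcloud.
validate_rules_spec() {
  spec=$1
  [ -n "$spec" ] || { echo "empty rule spec" >&2; return 1; }
  old_ifs=$IFS; IFS=','; set -- $spec; IFS=$old_ifs
  for item in "$@"; do
    case $item in
      *:*)                                     # protocol:port or protocol:low-high
        proto=${item%%:*}; ports=${item#*:}
        case $proto in tcp|udp|sctp) ;;
          *) echo "ports are only valid with tcp/udp/sctp: '$item'" >&2; return 1 ;; esac
        case $ports in *-*-*) echo "malformed range '$ports'" >&2; return 1 ;; esac
        low=${ports%%-*}; high=${ports##*-}
        for p in "$low" "$high"; do
          case $p in ''|*[!0-9]*) echo "bad port '$p' in '$item'" >&2; return 1 ;; esac
          [ "$p" -le 65535 ] || { echo "port $p exceeds 65535 in '$item'" >&2; return 1; }
        done
        [ "$low" -le "$high" ] || { echo "inverted range '$ports'" >&2; return 1; } ;;
      '')  echo "empty item in '$spec'" >&2; return 1 ;;
      *[!0-9]*)                                # protocol by name
        case $item in tcp|udp|icmp|esp|ah|sctp|ipip|all) ;;
          *) echo "unknown protocol '$item'" >&2; return 1 ;; esac ;;
      *)                                       # protocol by IANA number
        [ "$item" -le 255 ] || { echo "protocol number $item exceeds 255" >&2; return 1; } ;;
    esac
  done
  return 0
}

# Sample use: the AH/ESP rule above and the passive-FTP client egress set.
validate_rules_spec "50,51,tcp:80,udp:1000" && echo "AH/ESP rule spec ok"
validate_rules_spec "tcp:21,tcp:1024-65535" && echo "passive FTP rule spec ok"
```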

Filed Under: Cloud Tagged With: aws, ephemeral, firewall, ftp, gcp, high, passive, port

GCP StackDriver Firewall Log

by Ulysses · Oct 4, 2019

Here’s one way to look at traffic hitting a GCP firewall rule. To view the activity, go to Stackdriver Logging > Viewer and enter the following search string, replacing the project, network and firewall names.

logName:(projects/project-name/logs/compute.googleapis.com%2Ffirewall) 
AND jsonPayload.rule_details.reference:("network:network-name/firewall:firewall-name")


Filed Under: Cloud Tagged With: firewall, gcp, logging, stackdriver

AWS Security Groups IP Cidr

by Ulysses · Sep 10, 2019

Here’s how to search for AWS security groups whose egress rules contain a given IP CIDR.

aws ec2 describe-security-groups \
--filter Name=egress.ip-permission.cidr,Values='10.8.8.8/32' \
--query "SecurityGroups[*].{Name:GroupName}" \
--output text \
--profile default \
--region us-east-1


Search with ports as well.

aws ec2 describe-security-groups \
--filter Name=egress.ip-permission.cidr,Values='10.8.8.8/32' \
         Name=egress.ip-permission.from-port,Values='22' \
         Name=egress.ip-permission.to-port,Values='22' \
--query "SecurityGroups[*].{Name:GroupName}" \
--output text \
--profile default \
--region us-east-1


The query displays only the security group name.

Filed Under: Cloud Tagged With: aws, firewall, ip cidr, search, security groups, vpc


Copyright © 2012–2021