Uly.me

cloud engineer


December 23, 2019

GCP Setup NLB

Here’s how to set up a Network Load Balancer in GCP.

Set up your instances.

# Instance 1
gcloud compute instances create www1 \
  --image-family debian-9 \
  --image-project debian-cloud \
  --zone us-central1-b \
  --tags network-lb-tag \
  --metadata startup-script="#! /bin/bash
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>www1</h1></body></html>' | tee /var/www/html/index.html"
# Instance 2
gcloud compute instances create www2 \
  --image-family debian-9 \
  --image-project debian-cloud \
  --zone us-central1-b \
  --tags network-lb-tag \
  --metadata startup-script="#! /bin/bash
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>www2</h1></body></html>' | tee /var/www/html/index.html"
# Instance 3
gcloud compute instances create www3 \
  --image-family debian-9 \
  --image-project debian-cloud \
  --zone us-central1-b \
  --tags network-lb-tag \
  --metadata startup-script="#! /bin/bash
    sudo apt-get update
    sudo apt-get install apache2 -y
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>www3</h1></body></html>' | tee /var/www/html/index.html"


Create a firewall rule that allows external traffic to reach port 80 on the tagged instances.

gcloud compute firewall-rules create www-firewall-network-lb \
    --target-tags network-lb-tag --allow tcp:80


Configure your network load balancer.

# Create an external IP address.
gcloud compute addresses create network-lb-ip-1 \
    --region us-central1
# Add a legacy HTTP health check.
gcloud compute http-health-checks create basic-check
# Add a target pool (create it with the health check, then add the instances).
gcloud compute target-pools create www-pool \
    --region us-central1 \
    --http-health-check basic-check
gcloud compute target-pools add-instances www-pool \
    --instances www1,www2,www3 \
    --instances-zone us-central1-b
# Add a forwarding rule.
gcloud compute forwarding-rules create www-rule \
    --region us-central1 \
    --ports 80 \
    --address network-lb-ip-1 \
    --target-pool www-pool
# Look up the external IP address.
gcloud compute forwarding-rules describe www-rule \
    --region us-central1


Finally, use the curl command to send traffic to the NLB external IP address.

while true; do curl -m1 [IP_ADDRESS]; done


November 27, 2019

Tcpdump

Tcpdump is a command line utility that allows you to capture and analyze network traffic going through your system. It is often used to help troubleshoot network issues.

# Find out if tcpdump is installed
$ which tcpdump
/usr/sbin/tcpdump

# Install tcpdump
sudo yum install -y tcpdump

# List the interfaces available for capture
tcpdump -D

# Capture on eth0. Use Ctrl-C to end the capture.
tcpdump -i eth0

# Stop after capturing 10 packets
tcpdump -i eth0 -c10

# Filter by port (-nn: do not resolve hostnames or port names)
tcpdump -i any -c10 -nn port 80

# Filter by ip address
tcpdump -i any -c10 -nn host 192.168.1.23

# Filter by source or destination ip
tcpdump -i any -c10 -nn src 192.168.1.23
tcpdump -i any -c10 -nn dst 192.168.1.23

# Filter by source ip and port
tcpdump -i any -c5 -nn src 192.168.1.23 and port 80

# Save the capture to a file (binary pcap format)
tcpdump -i any -c10 -nn -w http.pcap port 80

# Read the saved capture back as text
tcpdump -nn -r http.pcap


Here’s a good intro article about tcpdump.

November 18, 2019

Passive FTP Firewall

Passive FTP is an FTP mode that alleviates the issues FTP has with client firewalls. The client initiates the control connection to the server, and the return traffic is allowed because the client initiated it. For the data connection, the server sends the client an ephemeral port number that the client can connect to. The client then initiates a second connection to that ephemeral port, and the data connection is established.

Egress port 21 and the ephemeral ports 1024-65535 need to be open on the client side.

# From the client side, egress port 21 must be open.
tcp:21
# From the client side, ephemeral ports from port 1024 to 65535 must be open.
tcp:1024-65535
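As an added example (not part of the original post), here is a Python check of the passive-mode exchange described above: it parses the server's 227 reply into the ephemeral host and port the client will dial, then flags a port outside the 1024-65535 egress range or a data host that differs from the server the control connection was opened to. The sample replies are constructed.

```python
import re

# Client-side egress range from the post: tcp:1024-65535 for the data connection.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": four host octets, two port bytes.
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    fields = [int(g) for g in m.groups()]
    if any(v > 255 for v in fields):
        raise ValueError(f"byte out of range in reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_data_connection(reply, control_host):
    """Work out where the client's second connection would go and list anything
    the client firewall policy from the post would block or that should be
    distrusted: a port outside 1024-65535, or a data host that is not the
    server the control connection was opened to."""
    host, port = parse_pasv(reply)
    problems = []
    if not EPHEMERAL_LOW <= port <= EPHEMERAL_HIGH:
        problems.append(f"port {port} outside egress range "
                        f"{EPHEMERAL_LOW}-{EPHEMERAL_HIGH}")
    if host != control_host:
        problems.append(f"data host {host} differs from control host {control_host}")
    return host, port, problems


if __name__ == "__main__":
    # Constructed replies; 192.168.1.23 is the sample address used elsewhere on this page.
    for reply in ("227 Entering Passive Mode (192,168,1,23,195,80)",
                  "227 Entering Passive Mode (192,168,1,23,3,233)",
                  "227 Entering Passive Mode (10,0,0,9,195,80)"):
        print(check_data_connection(reply, "192.168.1.23"))
```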


October 4, 2019

GCP StackDriver Firewall Log

Here’s one way to look at traffic hitting a GCP firewall rule. To view the activity, go to Stackdriver Logging > Viewer and enter the following search string, replacing the project, network and firewall names with your own.

logName:(projects/project-name/logs/compute.googleapis.com%2Ffirewall) 
AND jsonPayload.rule_details.reference:("network:network-name/firewall:firewall-name")
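An added example, not from the original post: the same two predicates as the query above, applied in Python to firewall log entries (the parsed JSON list that `gcloud logging read --format json` returns), summarizing hits on the rule by disposition, source IP and destination port. The entries are constructed samples that reuse the placeholder project, network and firewall names from the query.

```python
from collections import Counter

# The two predicates from the Logging viewer query in the post.
LOG_NAME = "projects/project-name/logs/compute.googleapis.com%2Ffirewall"
RULE_REF = "network:network-name/firewall:firewall-name"


def matches_query(entry, log_name=LOG_NAME, rule_ref=RULE_REF):
    """Same test the viewer applies: right log stream and right firewall rule."""
    details = entry.get("jsonPayload", {}).get("rule_details", {})
    return entry.get("logName") == log_name and details.get("reference") == rule_ref


def summarize(entries, **query):
    """Count matching entries by (disposition, src_ip, dest_port) so that a
    burst of hits on the rule from one source stands out."""
    hits = Counter()
    for entry in entries:
        if not matches_query(entry, **query):
            continue
        payload = entry["jsonPayload"]
        conn = payload.get("connection", {})
        hits[(payload.get("disposition"), conn.get("src_ip"), conn.get("dest_port"))] += 1
    return hits


def _entry(log_name, reference, disposition, src_ip, dest_port):
    # Builds a constructed entry with the fields VPC firewall logging emits.
    return {
        "logName": log_name,
        "jsonPayload": {
            "disposition": disposition,
            "rule_details": {"reference": reference, "direction": "INGRESS",
                             "action": "ALLOW" if disposition == "ALLOWED" else "DENY"},
            "connection": {"src_ip": src_ip, "dest_ip": "10.128.0.2",
                           "dest_port": dest_port, "protocol": 6},
        },
    }


# Constructed sample; 203.0.113.x and 198.51.100.x are documentation address ranges.
SAMPLE_ENTRIES = [
    _entry(LOG_NAME, RULE_REF, "ALLOWED", "203.0.113.7", 80),
    _entry(LOG_NAME, RULE_REF, "ALLOWED", "203.0.113.7", 80),
    _entry(LOG_NAME, RULE_REF, "ALLOWED", "198.51.100.4", 80),
    _entry(LOG_NAME, "network:network-name/firewall:deny-ssh", "DENIED", "203.0.113.7", 22),
    _entry("projects/other-project/logs/compute.googleapis.com%2Ffirewall", RULE_REF, "ALLOWED", "203.0.113.7", 80),
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_ENTRIES).most_common():
        print(count, *key)
```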


September 10, 2019

AWS Security Groups IP Cidr

Here’s how to search for AWS Security Groups with an egress rule containing this IP CIDR.

aws ec2 describe-security-groups \
--filter Name=egress.ip-permission.cidr,Values='10.8.8.8/32' \
--query "SecurityGroups[*].{Name:GroupName}" \
--output text \
--profile default \
--region us-east-1


Search by port as well.

aws ec2 describe-security-groups \
--filter Name=egress.ip-permission.cidr,Values='10.8.8.8/32' \
         Name=egress.ip-permission.from-port,Values='22' \
         Name=egress.ip-permission.to-port,Values='22' \
--query "SecurityGroups[*].{Name:GroupName}" \
--output text \
--profile default \
--region us-east-1


The query displays only the Security Group name.
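One caveat with the filters above: `egress.ip-permission.cidr`, `from-port` and `to-port` match the stored values literally, so a rule for 0.0.0.0/0 or for ports 0-65535 that still permits the traffic is not returned. The following is an added example, not from the original post, that takes the JSON output of `aws ec2 describe-security-groups` and checks effective TCP egress instead (CIDR containment and port-range coverage, with protocol -1 treated as all traffic); the sample output is constructed.

```python
import ipaddress
import json


def rule_permits_tcp(perm, cidr, port):
    """True when one egress rule reaches `cidr` (by CIDR containment, not just
    the literal string) and permits TCP `port`. Protocol -1 means all traffic."""
    target = ipaddress.ip_network(cidr)
    reaches = any(target.subnet_of(ipaddress.ip_network(r["CidrIp"]))
                  for r in perm.get("IpRanges", []))
    if not reaches:
        return False
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def groups_permitting_tcp(describe_output, cidr, port):
    """Names of groups with at least one egress rule that reaches `cidr` on TCP `port`."""
    return sorted(
        sg["GroupName"]
        for sg in describe_output["SecurityGroups"]
        if any(rule_permits_tcp(p, cidr, port)
               for p in sg.get("IpPermissionsEgress", []))
    )


# Constructed output in the shape describe-security-groups returns with --output json.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupName": "exact-22", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.8.8.8/32"}]}]},
  {"GroupName": "wide-range", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "10.8.8.8/32"}]}]},
  {"GroupName": "all-traffic", "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.8.8.8/32"}]}]},
  {"GroupName": "split-rules", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.8.8.8/32"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")

if __name__ == "__main__":
    # The literal CLI filter from the post would return only "exact-22" here.
    print(groups_permitting_tcp(SAMPLE, "10.8.8.8/32", 22))
```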
