====== Runbook: Firewall rules ======

**Duration:** ~10 minutes \\
**Role:** Network-Admin, Security-Admin \\
**Prerequisite:** Root/Admin rights

Network-level access control for the Data Gateway.

----

===== Workflow =====

<code mermaid>
flowchart TD
    A[Start] --> B[Identify ports]
    B --> C{Platform?}
    C -->|Windows| D[Windows Firewall]
    C -->|Linux| E[iptables/firewalld]
    C -->|Cloud| F[Security Groups]
    D --> G[Create rule]
    E --> G
    F --> G
    G --> H[Test]
    H --> I{Access OK?}
    I -->|Yes| J[Document]
    I -->|No| K[Adjust rule]
    style J fill:#e8f5e9
    style K fill:#ffebee
</code>

----

===== Required ports =====

| Port | Protocol | Direction | Description |
|------|----------|-----------|-------------|
| 443  | TCP | Inbound  | HTTPS (production) |
| 5000 | TCP | Inbound  | HTTP (development only; stays blocked in production) |
| 9090 | TCP | Outbound | Prometheus (optional) |
| 1433 | TCP | Outbound | SQL Server |
| 5432 | TCP | Outbound | PostgreSQL |
| 3306 | TCP | Outbound | MySQL |

Open only the outbound port of the database engine actually in use; the other two database ports stay closed.

----

===== 1. Windows Firewall =====

**PowerShell (as Administrator):**

<code powershell>
# Inbound: allow HTTPS from any source
New-NetFirewallRule -DisplayName "Data Gateway HTTPS" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443

# Inbound: allow HTTPS only from specific networks
New-NetFirewallRule -DisplayName "Data Gateway HTTPS Restricted" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443 `
    -RemoteAddress "10.0.0.0/8","192.168.0.0/16"

# Outbound: allow SQL Server
New-NetFirewallRule -DisplayName "Data Gateway to SQL Server" `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 1433

# List the gateway rules
Get-NetFirewallRule -DisplayName "Data Gateway*" | Format-Table Name, Enabled, Direction, Action

# Remove a rule
Remove-NetFirewallRule -DisplayName "Data Gateway HTTPS"
</code>

Windows Firewall combines allow rules: as long as the unrestricted "Data Gateway HTTPS" rule exists, the "Restricted" rule changes nothing. Create one or the other, and remove the unrestricted rule (last command above) when switching to the restricted one.

----
===== 2. Linux: firewalld (RHEL/CentOS) =====

<code bash>
# Open the HTTPS port to any source
sudo firewall-cmd --permanent --add-port=443/tcp

# Alternatively: allow HTTPS only from a specific network
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" port protocol="tcp" port="443" accept'

# Apply changes
sudo firewall-cmd --reload

# Show rules
sudo firewall-cmd --list-all

# Remove a rule
sudo firewall-cmd --permanent --remove-port=443/tcp
sudo firewall-cmd --reload
</code>

The same caveat as on Windows applies: ''--add-port=443/tcp'' opens the port to every source, so use either the plain port or the rich rule, not both, and remove the plain port (''--remove-port'') when restricting to a network.

----

===== 3. Linux: ufw (Ubuntu/Debian) =====

<code bash>
# Allow HTTPS from any source
sudo ufw allow 443/tcp

# Alternatively: only from a specific network
sudo ufw allow from 10.0.0.0/8 to any port 443 proto tcp

# Show status
sudo ufw status verbose

# Remove a rule
sudo ufw delete allow 443/tcp
</code>

----

===== 4. Linux: iptables (manual) =====

<code bash>
# Allow HTTPS from any source
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Alternatively: only from a specific network. iptables uses first match, so the
# source-restricted ACCEPT must come before the DROP, and the unrestricted ACCEPT
# above must not be present, otherwise it matches first and the DROP never applies.
sudo iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j DROP

# Persist rules. With a plain "sudo iptables-save > file" the redirect runs as the
# unprivileged user and fails with "Permission denied", hence the sh -c wrapper.
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

# Show rules with line numbers
sudo iptables -L -n --line-numbers

# Remove a rule by number (numbers shift after every deletion; list again before the next one)
sudo iptables -D INPUT 3
</code>

''-j DROP'' makes an outside client wait until its timeout; ''-j REJECT'' answers immediately with "Connection refused". Which of the two you choose decides the expected result of the external test in section 8.

----

===== 5. Cloud: AWS Security Group =====

<code bash>
# Create the Security Group (note the GroupId in the output and use it instead of sg-12345678 below)
aws ec2 create-security-group \
    --group-name gateway-sg \
    --description "Data Gateway Security Group" \
    --vpc-id vpc-12345678

# HTTPS from anywhere (public endpoints only: this exposes the gateway to the whole Internet)
aws ec2 authorize-security-group-ingress \
    --group-id sg-12345678 \
    --protocol tcp \
    --port 443 \
    --cidr 0.0.0.0/0

# HTTPS only from the VPN (VPN clients are assumed to arrive from 10.0.0.0/8)
aws ec2 authorize-security-group-ingress \
    --group-id sg-12345678 \
    --protocol tcp \
    --port 443 \
    --cidr 10.0.0.0/8
</code>

Use one of the two ingress rules, not both: security group rules are additive, so the ''0.0.0.0/0'' rule would make the VPN restriction meaningless. A new security group allows all outbound traffic by default; restrict egress to the database port from the table above if the least-privilege rule is to hold for outbound connections too.

----
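The iptables procedure in section 4 above appends rules one by one, which is where ordering mistakes and lock-outs happen. The script below is an added example, not part of this runbook or of the Data Gateway product: it renders the complete rule set for the port table (HTTPS 443 from the allowed networks only, one outbound database port, no port 5000) in ''iptables-restore'' format and loads it in one atomic step. Its assumptions, which the runbook does not state, are that the host is administered over SSH (port 22) from the same admin networks, that DNS (port 53) is needed to resolve the database hostname, and that the database engine is selected with ''DB_PORT''.

```shell
#!/bin/sh
# Added example (not the runbook's own code): build and apply the gateway host
# firewall as one iptables-restore rule set instead of appending rules by hand.
# Assumptions: SSH (22) from the admin networks, outbound DNS (53), one DB port.

rule() { printf '%s\n' "$1"; }   # printf, not echo: rules start with "-A"

# render_rules ALLOWED_NETS DB_PORT
#   ALLOWED_NETS: space-separated CIDRs allowed to reach HTTPS (and SSH)
#   DB_PORT:      outbound database port from the port table (1433, 5432 or 3306)
render_rules() {
  nets="$1"
  db_port="$2"
  rule '*filter'
  # Default deny in both directions; every ACCEPT below is an explicit exception.
  rule ':INPUT DROP [0:0]'
  rule ':FORWARD DROP [0:0]'
  rule ':OUTPUT DROP [0:0]'
  # Loopback and already-established traffic first: iptables is first-match, and
  # these lines cover most packets, so they precede every port-specific rule.
  rule '-A INPUT -i lo -j ACCEPT'
  rule '-A OUTPUT -o lo -j ACCEPT'
  rule '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  rule '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # HTTPS and SSH only from the allowed networks. There is deliberately no
  # unrestricted "--dport 443 -j ACCEPT": it would match before any restriction.
  for net in $nets; do
    rule "-A INPUT -p tcp --dport 443 -s $net -m conntrack --ctstate NEW -j ACCEPT"
    rule "-A INPUT -p tcp --dport 22 -s $net -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Port 5000 (development HTTP) is absent on purpose: the INPUT policy drops it.
  # Outbound: DNS plus the single database port in use (9090 only if Prometheus is needed).
  rule '-A OUTPUT -p udp --dport 53 -j ACCEPT'
  rule '-A OUTPUT -p tcp --dport 53 -j ACCEPT'
  rule "-A OUTPUT -p tcp --dport $db_port -m conntrack --ctstate NEW -j ACCEPT"
  rule 'COMMIT'
}

# apply_rules ALLOWED_NETS DB_PORT (as root): iptables-restore replaces the whole
# filter table atomically, so no half-applied state exists. Still confirm that the
# SSH rule covers the address you are administering from before running this.
apply_rules() {
  render_rules "$1" "$2" | iptables-restore
  iptables-save > /etc/iptables/rules.v4
}

# Usage (as root):
#   GATEWAY_NETS="10.0.0.0/8 192.168.0.0/16" DB_PORT=5432 sh gateway-iptables.sh
# Without GATEWAY_NETS the script only defines the functions and changes nothing.
if [ -n "${GATEWAY_NETS:-}" ]; then
  apply_rules "$GATEWAY_NETS" "${DB_PORT:-1433}"
fi
```

Run ''render_rules "10.0.0.0/8" 5432'' first and read the output before applying it; the rendered text is exactly what ends up in ''/etc/iptables/rules.v4'' and is what you document in the checklist.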
===== 6. Cloud: Azure NSG =====

<code bash>
# Create the NSG
az network nsg create \
    --resource-group rg-gateway \
    --name gateway-nsg

# HTTPS rule
az network nsg rule create \
    --resource-group rg-gateway \
    --nsg-name gateway-nsg \
    --name AllowHTTPS \
    --priority 100 \
    --direction Inbound \
    --access Allow \
    --protocol Tcp \
    --destination-port-ranges 443 \
    --source-address-prefixes '10.0.0.0/8'
</code>

The NSG only takes effect once it is associated with the gateway's subnet or network interface; until then the rule filters nothing.

----

===== 7. IP allow list in the gateway =====

Alternative to a firewall: filtering inside the application.

**appsettings.json:**

<code json>
{
  "Security": {
    "AllowedIPs": [
      "10.0.0.0/8",
      "192.168.0.0/16",
      "172.16.0.0/12"
    ]
  }
}
</code>

Treat this as defence in depth, not as a replacement for the network rules: the application only sees the source address of the connection that reaches it. Behind a reverse proxy or load balancer that is the proxy's address, unless the proxy forwards the real client address and the application is configured to trust it.

----

===== 8. Testing =====

<code bash>
# Locally
curl https://localhost/health

# From an allowed network
curl https://gateway.example.com/health

# From outside (must be blocked)
curl --connect-timeout 5 https://gateway.example.com/health
# Expected: "Connection timed out" with a DROP rule, "Connection refused" with REJECT.
# An HTTP response of any kind means the restriction is not in place.
</code>

----

===== 9. Checklist =====

| # | Check | Yes/No |
|---|-------|--------|
| 1 | Port 443 inbound allowed | - |
| 2 | Port 5000 (HTTP) blocked | - |
| 3 | Only the required IPs allowed | - |
| 4 | Outbound to the DB allowed | - |
| 5 | Tested from outside | - |
| 6 | Rules documented | - |

----

===== Troubleshooting =====

| Problem | Cause | Solution |
|---------|-------|----------|
| ''Connection refused'' | Port not open, nothing listening on it, or the firewall rejects (REJECT) the connection | Add the firewall rule; check that the gateway is running |
| ''Connection timeout'' | Firewall drops the packets | Check the rule and the source IP |
| Access from anywhere | No source restriction | Limit the source IPs |
| DB connection fails | Outbound blocked | Add the outbound rule |

----

===== Best practices =====

**Principle of least privilege:**

* Open only the required ports
* Allow only the required IPs
* Block HTTP (5000) in production
* Audit the rules regularly

----

===== Related runbooks =====

* [[.:tls-einrichten|TLS setup]] - enable HTTPS
* [[..:automatisierung:kubernetes|Kubernetes]] - NetworkPolicies
* [[..:monitoring:alerting|Alerting]] - connection monitoring

----
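The curl commands in section 8 and items 1 to 3 of the checklist are the same test run from two vantage points. The script below is an added example, not part of this runbook or of the Data Gateway product: it turns those manual checks into a pass/fail run, translating curl's exit status into "open", "refused" or "timeout" so that a DROP rule (timeout) and a REJECT rule (refused) both count as blocked. The host ''gateway.example.com'' and the ''/health'' path come from the runbook; the ''VANTAGE'' variable, the set of checks and the exit-code mapping are this example's assumptions.

```shell
#!/bin/sh
# Added example (not the runbook's own code): scripted version of the section 8
# tests. Run once from an allowed network (VANTAGE=inside) and once from outside.

# classify_curl_exit STATUS: translate a curl exit status into a reachability verdict.
classify_curl_exit() {
  case "$1" in
    0)        echo open ;;        # HTTP response received
    35|52|60) echo open ;;        # TCP connected but TLS/HTTP failed: port is reachable
    7)        echo refused ;;     # RST: nothing listening, or the firewall REJECTs
    28)       echo timeout ;;     # no answer within --connect-timeout: firewall DROP
    *)        echo "unknown($1)" ;;
  esac
}

# probe HOST PORT: connect with curl and print the verdict. Override this function
# (as the test below does) to feed canned results without touching the network.
probe() {
  curl -s -o /dev/null --connect-timeout 5 "https://$1:$2/health" >/dev/null 2>&1
  classify_curl_exit $?
}

# check HOST PORT EXPECTED: one checklist line. EXPECTED is "open" or "blocked",
# where "blocked" accepts both refused (REJECT) and timeout (DROP).
# Prints PASS/FAIL and returns 0/1.
check() {
  got="$(probe "$1" "$2")"
  case "$3" in
    blocked) [ "$got" = refused ] || [ "$got" = timeout ] ;;
    *)       [ "$got" = "$3" ] ;;
  esac
  if [ $? -eq 0 ]; then
    echo "PASS $1:$2 expected=$3 got=$got"
    return 0
  fi
  echo "FAIL $1:$2 expected=$3 got=$got"
  return 1
}

# run_checks HOST: checklist items 1-3 for the vantage point in VANTAGE
# (inside = allowed network, outside = anything else). Returns the number of
# failed checks, so 0 means the host matches the policy from this vantage point.
run_checks() {
  host="$1"
  failures=0
  case "${VANTAGE:-inside}" in
    inside)  check "$host" 443 open    || failures=$((failures + 1)) ;;
    outside) check "$host" 443 blocked || failures=$((failures + 1)) ;;
  esac
  # Development HTTP port must be unreachable from everywhere
  check "$host" 5000 blocked || failures=$((failures + 1))
  return $failures
}

# Usage:
#   sh gateway-check.sh gateway.example.com                   # from an allowed network
#   VANTAGE=outside sh gateway-check.sh gateway.example.com   # from outside
if [ -n "${1:-}" ]; then
  run_checks "$1"
fi
```

A non-zero exit status from the outside run is the finding that matters: it means port 443 answered or port 5000 is reachable, which maps to the "Access from anywhere" row of the troubleshooting table.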
<< [[.:zertifikat-erneuern|<- Certificate renewal]] | [[..:start|-> Operator overview]] >>

----

//Wolfgang van der Stille @ EMSR DATA d.o.o. - Data Gateway Professional//

{{tag>operator runbook firewall sicherheit netzwerk}}