User Tools

Site Tools


network:firewall

Firewall

The router host provides an iptables based firewall that filters traffic for all the ACM public hosts. Generally it can be assumed that a listed publicly accessible host has allowed access to TCP ports 22(SSH), 80(HTTP), and 443(HTTPS). Any additional TCP or UDP application ports that need to be opened for a given host can be configured by an ACM network admin on a per request basis. All port opening requests must include the protocol, TCP, UDP, or both, along with the individual port number.

How to Open a Port

Don't forget to save the new config with iptables-save > /etc/iptables/iptables.conf unless editing the config directly.

First gather the list of ports you need on which protocol.

INPUT Chain

This allows the port to make it through the INPUT chain and onto forwarding.
The affects the INPUT chains for ALL network devices, although loopback is handled prior to this.
Use the -i <interface> flag to restrict the rule further to one network interface, but this is not required.

Single Port

iptables -A <TCP|UDP> -p <tcp|udp> -m <tcp|udp> --dport <port> -j ACCEPT

Multiple Ports

iptables -A <TCP|UDP> -p <tcp|udp> -m multiport --dports <port1>,<port2>,...,<portN> -j ACCEPT

FORWARD Chain

If this interface has not been added to the list of interfaces allowed to forward packets between them, you must first add it with.

iptables -A fw-interfaces -i <interface> -j ACCEPT

Afterwards, you can add the rules that forward ports to specific machines. Use the LAN address of the destination machine inside the network for the '-d' option.

Single Port

iptables -A fw-open -d <172.29.x.x/32> -p <tcp|udp> -m <tcp|udp> --dport <port> -j ACCEPT

Multiple Ports

iptables -A fw-open -d <172.29.x.x/32> -p <tcp|udp> -m multiport --dports<port1>,<port2>,...,<portN> -j ACCEPT

NAT Configuration

Forwarding the ports is, by itself, of little use for WAN accessible hosts. To make sure their traffic can get back in and out of the network correctly, you will also need to create Source and Destination NAT rules for the host. Make sure you have its WAN address as received from the UIC DHCP server, NOT the REAL WAN address. As of writing, this will be of the form 10.7.46.x/32 rather than 131.193.46.x. If you are only adding ports to an existing config, it is likely easier to edit the iptables.conf file and then use iptables-restore to load the new config. Do not forget to save if you added rules via the CLI otherwise you will loose your changes! It is also important to remember iptables rules are processed in order from the top down.

/etc/iptables/iptables.conf

:POSTROUTING ACCEPT [35:50336]
#DNAT
-A PREROUTING -d <10.7.46.x/32> -p tcp -m multiport --dports 22,80,443,...,<portN> -j DNAT --to-destination <172.29.x.x> -j ACCEPT
-A PREROUTING -d <10.7.46.x/32> -p udp -m multiport --dports 6667,64738,...,<portN> -j DNAT --to-destination <172.29.x.x> -j ACCEPT
#SNAT
-A POSTROUTING -s <172.29.x.x/32> -o <wan_interface> -j SNAT -to-source <10.7.46.x>
COMMIT

network/firewall.txt · Last modified: 2016/02/04 16:00 by walter