network:firewall

network:firewall [2016/02/04 22:00] walter

====== How to Open a Port ======
<WRAP center round important 60%>
Rules added with the iptables command live only in the running kernel and are gone after a reboot. Don't forget to save the new config with **iptables-save > /etc/iptables/iptables.conf** unless you are editing the config file directly and loading it with iptables-restore.
</WRAP>

**First** gather the list of ports you need, and for each one whether it is TCP or UDP. Open nothing beyond that list.

===== INPUT Chain =====
The INPUT chain only sees traffic addressed to the firewall host itself. Packets forwarded to a LAN host never traverse it (they go through FORWARD, below), so open a port here only when a service running on the firewall must be reachable. \\
The TCP and UDP user chains are consulted for new connections arriving on ALL network interfaces; loopback is accepted earlier in INPUT and is not affected. \\
Use the -i <interface> flag to restrict the rule to one network interface. It is optional, but without it the port is open on the WAN side as well.\\
==== Single Port ====
<code>
iptables -A <TCP|UDP> -p <tcp|udp> -m <tcp|udp> --dport <port> -j ACCEPT
</code>
==== Multiple Ports ====
<code>
iptables -A <TCP|UDP> -p <tcp|udp> -m multiport --dports <port1>,<port2>,...,<portN> -j ACCEPT
</code>
===== FORWARD Chain =====

If the interface the traffic arrives on is not yet in the fw-interfaces chain (the list of interfaces allowed to forward packets), add it first. This accepts everything arriving on that interface for forwarding, so use it only for internal (LAN-side) interfaces; traffic coming in from the WAN is admitted per port by the fw-open rules below.
<code>
iptables -A fw-interfaces -i <interface> -j ACCEPT
</code>
Afterwards, add the rules that allow forwarded traffic to reach specific machines. Use the machine's LAN address (172.29.x.x) for the -d option: the FORWARD chain sees the packet after DNAT has rewritten its destination, so this is the internal address, not the WAN address.
==== Single Port ====
<code>
iptables -A fw-open -d <172.29.x.x/32> -p <tcp|udp> -m <tcp|udp> --dport <port> -j ACCEPT
</code>
==== Multiple Ports ====
<code>
iptables -A fw-open -d <172.29.x.x/32> -p <tcp|udp> -m multiport --dports <port1>,<port2>,...,<portN> -j ACCEPT
</code>

====== NAT Configuration ======

Forwarding the ports is, by itself, of little use for WAN-accessible hosts: packets arriving from the WAN are addressed to the firewall's WAN address, not to the LAN host. To get their traffic into and back out of the network correctly, you also need a Destination NAT rule (rewrite the WAN address to the host's LAN address on the way in) and a Source NAT rule (rewrite the host's LAN address to its WAN address on the way out). **Make sure you use the WAN address as received from the UIC DHCP server, //NOT// the REAL WAN address.** As of writing, this will be of the form 10.7.46.x/32 rather than 131.193.46.x. If you are only adding ports to an existing config, it is usually easier to edit the iptables.conf file and then use iptables-restore to load the new config. //Do not forget to save if you added rules via the CLI, otherwise you will lose your changes!// Remember also that iptables rules are processed in order from the top down within each chain: the first matching rule with a terminal target (ACCEPT, DROP, REJECT, DNAT, SNAT) decides, and later rules are never reached for that packet. DNAT is itself a terminal target, so a rule carries exactly one -j; the ACCEPT for the forwarded traffic belongs in the fw-open chain above, not on the DNAT line. The excerpt below is the nat table section of the file.

<file|/etc/iptables/iptables.conf>
*nat
:POSTROUTING ACCEPT [35:50336]
#DNAT
-A PREROUTING -d <10.7.46.x/32> -p tcp -m multiport --dports 22,80,443,...,<portN> -j DNAT --to-destination <172.29.x.x>
-A PREROUTING -d <10.7.46.x/32> -p udp -m multiport --dports 6667,64738,...,<portN> -j DNAT --to-destination <172.29.x.x>
#SNAT
-A POSTROUTING -s <172.29.x.x/32> -o <wan_interface> -j SNAT --to-source <10.7.46.x>
COMMIT
</file>
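The whole procedure above (fw-open rules in the FORWARD chain plus the DNAT/SNAT pair in the nat table) for one host, as an added example that is not part of this wiki page. It assumes the same chain layout the page uses (the fw-open user chain in the filter table) and the page's addressing convention (DHCP-assigned WAN addresses 10.7.x.x, LAN hosts 172.29.x.x), and it enforces the two checks the page warns about: the WAN address must be the DHCP one, and every rule carries a single -j. The addresses, ports and interface name in the invocation at the bottom are placeholders.

```shell
#!/bin/sh
# Added example, not from the original wiki page: emit the rules needed to
# expose one LAN host through this firewall, in iptables-restore format.
# Assumes the page's chain layout (user chain fw-open in *filter) and its
# addressing (WAN 10.7.x.x from DHCP, LAN 172.29.x.x). All concrete values
# used in the invocation at the end are placeholders.

# Return 0 if $1 is a dotted quad with four octets in 0..255.
ipv4_ok() {
    _ip=$1 _n=0
    while [ -n "$_ip" ]; do
        case $_ip in
            *.*) _o=${_ip%%.*}; _ip=${_ip#*.} ;;
            *)   _o=$_ip; _ip= ;;
        esac
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
        _n=$((_n + 1))
    done
    [ "$_n" -eq 4 ]
}

# Return 0 if $1 is a comma-separated list of ports, each an integer 1..65535,
# with no empty entries (multiport rejects those at load time; catch it here).
port_list_ok() {
    _list=$1
    case $_list in ''|,*|*,|*,,*) return 1 ;; esac
    while [ -n "$_list" ]; do
        case $_list in
            *,*) _p=${_list%%,*}; _list=${_list#*,} ;;
            *)   _p=$_list; _list= ;;
        esac
        case $_p in ''|*[!0-9]*) return 1 ;; esac
        [ "$_p" -ge 1 ] && [ "$_p" -le 65535 ] || return 1
    done
    return 0
}

# Match clause for one protocol: --dport for a single port, multiport for a list.
match_clause() {
    case $2 in
        *,*) printf '%s' "-p $1 -m multiport --dports $2" ;;
        *)   printf '%s' "-p $1 --dport $2" ;;
    esac
}

# Print the rules for one host:
#   host_rules <wan_dhcp_ip> <lan_ip> <wan_interface> <tcp_ports> <udp_ports>
# Either port list may be empty, but not both.
host_rules() {
    wan=$1 lan=$2 wan_if=$3 tcp=$4 udp=$5
    ipv4_ok "$wan" && ipv4_ok "$lan" || { echo "host_rules: bad address" >&2; return 1; }
    # The page's warning: NAT to the DHCP-assigned WAN address, never the real one.
    case $wan in 10.7.*) ;; *) echo "host_rules: WAN address must be the DHCP-assigned 10.7.x.x address" >&2; return 1 ;; esac
    case $lan in 172.29.*) ;; *) echo "host_rules: LAN address must be 172.29.x.x" >&2; return 1 ;; esac
    [ -n "$wan_if" ] || { echo "host_rules: no WAN interface" >&2; return 1; }
    [ -n "$tcp$udp" ] || { echo "host_rules: no ports given" >&2; return 1; }
    for _l in "$tcp" "$udp"; do
        [ -z "$_l" ] || port_list_ok "$_l" || { echo "host_rules: bad port list '$_l'" >&2; return 1; }
    done

    # filter table: let the forwarded traffic reach the host (FORWARD chain section).
    printf '%s\n' '*filter'
    [ -z "$tcp" ] || printf '%s\n' "-A fw-open -d $lan/32 $(match_clause tcp "$tcp") -j ACCEPT"
    [ -z "$udp" ] || printf '%s\n' "-A fw-open -d $lan/32 $(match_clause udp "$udp") -j ACCEPT"
    printf '%s\n' 'COMMIT'
    # nat table: DNAT inbound traffic to the LAN host, SNAT its outbound traffic
    # to its WAN address. DNAT and SNAT are terminal targets: one -j per rule.
    printf '%s\n' '*nat'
    [ -z "$tcp" ] || printf '%s\n' "-A PREROUTING -d $wan/32 $(match_clause tcp "$tcp") -j DNAT --to-destination $lan"
    [ -z "$udp" ] || printf '%s\n' "-A PREROUTING -d $wan/32 $(match_clause udp "$udp") -j DNAT --to-destination $lan"
    printf '%s\n' "-A POSTROUTING -s $lan/32 -o $wan_if -j SNAT --to-source $wan"
    printf '%s\n' 'COMMIT'
}

# Placeholder invocation: SSH/HTTP/HTTPS over TCP and one UDP port for one host.
host_rules 10.7.46.20 172.29.1.10 eth0 22,80,443 64738
```

Pipe the output into iptables-restore --noflush so the rules are appended to the existing chains instead of replacing the whole ruleset, verify with iptables -S fw-open and iptables -t nat -S, and then save with iptables-save > /etc/iptables/iptables.conf as the note at the top of the page says.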
network/firewall.txt · Last modified: 2021/05/02 21:36 (external edit)