This shows you the differences between two versions of the page.
network:firewall [2016/02/04 21:38] walter [How to Open a Port] |
network:firewall [2021/05/02 21:36] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Firewall ====== | ||
- | The router host provides an iptables based firewall that filters traffic for all the ACM public hosts. Generally it can be assumed that a listed publicly accessible host has allowed access to TCP ports 22(SSH), 80(HTTP), and 443(HTTPS). Any additional TCP or UDP application ports that need to be opened for a given host can be configured by an [[:admins#network_admin|ACM network admin]] on a per request basis. **All port opening requests must include the protocol, TCP, UDP, or both, along with the individual port number. ** | ||
- | |||
- | ====== How to Open a Port ====== | ||
- | <WRAP center round important 60%> | ||
- | Don't forget to save the new config with **iptables-save > /etc/iptables/iptables.conf** unless editing the config directly. | ||
- | </WRAP> | ||
- | |||
- | **First** gather the list of ports you need on which protocol. | ||
- | |||
- | ===== INPUT Chain ===== | ||
- | This allows the port to make it through the INPUT chain and onto forwarding. \\ | ||
- | The affects the INPUT chains for ALL network devices, although loopback is handled prior to this. \\ | ||
- | Use the -i <interface> flag to restrict the rule to one network interface.\\ | ||
- | ==== Single Port ==== | ||
- | <code> | ||
- | iptables -A <TCP|UDP> -p <tcp|udp> -m <tcp|udp> --dport <port> -j ACCEPT | ||
- | </code> | ||
- | ==== Multiple Ports ==== | ||
- | <code> | ||
- | iptables -A <TCP|UDP> -p <tcp|udp> -m multiport --dports <port1>,<port2>,...,<portN> -j ACCEPT | ||
- | </code> | ||
- | ===== FORWARD Chain ===== | ||
- | |||
- | If this interface has not been added to the list of interfaces allowed to forward packets between them, you must first add it with. | ||
- | <code> | ||
- | iptables -A fw-interfaces -i <interface> -j ACCEPT | ||
- | </code> | ||
- | Afterwards, you can add the rules that forward ports to specific machines. | ||
- | ==== Single Port ==== | ||
- | <code> | ||
- | iptables -A fw-open -d <x.x.x.x/32> -p <tcp|udp> -m <tcp|udp> --dport <port> -j ACCEPT | ||
- | </code> | ||
- | ==== Multiple Ports ==== | ||
- | <code> | ||
- | iptables -A fw-open -d <x.x.x.x/32> -p <tcp|udp> -m multiport --dports<port1>,<port2>,...,<portN> -j ACCEPT | ||
- | </code> |
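Review bot: the multiport FORWARD rule is missing the space between the option and its argument (`--dports<port1>,<port2>,...,<portN>` where the INPUT variant correctly reads `--dports <port1>,<port2>,...,<portN>`), so anyone copying it verbatim gets an option-parse error; fix the typo so the two multiport rules are consistent. Two documentation gaps are also worth closing in the same edit: every rule appends (`-A`) to a custom chain (`TCP`, `UDP`, `fw-interfaces`, `fw-open`) that the page never defines or shows being jumped to from INPUT or FORWARD, so it should state that these chains already exist on the router host (the INPUT section says the rule "allows the port to make it through the INPUT chain" without saying how the TCP/UDP chains are reached); and the prerequisite `iptables -A fw-interfaces -i <interface> -j ACCEPT` accepts all forwarded traffic arriving on that interface, not only the ports being requested, which the text should say explicitly since the per-port `fw-open` rules that follow are scoped to a single `/32` destination. Minor: "The affects the INPUT chains" should read "This affects the INPUT chains".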