network:firewall

Differences

network:firewall [2016/02/04 15:38]
walter [How to Open a Port]
network:firewall [2016/02/04 16:00] (current)
walter
Line 13: Line 13:
 This allows the port to make it through the INPUT chain and onto forwarding. \\ This allows the port to make it through the INPUT chain and onto forwarding. \\
 The affects the INPUT chains for ALL network devices, although loopback is handled prior to this. \\ The affects the INPUT chains for ALL network devices, although loopback is handled prior to this. \\
-Use the -i <​interface>​ flag to restrict the rule to one network interface.\\+Use the -i <​interface>​ flag to restrict the rule further ​to one network interface, but this is not required.\\
 ==== Single Port ==== ==== Single Port ====
 <​code>​ <​code>​
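Review bot: the added qualifier "but this is not required" on the -i <interface> line undercuts the warning two lines above it, that this ACCEPT rule affects the INPUT chains of ALL network devices; without -i the port is opened on every interface, not just the one intended. Suggest keeping the original sentence or stating the consequence instead, e.g. "Use the -i <interface> flag to restrict the rule to one network interface; without it the port is accepted on all interfaces."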
Line 28: Line 28:
 iptables -A fw-interfaces -i <​interface>​ -j ACCEPT iptables -A fw-interfaces -i <​interface>​ -j ACCEPT
 </​code>​ </​code>​
-Afterwards, you can add the rules that forward ports to specific machines. ​+Afterwards, you can add the rules that forward ports to specific machines. ​Use the LAN address of the destination machine inside the network for the '​-d'​ option.  ​
 ==== Single Port ==== ==== Single Port ====
 <​code>​ <​code>​
-iptables -A fw-open -d <x.x.x.x/32> -p <​tcp|udp>​ -m <​tcp|udp>​ --dport <​port>​ -j ACCEPT+iptables -A fw-open -d <172.29.x.x/32> -p <​tcp|udp>​ -m <​tcp|udp>​ --dport <​port>​ -j ACCEPT
 </​code>​ </​code>​
 ==== Multiple Ports ==== ==== Multiple Ports ====
 <​code>​ <​code>​
-iptables -A fw-open -d <x.x.x.x/32> -p <​tcp|udp>​ -m multiport --dports<​port1>,<​port2>,​...,<​portN>​ -j ACCEPT+iptables -A fw-open -d <172.29.x.x/32> -p <​tcp|udp>​ -m multiport --dports<​port1>,<​port2>,​...,<​portN>​ -j ACCEPT
 </​code>​ </​code>​
 +
 +====== NAT Configuration ======
 +
 +Forwarding the ports is, by itself, of little use for WAN accessible hosts. To make sure their traffic can get back in and out of the network correctly, you will also need to create Source and Destination NAT rules for the host. **Make sure you have its WAN address as received from the UIC DHCP server, //NOT// the REAL WAN address.** As of writing, this will be of the form 10.7.46.x/​32 rather than 131.193.46.x. If you are only adding ports to an existing config, it is likely easier to edit the iptables.conf file and then use iptables-restore to load the new config. //Do not forget to save if you added rules via the CLI otherwise you will loose your changes!// It is also important to remember iptables rules are processed in order from the top down. 
 +
 +<​file|/​etc/​iptables/​iptables.conf>​
 +:​POSTROUTING ACCEPT [35:50336]
 +#DNAT
 +-A PREROUTING -d <​10.7.46.x/​32>​ -p tcp -m multiport --dports 22,​80,​443,​...,<​portN>​ -j DNAT --to-destination <​172.29.x.x>​ -j ACCEPT
 +-A PREROUTING -d <​10.7.46.x/​32>​ -p udp -m multiport --dports 6667,​64738,​...,<​portN>​ -j DNAT --to-destination <​172.29.x.x>​ -j ACCEPT
 +#SNAT
 +-A POSTROUTING -s <​172.29.x.x/​32>​ -o <​wan_interface>​ -j SNAT -to-source <​10.7.46.x>​
 +COMMIT
 +</​file>​
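Review bot: both DNAT rules in the new NAT file block carry two jump targets (`-j DNAT --to-destination <172.29.x.x> -j ACCEPT`); iptables permits only one -j per rule, so iptables-restore will reject the whole file. Drop the trailing `-j ACCEPT`, since the DNAT target already terminates the rule in PREROUTING. The SNAT rule uses a single-dash `-to-source`, which should be `--to-source`. The block also opens at `:POSTROUTING ACCEPT [35:50336]` and ends at `COMMIT` without a `*nat` line or a `:PREROUTING` declaration; if it is meant to be pasted as-is, the text should say it is an excerpt of the nat table section rather than a complete file. Minor: "loose your changes" should read "lose your changes".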
network/firewall.txt · Last modified: 2016/02/04 16:00 by walter