wiki:firewall
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
|
wiki:firewall [2018/03/09 10:05] ghi created |
— (current) | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Firewall ====== | ||
| - | |||
| - | The Linux iptables/ip6tables firewalls are enabled by default. | ||
| - | |||
| - | ===== Default configuration ===== | ||
| - | |||
| - | ==== Firmware version v3.3.3 ==== | ||
| - | |||
| - | Major changes were introduced in the v3.3.3 version: | ||
| - | |||
| - | * Removal of the automatic acceptance of incoming packets which are analyzed by the kernel as belonging to the same (or some related) flow. The removed rule was: \\ | ||
| - | |||
| - | <code> | ||
| - | iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
| - | </code> | ||
| - | |||
| - | * ICMP incoming traffic is accepted, and all outgoing traffic for any protocol is also accepted by default. | ||
| - | * Rules also apply for IPv6, which benefits from the same filtering rules as IPv4. | ||
| - | * Firewall now has rejection rules at the end of the INPUT and OUTPUT chains, to properly disallow non-matching trafic. This implies that new rules appended to the chain will never be matched. \\ | ||
| - | If you want to add new rules, either make sure to add them to a file in ''/etc/firewall.d/'', or if you add them in your application, prepend them to the chain by using “-I” (insert) instead of “-A” (append). | ||
| - | |||
| - | By default, the flows allowed, for IPv4 and IPv6, are: DHCP, DNS, ICMP, SSH, NTP, HTTP (TCP/80), HTTPS. | ||
| - | |||
| - | ==== Firmware version v3.1.X ==== | ||
| - | ++++ Click to pull down| | ||
| - | By default, only the following ports are opened in IPv4: | ||
| - | |||
| - | * Input: DNS (TCP-UDP/53), HTTP (TCP/80), HTTPS (TCP/443), SSH (TCP/22), DHCP (UDP/67-68) | ||
| - | * Output: DNS (TCP-UDP/53), HTTP (TCP/80), HTTPS (TCP/443), SSH (TCP/22), NTP (UDP/123), ICMP | ||
| - | |||
| - | Regarding IPv6, by default, everything is rejected, except ICMPv6 (Input, Output). | ||
| - | |||
| - | This configuration can be modified by the application using standard Linux command ''iptables'' for IPv4, and ''ip6tables'' for IPv6. | ||
| - | ++++ | ||
| - | ===== Custom rules ===== | ||
| - | |||
| - | ==== Firmware version v3.3.3 ==== | ||
| - | |||
| - | === Modify/Add rules === | ||
| - | |||
| - | Custom rules can be added in ''/etc/firewall.d/'', in the ''iptables-save/dump'' format.\\ | ||
| - | Four tables are already created with default rules. These files can be edited by the user to add or remove rules. Files named ''*.rules'' are used for IPv4, and ''*.v6rules'' for IPv6. | ||
| - | |||
| - | * 00_default.rules | ||
| - | * 00_default.v6rules | ||
| - | * zz_reject.rules | ||
| - | * zz_reject.v6rules | ||
| - | |||
| - | === Apply new rules === | ||
| - | |||
| - | To apply new rules, reboot the gateway or restart the firewall with the command ''/etc/init.d/firewall restart''. | ||
| - | |||
| - | === Check rules applied === | ||
| - | |||
| - | To check the rules, launch the command: ''iptables -L'' for IPv4 rules and ''ip6tables -L'' for IPv6 rules. | ||
| - | |||
| - | ==== Firmware version v3.1.X ==== | ||
| - | |||
| - | ++++ Click to pull down| | ||
| - | Custom rules can be added in ''/etc/firewall.d/'', in the ''iptables-save/dump'' format.\\ | ||
| - | Files named ''*.rules'' are used for IPv4, and ''*.v6rules'' for IPv6. | ||
| - | |||
| - | - Create an empty file ''.rules'' in ''/etc/firewall.d/'', for example ''custom.rules''. | ||
| - | - Launch the command: ''iptables-save > /etc/firewall.d/custom.rules'' | ||
| - | - Launch the command: ''/etc/init.d/firewall restart'' => All default rules of the firewall will be then in the file ''/etc/firewall.d/custom.rules''. | ||
| - | - Edit the file ''/etc/firewall.d/custom.rules'' and __add it some new rules__. | ||
| - | - Launch the command: ''/etc/init.d/firewall restart'' | ||
| - | - Launch the command: ''iptables -L'' => The new rules are applied. | ||
| - | |||
| - | |||
| - | <note important> | ||
| - | Custom rules and IPv6 support are only available for firmware version v3.1.7 and upper. | ||
| - | </note> | ||
| - | ++++ | ||
| - | ===== Example ===== | ||
| - | |||
| - | These rules can allow UDP traffic to go through and from remote port 1600 on UDP: | ||
| - | |||
| - | <code bash> | ||
| - | -A INPUT -p udp --sport 1600 -j ACCEPT | ||
| - | -A OUTPUT -p udp --dport 1600 -j ACCEPT | ||
| - | </code> | ||
| - | |||
| - | Add these rules in the ''/user/rootfs_rw/etc/firewall.d/00_default.rules'' file. | ||
| - | |||
| - | <code bash> | ||
| - | # Default IPv4 firewall rules for Keros | ||
| - | * filter | ||
| - | # Open output port for DNS request | ||
| - | -A OUTPUT -p udp --dport domain -j ACCEPT | ||
| - | -A INPUT -p udp --sport domain -j ACCEPT | ||
| - | -A OUTPUT -p tcp --dport domain -j ACCEPT | ||
| - | -A INPUT -p tcp --sport domain ! --syn -j ACCEPT | ||
| - | # Allows loopback | ||
| - | -A INPUT -i lo -j ACCEPT | ||
| - | -A OUTPUT -o lo -j ACCEPT | ||
| - | # SSH | ||
| - | -A OUTPUT -p tcp --dport ssh -j ACCEPT | ||
| - | -A INPUT -p tcp --sport ssh ! --syn -j ACCEPT | ||
| - | -A OUTPUT -p tcp --sport ssh -j ACCEPT | ||
| - | -A INPUT -p tcp --dport ssh -j ACCEPT | ||
| - | # NTP Out | ||
| - | -A OUTPUT -p udp --dport ntp -j ACCEPT | ||
| - | -A INPUT -p udp --sport ntp -j ACCEPT | ||
| - | # outbound HTTP + HTTPS | ||
| - | -A OUTPUT -p tcp --dport http -j ACCEPT | ||
| - | -A INPUT -p tcp --sport http ! --syn -j ACCEPT | ||
| - | -A OUTPUT -p tcp --dport https -j ACCEPT | ||
| - | -A INPUT -p tcp --sport https ! --syn -j ACCEPT | ||
| - | |||
| - | # ICMP | ||
| - | -A OUTPUT -p icmp -j ACCEPT | ||
| - | -A INPUT -p icmp -j ACCEPT | ||
| - | |||
| - | # TCP resets that we use to REJECT connection attempts | ||
| - | -A OUTPUT -p tcp --tcp-flags RST RST -j ACCEPT | ||
| - | # or that we receive (useful to terminate connection if no symmetric rule exist on INPUT) | ||
| - | -A INPUT -p tcp --tcp-flags RST RST -j ACCEPT | ||
| - | |||
| - | # DHCP client and server | ||
| - | -A INPUT -p udp --dport bootps:bootpc --sport bootps:bootpc -j ACCEPT | ||
| - | |||
| - | # My new rules | ||
| - | -A OUTPUT -p udp --dport 1600 -j ACCEPT | ||
| - | -A INPUT -p udp --sport 1600 -j ACCEPT | ||
| - | |||
| - | |||
| - | |||
| - | COMMIT | ||
| - | </code> | ||
| - | |||
| - | Restart the firewall to apply the rules: | ||
| - | |||
| - | <code bash> | ||
| - | # /etc/init.d/firewall restart | ||
| - | Flushing iptable rules. | ||
| - | Set default policy to 'ACCEPT' | ||
| - | Flushing ip6table rules. | ||
| - | Setting default IPv6 policy to 'ACCEPT' | ||
| - | Flushing iptable rules. | ||
| - | Applying IPv4 firewall config file /etc/firewall.d//00_default.rules | ||
| - | Applying IPv4 firewall config file /etc/firewall.d//zz_reject.rules | ||
| - | Flushing ip6table rules. | ||
| - | Applying IPv6 firewall config file /etc/firewall.d//00_default.v6rules | ||
| - | Applying IPv6 firewall config file /etc/firewall.d//zz_reject.v6rules | ||
| - | root@klk-lpbs-04018B:/user/rootfs_rw/etc/firewall.d # | ||
| - | </code> | ||
| - | |||
| - | Check the result with: | ||
| - | |||
| - | <code bash> | ||
| - | # iptables -L | ||
| - | Chain INPUT (policy ACCEPT) | ||
| - | target prot opt source destination | ||
| - | ACCEPT udp -- anywhere anywhere udp spt:domain | ||
| - | ACCEPT tcp -- anywhere anywhere tcp spt:domain flags:!FIN,SYN,RST,ACK/SYN | ||
| - | ACCEPT all -- anywhere anywhere | ||
| - | ACCEPT tcp -- anywhere anywhere tcp spt:ssh flags:!FIN,SYN,RST,ACK/SYN | ||
| - | ACCEPT tcp -- anywhere anywhere tcp dpt:ssh | ||
| - | ACCEPT udp -- anywhere anywhere udp spt:ntp | ||
| - | ACCEPT tcp -- anywhere anywhere tcp spt:http flags:!FIN,SYN,RST,ACK/SYN | ||
| - | ACCEPT tcp -- anywhere anywhere tcp spt:https flags:!FIN,SYN,RST,ACK/SYN | ||
| - | ACCEPT icmp -- anywhere anywhere | ||
| - | ACCEPT tcp -- anywhere anywhere tcp flags:RST/RST | ||
| - | ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc | ||
| - | ACCEPT udp -- anywhere anywhere udp spt:1600 | ||
| - | REJECT tcp -- anywhere anywhere reject-with tcp-reset | ||
| - | REJECT all -- anywhere anywhere reject-with icmp-port-unreachable | ||
| - | Chain FORWARD (policy ACCEPT) | ||
| - | target prot opt source destination | ||
| - | Chain OUTPUT (policy ACCEPT) | ||
| - | target prot opt source destination | ||
| - | ACCEPT udp -- anywhere anywhere udp dpt:domain | ||
| - | ACCEPT tcp -- anywhere anywhere tcp dpt:domain | ||
| - | ACCEPT all -- anywhere anywhere | ||
| - | ACCEPT tcp -- anywhere anywhere tcp dpt:ssh | ||
| - | ACCEPT tcp -- anywhere anywhere tcp spt:ssh | ||
| - | ACCEPT udp -- anywhere anywhere udp dpt:ntp | ||
| - | ACCEPT tcp -- anywhere anywhere tcp dpt:http | ||
| - | ACCEPT tcp -- anywhere anywhere tcp dpt:https | ||
| - | ACCEPT icmp -- anywhere anywhere | ||
| - | ACCEPT tcp -- anywhere anywhere tcp flags:RST/RST | ||
| - | ACCEPT udp -- anywhere anywhere udp dpt:1600 | ||
| - | REJECT tcp -- anywhere anywhere reject-with tcp-reset | ||
| - | REJECT all -- anywhere anywhere reject-with icmp-port-unreachable | ||
| - | </code> | ||
wiki/firewall.1520586349.txt.gz · Last modified: 2019/01/17 10:01 (external edit)
