====== Firewall ======
The Linux iptables/ip6tables firewalls are enabled by default.
===== Default configuration =====
* ICMP incoming traffic is accepted, and all outgoing traffic for any protocol is also accepted by default.
* Rules also apply for IPv6, which benefits from the same filtering rules as IPv4.
* The firewall ends the INPUT and OUTPUT chains with rejection rules, so that any traffic not matched by an earlier rule is explicitly rejected. This implies that a rule appended to the chain lands after the rejection rule and will never be matched.
If you want to add new rules, either add them to a file in ''/etc/firewall.d/'', or, if your application adds them at runtime, prepend them to the chain with ''-I'' (insert) instead of ''-A'' (append).
By default, the flows allowed, for IPv4 and IPv6, are: DHCP, DNS, ICMP, SSH, NTP, HTTP (TCP/80), HTTPS.
===== Custom rules =====
==== Modify/Add rules ====
Custom rules can be added in ''/etc/firewall.d/'', in the dump format produced by ''iptables-save'' (and read by ''iptables-restore'').\\
Some files are already present with default rules. These files can be edited by the user to add or remove rules. Files named ''*.rules'' are used for IPv4, and ''*.v6rules'' for IPv6.
Two files are dedicated to web interface access: ''/etc/firewall.d/webaw.rules'' and ''/etc/firewall.d/webaw.v6rules''. Do not modify these files.
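The two points made above, that rule files are plain ''iptables-save'' dumps and that a rule appended behind the closing REJECT is never matched, can be checked mechanically before a restart. The audit script below is an added example for this page, not part of the Keros firmware; run it from a workstation against a copy of ''/etc/firewall.d/''. It assumes the files are applied in sorted filename order (''00_default.rules'' before ''zz_reject.rules'', as the restart log in the Example section shows) and that the last file closes each chain with a catch-all REJECT, as the ''iptables -L'' output shows; the rule samples embedded in it are constructed. Beyond the ordering check it also flags INPUT rules that accept on source port alone, the stateless return-path pattern this ruleset relies on, so that each such opening is a deliberate choice rather than an accident.

```python
"""Audit /etc/firewall.d rule files (iptables-save format) for two pitfalls.

Added example, not part of the Keros firmware. Assumes *.rules files are
applied in sorted filename order (00_default.rules before zz_reject.rules).
"""
import shlex
import sys
from pathlib import Path

TERMINAL_TARGETS = {"REJECT", "DROP"}


def parse_rules(text):
    """Return (command, chain, options) for each -A/-I line of iptables-save text.

    Table headers (*filter), chain policies (:INPUT ACCEPT [0:0]), comments and
    COMMIT are skipped. An explicit rule number after "-I CHAIN" is dropped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*:" or line == "COMMIT":
            continue
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] not in ("-A", "-I"):
            continue
        command, chain, options = tokens[0], tokens[1], tokens[2:]
        if command == "-I" and options and options[0].isdigit():
            options = options[1:]
        rules.append((command, chain, options))
    return rules


def target_of(options):
    """Return the jump target given by -j, or None if the rule has none."""
    for i, tok in enumerate(options):
        if tok == "-j" and i + 1 < len(options):
            return options[i + 1]
    return None


def is_catch_all(options):
    """True when nothing but the target (and its --reject-with) is specified."""
    rest = list(options)
    for flag in ("-j", "--reject-with"):
        if flag in rest:
            i = rest.index(flag)
            del rest[i:i + 2]
    return not rest


def audit_text(text):
    """Return (severity, chain, rule, message) findings for concatenated rules."""
    findings = []
    blocked = set()  # chains that have already reached a catch-all REJECT/DROP
    for command, chain, options in parse_rules(text):
        rule = " ".join([command, chain] + options)
        target = target_of(options)
        # Pitfall 1: a rule appended (-A) behind the catch-all reject is dead.
        if command == "-A" and chain in blocked:
            findings.append(("error", chain, rule,
                             "appended after a catch-all rule and will never match; "
                             "put it in an earlier firewall.d file or insert it with -I"))
        if target in TERMINAL_TARGETS and is_catch_all(options):
            blocked.add(chain)
        # Pitfall 2: stateless return-traffic rule keyed on source port alone.
        if (chain == "INPUT" and target == "ACCEPT" and "--sport" in options
                and "--dport" not in options and "--syn" not in options):
            findings.append(("notice", chain, rule,
                             "accepts any packet carrying this source port, whatever "
                             "the local destination port (stateless return-path rule)"))
    return findings


def audit_directory(directory, suffix=".rules"):
    """Audit all *.rules (or *.v6rules) files of a directory in sorted order."""
    files = sorted(Path(directory).glob("*" + suffix))
    return audit_text("\n".join(p.read_text() for p in files))


# Constructed samples: a default file, then a reject file with one rule
# mistakenly appended after the catch-all REJECT.
SAMPLE_DEFAULT = """\
*filter
-A INPUT -i lo -j ACCEPT
-A OUTPUT -p udp --dport ntp -j ACCEPT
-A INPUT -p udp --sport ntp -j ACCEPT
-A OUTPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -p tcp --sport ssh ! --syn -j ACCEPT
-A OUTPUT -p udp --dport 1600 -j ACCEPT
-A INPUT -p udp --sport 1600 -j ACCEPT
COMMIT
"""
SAMPLE_REJECT = """\
*filter
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp --dport 8080 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    # With a directory argument, audit a copy of /etc/firewall.d; otherwise the samples.
    found = (audit_directory(sys.argv[1]) if len(sys.argv) > 1
             else audit_text(SAMPLE_DEFAULT + SAMPLE_REJECT))
    for severity, chain, rule, message in found:
        print(f"[{severity}] {chain}: {rule}\n    {message}")
```

On the constructed samples the script reports two notices (the NTP and port-1600 return rules on INPUT) and one error (the port-8080 rule appended after the catch-all REJECT). Pass ''.v6rules'' as the suffix to audit the IPv6 files the same way.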
==== Apply new rules ====
To apply new rules, reboot the gateway or restart the firewall with the command ''/etc/init.d/firewall restart''.
==== Check rules applied ====
To check the rules, launch the command: ''iptables -L'' for IPv4 rules and ''ip6tables -L'' for IPv6 rules.
===== Example =====
These rules allow UDP traffic to and from remote port 1600:
<code>
-A INPUT -p udp --sport 1600 -j ACCEPT
-A OUTPUT -p udp --dport 1600 -j ACCEPT
</code>
Add these rules to the ''/etc/firewall.d/00_default.rules'' file, which then reads:
<code>
# Default IPv4 firewall rules for Keros
*filter
# Open output port for DNS request
-A OUTPUT -p udp --dport domain -j ACCEPT
-A INPUT -p udp --sport domain -j ACCEPT
-A OUTPUT -p tcp --dport domain -j ACCEPT
-A INPUT -p tcp --sport domain ! --syn -j ACCEPT
# Allows loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# SSH
-A OUTPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -p tcp --sport ssh ! --syn -j ACCEPT
-A OUTPUT -p tcp --sport ssh -j ACCEPT
-A INPUT -p tcp --dport ssh -j ACCEPT
# NTP Out
-A OUTPUT -p udp --dport ntp -j ACCEPT
-A INPUT -p udp --sport ntp -j ACCEPT
# outbound HTTP + HTTPS
-A OUTPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --sport http ! --syn -j ACCEPT
-A OUTPUT -p tcp --dport https -j ACCEPT
-A INPUT -p tcp --sport https ! --syn -j ACCEPT
# ICMP
-A OUTPUT -p icmp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# TCP resets that we use to REJECT connection attempts
-A OUTPUT -p tcp --tcp-flags RST RST -j ACCEPT
# or that we receive (useful to terminate connection if no symmetric rule exist on INPUT)
-A INPUT -p tcp --tcp-flags RST RST -j ACCEPT
# DHCP client and server
-A INPUT -p udp --dport bootps:bootpc --sport bootps:bootpc -j ACCEPT
# My new rules
-A OUTPUT -p udp --dport 1600 -j ACCEPT
-A INPUT -p udp --sport 1600 -j ACCEPT
COMMIT
</code>
Restart the firewall to apply the rules:
<code>
# /etc/init.d/firewall restart
Flushing iptable rules.
Set default policy to 'ACCEPT'
Flushing ip6table rules.
Setting default IPv6 policy to 'ACCEPT'
Flushing iptable rules.
Applying IPv4 firewall config file /etc/firewall.d//00_default.rules
Applying IPv4 firewall config file /etc/firewall.d//zz_reject.rules
Flushing ip6table rules.
Applying IPv6 firewall config file /etc/firewall.d//00_default.v6rules
Applying IPv6 firewall config file /etc/firewall.d//zz_reject.v6rules
root@klk-lpbs-04018B:/user/rootfs_rw/etc/firewall.d #
</code>
Check the result with:
<code>
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:RST/RST
ACCEPT     udp  --  anywhere             anywhere             udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp spt:1600
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:RST/RST
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1600
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
</code>