The Linux iptables/ip6tables firewalls are enabled by default.
If you want to add new rules, either add them to a file in /etc/firewall.d/, or, if your application adds them at runtime, prepend them to the chain with “-I” (insert) instead of “-A” (append), so that they are matched before the closing REJECT rules at the end of each chain.
By default, the flows allowed, for both IPv4 and IPv6, are: DHCP, DNS, ICMP, SSH, NTP, HTTP (TCP/80) and HTTPS.
Custom rules can be added in /etc/firewall.d/, in the iptables-save/dump format.
Some tables are already created with default rules. These files can be edited by the user to add or remove rules. Files named *.rules are used for IPv4, and *.v6rules for IPv6.
A table is dedicated to the web interface access: /etc/firewall.d/webaw.rules and /etc/firewall.d/webaw.v6rules. Do not modify these files.
To apply new rules, reboot the gateway or restart the firewall with the command /etc/init.d/firewall restart.
To check the rules, run iptables -L for IPv4 rules and ip6tables -L for IPv6 rules.
These rules allow UDP traffic to and from remote port 1600:
-A INPUT -p udp --sport 1600 -j ACCEPT
-A OUTPUT -p udp --dport 1600 -j ACCEPT
Add these rules to the /etc/firewall.d/00_default.rules file.
# Default IPv4 firewall rules for Keros
*filter
# Open output port for DNS request
-A OUTPUT -p udp --dport domain -j ACCEPT
-A INPUT -p udp --sport domain -j ACCEPT
-A OUTPUT -p tcp --dport domain -j ACCEPT
-A INPUT -p tcp --sport domain ! --syn -j ACCEPT
# Allows loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# SSH
-A OUTPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -p tcp --sport ssh ! --syn -j ACCEPT
-A OUTPUT -p tcp --sport ssh -j ACCEPT
-A INPUT -p tcp --dport ssh -j ACCEPT
# NTP Out
-A OUTPUT -p udp --dport ntp -j ACCEPT
-A INPUT -p udp --sport ntp -j ACCEPT
# outbound HTTP + HTTPS
-A OUTPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --sport http ! --syn -j ACCEPT
-A OUTPUT -p tcp --dport https -j ACCEPT
-A INPUT -p tcp --sport https ! --syn -j ACCEPT
# ICMP
-A OUTPUT -p icmp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# TCP resets that we use to REJECT connection attempts
-A OUTPUT -p tcp --tcp-flags RST RST -j ACCEPT
# or that we receive (useful to terminate a connection if no symmetric rule exists on INPUT)
-A INPUT -p tcp --tcp-flags RST RST -j ACCEPT
# DHCP client and server
-A INPUT -p udp --dport bootps:bootpc --sport bootps:bootpc -j ACCEPT
# My new rules
-A OUTPUT -p udp --dport 1600 -j ACCEPT
-A INPUT -p udp --sport 1600 -j ACCEPT
COMMIT
Restart the firewall to apply the rules:
# /etc/init.d/firewall restart
Flushing iptable rules.
Set default policy to 'ACCEPT'
Flushing ip6table rules.
Setting default IPv6 policy to 'ACCEPT'
Flushing iptable rules.
Applying IPv4 firewall config file /etc/firewall.d//00_default.rules
Applying IPv4 firewall config file /etc/firewall.d//zz_reject.rules
Flushing ip6table rules.
Applying IPv6 firewall config file /etc/firewall.d//00_default.v6rules
Applying IPv6 firewall config file /etc/firewall.d//zz_reject.v6rules
root@klk-lpbs-04018B:/user/rootfs_rw/etc/firewall.d #
Check the result with:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:RST/RST
ACCEPT     udp  --  anywhere             anywhere             udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp spt:1600
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:RST/RST
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1600
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
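The same change scripted, as an added example that is not part of the Keros documentation or firmware: a POSIX sh helper that writes the two UDP rules for a port into 00_default.rules and 00_default.v6rules in iptables-save format, keeping them inside the *filter table before COMMIT, skipping a port that is already present and refusing a malformed file or port. The function names, the FIREWALL_DIR override and the comment marker are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Keros code: add a symmetric UDP rule pair for one port
# to the default rules files. The rules must sit between "*filter" and
# "COMMIT", so they are inserted just before COMMIT. FIREWALL_DIR defaults to
# /etc/firewall.d; override it (assumed knob) to work on a copy or for tests.
FIREWALL_DIR="${FIREWALL_DIR:-/etc/firewall.d}"

# add_udp_port FILE PORT
# Inserts "-A OUTPUT ... --dport PORT" and "-A INPUT ... --sport PORT" before
# COMMIT. Returns 0 when done or already present, 2 on a bad port or a file
# that is not a complete iptables-save table.
add_udp_port() {
    file="$1"; port="$2"
    case "$port" in ''|*[!0-9]*) return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2
    grep -q '^COMMIT$' "$file" || return 2
    # Idempotent: a rule that is already there is not duplicated.
    grep -q "^-A INPUT -p udp --sport $port -j ACCEPT\$" "$file" && return 0
    tmp="$file.tmp.$$"
    awk -v p="$port" '
        /^COMMIT$/ && !done {
            print "# UDP port " p " (added by add_udp_port)"
            print "-A OUTPUT -p udp --dport " p " -j ACCEPT"
            print "-A INPUT -p udp --sport " p " -j ACCEPT"
            done = 1
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# add_udp_port_both PORT: same rules in the IPv4 and the IPv6 default file.
add_udp_port_both() {
    add_udp_port "$FIREWALL_DIR/00_default.rules" "$1" &&
    add_udp_port "$FIREWALL_DIR/00_default.v6rules" "$1"
}

# count_port_rules FILE PORT: number of ACCEPT rules for PORT (2 once added).
count_port_rules() {
    grep -c -- "-p udp --[sd]port $2 -j ACCEPT\$" "$1"
}

# Usage: sh add_udp_port.sh 1600, then /etc/init.d/firewall restart.
if [ $# -gt 0 ]; then add_udp_port_both "$1"; fi
```

The helper edits the files only; as the page states, the rules take effect after /etc/init.d/firewall restart or a reboot.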