This is an old revision of the document!
The Linux iptables/ip6tables firewalls are enabled by default.
Major changes were introduced in version v3.3.3:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
If you want to add new rules, either put them in a file in /etc/firewall.d/, or, if your application adds them at runtime, insert them at the top of the chain with "-I" (insert) instead of appending with "-A" (append): the default chains end with REJECT rules, so a rule appended after them is never evaluated.
By default, the IPv4 flows allowed are: DHCP, DNS, ICMP, SSH, NTP, HTTP (TCP/80) and HTTPS; everything else is rejected by the rules in zz_reject.rules.
Regarding IPv6, by default everything is rejected except ICMPv6 (input and output).
This configuration can be modified by the application with the standard Linux commands iptables for IPv4 and ip6tables for IPv6.
Custom rules can be added in /etc/firewall.d/, in the iptables-save/dump format.
Four files with default rules are already present: 00_default.rules and zz_reject.rules for IPv4, 00_default.v6rules and zz_reject.v6rules for IPv6. These files can be edited by the user to add or remove rules. Files named *.rules are used for IPv4, and *.v6rules for IPv6. They are applied in file name order (00_default first, zz_reject last), so a custom file should be named so that it sorts between the two and its rules land before the default REJECT rules.
To apply new rules, reboot the gateway or restart the firewall with the command /etc/init.d/firewall restart.
To check the rules, launch the command iptables -L for IPv4 rules and ip6tables -L for IPv6 rules; add -n -v to also see the packet counters and the interface matches (for example the loopback rules), which plain -L does not display.
To start a custom rules file from the current configuration:
1. Create a file ending in .rules in /etc/firewall.d/, for example custom.rules.
2. Dump the running rules into it: iptables-save > /etc/firewall.d/custom.rules ⇒ All default rules of the firewall are then in the file /etc/firewall.d/custom.rules.
3. Edit /etc/firewall.d/custom.rules and add some new rules. The dump ends with the REJECT rules copied from zz_reject.rules; put your additions above those REJECT lines, otherwise they are never reached.
4. /etc/init.d/firewall restart
5. iptables -L ⇒ The new rules are applied.
For example, the following rules allow UDP traffic to and from remote port 1600:
-A INPUT -p udp --sport 1600 -j ACCEPT
-A OUTPUT -p udp --dport 1600 -j ACCEPT
Add these rules to the /user/rootfs_rw/etc/firewall.d/00_default.rules file. Note that the INPUT rule matches on the remote source port only, so any host can reach any local UDP port by sending from port 1600; when the remote host is known, restrict the rule with -s <address>. On firmware v3.3.3 or later, the ESTABLISHED,RELATED rule already accepts the replies to the gateway's own outbound traffic, so the INPUT rule is only required for traffic that the remote side initiates.
# Default IPv4 firewall rules for Keros
*filter
# Open output port for DNS request
-A OUTPUT -p udp --dport domain -j ACCEPT
-A INPUT -p udp --sport domain -j ACCEPT
-A OUTPUT -p tcp --dport domain -j ACCEPT
-A INPUT -p tcp --sport domain ! --syn -j ACCEPT
# Allows loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# SSH
-A OUTPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -p tcp --sport ssh ! --syn -j ACCEPT
-A OUTPUT -p tcp --sport ssh -j ACCEPT
-A INPUT -p tcp --dport ssh -j ACCEPT
# NTP Out
-A OUTPUT -p udp --dport ntp -j ACCEPT
-A INPUT -p udp --sport ntp -j ACCEPT
# outbound HTTP + HTTPS
-A OUTPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --sport http ! --syn -j ACCEPT
-A OUTPUT -p tcp --dport https -j ACCEPT
-A INPUT -p tcp --sport https ! --syn -j ACCEPT
# ICMP
-A OUTPUT -p icmp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# TCP resets that we use to REJECT connection attempts
-A OUTPUT -p tcp --tcp-flags RST RST -j ACCEPT
# or that we receive (useful to terminate connection if no symmetric rule exist on INPUT)
-A INPUT -p tcp --tcp-flags RST RST -j ACCEPT
# DHCP client and server
-A INPUT -p udp --dport bootps:bootpc --sport bootps:bootpc -j ACCEPT
# My new rules
-A OUTPUT -p udp --dport 1600 -j ACCEPT
-A INPUT -p udp --sport 1600 -j ACCEPT
COMMIT
Restart the firewall to apply the rules:
# /etc/init.d/firewall restart
Flushing iptable rules.
Set default policy to 'ACCEPT'
Flushing ip6table rules.
Setting default IPv6 policy to 'ACCEPT'
Flushing iptable rules.
Applying IPv4 firewall config file /etc/firewall.d//00_default.rules
Applying IPv4 firewall config file /etc/firewall.d//zz_reject.rules
Flushing ip6table rules.
Applying IPv6 firewall config file /etc/firewall.d//00_default.v6rules
Applying IPv6 firewall config file /etc/firewall.d//zz_reject.v6rules
root@klk-lpbs-04018B:/user/rootfs_rw/etc/firewall.d #
Check the result with the command below. The new udp spt:1600 / dpt:1600 entries must appear before the two REJECT lines at the end of each chain, otherwise they are never reached. The two "ACCEPT all" entries are the loopback rules; plain iptables -L hides the -i lo / -o lo interface match, use iptables -L -n -v to see it.
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:RST/RST
ACCEPT     udp  --  anywhere             anywhere             udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp spt:1600
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:RST/RST
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1600
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
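The script below is an added example, not part of the KerOS documentation or firmware. It packages the custom-rules procedure above (a separate file in /etc/firewall.d/ instead of editing 00_default.rules) together with a lint that catches the two ordering mistakes discussed on this page: a rule appended with -A after a REJECT line, and a file whose name sorts after zz_reject.rules. The file name 10_custom.rules, the network server address 192.0.2.10 and the port 1600 are assumptions for illustration; the INPUT rule is pinned to that address rather than matching on the source port alone.

```shell
#!/bin/sh
# Added example, not part of the KerOS documentation or firmware.
# Generates a custom IPv4 rules file for /etc/firewall.d/, lints it for the
# ordering mistakes described above, and applies it when run on a gateway.
#
# Assumptions (hypothetical, adjust to your deployment):
#  - the file is named 10_custom.rules so that it sorts after 00_default.rules
#    and before zz_reject.rules, keeping the default REJECT rules last;
#  - the remote service is a network server at 192.0.2.10 on UDP/1600.

FIREWALL_DIR="${FIREWALL_DIR:-/etc/firewall.d}"
CUSTOM_FILE="10_custom.rules"
NS_HOST="${NS_HOST:-192.0.2.10}"
NS_PORT="${NS_PORT:-1600}"

# Print the rules file in iptables-save format (filter table only).
# The INPUT rule is pinned to the server address: a bare "--sport 1600" would
# accept packets from any host that chooses 1600 as its source port.
gen_rules() {
    cat <<EOF
# Custom IPv4 rules: UDP traffic to/from the network server (added example)
*filter
-A OUTPUT -p udp -d $NS_HOST --dport $NS_PORT -j ACCEPT
-A INPUT -p udp -s $NS_HOST --sport $NS_PORT -j ACCEPT
COMMIT
EOF
}

# Succeeds when NAME sorts before zz_reject.rules, i.e. its rules are appended
# before the default REJECT rules rather than after them.
name_sorts_before_reject() {
    awk -v n="$1" 'BEGIN { exit (n < "zz_reject.rules") ? 0 : 1 }'
}

# Lint one rules file: *filter ... COMMIT framing, only -A/-I rules, and no -A
# rule after a REJECT line (rules are evaluated in order, so it would never
# match; -I rules are fine because they are inserted at the top of the chain).
lint_rules() {
    name=$(basename "$1")
    if ! name_sorts_before_reject "$name"; then
        echo "$name: sorts after zz_reject.rules, its rules would follow the default REJECT" >&2
        return 1
    fi
    awk '
        function err(m) { print FILENAME ":" NR ": " m ": " $0 > "/dev/stderr"; bad = 1 }
        /^#/ || /^[ \t]*$/ { next }
        /^\*filter$/       { table = 1; next }
        /^COMMIT$/         { commit = 1; next }
        !table             { err("rule before *filter"); next }
        /-j REJECT/        { reject = 1; next }
        /^-A / && reject   { err("unreachable rule appended after REJECT"); next }
        /^-[AI] /          { next }
        { err("unexpected line") }
        END {
            if (!table || !commit) { print FILENAME ": missing *filter or COMMIT" > "/dev/stderr"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Write the file, lint it, then restart the firewall if this is a gateway.
install_rules() {
    target="$FIREWALL_DIR/$CUSTOM_FILE"
    gen_rules > "$target"
    lint_rules "$target" || { rm -f "$target"; return 1; }
    if [ -x /etc/init.d/firewall ]; then
        /etc/init.d/firewall restart
        # -n -v shows interfaces and counters that plain -L hides; the new
        # rules must be listed before the two REJECT lines.
        iptables -L INPUT -n -v
    fi
}

case "${1:-}" in
    apply) install_rules ;;
esac
```

Run it on the gateway as ./custom_rules.sh apply; off the gateway, the restart step is skipped and the script only generates and lints the file, so the same lint can be used on an existing custom file with lint_rules FILE before copying it over.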