Developers Documentation

×

Warning

301 error for file:https://clearos.com/dokuwiki2/lib/exe/css.php?t=dokuwiki&tseed=82873f9c9a1f5784b951644363f20ef8

User Tools

Site Tools


Custom Firewall Module Examples

This Howto will give specific examples to help you craft appropriate firewall rules that work well with ClearOS. ClearOS has a Custom Firewall app that allows raw IPTables rules that can be used in conjunction with the rest of the firewall. This guide contains examples of some useful rules. Be careful making rules. Iptables can deny your connection to the server if malformed.

For these examples we will use the network WAN network of 1.2.3.0/28 with .1 as the target router of our ISP, .4 is our ClearOS server. The DMZ network is 5.6.7.0/27 with 5.6.7.8 as the ClearOS DMZ IP address. The HotLAN network is 172.22.22.0/24 with ClearOS as 172.22.22.22. The LAN is 192.168.1.0/24 with 192.168.1.1 as the ClearOS server and 192.168.1.10 as a third party web/file server.

Be sure to test these firewall rules in command line before placing them in the Custom Firewall app.

Content Filter

Bypass

If you are running a gateway ClearOS system and wish to bypass the content filter for a single IP address you can create a rule so that it surfs the web normally.

$IPTABLES -t nat -I PREROUTING -s 192.168.1.10 -p tcp --dport 80 -j ACCEPT

Same as above but for a group of computers from .16 through .31.

$IPTABLES -t nat -I PREROUTING -s 192.168.1.16/28 -p tcp --dport 80 -j ACCEPT

Another example of a content filter bypass method is to bypass a certain URL for a everyone. This can come in handy if the content filter is having difficulty processing a non-standard web object. Certain authentication types from a large OS vendor in Redmond, Washington (for example) sometimes get crushed by the content filter. The following will bypass the filter for that site:

$IPTABLES -t nat -I PREROUTING -d site.example.com -p tcp --dport 80  -j ACCEPT

Proxy Server

Bypass

If you are running a gateway ClearOS system and wish to bypass the proxy server for a single IP address you can create a rule so that it surfs the web normally. This is the same method for the content filter.

$IPTABLES -t nat -I PREROUTING -s 192.168.1.10 -p tcp --dport 80 -j ACCEPT

Same as above but for a group of computers from .16 through .31.

$IPTABLES -t nat -I PREROUTING -s 192.168.1.16/28 -p tcp --dport 80 -j ACCEPT

Another example of a proxy bypass method is to bypass a certain URL for a everyone. This can come in handy if the proxy is having difficulty processing a certain web object:

$IPTABLES -t nat -I PREROUTING -d site.example.com -p tcp --dport 80  -j ACCEPT

Firewalling

Port Forwarding Restricted to Specific Public IPs

If you need to create a port forwarding rule but restrict it to a particular remote network or IP address, you can follow this procedure. First, add the custom firewall rules to restrict access. The example below allows connections to a MySQL server (TCP port 3306) on the LAN at 192.168.4.109 from the remote IPs 1.2.3.4 and 5.6.7.8

$IPTABLES -t filter -I FORWARD -d 192.168.4.109 -p tcp --dport 3306 -j DROP
$IPTABLES -t filter -I FORWARD -s 1.2.3.4 -d 192.168.4.109 -p tcp --dport 3306 -j ACCEPT
$IPTABLES -t filter -I FORWARD -s 5.6.7.8 -d 192.168.4.109 -p tcp --dport 3306 -j ACCEPT

Port forwarding is not yet working at this point. The next step is to use the Port Forwarding app to create the generic port forwarding rule for the above example: TCP port 3306 to IP 192.168.4.109. The custom firewall rules handles the restriction to specific public IPs, while the port forward rule handles the rest.

Port-based Filtering

Much like passing traffic to bypass the content filter, you can single out ports that are normally passed and drop them for certain hosts or a range of hosts. For example, you can block SMTP for your entire DHCP range of addresses if your DHCP scope goes from 192.168.1.128-254

$IPTABLES -t nat -I PREROUTING -s 192.168.1.128/25 -p tcp --dport 25 -j DROP

Managing LAN-to-LAN Traffic

By default, network traffic between multiple LANs is permitted. If you would like to restrict between LANs, you can use the following example as a guideline.

  • eth1: LAN1
  • eth2: LAN2
# Block traffic between eth1 and eth2
$IPTABLES -I FORWARD -i eth1 -o eth2 -j DROP
$IPTABLES -I FORWARD -i eth2 -o eth1 -j DROP

# Allow reply traffic
$IPTABLES -I FORWARD -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -I FORWARD -i eth2 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow traffic to web server on LAN2 network
$IPTABLES -I FORWARD -i eth1 -o eth2 -p tcp --dport 80 -j ACCEPT

Logging Specific Network Traffic

In some circumstances, you may want to log certain types of network traffic. The first thing that you need to do is create a special logging firewall rule:

$IPTABLES -N log-traffic
$IPTABLES -I log-traffic -j LOG --log-prefix "Traffic log: "

Next, you can add rules that can be directed to the logger. Here are some examples:

# Log traffic destined to 1.2.3.4
$IPTABLES -I FORWARD -d 1.2.3.4 -j log-traffic
# Log traffic destined to port 12345 
$IPTABLES -I FORWARD -p tcp --dport 12345 -j log-traffic

The information is logged to the /var/log/messages log which can be viewed in the web-based interface using the Log Viewer app. Please be careful with this tool since it doesn't take long to fill up the log file if too much traffic is caught!

Gateway Services

To bypass all gateway services except for NAT, you can use a rule like this:

$IPTABLES -t nat -I PREROUTING -s 192.168.1.99 -j ACCEPT

This rule will bypass all filtering of all types for this IP address. If you want to limit it to bypass for TCP only services, you the following:

$IPTABLES -t nat -I PREROUTING -s 192.168.1.99 -p tcp -j ACCEPT

HotLAN to LAN

Let us say that there is a service on a server inside your LAN that you wish for users on the HotLAN to access. This is similar to a Pinhole method in the DMZ app. For this example your LAN network is 10.1.1.0/24 and your HotLAN network is 192.168.1.0/24. In this example the service is port 25 SMTP on the server 10.1.1.10. You can add a forwarding rule using the Custom Firewall app:

$IPTABLES -I FORWARD -p tcp -s 192.168.1.0/24 -d 10.1.1.110 --dport 25 -j ACCEPT

Port Forwarding from selected hosts

Let us say for example that you want to only allow certain hosts to access your SMTP service behind your firewall from the outside Internet. You normally could use the Port Forwarding module for this but you want to get restrictive to a single IP address or perhaps a range of addresses.

In this example, our internal server is 10.1.1.110 and is running SMTP. We want to make it so that 3.2.1.0/24 can get to it but only this range.

You will need to add two rules:

$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -s 3.2.10/24 --dport 25 -j DNAT --to-destination 10.1.1.110:25
$IPTABLES -A FORWARD -p tcp -s 3.2.1.0/24 -d 10.1.1.110 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Tips for Making Your Custom Rules

  • - If you want your rules to appear at the top of your rules use the '-I' instead of '-A' in order to take effect before the rest of the ClearOS firewall rules.
  • - There are two main tables in ClearOS (nat, and mangle). When you don't specify a table, it is using the 'mangle' table.
  • - If your rule is similar to some function in ClearOS already, take a snapshot of the output of your tables (iptables -L > /tmp/currentmangle.1, and/or iptables -t nat -L /tmp/currentnat.1). Then make the rule in ClearOS Webconfig UI and then take another snapshot (iptables -L > /tmp/currentmangle.2, and/or iptables -t nat -L /tmp/currentnat.2). Then run a diff of the results (diff /tmp/currentmangle.1 /tmp/currentmangle.2, and/or diff /tmp/currentnat.1 /tmp/currentnat.2).
content/en_us/kb_o_custom_firewall_module_examples.txt · Last modified: 2018/01/22 14:05 by cjones

https://clearos.com/dokuwiki2/lib/exe/indexer.php?id=content%3Aen_us%3Akb_o_custom_firewall_module_examples&1710845270