
Eg Mu
Resolved
Hi All.

Just installed COS for the first time... looks great.
I've used Smoothwall for years, but when replacing my fw I wanted to try COS7.

You guys will probably just shake your heads, for that I'm sorry, but here we go (again)...

My COS doesn't have a static external IP from the ISP. It's DHCP and changes every second day or so.

After installing COS yesterday, everything works like a charm, but my first issue is:
Occasionally I need to RDP to my computer from my office (not on the default RDP port, of course).
The office has a static IP.
So I do a Port Forward in COS, and this works fine, but it also works from *all* external IPs on the internet, which of course isn't wanted at all.

After reading up on a lot of posts and searches, I tried adding the rules in "Custom Firewall" instead:

$IPTABLES -t filter -I FORWARD -s OFFICEIP -d 192.168.4.109 -p tcp --dport 3306 -j ACCEPT (OFFICEIP being the static IP of the office)
$IPTABLES -t filter -I FORWARD -d 192.168.4.109 -p tcp --dport 3306 -j DROP

So, in my understanding, this should accept port 3306 from my office IP but drop all others.

But I just can't make this work.

Am I mistakenly entering my office IP in the second rule there?
Any other hints?
What am I missing... (except for brains, obviously)

Kindly
Saturday, January 12 2019, 12:48 PM
Responses (8)
  • Tuesday, January 15 2019, 09:34 PM
    Hi Nick!

    Port 5160, if one is using both PJSIP and SIP, is now a nonstandard port for SIP. PJSIP has taken over 5060.

    Let's start from square one... or maybe we should move this to a new forum post. But how about a good step-by-step best-practices tutorial on proper port forwarding from a specific, singular Internet IP for any single port, or multiple ports?

    Somehow I am surely missing something! Not fully understanding.

    Am I to make a standard port forwarding rule as well in the ClearOS WebGUI?

    Thanks!

    John
  • Tuesday, January 15 2019, 08:42 AM
    How you do the rules is up to you. One way is to create a single Port Forward in the Webconfig and then one custom rule (or perhaps 2 if you can't negate the source IP); or you create three custom rules to emulate the Port Forwarding rules, but targeting specific IPs.

    I don't see how your rules work as port forwarding rules as there are no DNAT rules. The only place I see them working is if 192.168.1.165 is initiating contact and your rules are blocking return packets. Effectively you are overriding the rule:
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    3172K 3405M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    I don't see a way for anyone externally to initiate a connection to 192.168.1.165 on udp:5060 or udp:5160. Or, perhaps I am missing something.

    BTW is udp:5160 correct? Typically 5061 goes with 5060 with VoIP.
  • Tuesday, January 15 2019, 04:23 AM
    Thanks Nick..

    Just trying to learn more and it is great to pick the brains of experts!

    So... am I doing this wrong? Should I have also set up a standard port forwarding rule in the WebGUI? This would be under Network -> Port Forwarding? Or is what I have good? Just wanting best practices, but I assure you this seems to work with no other rules.

    Here is a dump of port forwarding that seems to work well. Even the results seem to show things as good. Oh... I did ask about the dollar sign in iptables and you responded some time ago, just FYI.


    [root@jcits ~]# iptables -nvL
    Chain INPUT (policy DROP 21338 packets, 937K bytes)
    pkts bytes target prot opt in out source destination
    161 12236 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state RELATED,ESTABLISHED
    1250 63914 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    78 6692 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    0 0 DROP all -- eth0 * 127.0.0.0/8 0.0.0.0/0
    0 0 DROP all -- eth0 * 169.254.0.0/16 0.0.0.0/0
    5873 783K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    29318 2539K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
    709 20561 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 0
    0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 3
    8 303 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
    0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 11
    321 106K ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
    12845 1923K ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
    4 776 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- * * 216.115.69.144 192.168.1.165 udp dpt:5160
    0 0 ACCEPT udp -- * * 34.226.36.32/28 192.168.1.165 udp dpt:5060
    0 0 ACCEPT udp -- * * 147.75.60.160/28 192.168.1.165 udp dpt:5060
    737 344K ACCEPT udp -- * * 34.210.91.112/28 192.168.1.165 udp dpt:5060
    0 0 DROP udp -- * * 0.0.0.0/0 192.168.1.165 udp dpt:5160
    0 0 DROP udp -- * * 0.0.0.0/0 192.168.1.165 udp dpt:5060
    260 15248 ACCEPT tcp -- * eth1 0.0.0.0/0 192.168.1.50 tcp dpt:80
    277 16132 ACCEPT tcp -- * eth1 0.0.0.0/0 192.168.1.51 tcp dpt:80
    10 580 ACCEPT tcp -- * eth1 0.0.0.0/0 192.168.1.52 tcp dpt:80
    5134 287K ACCEPT tcp -- * eth1 0.0.0.0/0 192.168.1.53 tcp dpt:80
    0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 192.168.1.222 tcp dpts:4525:4529
    199 9804 ACCEPT tcp -- * eth1 0.0.0.0/0 192.168.1.222 tcp dpt:81
    145 9262 ACCEPT tcp -- * eth1 0.0.0.0/0 192.168.1.20 tcp dpt:443
    6173 888K ACCEPT udp -- * eth1 0.0.0.0/0 192.168.1.165 udp dpt:4569
    112 12257 ACCEPT udp -- * eth1 0.0.0.0/0 192.168.1.165 udp dpts:10000:20000
    0 0 ACCEPT udp -- * eth1 0.0.0.0/0 192.168.1.240 udp dpts:50000:52000
    0 0 ACCEPT 47 -- eth0 eth1 0.0.0.0/0 192.168.1.5
    2 80 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 192.168.1.5 tcp dpt:1723
    3172K 3405M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    53722 4460K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    5880 784K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * pptp+ 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    20531 3402K ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
    855 34824 ACCEPT icmp -- * eth0 0.0.0.0/0 0.0.0.0/0
    1 328 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
    0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
    13021 888K ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0

    Chain DROP-lan (0 references)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
    [root@jcits ~]#


    [root@jcits ~]# iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 122K packets, 13M bytes)
    pkts bytes target prot opt in out source destination
    5 260 DNAT tcp -- * * 0.0.0.0/0 73.24.155.181 tcp dpt:8084 to:192.168.1.50:80
    5 260 DNAT tcp -- * * 0.0.0.0/0 73.24.155.181 tcp dpt:8085 to:192.168.1.51:80
    4 220 DNAT tcp -- * * 0.0.0.0/0 73.24.155.181 tcp dpt:8086 to:192.168.1.52:80
    86 4588 DNAT tcp -- * * 0.0.0.0/0 73.24.155.181 tcp dpt:8090 to:192.168.1.53:80
    0 0 DNAT tcp -- * * 0.0.0.0/0 73.24.155.181 tcp dpts:4525:4529 to:192.168.1.222
    49 2408 DNAT tcp -- * * 0.0.0.0/0 73.24.155.181 tcp dpt:81 to:192.168.1.222:81
    25 1148 DNAT tcp -- * * 0.0.0.0/0 73.24.155.181 tcp dpt:443 to:192.168.1.20:443
    0 0 DNAT udp -- * * 0.0.0.0/0 73.24.155.181 udp dpt:4569 to:192.168.1.165:4569
    1 44 DNAT udp -- * * 0.0.0.0/0 73.24.155.181 udp dpts:10000:20000 to:192.168.1.165
    0 0 DNAT udp -- * * 0.0.0.0/0 73.24.155.181 udp dpts:50000:52000 to:192.168.1.240
    0 0 DNAT 47 -- * * 0.0.0.0/0 73.24.155.181 to:192.168.1.5
    1 40 DNAT tcp -- * * 0.0.0.0/0 73.24.155.181 tcp dpt:1723 to:192.168.1.5

    Chain POSTROUTING (policy ACCEPT 701 packets, 52772 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    3 180 SNAT tcp -- * * 192.168.1.0/24 192.168.1.50 tcp dpt:80 to:192.168.1.1
    3 180 SNAT tcp -- * * 192.168.1.0/24 192.168.1.51 tcp dpt:80 to:192.168.1.1
    3 180 SNAT tcp -- * * 192.168.1.0/24 192.168.1.52 tcp dpt:80 to:192.168.1.1
    9 540 SNAT tcp -- * * 192.168.1.0/24 192.168.1.53 tcp dpt:80 to:192.168.1.1
    0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.222 tcp dpts:4525:4529 to:192.168.1.1
    0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.222 tcp dpt:81 to:192.168.1.1
    0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.20 tcp dpt:443 to:192.168.1.1
    0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.165 udp dpt:4569 to:192.168.1.1
    0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.165 udp dpts:10000:20000 to:192.168.1.1
    0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.240 udp dpts:50000:52000 to:192.168.1.1
    59976 4677K MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 14321 packets, 957K bytes)
    pkts bytes target prot opt in out source destination
    [root@jcits ~]#
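An added example, not part of John's post and not ClearOS code: a small POSIX shell/awk audit that reads an `iptables -nvL` dump and lists every FORWARD-chain ACCEPT rule that reaches a specific LAN host from any source (0.0.0.0/0), which is exactly the "works from all external IPs" condition this thread is about. The embedded sample is an excerpt of the FORWARD chain in the dump above; the file name audit_forwards.sh is assumed.

```shell
#!/bin/sh
# Added example: audit an `iptables -nvL` dump for port forwards that are
# open to the whole Internet. Not ClearOS code; assumed file name:
# audit_forwards.sh.  Usage on a live box:
#   iptables -nvL | sh audit_forwards.sh /dev/stdin
# Without an argument it runs against the embedded excerpt of the dump above.

# Print FORWARD-chain ACCEPT rules whose source is 0.0.0.0/0 but whose
# destination is a specific host or subnet. In `iptables -nvL` output the
# columns are: pkts bytes target prot opt in out source destination [match...]
open_forwards() {
  awk '
    /^Chain / { in_fwd = ($2 == "FORWARD"); next }
    in_fwd && $3 == "ACCEPT" && $8 == "0.0.0.0/0" && $9 != "0.0.0.0/0" {
      extra = ""
      for (i = 10; i <= NF; i++) extra = extra " " $i
      printf "%s %s ->%s\n", $4, $9, extra
    }
  '
}

# Excerpt of the FORWARD chain posted above. The RELATED,ESTABLISHED and
# LAN-side rules have destination 0.0.0.0/0 and are therefore not forwards.
SAMPLE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- * * 216.115.69.144 192.168.1.165 udp dpt:5160
  737 344K ACCEPT udp -- * * 34.210.91.112/28 192.168.1.165 udp dpt:5060
    0 0 DROP udp -- * * 0.0.0.0/0 192.168.1.165 udp dpt:5060
  260 15248 ACCEPT tcp -- * eth1 0.0.0.0/0 192.168.1.50 tcp dpt:80
  145 9262 ACCEPT tcp -- * eth1 0.0.0.0/0 192.168.1.20 tcp dpt:443
 6173 888K ACCEPT udp -- * eth1 0.0.0.0/0 192.168.1.165 udp dpt:4569
3172K 3405M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
53722 4460K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 5880 784K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0'

# Run the audit over the embedded excerpt; returns one line per open forward.
audit_sample() { printf '%s\n' "$SAMPLE" | open_forwards; }

if [ -n "${1:-}" ]; then open_forwards < "$1"; else audit_sample; fi
```

On the excerpt it reports the tcp/80, tcp/443 and udp/4569 forwards and stays silent on the SIP rules, whose ACCEPTs carry a specific source and whose catch-all is a DROP. Anything it prints is a port reachable from every address on the Internet, which is the list to go through when deciding which forwards deserve a source restriction like the SIP ones.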
  • Monday, January 14 2019, 04:48 PM
    Can I suggest you give a dump of:
    iptables -nvL
    iptables -nvL -t nat
    between code tags.

    The purpose of the DNAT rule in the PREROUTING chain is to redirect IP packets that were destined to your external IP address to your internal IP address. It is only when the packets hit the firewall that such a redirection can take place. Externally your SIP provider knows nothing about your LAN. Your forward rules make no sense without the PREROUTING.

    Then, in order to get the rule into one line, I drop everything from anywhere except the single IP it is being forwarded from. The reason you need your DROP rule is because you probably already have a proper port forwarding rule further down the FORWARD chain which you are trying to negate.

    The purpose of $IPTABLES in v7 is that it evaluates to "/usr/sbin/iptables -w" and the -w is important if you want to avoid table locking problems. The -w switch does not exist in v6 and you can hit race conditions because of it, so there is no need to use $IPTABLES. I guess it also gives the devs some flexibility as they can tweak the meaning of "$IPTABLES" if anything changes upstream.
  • Monday, January 14 2019, 04:44 PM
    My use:

    iptables -t filter -I FORWARD -d 192.168.1.165 -p udp --dport 5060 -j DROP
    iptables -t filter -I FORWARD -s 34.210.91.112/28 -d 192.168.1.165 -p udp --dport 5060 -j ACCEPT

    What is the difference? If mine work for SIP and PJSIP, why won't they work for RDP for the OP? These are in Custom Firewall only and I do not use a standard port forward under Network Port Forwarding.


    You could swap the order of the two rules, or maybe change the -I to a -A on the second rule. Or insert a 1 after -I in the first rule and a 2 after the -I in the second rule. It seems to me that, the way you have the rules written, the first rule would be inserted at line 1, first. Then the second rule would be inserted at line 1, second. So since iptables works from rule 1 on down, the port accept rule would run first, then the drop rule. An append on the second rule would put it at the end of the table.
  • Monday, January 14 2019, 04:29 PM
    Hi Nick!

    Just for my understanding, I use his (OP's) rules for my port forwarding of SIP traffic from my SIP provider to my internal FreePBX. Works like a charm. I do not use a DROP rule with IPTABLES -, but IPTABLES -t. I've asked and posted a couple of my rules in other posts, more recently over COS 6 and COS7 use of $IPTABLES.

    My use:

    iptables -t filter -I FORWARD -d 192.168.1.165 -p udp --dport 5060 -j DROP
    iptables -t filter -I FORWARD -s 34.210.91.112/28 -d 192.168.1.165 -p udp --dport 5060 -j ACCEPT

    What is the difference? If mine work for SIP and PJSIP, why won't they work for RDP for the OP? These are in Custom Firewall only and I do not use a standard port forward under Network Port Forwarding.

    Thanks!

    John
  • Eg Mu, Saturday, January 12 2019, 05:10 PM
    Perfect!

    The iptables approach blocking the unwanted IPs there fixed it.

    Thank you very much!
  • Saturday, January 12 2019, 01:58 PM
    You're missing a PREROUTING (DNAT) rule and possibly a POSTROUTING rule (SNAT). If you set up a normal port forward, do an "iptables -nvL -t nat" to see how it is done.

    You may find it easier to set up a standard port forwarding rule and then filter the unwanted IPs with an extra custom rule. Custom rules load after Port Forwards when the firewall starts, so any custom rule inserted into a table (-I) will take precedence over the port forward. Try something like:
    $IPTABLES -I FORWARD ! -s OFFICEIP -d 192.168.4.109 -p tcp --dport 3306 -j DROP


    Personally I don't like allowing access this way. I always prefer connecting to ClearOS by OpenVPN; then you can do the RDP directly to the machine's LAN IP or FQDN.
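The approach in this reply, as an added worked example (not part of the thread and not ClearOS code): the rules that a source-restricted port forward consists of, written with $IPTABLES the way the Custom Firewall app expects, plus a dry run that replays the same commands into a fake FORWARD chain so the effect of -I versus -A on rule order is visible without touching a live firewall. The office address 203.0.113.10, the external port 33890, the WAN interface eth0 and the probe address 198.51.100.7 are assumed; 192.168.4.109 is the host from the opening post. The same dry run reproduces the ordering problem discussed in the January 14 replies: two rules both inserted with a bare -I end up in reverse order.

```shell
#!/bin/sh
# Added example (not from the thread, not ClearOS code): the rule set that a
# source-restricted port forward needs, written the way the Custom Firewall
# app expects ($IPTABLES), plus a dry run that replays the same commands into
# a fake FORWARD chain to show why the order of -I / -A matters.
# Assumed values: the office address, external port, WAN interface, probe host.
OFFICEIP=203.0.113.10   # office's static IP (assumed, documentation range)
LANHOST=192.168.4.109   # LAN machine from the opening post
EXTPORT=33890           # non-default external port (assumed)
RDPPORT=3389            # RDP port on the LAN host
WANIF=eth0              # WAN interface: match on it rather than on the
                        # DHCP-assigned external address, which changes

# Inside ClearOS 7's firewall scripts $IPTABLES is "/usr/sbin/iptables -w";
# outside them fall back to that so the functions still work.
: "${IPTABLES:=/usr/sbin/iptables -w}"

# What the webconfig Port Forward produces, written by hand: DNAT in
# PREROUTING, then ACCEPT of the translated packet in FORWARD. Open to all.
port_forward_open() {
  $IPTABLES -t nat -A PREROUTING -i $WANIF -p tcp --dport $EXTPORT \
      -j DNAT --to-destination $LANHOST:$RDPPORT
  $IPTABLES -t filter -A FORWARD -i $WANIF -d $LANHOST -p tcp --dport $RDPPORT -j ACCEPT
}

# The single custom rule: drop anything for that host/port that did NOT come
# from the office. -I puts it above the ACCEPT; -i $WANIF keeps it from also
# blocking VPN (tun+) clients, whose ACCEPT sits below the custom rules.
restrict_to_office() {
  $IPTABLES -t filter -I FORWARD -i $WANIF ! -s $OFFICEIP -d $LANHOST \
      -p tcp --dport $RDPPORT -j DROP
}

# ---- dry run: a fake iptables that models -I (prepend) and -A (append) ----
nl='
'
FWD=""     # fake FORWARD chain, one rule per line, top of chain first
fake_iptables() {
  rule="$*"; table=filter; action=""; chain=""
  while [ $# -gt 0 ]; do
    case $1 in
      -t)    table=$2; shift ;;
      -I|-A) action=$1; chain=$2; shift ;;
    esac
    shift
  done
  [ "$table" = filter ] && [ "$chain" = FORWARD ] || return 0   # nat ignored
  if [ "$action" = -I ]; then FWD="$rule$nl$FWD"; else FWD="$FWD$rule$nl"; fi
}

# Does a packet from $1 match the rule given in the remaining words? Only -s
# and "! -s" are evaluated (exact match, no CIDR): every rule here already
# names the same destination and port, so only the source decides.
rule_matches() {
  pkt_src=$1; shift
  while [ $# -gt 0 ]; do
    case $1 in
      -s)  [ "$2" = "$pkt_src" ] || return 1; shift ;;
      '!') if [ "$2" = -s ]; then [ "$3" != "$pkt_src" ] || return 1; shift 2; fi ;;
    esac
    shift
  done
  return 0
}

# Target of the first FORWARD rule matching a packet from $1 (first match wins).
first_match() {
  fm_src=$1
  hit=$(printf '%s' "$FWD" | while IFS= read -r line; do
          set -- $line
          if rule_matches "$fm_src" "$@"; then
            t=${line##* -j }; echo "${t%% *}"; break
          fi
        done)
  echo "${hit:-policy:DROP}"
}

# Webconfig forward plus the negated DROP: office gets in, everyone else does not.
scenario_recommended() {
  FWD=""; IPTABLES=fake_iptables
  port_forward_open; restrict_to_office
  echo "office=$(first_match $OFFICEIP) other=$(first_match 198.51.100.7)"
}

# The two -I rules from the opening post, in that order: the DROP inserted
# second lands on top, so even the office is dropped (and there is no DNAT).
scenario_op_original() {
  FWD=""; IPTABLES=fake_iptables
  $IPTABLES -t filter -I FORWARD -s $OFFICEIP -d $LANHOST -p tcp --dport $RDPPORT -j ACCEPT
  $IPTABLES -t filter -I FORWARD -d $LANHOST -p tcp --dport $RDPPORT -j DROP
  echo "office=$(first_match $OFFICEIP) other=$(first_match 198.51.100.7)"
}

scenario_recommended    # office=ACCEPT other=DROP
scenario_op_original    # office=DROP other=DROP
```

On ClearOS itself only the restrict_to_office rule goes into Custom Firewall (with the real office address); the webconfig Port Forward already supplies the DNAT and the ACCEPT, and because custom rules load after it, -I puts the DROP ahead of them. Matching -i eth0 rather than the external address matters on a DHCP WAN, and it also keeps the DROP from hitting OpenVPN clients, since the tun+ ACCEPT sits at the bottom of FORWARD in the dump above. Check the result with iptables -nvL FORWARD --line-numbers, then try the port from a non-office address.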