
Eg Mu
Hi All.

Just installed COS for the first time... looks great.
I've used Smoothwall for years, but when replacing my fw I wanted to try COS7.

You guys will probably just shake your heads, for that I'm sorry, but here we go (again)...

My COS doesn't have a static external IP from the ISP. It's DHCP and changes every second day or so.

After installing COS yesterday everything works like a charm, but my first issue is:
Occasionally I need to RDP to my computer from my office (not the default RDP port, of course).
The office has a static IP.
So I do a Port Forward in COS, and this works fine, but it also works from *all* external IPs on the internet, which of course isn't wanted at all.

Reading up on a lot of posts and searches, I tried adding the rules in "Custom Firewall" instead:

$IPTABLES -t filter -I FORWARD -s OFFICEIP -d 192.168.4.109 -p tcp --dport 3306 -j ACCEPT
$IPTABLES -t filter -I FORWARD -d 192.168.4.109 -p tcp --dport 3306 -j DROP
(OFFICEIP being the static IP of the office)

So, in my understanding this should accept port 3306 from my office IP but drop all others,

but I just can't make this work.

Am I mistakenly entering my office IP in the second rule there?
Any other hints?
What am I missing... (except for brains, obviously)

Kindly
Saturday, January 12 2019, 12:48 PM
Responses (11)
  • Wednesday, January 16 2019, 10:19 PM
    It looks like you have two port forwards to 192.168.1.165 - UDP ports 4569 and 10000-20000. You must have the FORWARD rules for them. The ones I do not understand are:
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- * * 216.115.69.144 192.168.1.165 udp dpt:5160
    0 0 ACCEPT udp -- * * 34.226.36.32/28 192.168.1.165 udp dpt:5060
    0 0 ACCEPT udp -- * * 147.75.60.160/28 192.168.1.165 udp dpt:5060
    737 344K ACCEPT udp -- * * 34.210.91.112/28 192.168.1.165 udp dpt:5060
    0 0 DROP udp -- * * 0.0.0.0/0 192.168.1.165 udp dpt:5160
    0 0 DROP udp -- * * 0.0.0.0/0 192.168.1.165 udp dpt:5060

    Any packet coming in from the outside will have a destination IP of XX.XX.XXX.XXX. In order for it to get to 192.168.1.165, it must be either a return packet or it must go through a PREROUTING DNAT rule to change its destination IP from XX.XX.XXX.XXX to 192.168.1.165 or it won't match the rules in the FORWARD chain. Either that or I have completely missed something.
  • Wednesday, January 16 2019, 03:24 PM
    Thanks Nick!

    If I disable/delete the rules I have, no one can dial in to my FreePBX server.

    Let me ask you this.... with what I have, should I add a port forwarding rule in the ClearOS WebGUI? Not quite understanding or getting what I should do with what I have. Should I eliminate one of my rules?

    BTW, I actually got the drop and accept rules from a prior post from you some year(s) ago. Wish I could find the post. But I don't recall if you stated then to add a standard webgui port forward rule.

    John
  • Wednesday, January 16 2019, 08:24 AM
    I can't give you best practices. All I can give is how I would do it. Not even how I do it, as I don't have any port forwards. I wouldn't even like to judge what the best practice is. To me, for a single external IP, a ClearOS port forward with a Custom FORWARD block is the easiest way to go, but it only works for a single IP because you can do a not-equals. There is no concept of an IP not in a list in iptables. You can put a number of IPs in a comma-separated list, but when iptables interprets it, it creates individual rules for each IP and this does not work with negation.

    If you have multiple IPs you need a blanket drop rule and multiple accept rules manually in the FORWARD chain. You also need a PREROUTING rule and a POSTROUTING rule. They can all be done through custom rules, or if you use ClearOS port forwarding, it will do the PREROUTING and POSTROUTING rules for you. If you go down the Custom route, you can target the PREROUTING rule to specific source IPs.

    Thinking about it while writing this post, you may be able to do a single FORWARD rule, multiple PREROUTING rules (which you may get into one line with a comma-separated list of IPs) and a single POSTROUTING rule.

    It is really up to you.

    @John,
    If your rules are working then you don't need port forwarding. I can't make a judgement call unless you know what your requirements are. Does your SIP provider ask for port forwarding (so will he initiate a connection) or does he just need to be able to reply to those ports, in which case no rules are necessary? The rules which you have restrict replies, but as you control the IPs which are contacted, how would you be contacting other IPs anyway? As you don't have any PREROUTING rules, any unsolicited contact from the outside will be dropped.
  • Tuesday, January 15 2019, 09:34 PM
    Hi Nick!

    Port 5160, if one is using both PJSIP and SIP, is now a nonstandard port for SIP. PJSIP has taken over 5060.

    Let's start from square one... or maybe we should move this to a new forum post. But how about a good step by step best practices tutorial on proper port forwarding from a specific, singular, Internet IP for any singular port, or multiple ports.

    Somehow I am surely missing something! Not fully understanding.

    Am I to make a standard port forwarding rule as well in the ClearOS WebGUI?

    Thanks!

    John
  • Tuesday, January 15 2019, 08:42 AM
    How you do the rules is up to you. One way is to create a single Port Forward in the Webconfig and then one custom rule (or perhaps 2 if you can't negate the source IP), or you create three custom rules to emulate the Port Forwarding rules but target specific IPs.

    I don't see how your rules work as port forwarding rules as there are no DNAT rules. The only place I see them working is if 192.168.1.165 is initiating contact and your rules are blocking return packets. Effectively you are overriding the rule:
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    3172K 3405M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    I don't see a way for anyone externally to initiate a connection to 192.168.1.165 on udp:5060 or udp:5160. Or, perhaps I am missing something.

    BTW is udp:5160 correct? Typically 5061 goes with 5060 with VoIP.
  • Tuesday, January 15 2019, 04:23 AM
    Thanks Nick..

    Just trying to learn more and it is great to pick the brains of experts!

    So... am I doing this wrong? Should I have also set up a standard port forwarding rule in the WebGUI? This would be under Network -> Port Forwarding? Or is what I have good? Just wanting best practices, but I assure you this seems to work with no other rules.

    Here is a dump of port forwarding that seems to work well. Even the results seem to show things as good. Oh... I did ask about the dollar sign in iptables and you responded some time ago, just FYI.


    [root@jcits ~]# iptables -nvL
    Chain INPUT (policy DROP 21338 packets, 937K bytes)
    pkts bytes target prot opt in out source destination
    161 12236 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state RELATED,ESTABLISHED
    1250 63914 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    78 6692 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    0 0 DROP all -- eth0 * 127.0.0.0/8 0.0.0.0/0
    0 0 DROP all -- eth0 * 169.254.0.0/16 0.0.0.0/0
    5873 783K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    29318 2539K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
    709 20561 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 0
    0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 3
    8 303 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
    0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 11
    321 106K ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
    12845 1923K ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
    4 776 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- * * 216.115.69.144 192.168.1.165 udp dpt:5160
    0 0 ACCEPT udp -- * * 34.226.36.32/28 192.168.1.165 udp dpt:5060
    0 0 ACCEPT udp -- * * 147.75.60.160/28 192.168.1.165 udp dpt:5060
    737 344K ACCEPT udp -- * * 34.210.91.112/28 192.168.1.165 udp dpt:5060
    0 0 DROP udp -- * * 0.0.0.0/0 192.168.1.165 udp dpt:5160
    0 0 DROP udp -- * * 0.0.0.0/0 192.168.1.165 udp dpt:5060
    260 15248 ACCEPT tcp -- * eth1 0.0.0.0/0 192.168.1.50 tcp dpt:80
    277 16132 ACCEPT tcp -- * eth1 0.0.0.0/0 192.168.1.51 tcp dpt:80
    10 580 ACCEPT tcp -- * eth1 0.0.0.0/0 192.168.1.52 tcp dpt:80
    5134 287K ACCEPT tcp -- * eth1 0.0.0.0/0 192.168.1.53 tcp dpt:80
    0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 192.168.1.222 tcp dpts:4525:4529
    199 9804 ACCEPT tcp -- * eth1 0.0.0.0/0 192.168.1.222 tcp dpt:81
    145 9262 ACCEPT tcp -- * eth1 0.0.0.0/0 192.168.1.20 tcp dpt:443
    6173 888K ACCEPT udp -- * eth1 0.0.0.0/0 192.168.1.165 udp dpt:4569
    112 12257 ACCEPT udp -- * eth1 0.0.0.0/0 192.168.1.165 udp dpts:10000:20000
    0 0 ACCEPT udp -- * eth1 0.0.0.0/0 192.168.1.240 udp dpts:50000:52000
    0 0 ACCEPT 47 -- eth0 eth1 0.0.0.0/0 192.168.1.5
    2 80 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 192.168.1.5 tcp dpt:1723
    3172K 3405M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    53722 4460K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    5880 784K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * pptp+ 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    20531 3402K ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
    855 34824 ACCEPT icmp -- * eth0 0.0.0.0/0 0.0.0.0/0
    1 328 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
    0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
    13021 888K ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0

    Chain DROP-lan (0 references)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
    [root@jcits ~]#


    [root@jcits ~]# iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 122K packets, 13M bytes)
    pkts bytes target prot opt in out source destination
    5 260 DNAT tcp -- * * 0.0.0.0/0 XX.XX.XXX.XXX tcp dpt:8084 to:192.168.1.50:80
    5 260 DNAT tcp -- * * 0.0.0.0/0 XX.XX.XXX.XXX tcp dpt:8085 to:192.168.1.51:80
    4 220 DNAT tcp -- * * 0.0.0.0/0 XX.XX.XXX.XXX tcp dpt:8086 to:192.168.1.52:80
    86 4588 DNAT tcp -- * * 0.0.0.0/0 XX.XX.XXX.XXX tcp dpt:8090 to:192.168.1.53:80
    0 0 DNAT tcp -- * * 0.0.0.0/0 XX.XX.XXX.XXX tcp dpts:4525:4529 to:192.168.1.222
    49 2408 DNAT tcp -- * * 0.0.0.0/0 XX.XX.XXX.XXX tcp dpt:81 to:192.168.1.222:81
    25 1148 DNAT tcp -- * * 0.0.0.0/0 XX.XX.XXX.XXX tcp dpt:443 to:192.168.1.20:443
    0 0 DNAT udp -- * * 0.0.0.0/0 XX.XX.XXX.XXX udp dpt:4569 to:192.168.1.165:4569
    1 44 DNAT udp -- * * 0.0.0.0/0 XX.XX.XXX.XXX udp dpts:10000:20000 to:192.168.1.165
    0 0 DNAT udp -- * * 0.0.0.0/0 XX.XX.XXX.XXX udp dpts:50000:52000 to:192.168.1.240
    0 0 DNAT 47 -- * * 0.0.0.0/0 XX.XX.XXX.XXX to:192.168.1.5
    1 40 DNAT tcp -- * * 0.0.0.0/0 XX.XX.XXX.XXX tcp dpt:1723 to:192.168.1.5

    Chain POSTROUTING (policy ACCEPT 701 packets, 52772 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    3 180 SNAT tcp -- * * 192.168.1.0/24 192.168.1.50 tcp dpt:80 to:192.168.1.1
    3 180 SNAT tcp -- * * 192.168.1.0/24 192.168.1.51 tcp dpt:80 to:192.168.1.1
    3 180 SNAT tcp -- * * 192.168.1.0/24 192.168.1.52 tcp dpt:80 to:192.168.1.1
    9 540 SNAT tcp -- * * 192.168.1.0/24 192.168.1.53 tcp dpt:80 to:192.168.1.1
    0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.222 tcp dpts:4525:4529 to:192.168.1.1
    0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.222 tcp dpt:81 to:192.168.1.1
    0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.20 tcp dpt:443 to:192.168.1.1
    0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.165 udp dpt:4569 to:192.168.1.1
    0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.165 udp dpts:10000:20000 to:192.168.1.1
    0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.240 udp dpts:50000:52000 to:192.168.1.1
    59976 4677K MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 14321 packets, 957K bytes)
    pkts bytes target prot opt in out source destination
    [root@jcits ~]#
  • Monday, January 14 2019, 04:48 PM
    Can I suggest you give a dump of:
    iptables -nvL
    iptables -nvL -t nat
    between code tags.

    The purpose of the DNAT rule in the PREROUTING chain is to redirect IP packets that were destined to your external IP address to your internal IP address. It is only when the packets hit the firewall that such a redirection can take place. Externally your SIP provider knows nothing about your LAN. Your forward rules make no sense without the PREROUTING.

    Then, in order to get the rule into one line, I drop everything from anywhere except the single IP from which it is being forwarded. The reason you need your DROP rule is because you probably already have a proper port forwarding rule further down the FORWARD chain which you are trying to negate.

    The purpose of $IPTABLES in v7 is that it evaluates to "/usr/sbin/iptables -w" and the -w is important if you want to avoid table locking problems. The -w switch does not exist in v6 and you can hit race conditions because of it, so there is no need to use $IPTABLES. I guess it also gives the devs some flexibility as they can tweak the meaning of "$IPTABLES" if anything changes upstream.
  • Monday, January 14 2019, 04:44 PM
    My use:

    iptables -t filter -I FORWARD -d 192.168.1.165 -p udp --dport 5060 -j DROP
    iptables -t filter -I FORWARD -s 34.210.91.112/28 -d 192.168.1.165 -p udp --dport 5060 -j ACCEPT

    What is the difference? If mine work for SIP and PJSIP, why won't they work for RDP for the OP? These are in Custom Firewall only and I do not use a standard port forward under Network Port Forwarding.


    You could swap the order of the two rules or maybe change the -I to a -A on the second rule. Or insert a 1 after -I in the first rule and a 2 after the -I in the second rule. Seems to me the way you have the rules written, the first rule would be inserted at line 1, first. Then the second rule would be inserted at line 1, second. So since iptables works from rule 1 on down, the port accept rule would run first, then the drop rule. An append on the second rule would put it at the end of the table.
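The ordering question raised just above (what `-I` does versus `-A`), together with Nick's earlier point that nothing in FORWARD carrying `-d 192.168.4.109` can match an inbound packet until a PREROUTING DNAT has rewritten its destination, can be checked without touching a live firewall. The script below is an added example, not code from the thread: a small POSIX sh model in which `-I` inserts at rule 1, `-A` appends, PREROUTING rewrites the destination first, and FORWARD is evaluated first-match with a DROP policy. It matches addresses exactly (no prefixes, no ports); 192.168.4.109 is the OP's LAN host, while the office, WAN and stranger addresses are constructed stand-ins for OFFICEIP and XX.XX.XXX.XXX.

```shell
#!/bin/sh
# Added example, not code from the thread: a tiny model of how iptables orders and evaluates
# the rules discussed in this thread. It keeps only what the discussion turns on: PREROUTING
# DNAT rewrites the destination before FORWARD is consulted, "-I" inserts at rule 1 while
# "-A" appends, and FORWARD is first-match with a DROP policy. Addresses match exactly.

NL='
'
NAT=""       # PREROUTING DNAT entries, one per line: "WAN_DST LAN_DST"
FORWARD=""   # FORWARD rules, one per line: "SRC DST VERDICT" (ANY is a wildcard)

reset_tables() { NAT=""; FORWARD=""; }

# dnat_rule WAN_DST LAN_DST : add a PREROUTING DNAT entry
dnat_rule() {
    if [ -z "$NAT" ]; then NAT="$1 $2"; else NAT="$NAT$NL$1 $2"; fi
}

# fw_rule MODE SRC DST VERDICT : MODE I inserts at rule 1 (iptables -I), A appends (iptables -A)
fw_rule() {
    rule="$2 $3 $4"
    if [ -z "$FORWARD" ]; then FORWARD=$rule
    elif [ "$1" = I ]; then FORWARD="$rule$NL$FORWARD"
    else FORWARD="$FORWARD$NL$rule"
    fi
}

# walk SRC DST : run one new inbound packet through PREROUTING and FORWARD, print the verdict
walk() {
    src=$1; dst=$2; oldifs=$IFS
    IFS=$NL; set -- $NAT; IFS=$oldifs
    for entry in "$@"; do                       # PREROUTING: DNAT rewrites the destination
        if [ "${entry%% *}" = "$dst" ]; then dst=${entry#* }; fi
    done
    IFS=$NL; set -- $FORWARD; IFS=$oldifs
    for rule in "$@"; do                        # FORWARD: the first matching rule decides
        rsrc=${rule%% *}; rest=${rule#* }; rdst=${rest%% *}; verdict=${rest#* }
        if { [ "$rsrc" = ANY ] || [ "$rsrc" = "$src" ]; } &&
           { [ "$rdst" = ANY ] || [ "$rdst" = "$dst" ]; }; then
            echo "$verdict"; return 0
        fi
    done
    echo DROP                                   # chain policy, as in the listings in the thread
}

OFFICE=198.51.100.10   # constructed stand-in for OFFICEIP
WAN=203.0.113.5        # constructed stand-in for the firewall's external (DHCP) address
HOST=192.168.4.109     # the OP's LAN host

# The OP's two custom rules as posted (both -I, ACCEPT first) and no DNAT: the packet still
# carries the WAN destination, so neither "-d 192.168.4.109" rule can match.
op_no_dnat() {
    reset_tables
    fw_rule I "$OFFICE" "$HOST" ACCEPT
    fw_rule I ANY "$HOST" DROP
    walk "$OFFICE" "$WAN"
}

# Same two rules plus a DNAT: the packet now reaches FORWARD, but the second -I placed the
# blanket DROP at rule 1, above the office ACCEPT.
op_with_dnat() {
    reset_tables
    dnat_rule "$WAN" "$HOST"
    fw_rule I "$OFFICE" "$HOST" ACCEPT
    fw_rule I ANY "$HOST" DROP
    walk "$OFFICE" "$WAN"
}

# DROP inserted first, ACCEPT inserted second (the order in John's working rules), with DNAT:
# the ACCEPT sits at rule 1, so the office gets through and every other source hits the DROP.
ordered_with_dnat() {   # ordered_with_dnat SRC
    reset_tables
    dnat_rule "$WAN" "$HOST"
    fw_rule I ANY "$HOST" DROP
    fw_rule I "$OFFICE" "$HOST" ACCEPT
    walk "$1" "$WAN"
}

echo "OP rules, no DNAT, from office:     $(op_no_dnat)"
echo "OP rules, with DNAT, from office:   $(op_with_dnat)"
echo "DROP then ACCEPT, from office:      $(ordered_with_dnat "$OFFICE")"
echo "DROP then ACCEPT, from a stranger:  $(ordered_with_dnat 192.0.2.99)"
```

Run it with sh. The first two scenarios print DROP for different reasons: in the first the destination was never rewritten, so the FORWARD rules are never reached; in the second the two `-I` inserts left the blanket DROP at rule 1. Inserting the DROP before the ACCEPT, as in John's rules, prints ACCEPT for the office address and DROP for anyone else, which is the ordering visible in John's `iptables -nvL` listing where the ACCEPT lines sit above the DROP lines.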
  • Monday, January 14 2019, 04:29 PM
    Hi Nick!

    Just for my understanding, I use his (OP's) rules for my port forwarding of SIP traffic from my SIP provider to my internal FreePBX. Works like a charm. I do not use a DROP rule with IPTABLES -, but IPTABLES -t. I've asked and posted a couple of my rules in other posts, more recently over COS 6 and COS7 use of $IPTABLES.

    My use:

    iptables -t filter -I FORWARD -d 192.168.1.165 -p udp --dport 5060 -j DROP
    iptables -t filter -I FORWARD -s 34.210.91.112/28 -d 192.168.1.165 -p udp --dport 5060 -j ACCEPT

    What is the difference? If mine work for SIP and PJSIP, why won't they work for RDP for the OP? These are in Custom Firewall only and I do not use a standard port forward under Network Port Forwarding.

    Thanks!

    John
  • Eg Mu
    Saturday, January 12 2019, 05:10 PM
    Perfect!

    The iptables approach blocking the unwanted IPs there fixed it.

    Thank you very much!
  • Saturday, January 12 2019, 01:58 PM
    You're missing a PREROUTING (DNAT) rule and possibly a POSTROUTING rule (SNAT). If you set up a normal port forward, do an "iptables -nvL -t nat" to see how it is done.

    You may find it easier to set up a standard port forwarding rule and then filter the unwanted IPs with an extra custom rule. Custom rules load after Port Forwards when the firewall starts, so any custom rule inserted into a table (-I) will take precedence over the port forward. Try something like:
    $IPTABLES -I FORWARD ! -s OFFICEIP -d 192.168.4.109 -p tcp --dport 3306 -j DROP


    Personally I don't like allowing access this way. I always prefer connecting to ClearOS by OpenVPN then you can do the RDP directly by the machine's LAN IP or FQDN.
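The two shapes Nick describes in this thread (a WebGUI port forward plus one negated custom FORWARD rule when there is a single permitted source, or a fully custom DNAT/FORWARD set with one ACCEPT per source when there are several) as a script that prints the rules for review before they go into the Custom Firewall module. This is an added example, not code from the thread or from ClearOS: 192.168.4.109 is the OP's LAN host, while the interface name, addresses and ports are constructed placeholders, and the `-i WAN_IF` matches and the interface-based DNAT are additions of mine rather than anything the thread shows.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClearOS: print the iptables commands for a
# port forward that only known source addresses may use. Nothing is applied; review the
# output, then paste it into the Custom Firewall module. 192.168.4.109 is the LAN host from
# the thread; every other address, interface name and port below is a constructed placeholder.
# PORT arguments are the port on the LAN host, because FORWARD sees the packet after DNAT.

IPTABLES='$IPTABLES'   # on ClearOS 7 this expands to "/usr/sbin/iptables -w" (per the thread)

# Option A (single source): keep the WebGUI port forward, which supplies the PREROUTING DNAT
# and POSTROUTING rules, and insert one custom FORWARD rule that drops the forwarded traffic
# from every other source. "! -s" negates one address or prefix, never a list, which is why
# this shape is single-source only. The "-i WAN_IF" match (an addition here, assumed interface
# name) keeps the DROP from also hitting LAN clients that talk to the host on the same port.
forward_drop_all_but() {   # forward_drop_all_but WAN_IF ALLOWED_SRC LAN_HOST PROTO PORT
    printf '%s -I FORWARD -i %s ! -s %s -d %s -p %s --dport %s -j DROP\n' \
        "$IPTABLES" "$1" "$2" "$3" "$4" "$5"
}

# Option B (several sources): no WebGUI port forward; emulate it with custom rules. One
# PREROUTING DNAT per source rewrites the destination to the LAN host (without a DNAT no
# FORWARD rule with "-d LAN_HOST" can match inbound traffic), and one FORWARD ACCEPT per
# source sits above a blanket FORWARD DROP for that host and port. The DNAT matches the
# inbound interface rather than "-d WAN_IP" so it keeps working when the DHCP-assigned WAN
# address changes. The POSTROUTING SNAT that ClearOS adds for its own forwards only serves
# LAN clients reaching the service through the WAN address; this DNAT matches the WAN
# interface only, so that case does not arise and no POSTROUTING rule is emitted. Custom
# rules load after the built-in ones, so everything is inserted with -I; the DROP is printed
# first so that each later ACCEPT insert lands above it.
custom_forward() {   # custom_forward WAN_IF LAN_HOST PROTO EXT_PORT INT_PORT SRC...
    wan_if=$1; host=$2; proto=$3; ext=$4; int=$5; shift 5
    printf '%s -I FORWARD -i %s -d %s -p %s --dport %s -j DROP\n' \
        "$IPTABLES" "$wan_if" "$host" "$proto" "$int"
    for src in "$@"; do
        printf '%s -t nat -I PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$IPTABLES" "$wan_if" "$src" "$proto" "$ext" "$host" "$int"
        printf '%s -I FORWARD -i %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
            "$IPTABLES" "$wan_if" "$src" "$host" "$proto" "$int"
    done
}

# Demo with constructed values: two office addresses may reach TCP 3389 on 192.168.4.109,
# published on WAN port 33890 behind interface eth0.
forward_drop_all_but eth0 198.51.100.10 192.168.4.109 tcp 3389
echo
custom_forward eth0 192.168.4.109 tcp 33890 3389 198.51.100.10 198.51.100.20
```

Two design choices are worth calling out. Matching the DNAT on the inbound interface instead of `-d WAN_IP` is deliberate: the OP's external address is assigned by DHCP and changes every couple of days, and a PREROUTING rule pinned to a specific `-d` would silently stop matching after the next change (the WebGUI port forward regenerates its own `-d` rules, a custom rule does not). The `-i` match on the DROP rules matters because a bare `-d 192.168.4.109 --dport PORT -j DROP` inserted at the top of FORWARD also sits above the rule that accepts all traffic from the LAN interface, so LAN clients using the same port on that host would be blocked too.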