Firewall Configuration Reference

From Sympl Wiki
Revision as of 13:37, 17 July 2019


Sympl includes an easy-to-use firewall built on iptables. It protects the server by controlling inbound and outbound connections, and consists of a set of rule files plus automatically maintained whitelist and blacklist configuration.

Configuration changes can be made via SSH or serial/VNC console as the sympl user, and will take effect immediately.

Basic Firewall Configuration

The default configuration for Sympl should cover the majority of use cases. Take care when making any changes, since a mistake can lock you out of the server; if that happens you can still reach it via the serial or VNC console.

The configuration of the sympl-firewall package is built from a series of files and directories in the /etc/sympl/firewall/ directory, with incoming connections controlled by the files in /etc/sympl/firewall/incoming.d/ and the outgoing connections controlled by the files in /etc/sympl/firewall/outgoing.d/.

These files are named index_number-service_name_or_number. The index_number controls the order of the rules (file names are sorted as text, so 100-pop3 sorts before 20-25), and service_name_or_number is either a service name taken from /etc/services, a TCP/UDP port number, or one of a few special keywords.

Each of these files can either be empty, or contain a list of hostnames or IP addresses which the rule applies to, one per line.

If hostnames are used in the configuration files rather than IP addresses, they are resolved when the firewall is updated and the result is cached for up to 15 minutes. If the DNS answer changes within that period the firewall will not follow it, so IP addresses should be used where possible.

Firewall Keywords

Sympl provides a number of keywords for rules that are not tied to a port; they are used in the incoming.d/ and outgoing.d/ directories in the same way as service names.

As with ordinary service-name rules, each keyword file can be empty or can list IP addresses or hostnames, one per line, to which the rule applies.

Keyword Action
accept Accepts all connections. Uses the iptables ACCEPT target.
allow Alias of accept.
whitelist Alias of accept.
new Permit new connections. Uses the iptables NEW target.
established Permit traffic from connections which are already established. Uses the iptables ESTABLISHED target.
related Accept new connections associated with existing connections, such as DNS queries and FTP transfers. Uses the iptables RELATED target.
reject Reject all connections. Uses the iptables REJECT target. Returns a 'TCP reset' or 'port unreachable' message.
blacklist Alias of reject.
drop Drops all traffic. Uses the iptables DROP target.
ping Permits ICMP echo-request, echo-reply and ttl-exceeded traffic, which allows the server to respond to pings and show up on traceroute tests.
icmp Permit all ICMP traffic. Applies to IPv4 only.
icmpv6 Permit all ICMP6 traffic. Applies to IPv6 only.
essential-icmpv6 Accept the ICMP traffic required for IPv6 to operate: destination-unreachable, packet-too-big, parameter-problem, router-solicitation, router-advertisement, neighbour-solicitation and neighbour-advertisement. If this rule is removed IPv6 will very likely stop working properly. Applies to IPv6 only.
dns Accept TCP and UDP packets with source port 53 arriving at high-numbered unprivileged ports, so that replies to the server's own DNS queries get through. It may be removed in favour of related. Applies to incoming connections only.
ftp Permit connections on both port 20 (ftp-data) and 21 (ftp-control).
collector Permit TCP connections on port 1919.
imager Permit TCP connections on port 5000.

Detailed definitions for these rules are contained in /usr/share/sympl/firewall/rule.d/, and new rules can be created in /usr/local/sympl/symbiosis/firewall/rule.d/ if desired.
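The script below is an added example, not Sympl's own implementation (which lives under /usr/share/sympl/firewall/rule.d/). It reads a directory laid out as described above, applies the text-sort ordering, handles the keywords from the table, and prints the iptables and ip6tables commands the files correspond to without applying anything. Its assumptions are marked in the code: service names are looked up with getent (/etc/services) and then a small built-in table, port rules are emitted for both TCP and UDP, IPv6-only keywords are reported rather than expanded, hostnames are flagged rather than resolved, and the demonstration directory is constructed in a temporary location from the example later on this page.

```shell
#!/bin/bash
# Added example: dry-run "compiler" for a Sympl-style incoming.d/ directory.
# It prints the iptables/ip6tables commands the rule files correspond to and
# never touches the running firewall. Not Sympl's own implementation.
#
# Assumptions: file names are index-service (index sorted as text); an empty
# file means "any source"; a non-empty file lists one address or CIDR per line;
# port rules are emitted for both TCP and UDP, like the listing on this page.

# Resolve a service name or port number to a port number. Numeric input is
# returned as-is; names go through getent (/etc/services) and then a small
# built-in table so the script also runs where /etc/services is missing.
service_port() {
    case "$1" in
        *[!0-9]*|'') ;;                        # not a plain number: look it up
        *) echo "$1"; return 0 ;;
    esac
    local p
    p=$(getent services "$1" 2>/dev/null | awk '{ split($2, a, "/"); print a[1]; exit }')
    [ -n "$p" ] && { echo "$p"; return 0; }
    case "$1" in                               # fallback table (assumption)
        ssh) echo 22 ;;  smtp) echo 25 ;;  domain) echo 53 ;;  http) echo 80 ;;
        pop3) echo 110 ;; imap) echo 143 ;; https) echo 443 ;;
        *) return 1 ;;
    esac
}

# emit FILE FRAG4 [FRAG6]: print one rule per source listed in FILE, or a single
# any-source rule if FILE is empty. FRAG4/FRAG6 are the match+target fragments
# for iptables and ip6tables (FRAG6 defaults to FRAG4).
emit() {
    local file=$1 frag4=$2 frag6=${3:-$2} src
    if [ ! -s "$file" ]; then
        echo "iptables  -A INPUT $frag4"
        echo "ip6tables -A INPUT $frag6"
        return
    fi
    while IFS= read -r src || [ -n "$src" ]; do
        case "$src" in
            ''|'#'*)     continue ;;                                   # blank or comment
            *:*)         echo "ip6tables -A INPUT -s $src $frag6" ;;  # IPv6 address/CIDR
            *[!0-9./]*)  echo "# $src: hostname, resolved when the firewall is rebuilt" ;;
            *)           echo "iptables  -A INPUT -s $src $frag4" ;;  # IPv4 address/CIDR
        esac
    done < "$file"
}

# compile_incoming_rules DIR: walk DIR in text-sorted order and translate each
# file into rules. Note the ordering consequence: "100-pop3" sorts before "20-25".
compile_incoming_rules() {
    local dir=$1 f name port
    ls -1 "$dir" | LC_ALL=C sort | while IFS= read -r f; do
        name=${f#*-}                           # strip the index prefix
        case "$name" in
            established|related)
                emit "$dir/$f" "-m state --state $(echo "$name" | tr '[:lower:]' '[:upper:]') -j ACCEPT" ;;
            accept|allow|whitelist) emit "$dir/$f" "-j ACCEPT" ;;
            reject|blacklist)       emit "$dir/$f" "-j REJECT" ;;
            drop)                   emit "$dir/$f" "-j DROP" ;;
            ping)   # echo-request, echo-reply, time-exceeded (ICMP 8/0/11, ICMPv6 128/129/3)
                emit "$dir/$f" "-p icmp --icmp-type 8 -j ACCEPT"  "-p icmpv6 --icmpv6-type 128 -j ACCEPT"
                emit "$dir/$f" "-p icmp --icmp-type 0 -j ACCEPT"  "-p icmpv6 --icmpv6-type 129 -j ACCEPT"
                emit "$dir/$f" "-p icmp --icmp-type 11 -j ACCEPT" "-p icmpv6 --icmpv6-type 3 -j ACCEPT" ;;
            essential-icmpv6|icmpv6)
                echo "# $f: IPv6-only keyword, expands to ip6tables rules (see the keyword table)" ;;
            *)
                port=$(service_port "$name") || { echo "# $f: unknown service '$name', skipped"; continue; }
                emit "$dir/$f" "-p tcp --dport $port -j ACCEPT"
                emit "$dir/$f" "-p udp --dport $port -j ACCEPT" ;;
        esac
    done
}

# Build the example directory from this page in a temporary location
# (constructed input) and print the compiled rule list.
demo_rules() {
    local d
    d=$(mktemp -d)
    : > "$d/00-related"; : > "$d/00-established"; : > "$d/05-essential-icmpv6"
    echo 10.11.12.13 > "$d/05-ping"
    printf '%s\n' 10.11.12.13 2001:0db8:85a3::/64 > "$d/07-ssh"
    : > "$d/10-http"; : > "$d/10-https"; : > "$d/100-pop3"
    echo 172.16.17.0/24 > "$d/20-25"
    : > "$d/99-reject"
    compile_incoming_rules "$d"
    rm -rf "$d"
}

demo_rules
```

Run it and read the output top to bottom: the two port 110 rules appear before the port 25 rules, which is the text-sort behaviour the example table warns about, and the final two lines are the REJECT rules from 99-reject. Pointing compile_incoming_rules at a real /etc/sympl/firewall/incoming.d/ is a quick way to review what a change will do before making it.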

Firewall Example

Here is an example of a basic firewall configuration for incoming traffic in Sympl. The files below all reside in /etc/sympl/firewall/incoming.d/ and are listed in the order the firewall processes them, which is a text sort of the file names.

File                 Containing             Result
00-related           (empty)                Accepts packets related to any already established traffic.
00-established       (empty)                Accepts packets belonging to any already established connection.
05-essential-icmpv6  (empty)                Allows the ICMP traffic required for IPv6 to function.
05-ping              10.11.12.13            Allows ICMP ping traffic, but only from the IPv4 address 10.11.12.13.
07-ssh               10.11.12.13            Allows connections to port 22 (SSH) from the IPv4 address 10.11.12.13 and
                     2001:0db8:85a3::/64    from the IPv6 range 2001:0db8:85a3::/64.
10-http              (empty)                Allows traffic to port 80 (HTTP).
10-https             (empty)                Allows traffic to port 443 (HTTPS).
100-pop3             (empty)                Allows traffic to port 110 (POP3). Note that this file is processed here, before 20-25, because the index numbers are sorted as text rather than numerically.
20-25                172.16.17.0/24         Allows connections to port 25 (SMTP) from the 172.16.17.0/24 range only.
99-reject            (empty)                Rejects any other traffic.

You can view the generated incoming rules that iptables is using with sudo iptables -L INPUT -vn, which for the configuration above looks like this:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in out source          destination
    0     0 ACCEPT    all  --  lo *   0.0.0.0/0       0.0.0.0/0
   16  1024 whitelist all  --  *  *   0.0.0.0/0       0.0.0.0/0
    0     0 blacklist all  --  *  *   0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT    all  --  *  *   0.0.0.0/0       0.0.0.0/0 state ESTABLISHED
    0     0 ACCEPT    all  --  *  *   0.0.0.0/0       0.0.0.0/0 state RELATED
    0     0 ACCEPT    icmp --  *  *   10.11.12.13     0.0.0.0/0 icmp type 8
    0     0 ACCEPT    icmp --  *  *   10.11.12.13     0.0.0.0/0 icmp type 0
    0     0 ACCEPT    icmp --  *  *   10.11.12.13     0.0.0.0/0 icmp type 11
    0     0 ACCEPT    tcp  --  *  *   10.11.12.13     0.0.0.0/0 tcp dpt:22
    0     0 ACCEPT    udp  --  *  *   10.11.12.13     0.0.0.0/0 udp dpt:22
    0     0 ACCEPT    tcp  --  *  *   0.0.0.0/0       0.0.0.0/0 tcp dpt:80
    0     0 ACCEPT    udp  --  *  *   0.0.0.0/0       0.0.0.0/0 udp dpt:80
    0     0 ACCEPT    tcp  --  *  *   0.0.0.0/0       0.0.0.0/0 tcp dpt:443
    0     0 ACCEPT    udp  --  *  *   0.0.0.0/0       0.0.0.0/0 udp dpt:443
    0     0 ACCEPT    tcp  --  *  *   0.0.0.0/0       0.0.0.0/0 tcp dpt:110
    0     0 ACCEPT    udp  --  *  *   0.0.0.0/0       0.0.0.0/0 udp dpt:110
    0     0 ACCEPT    tcp  --  *  *   172.16.17.0/24  0.0.0.0/0 tcp dpt:25
    0     0 ACCEPT    udp  --  *  *   172.16.17.0/24  0.0.0.0/0 udp dpt:25
    0     0 REJECT    all  --  *  *   0.0.0.0/0       0.0.0.0/0 reject-with icmp-port-unreachable

Two things are worth noticing in this output. The IPv6 rules (from 05-essential-icmpv6 and the 2001:0db8:85a3::/64 entry in 07-ssh) are not shown, because IPv6 rules are held by the separate ip6tables tool; list them with sudo ip6tables -L INPUT -vn. Also, the chain's default policy is ACCEPT, so the final REJECT rule generated from 99-reject is what actually blocks everything not matched above it: if you remove that file, unmatched traffic is accepted, and if you give it an index that sorts before your accept rules, those rules never match and you will lock yourself out.
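After reading a listing like the one above, the two checks a practitioner wants are whether the chain really ends in a deny rule and which ports are open to the whole internet. The script below is an added example, not Sympl's own code: it parses the verbose iptables -L INPUT -vn layout with awk and runs both checks over a sample listing constructed from the one above (shortened, and not captured from a live system). It assumes the default column layout of the verbose listing (pkts bytes target prot opt in out source destination, then extras) and treats both 0.0.0.0/0 and ::/0 as "any source" so the same functions work on ip6tables output.

```shell
#!/bin/bash
# Added example, not part of Sympl: sanity checks over the text that
# `iptables -L INPUT -vn` (or `ip6tables -L INPUT -vn`) prints.
# Assumption: the verbose listing layout, with the source address in column 8
# and the destination in column 9.

# world_open_ports: read a listing on stdin and print every proto/port the
# chain ACCEPTs from any source, one per line, in rule order.
world_open_ports() {
    awk 'function any(a) { return a == "0.0.0.0/0" || a == "::/0" }
         $3 == "ACCEPT" && any($8) {
             for (i = 10; i <= NF; i++)
                 if ($i ~ /^dpt:/) print $4 "/" substr($i, 5)
         }'
}

# chain_is_closed: read a listing on stdin; succeed if the chain policy is
# DROP or the last rule is a catch-all REJECT/DROP, otherwise warn and fail.
# With the ACCEPT policy shown on this page, only that final rule keeps the
# chain shut.
chain_is_closed() {
    awk 'function any(a) { return a == "0.0.0.0/0" || a == "::/0" }
         /^Chain / { policy = $4; sub(/\)/, "", policy) }
         $1 ~ /^[0-9]+[KMG]?$/ && NF >= 9 {     # a rule line starts with the pkts count
             last = ""
             if (($3 == "REJECT" || $3 == "DROP") && $4 == "all" &&
                 any($8) && any($9)) last = $3
         }
         END {
             if (policy == "DROP" || last != "") exit 0
             print "WARNING: policy " policy " with no final REJECT/DROP rule; unmatched traffic is accepted" > "/dev/stderr"
             exit 1
         }'
}

# Sample listing constructed from this page's example (not live output).
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in out source          destination
    0     0 ACCEPT    all  --  lo *   0.0.0.0/0       0.0.0.0/0
   16  1024 whitelist all  --  *  *   0.0.0.0/0       0.0.0.0/0
    0     0 blacklist all  --  *  *   0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT    all  --  *  *   0.0.0.0/0       0.0.0.0/0 state ESTABLISHED
    0     0 ACCEPT    all  --  *  *   0.0.0.0/0       0.0.0.0/0 state RELATED
    0     0 ACCEPT    icmp --  *  *   10.11.12.13     0.0.0.0/0 icmp type 8
    0     0 ACCEPT    tcp  --  *  *   10.11.12.13     0.0.0.0/0 tcp dpt:22
    0     0 ACCEPT    tcp  --  *  *   0.0.0.0/0       0.0.0.0/0 tcp dpt:80
    0     0 ACCEPT    udp  --  *  *   0.0.0.0/0       0.0.0.0/0 udp dpt:80
    0     0 ACCEPT    tcp  --  *  *   0.0.0.0/0       0.0.0.0/0 tcp dpt:443
    0     0 ACCEPT    tcp  --  *  *   0.0.0.0/0       0.0.0.0/0 tcp dpt:110
    0     0 ACCEPT    tcp  --  *  *   172.16.17.0/24  0.0.0.0/0 tcp dpt:25
    0     0 REJECT    all  --  *  *   0.0.0.0/0       0.0.0.0/0 reject-with icmp-port-unreachable
EOF
}

# Demo: report on the sample, then on the same sample with its final REJECT removed
# (what the chain looks like if 99-reject is deleted).
echo "World-open ports:"; sample_listing | world_open_ports
sample_listing | chain_is_closed && echo "sample chain: closed"
sample_listing | sed '$d' | chain_is_closed || echo "sample without 99-reject: OPEN"
```

Against a live server, sudo iptables -L INPUT -vn | chain_is_closed and sudo ip6tables -L INPUT -vn | chain_is_closed give a quick pass/fail after every change to incoming.d/, and world_open_ports is a useful thing to diff before and after adding a rule file.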

Custom Firewall Additions

Blocking and Allowing Hosts and Networks

Blacklisting

Whitelisting

Disabling the Firewall

Configuration Reference


See also Configuration Reference for other configuration files.