Firewall Config



  • 2011-12-14 09:51:30 PST
    According to the UDPCast documentation, the default portbase is 9000+. Is there a reason why FOG uses a non-standard port for UDPCast?



  • Hi guys, I've got a little problem with my firewall rules.
    I start my iptables configuration and my computer stops at TFTP. It doesn't show me the FOG boot menu.
    The TFTP ports are open, so what's my problem?

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          PareFeu
    # Required-Start:    $remote_fs $syslog
    # Required-Stop: 
    # Default-Start:    2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: Start daemon at boot time
    # Description:      Enable service provided by daemon.
    ### END INIT INFO
     
    # Flush the current tables
    iptables -t filter -F
    iptables -t mangle -F
    iptables -t nat -F
     
     
    # Delete user-defined chains
    iptables -t filter -X
    iptables -t mangle -X
    iptables -t nat -X
     
    # Deny all inbound and outbound connections by default
    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -P OUTPUT DROP
     
    # Don't break established connections
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     
    # Allow loopback
    iptables -t filter -A INPUT -i lo -j ACCEPT
    iptables -t filter -A OUTPUT -o lo -j ACCEPT
     
    # ICMP (ping)
    iptables -t filter -A INPUT -p icmp -j ACCEPT
    iptables -t filter -A OUTPUT -p icmp -j ACCEPT
     
    # SSH in
    iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
     
    # SSH out
    iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
     
    # DNS in/out
    iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
     
    # NTP out
    iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
     
    # HTTP + HTTPS out
    iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
     
    # HTTP + HTTPS in
    iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
     
    # FTP (20:21) and DHCP (67:68) out
    iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp --dport 20:21 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 67:68 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp --dport 67:68 -j ACCEPT
     
    # FTP (20:21), DHCP (67:68) and TFTP (69) in
    iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 20:21 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 67:69 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 67:69 -j ACCEPT
     
    # MySQL in/out (TCP 3306)
    iptables -t filter -A OUTPUT -p tcp --dport 3306 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT
     
    # NFS in/out (2049), TCP and UDP on the way in
    iptables -t filter -A OUTPUT -p udp --dport 2049 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 2049 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 2049 -j ACCEPT
     
    # Portmapper (111), TCP and UDP on the way in
    iptables -t filter -A OUTPUT -p udp --dport 111 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 111 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 111 -j ACCEPT
    
    

    Thank you for your ideas.

    EDIT:
    I found my problem:

    modprobe ip_conntrack_tftp
    modprobe ip_conntrack_ftp

    ;)



  • Thanks SomeOne! I’ll give this a try once things settle down here at work.



  • Hi,

    Here is what works for me. I did a multipart all disk image, I would assume it works for the other types too. But I did have to configure NFS to run on specific ports.
    I followed this
    http://bryanw.tk/2012/specify-nfs-ports-ubuntu-linux/

    But I used the following… the -p one was not working for me
    http://www.symantec.com/business/support/index?page=content&id=HOWTO3401

    I also added
    https://help.ubuntu.com/community/IptablesHowTo#Allowing_Established_Sessions

    Hope it helps!

    script:

    
    #!/bin/bash
     
    # Flush old rules
    iptables -F
     
    # Deny all incoming, allow all outgoing
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
     
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
     
    # Exception for FTP
    iptables -A INPUT -p tcp --dport 20 -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
     
    # Exception for SSH
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
     
    # Exception for TFTP and DHCP
    iptables -A INPUT -p udp --dport 67 -j ACCEPT
    iptables -A INPUT -p udp --dport 68 -j ACCEPT
    iptables -A INPUT -p udp --dport 69 -j ACCEPT
    iptables -A INPUT -p tcp --dport 67 -j ACCEPT
    iptables -A INPUT -p tcp --dport 68 -j ACCEPT
    iptables -A INPUT -p tcp --dport 69 -j ACCEPT
     
    iptables -A INPUT -p udp --dport 4011 -j ACCEPT
    iptables -A INPUT -p tcp --dport 4011 -j ACCEPT
     
    iptables -A INPUT -p tcp --dport 2070:2073 -j ACCEPT
    iptables -A INPUT -p udp --dport 2070:2073 -j ACCEPT
     
    iptables -A INPUT -p tcp --dport 1758:1759 -j ACCEPT
    iptables -A INPUT -p udp --dport 1758:1759 -j ACCEPT
     
     
    # Exception for HTTP(S)
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
     
    # Exception for Portmap
    iptables -A INPUT -p tcp --dport 111 -j ACCEPT
    iptables -A INPUT -p udp --dport 111 -j ACCEPT
     
    # Exception for NFS
    iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
    iptables -A INPUT -p udp --dport 2049 -j ACCEPT
    # Exception for NFS-common
    iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
    iptables -A INPUT -p udp --dport 4000 -j ACCEPT
    # Exception for NFS-lockd
    iptables -A INPUT -p tcp --dport 4001 -j ACCEPT
    iptables -A INPUT -p udp --dport 4001 -j ACCEPT
    # Exception for NFS-mountd
    iptables -A INPUT -p tcp --dport 4002 -j ACCEPT
    iptables -A INPUT -p udp --dport 4002 -j ACCEPT
     
    # Exception for transfer ports
    #iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
    #iptables -A INPUT -p udp --dport 1024:65535 -j ACCEPT
     
    iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7
     
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
     
    # List rules
    iptables -L
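Pulling together the two fixes in this thread (the FTP/TFTP connection-tracking helper modules from the post above, and the NFS daemons pinned to fixed ports as in this one), here is an added example of a rule builder for a FOG host. It is my own illustration, not a script from the thread or from the FOG project. The UDPCAST_PORTS, NFS_FIXED_PORTS and LAN values are placeholders to be set from your own FOG configuration; the helper modules use their modern nf_conntrack_* names, and the explicit CT helper assignment in the raw table is what kernels since 4.7 require, since they no longer attach helpers automatically. Run with IPT=echo MODPROBE=echo to print the rules without applying them.

```shell
#!/bin/sh
# Added example (not from the thread or FOG): FOG host firewall builder.
# IPT and MODPROBE default to the real binaries; set both to "echo" to dry-run.
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

# Assumed placeholder values, not FOG defaults: adjust to your FOG settings.
UDPCAST_PORTS="${UDPCAST_PORTS:-9000:9100}"     # assumed UDPCast port window (UDP)
NFS_FIXED_PORTS="${NFS_FIXED_PORTS:-4000:4002}" # statd/lockd/mountd pinned as in the post
LAN="${LAN:-10.0.0.0/24}"                       # assumed subnet the imaging clients sit on

# One "proto port" pair per line for the services FOG clients connect to.
fog_services() {
    cat <<'EOF'
tcp 21
tcp 22
udp 69
tcp 80
tcp 443
tcp 111
udp 111
tcp 2049
udp 2049
udp 4011
EOF
}

fog_firewall() {
    # Connection-tracking helpers so passive-FTP data streams and TFTP transfers
    # are classed RELATED (the fix found in the thread, under the modern names).
    $MODPROBE nf_conntrack_ftp
    $MODPROBE nf_conntrack_tftp

    $IPT -F INPUT
    $IPT -t raw -F PREROUTING
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Order matters: tracked traffic is accepted first, so every later rule
    # only has to cover the first packet of a new connection.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Kernels since 4.7 do not attach helpers automatically: assign them explicitly.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    $IPT -t raw -A PREROUTING -p udp --dport 69 -j CT --helper tftp

    # Service ports, restricted to the imaging subnet.
    fog_services | while read -r proto port; do
        $IPT -A INPUT -s "$LAN" -p "$proto" --dport "$port" -j ACCEPT
    done
    $IPT -A INPUT -s "$LAN" -p tcp --dport "$NFS_FIXED_PORTS" -j ACCEPT
    $IPT -A INPUT -s "$LAN" -p udp --dport "$NFS_FIXED_PORTS" -j ACCEPT
    # Only the multicast window is opened instead of the blanket 1024:65535 range.
    $IPT -A INPUT -s "$LAN" -p udp --dport "$UDPCAST_PORTS" -j ACCEPT

    # Log what is about to be dropped, rate-limited, as the last rule before the policy.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7
}

# Usage: sh fog-fw.sh apply        (IPT=echo MODPROBE=echo sh fog-fw.sh apply to preview)
case "${1:-}" in
    apply) fog_firewall ;;
esac
```

With the conntrack ACCEPT ahead of the service rules, the wide 1024:65535 range from the original script is no longer needed: the server's reply to a TFTP request (sent from a fresh high port) and the passive-FTP data stream are marked RELATED by the helpers, the pinned NFS daemons have known ports, and only the UDPCast window needs an explicit opening.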
    
    


  • Thanks for the reply.

    So I would have to check iptables and tcpdump to see what protocol/service actually uses this and verify if ports can be specifically set.
    I will check it out and report any findings here.



  • The port range could probably be scaled back, but I never got around to narrowing each range. From what I’ve come to understand (keep in mind that I’m not a network admin) most protocols have designated ports for establishing connections and then use random ports from the higher port range (generally 1024+) for the actual transfer. Some applications, such as UDPCast, allow you to specify the transfer port range, but that’s not always the case. So you probably don’t need the whole range but you’ll need some of it.



  • Hi
    I have been trying to find more information on these ports

    iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -p udp --dport 1024:65535 -j ACCEPT

    Why such a huge range?
    Is there a way to specify a smaller window? I am not using UDPCast.
    What component needs this range?

    Thanks!
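To answer "what component needs this range?" from evidence rather than guesswork, leave the blanket transfer-port rule commented out (as the script further up does), run an imaging job, and summarize what the LOG rule records. The following is an added example of mine, not from the thread: a small POSIX sh/awk summarizer over kernel log lines in the format the iptables LOG target emits, with the "iptables denied:" prefix used in the scripts here. The SAMPLE_LOG lines are constructed for the example, not real captures.

```shell
#!/bin/sh
# Added example (not from the thread): summarize dropped packets by protocol and
# destination port so the 1024:65535 rule can be narrowed to what is really used.

# Constructed sample of LOG-target kernel lines (not a real capture).
SAMPLE_LOG='Dec 14 09:51:30 fog kernel: iptables denied:IN=eth0 OUT= SRC=10.0.0.21 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=49152 DPT=2049 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 14 09:51:31 fog kernel: iptables denied:IN=eth0 OUT= SRC=10.0.0.22 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=1758 DPT=1758 LEN=28
Dec 14 09:51:31 fog kernel: iptables denied:IN=eth0 OUT= SRC=10.0.0.23 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=1758 DPT=1758 LEN=28
Dec 14 09:51:32 fog kernel: iptables denied:IN=eth0 OUT= SRC=10.0.0.24 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=1758 DPT=1758 LEN=28
Dec 14 09:51:33 fog kernel: iptables denied:IN=eth0 OUT= SRC=10.0.0.21 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=49153 DPT=2049 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 14 09:51:34 fog kernel: iptables denied:IN=eth0 OUT= SRC=10.0.0.25 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=6 PROTO=UDP SPT=2071 DPT=2071 LEN=28
Dec 14 09:51:35 fog kernel: iptables denied:IN=eth0 OUT= SRC=10.0.0.26 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# Read log text on stdin; print "PROTO DPT COUNT", most frequent first.
# Lines without a DPT field (e.g. ICMP) are skipped by the sed filter.
summarize_denied() {
    grep -F 'iptables denied:' \
    | sed -n 's/.*PROTO=\([A-Z0-9]*\).*DPT=\([0-9]*\).*/\1 \2/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $3, $1 }'
}

# Read log text on stdin; print the observed "min:max" port span for $1 (TCP or UDP).
denied_range() {
    summarize_denied \
    | awk -v proto="$1" '$1 == proto { print $2 }' \
    | sort -n \
    | awk 'NR == 1 { min = $1 } { max = $1 } END { if (NR) print min ":" max }'
}

# Read log text on stdin; print narrowed ACCEPT rules, one per protocol seen.
# Review before applying: the log also catches traffic unrelated to imaging.
suggest_rules() {
    log=$(cat)
    for proto in tcp udp; do
        range=$(printf '%s\n' "$log" | denied_range "$(printf '%s' "$proto" | tr a-z A-Z)")
        if [ -n "$range" ]; then
            printf 'iptables -A INPUT -p %s --dport %s -j ACCEPT\n' "$proto" "$range"
        fi
    done
}

# Usage: journalctl -k | sh denied-ports.sh summarize
#        dmesg | sh denied-ports.sh range UDP
#        sh denied-ports.sh demo   (runs on the constructed sample)
case "${1:-}" in
    summarize) summarize_denied ;;
    range)     denied_range "$2" ;;
    suggest)   suggest_rules ;;
    demo)      printf '%s\n' "$SAMPLE_LOG" | suggest_rules ;;
esac
```

For the prefix to really mean "denied", the LOG rule has to be the last rule before the DROP policy takes effect; inserted at position 5 as in the script above, it also logs (rate-limited) packets that later rules accept, so the counts would overstate. The observed min:max span is still a convenience, not a guarantee: a tool that picks ephemeral ports can land outside it on the next run, which is why a configurable port base such as UDPCast's is the more reliable thing to pin.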


  • Developer

    We used the non default port range so we could support a large number of concurrent multicasts (50+) without running into known used ports.


  • Developer

    At minimum the Web UI will be SSL.



  • I’ve thrown together an iptables config script that seems to work.

    #!/bin/bash
     
    # Flush old rules
    iptables -F
     
    # Deny all incoming, allow all outgoing
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
     
    # Exception for FTP
    iptables -A INPUT -p tcp --dport 20 -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
     
    # Exception for SSH
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
     
    # Exception for TFTP
    iptables -A INPUT -p udp --dport 69 -j ACCEPT
     
    # Exception for HTTP(S)
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
     
    # Exception for Portmap
    iptables -A INPUT -p tcp --dport 111 -j ACCEPT
    iptables -A INPUT -p udp --dport 111 -j ACCEPT
     
    # Exception for NFS
    iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
    iptables -A INPUT -p udp --dport 2049 -j ACCEPT
     
    # Exception for transfer ports
    iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -p udp --dport 1024:65535 -j ACCEPT
     
    # List rules
    iptables -L
    

    If anyone wants to test this, or just ask questions, please go right ahead.

