Firewall Config



  • [LIST=1]
    [*][URL='https://sourceforge.net/users/brycez/']brycez[/URL]
    [RIGHT]2011-12-12 08:43:04 PST[/RIGHT]
    I’m currently getting ready to deploy some new storage nodes and our IT security team wants to confirm our firewall configs, which means justifying every open port. So it looks like I’m going to need to document every necessary port for FOG. I was wondering if somebody might already have something like this written down somewhere that I could take a look at, otherwise I’ll just have to go through and figure it out. I can see that being useful documentation to keep on the FOG wiki though, and I’ll be sure to share whatever I find.
    [*][URL='https://sourceforge.net/users/blackout48/']blackout48[/URL]
    [RIGHT]2011-12-12 13:11:07 PST[/RIGHT]
    It's not documented afaik, off the top of my head:
    FTP - 20 + 21
    SSH - 22
    Apache - 80 + 443
    Portmap - 111
    NFS - 2049
    MySQL - 3306
    UDP Send uses 63100+ in FOG
    [*][URL='https://sourceforge.net/users/brycez/']brycez[/URL]
    [RIGHT]2011-12-13 08:11:21 PST[/RIGHT]
    Thanks for the list Blackout! A few things to add:
    TFTP - 69
    FOG by default doesn't support HTTPS (though it is doable, it just took me a while and broke some things), so 443 isn't required.
    If anyone notices anything else that's missing, please go ahead and add it. And once I get the iptables config written up and confirmed I'll go ahead and post it in the wiki, with a link to it from here.
    [*][URL='https://sourceforge.net/users/blackout48/']blackout48[/URL]
    [RIGHT]2011-12-13 16:16:38 PST[/RIGHT]
    Arhh yes, I forgot TFTP! 443 (HTTPS) will be added in 0.33 :) An iptables config would rock!
    [*][URL='https://sourceforge.net/users/brycez/']brycez[/URL]
    [RIGHT]2011-12-14 06:32:38 PST[/RIGHT]
    Does that mean SSL will be supported by the FOG client service and the boot image?
    [*][URL='https://sourceforge.net/users/brycez/']brycez[/URL]
    [RIGHT]2011-12-14 09:51:30 PST[/RIGHT]
    According to the UDPCast documentation, the default portbase is 9000+. Is there a reason why FOG uses a non-standard port for UDPCast?
    [/LIST]



  • Hi guys, I've got a little problem with my firewall rules.
    I start my iptables configuration and my computer stops at TFTP. It doesn't show me the FOG boot menu.
    The TFTP ports are open, so what's my problem?

    [CODE]#!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          PareFeu
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: Start daemon at boot time
    # Description:       Enable service provided by daemon.
    ### END INIT INFO

    # Flush the current tables
    iptables -t filter -F
    iptables -t mangle -F
    iptables -t nat -F

    # Delete user-defined chains
    iptables -t filter -X
    iptables -t mangle -X
    iptables -t nat -X

    # Deny all incoming and outgoing connections by default
    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -P OUTPUT DROP

    # Do not break established connections
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Allow loopback
    iptables -t filter -A INPUT -i lo -j ACCEPT
    iptables -t filter -A OUTPUT -o lo -j ACCEPT

    # ICMP (ping)
    iptables -t filter -A INPUT -p icmp -j ACCEPT
    iptables -t filter -A OUTPUT -p icmp -j ACCEPT

    # SSH in
    iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

    # SSH out
    iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

    # DNS in/out
    iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

    # NTP out
    iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

    # HTTP + HTTPS out
    iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

    # HTTP + HTTPS in
    iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT

    # FTP/TFTP out
    iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp --dport 20:21 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 67:68 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp --dport 67:68 -j ACCEPT

    # FTP/TFTP in
    iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 20:21 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 67:69 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 67:69 -j ACCEPT

    # MySQL in/out (MySQL speaks TCP; "-p udp --port" as originally written is
    # not a valid iptables option and the rule would have been rejected)
    iptables -t filter -A OUTPUT -p tcp --dport 3306 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT

    # NFS in/out
    iptables -t filter -A OUTPUT -p udp --dport 2049 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 2049 -j ACCEPT

    # Portmap in/out
    iptables -t filter -A OUTPUT -p udp --dport 111 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 111 -j ACCEPT
    [/CODE]

    Thank you for your ideas.

    EDIT :
    I found my problem

    [CODE]modprobe ip_conntrack_tftp
    modprobe ip_conntrack_ftp[/CODE]

    ;)



  • Thanks SomeOne! I’ll give this a try once things settle down here at work.



  • Hi,

    Here is what works for me. I did a multipart all-disk image; I would assume it works for the other types too. But I did have to configure NFS to run on specific ports.
    I followed this
    [url]http://bryanw.tk/2012/specify-nfs-ports-ubuntu-linux/[/url]

    But I used the following… the -p one was not working for me
    [CODE]RPCMOUNTDOPTS="--manage-gids --port 4002"[/CODE]
    instead of
    [CODE]RPCMOUNTDOPTS="--manage-gids -p 4002"[/CODE]

    Here is my iptables script now. I run this script on the FOG server, so that is why I have this entry to allow localhost communication.
    I can use the browser to connect to the FOG Web console via localhost
    [CODE]
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    [/CODE]

    I found ports 2070-2073 and 1758-1759 here [url]http://www.symantec.com/business/support/index?page=content&id=HOWTO3401[/url]

    I also added
    [CODE]iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT[/CODE]

    See here for details: [url]https://help.ubuntu.com/community/IptablesHowTo#Allowing_Established_Sessions[/url]

    Hope it helps!

    script:
    [CODE]
    #!/bin/bash

    # Flush old rules
    iptables -F

    # Deny all incoming, allow all outgoing
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # Allow localhost traffic (the FOG web console is used via localhost on this box)
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Accept packets of connections that are already established (or related to
    # them, e.g. FTP data); placed first so the per-port rules only see new connections
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Exception for FTP
    iptables -A INPUT -p tcp --dport 20 -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT

    # Exception for SSH
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    # Exception for TFTP and DHCP
    iptables -A INPUT -p udp --dport 67 -j ACCEPT
    iptables -A INPUT -p udp --dport 68 -j ACCEPT
    iptables -A INPUT -p udp --dport 69 -j ACCEPT
    iptables -A INPUT -p tcp --dport 67 -j ACCEPT
    iptables -A INPUT -p tcp --dport 68 -j ACCEPT
    iptables -A INPUT -p tcp --dport 69 -j ACCEPT

    iptables -A INPUT -p udp --dport 4011 -j ACCEPT
    iptables -A INPUT -p tcp --dport 4011 -j ACCEPT

    iptables -A INPUT -p tcp --dport 2070:2073 -j ACCEPT
    iptables -A INPUT -p udp --dport 2070:2073 -j ACCEPT

    iptables -A INPUT -p tcp --dport 1758:1759 -j ACCEPT
    iptables -A INPUT -p udp --dport 1758:1759 -j ACCEPT

    # Exception for HTTP(S)
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT

    # Exception for Portmap
    iptables -A INPUT -p tcp --dport 111 -j ACCEPT
    iptables -A INPUT -p udp --dport 111 -j ACCEPT

    # Exception for NFS
    iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
    iptables -A INPUT -p udp --dport 2049 -j ACCEPT

    # Exception for NFS-common
    iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
    iptables -A INPUT -p udp --dport 4000 -j ACCEPT

    # Exception for NFS-lockd
    iptables -A INPUT -p tcp --dport 4001 -j ACCEPT
    iptables -A INPUT -p udp --dport 4001 -j ACCEPT

    # Exception for NFS-mountd (pinned to 4002 via RPCMOUNTDOPTS)
    iptables -A INPUT -p tcp --dport 4002 -j ACCEPT
    iptables -A INPUT -p udp --dport 4002 -j ACCEPT

    # Exception for transfer ports (not needed once NFS runs on fixed ports; kept for reference)
    #iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
    #iptables -A INPUT -p udp --dport 1024:65535 -j ACCEPT

    # Log (rate limited) what the INPUT policy is about to drop; appended last so it
    # only sees packets no ACCEPT rule matched (inserted at position 5 it also
    # logged traffic that a later rule accepted)
    iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

    # List rules
    iptables -L
    [/CODE]



  • Thanks for the reply.

    So I would have to check iptables and tcpdump to see what protocol/service actually uses this and verify if ports can be specifically set.
    I will check it out and report any findings here.



  • The port range could probably be scaled back, but I never got around to narrowing each range. From what I’ve come to understand (keep in mind that I’m not a network admin) most protocols have designated ports for establishing connections and then use random ports from the higher port range (generally 1024+) for the actual transfer. Some applications, such as UDPCast, allow you to specify the transfer port range, but that’s not always the case. So you probably don’t need the whole range but you’ll need some of it.



  • Hi
    I have been trying to find more information on these ports

    [CODE]iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -p udp --dport 1024:65535 -j ACCEPT[/CODE]

    Why such a huge range?
    Is there a way to specify a smaller window? I am not using UDPCast.
    What component needs this range?

    Thanks!


  • Developer

    We used the non default port range so we could support a large number of concurrent multicasts (50+) without running into known used ports.


  • Developer

    At minimum the Web UI will be SSL.



  • I’ve thrown together an iptables config script that seems to work.

    [CODE]#!/bin/bash

    # Flush old rules
    iptables -F

    # Deny all incoming, allow all outgoing
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # Exception for FTP
    iptables -A INPUT -p tcp --dport 20 -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT

    # Exception for SSH
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    # Exception for TFTP
    iptables -A INPUT -p udp --dport 69 -j ACCEPT

    # Exception for HTTP(S)
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT

    # Exception for Portmap
    iptables -A INPUT -p tcp --dport 111 -j ACCEPT
    iptables -A INPUT -p udp --dport 111 -j ACCEPT

    # Exception for NFS
    iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
    iptables -A INPUT -p udp --dport 2049 -j ACCEPT

    # Exception for transfer ports (the whole unprivileged range; other replies in
    # this thread discuss narrowing it)
    iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -p udp --dport 1024:65535 -j ACCEPT

    # List rules
    iptables -L[/CODE]

    If anyone wants to test this, or just ask questions, please go right ahead.
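A least-privilege version of the FOG-server rule set discussed in this thread, added here as an example (not FOG's installer and not any poster's script): it opens only the ports listed in the thread, pins NFS to the fixed 4000-4002 ports from the RPCMOUNTDOPTS post instead of the 1024:65535 range, limits the multicast range, and attaches the FTP/TFTP conntrack helpers explicitly rather than relying on modprobe alone. The admin and storage-node subnets, the pinned NFS ports and the multicast range are assumptions, set through environment variables.

```shell
#!/bin/sh
# Added example (not FOG's installer): emit a least-privilege iptables rule set for a
# FOG server from the ports collected in this thread. Subnets, pinned NFS ports and
# the multicast range are assumptions; override them via the environment.
set -eu
ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"       # assumed admin subnet allowed to SSH in
STORAGE_NET="${STORAGE_NET:-10.0.1.0/24}"   # assumed storage-node subnet needing MySQL
NFS_PORTS="${NFS_PORTS:-4000 4001 4002}"    # statd/lockd/mountd pinned as in the post
MCAST_PORTS="${MCAST_PORTS:-63100:63199}"   # assumed FOG multicast base + session count
# Print one iptables command per line so the set can be reviewed before it is applied.
fog_rules() {
  cat <<EOF
iptables -F
iptables -t raw -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 20,21 -j ACCEPT
iptables -A INPUT -p udp --dport 69 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -s $STORAGE_NET -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 111,2049 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 111,2049 -j ACCEPT
iptables -A INPUT -p udp --dport $MCAST_PORTS -j ACCEPT
EOF
  for p in $NFS_PORTS; do   # only the pinned RPC ports, never 1024:65535
    echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport $p -j ACCEPT"
  done
  # Attach the conntrack helpers so FTP/TFTP data flows are marked RELATED and pass
  # the ESTABLISHED,RELATED rule (newer kernels do not assign helpers automatically).
  cat <<EOF
iptables -t raw -A PREROUTING -p udp --dport 69 -j CT --helper tftp
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
EOF
}
# Apply for real only when asked; by default just show the rules for review.
if [ "${1:-}" = "--apply" ]; then
  modprobe nf_conntrack_tftp nf_conntrack_ftp
  fog_rules | sh -e
else
  fog_rules
fi
```

If the FOG server also serves DHCP or proxyDHCP, add udp 67 and 4011 as in the earlier script in this thread.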

