Firewall Config
2011-12-12 08:43:04 PST
I’m currently getting ready to deploy some new storage nodes and our IT security team wants to confirm our firewall configs, which means justifying every open port. So it looks like I’m going to need to document every necessary port for FOG. I was wondering if somebody might already have something like this written down somewhere that I could take a look at, otherwise I’ll just have to go through and figure it out. I can see that being useful documentation to keep on the FOG wiki though, and I’ll be sure to share whatever I find.
2011-12-12 13:11:07 PST
It's not documented afaik. Off the top of my head:
FTP - 20 + 21
SSH - 22
Apache - 80 + 443
Portmap - 111
NFS - 2049
MySQL - 3306
UDP Send - 63100+ in FOG
2011-12-13 08:11:21 PST
Thanks for the list Blackout! A few things to add:
TFTP - 69
FOG by default doesn't support HTTPS (though it is doable; it just took me a while and broke some things), so 443 isn't required.
If anyone notices anything else that's missing, please go ahead and add it. And once I get the iptables config written up and confirmed I'll go ahead and post it in the wiki, with a link to it from here.
2011-12-13 16:16:38 PST
Ahh yes, I forgot TFTP! 443 (HTTPS) will be added in 0.33. An iptables config would rock!
2011-12-14 06:32:38 PST
Does that mean SSL will be supported by the FOG client service and the boot image?
2011-12-14 09:51:30 PST
According to the UDPCast documentation, the default portbase is 9000+. Is there a reason why FOG uses a non-standard port for UDPCast?
I’ve thrown together an iptables config script that seems to work.
[CODE]# Flush old rules
iptables -F
# Deny all incoming, allow all outgoing
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Exception for FTP
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Exception for SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Exception for TFTP
iptables -A INPUT -p udp --dport 69 -j ACCEPT
# Exception for HTTP(S)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Exception for Portmap
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
# Exception for NFS
iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -p udp --dport 2049 -j ACCEPT
# Exception for transfer ports
iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp --dport 1024:65535 -j ACCEPT
# List rules
iptables -L[/CODE]
If anyone wants to test this, or just ask questions, please go right ahead.
At minimum the Web UI will be SSL.
We used the non default port range so we could support a large number of concurrent multicasts (50+) without running into known used ports.
I have been trying to find more information on these ports:
[CODE]iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp --dport 1024:65535 -j ACCEPT[/CODE]
Why such a huge range? Is there a way to specify a smaller window? I am not using UDPCast. What component needs this range? Thanks!
The port range could probably be scaled back, but I never got around to narrowing each range. From what I’ve come to understand (keep in mind that I’m not a network admin) most protocols have designated ports for establishing connections and then use random ports from the higher port range (generally 1024+) for the actual transfer. Some applications, such as UDPCast, allow you to specify the transfer port range, but that’s not always the case. So you probably don’t need the whole range but you’ll need some of it.
Thanks for the reply.
So I would have to check iptables and tcpdump to see what protocol/service actually uses this and verify if ports can be specifically set.
I will check it out and report any findings here.
Here is what works for me. I did a multipart all disk image, I would assume it works for the other types too. But I did have to configure NFS to run on specific ports.
I followed this guide, but I used the following (the -p one was not working for me):
[CODE]RPCMOUNTDOPTS="--manage-gids --port 4002"[/CODE]
instead of
[CODE]RPCMOUNTDOPTS="--manage-gids -p 4002"[/CODE]
Here is my iptables script now. I run this script on the FOG server, so that is why I have this entry to allow localhost communication; I can use the browser to connect to the FOG web console via localhost:
[CODE]iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT[/CODE]
I found ports 2070-2073 and 1758-1759 documented elsewhere. I also added
[CODE]iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT[/CODE]
Hope it helps!
[CODE]#!/bin/bash
# Flush old rules
iptables -F
# Deny all incoming, allow all outgoing
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow localhost communication (the web console is used via localhost on this box)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept replies to connections this host opened, plus related traffic;
# this is what replaces the blanket 1024:65535 range commented out below
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Exception for FTP
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Exception for SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Exception for TFTP and DHCP
iptables -A INPUT -p udp --dport 67 -j ACCEPT
iptables -A INPUT -p udp --dport 68 -j ACCEPT
iptables -A INPUT -p udp --dport 69 -j ACCEPT
iptables -A INPUT -p tcp --dport 67 -j ACCEPT
iptables -A INPUT -p tcp --dport 68 -j ACCEPT
iptables -A INPUT -p tcp --dport 69 -j ACCEPT
# PXE proxyDHCP
iptables -A INPUT -p udp --dport 4011 -j ACCEPT
iptables -A INPUT -p tcp --dport 4011 -j ACCEPT
# Ports 2070-2073 and 1758-1759
iptables -A INPUT -p tcp --dport 2070:2073 -j ACCEPT
iptables -A INPUT -p udp --dport 2070:2073 -j ACCEPT
iptables -A INPUT -p tcp --dport 1758:1759 -j ACCEPT
iptables -A INPUT -p udp --dport 1758:1759 -j ACCEPT
# Exception for HTTP(S)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Exception for Portmap
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
# Exception for NFS
iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -p udp --dport 2049 -j ACCEPT
# Exception for NFS-common (statd pinned to 4000)
iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
iptables -A INPUT -p udp --dport 4000 -j ACCEPT
# Exception for NFS-lockd (pinned to 4001)
iptables -A INPUT -p tcp --dport 4001 -j ACCEPT
iptables -A INPUT -p udp --dport 4001 -j ACCEPT
# Exception for NFS-mountd (pinned to 4002 via RPCMOUNTDOPTS)
iptables -A INPUT -p tcp --dport 4002 -j ACCEPT
iptables -A INPUT -p udp --dport 4002 -j ACCEPT
# Exception for transfer ports (no longer needed with the conntrack rule above)
#iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
#iptables -A INPUT -p udp --dport 1024:65535 -j ACCEPT
# Log, rate limited, whatever is about to fall through to the default DROP
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# List rules
iptables -L
[/CODE]
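An added check, not from this thread or the FOG project, that turns the port list collected so far into an audit of what the server actually listens on, so each ACCEPT can be justified to the security team. It assumes the input is the output of "ss -Hlntu" (listening TCP/UDP sockets, header suppressed); the sample output below is constructed.

```shell
#!/bin/sh
# Added example, not FOG's code: audit a FOG server's listening sockets against
# the ports collected in this thread so every iptables ACCEPT can be justified.
# Input is the output of `ss -Hlntu` (listening tcp/udp sockets, no header).

# Ports the thread settled on, as proto/port tokens (ranges written out)
APPROVED="tcp/20 tcp/21 tcp/22 udp/67 udp/68 udp/69 tcp/80 tcp/443
tcp/111 udp/111 tcp/2049 udp/2049 tcp/3306 udp/4011
tcp/4000 udp/4000 tcp/4001 udp/4001 tcp/4002 udp/4002
tcp/1758 udp/1758 tcp/1759 udp/1759
tcp/2070 udp/2070 tcp/2071 udp/2071 tcp/2072 udp/2072 tcp/2073 udp/2073"

# Read ss output on stdin; print "proto/port verdict" per socket, where the
# verdict is approved, loopback-only (not reachable from the network, so no
# INPUT rule is needed) or UNJUSTIFIED (listening, but absent from the list).
audit_listeners() {
    awk -v approved=" $(echo $APPROVED) " '
    {
        n = split($5, a, ":")                      # local addr:port, port last
        port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        tok = $1 "/" port
        if (addr == "127.0.0.1" || addr == "[::1]")
            verdict = "loopback-only"
        else if (index(approved, " " tok " ") > 0)
            verdict = "approved"
        else
            verdict = "UNJUSTIFIED"
        print tok, verdict
    }' | sort -u
}

# Only the sockets that still need a justification or should be closed
unjustified_listeners() {
    audit_listeners | awk '$2 == "UNJUSTIFIED" { print $1 }'
}

# Constructed sample of `ss -Hlntu` output: SSH, MySQL bound to loopback,
# Apache, a stray VNC listener on 5900, TFTP and portmap
SAMPLE_SS='tcp   LISTEN   0   128      0.0.0.0:22        0.0.0.0:*
tcp   LISTEN   0   80       127.0.0.1:3306    0.0.0.0:*
tcp   LISTEN   0   128      *:80              *:*
tcp   LISTEN   0   128      [::]:5900         [::]:*
udp   UNCONN   0   0        0.0.0.0:69        0.0.0.0:*
udp   UNCONN   0   0        0.0.0.0:111       0.0.0.0:*'

# Stand-alone run on the sample; on a real server: ss -Hlntu | audit_listeners
printf '%s\n' "$SAMPLE_SS" | audit_listeners
```

On the sample, MySQL on 127.0.0.1 needs no firewall exception at all, and the 5900 listener is the one the security team would ask about.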
Thanks SomeOne! I’ll give this a try once things settle down here at work.
Hi guys, I've got a little problem with my firewall rules.
When I start my iptables configuration my computer stops at TFTP; it doesn't show me the FOG boot menu.
The TFTP ports are open, so what's my problem?
[CODE]#!/bin/sh
### BEGIN INIT INFO
# Provides:          PareFeu
# Required-Start:    $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO

# Flush the current tables
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -F
# Delete custom chains
iptables -t filter -X
iptables -t mangle -X
iptables -t nat -X
# Deny all incoming and outgoing connections by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# Do not break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# SSH In/Out
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
# DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
# NTP Out, plus outbound HTTP(S)
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
# FTP/TFTP and DHCP Out
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 20:21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 67:68 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 67:68 -j ACCEPT
# FTP/TFTP and DHCP In
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 67:69 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 67:69 -j ACCEPT
# MySQL In/Out (TCP 3306; --dport, as --port is not a valid option here)
iptables -t filter -A OUTPUT -p tcp --dport 3306 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT
# NFS and portmap In/Out
iptables -t filter -A OUTPUT -p udp --dport 2049 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 2049 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 111 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 111 -j ACCEPT
[/CODE]
Thank you for your ideas.
I found my problem:
[CODE]# Load the conntrack helpers so RELATED also matches the TFTP and FTP data traffic
modprobe ip_conntrack_tftp
modprobe ip_conntrack_ftp[/CODE]