Articles in this section

See more

Custom firewall rules and rule ordering

Robert Waldie
  • Updated
Follow

Out of the box, your Opengear device runs a stateful netfilter/iptables firewall with a default deny input policy.  A firewall ruleset is automatically built and installed based on enabled features and per-interface service access policy.

At a high level, per-interface access through the firewall is configured under System -> Services -> Service Access.  You may also use custom firewall under System -> Firewall -> Firewall Rules for more granular control, e.g. to restrict connections to those originating from a trusted source network.

Rule order

Rule order is important as packets fall through the firewall chains top to bottom, until they hit a matching rule that allows or blocks.

Custom Firewall Rules are inserted before system rules and Service Access rules.  It is important that you do not manually add a custom "block all" rule as this will break connection tracking (system rule) and impair functionality.

Moreover, the input policy ends with a "block all" rule by default – so the solution is to disable Service Access rules so they are not matched, and unwanted packets fall through the the default "block all" rule.

iptables rules

The configured firewall ruleset in iptables-restore format is available in the filesystem at /etc/config/fw.rules (IPv4) and /etc/config/fwipv6.rules (IPv6).

You can also view rules with the standard iptables commands:

iptables -t filter -L -v
iptables -t mangle -L -v
iptables -t nat -L -v
ip6tables -t filter -L -v
ip6tables -t mangle -L -v

Custom iptables commands

Advanced users may install persistent rules using arbitrary iptables commands by adding them to /etc/config/scripts/firewall-post file.  This is a shell script that's run after fw*.rules are installed.

The firewall-post file is a bash script. It is recommended that the script should check if a rule already exists before adding it, to avoid creating a duplicate rule. The iptables (and ip6tables) -C option can be used to check whether a rule exists.

For example:

#!/bin/bash

iptables_add()
{
   if ! iptables -C $@; then
      iptables -A $@
   fi
}

LH_LHVPN_IP=10.11.12.13

iptables_add PREROUTING -t nat -i eth1 -p udp --dport 514 -j DNAT --to ${LH_LHVPN_IP}:514
iptables_add PREROUTING -t nat -i eth1 -p tcp --dport 514 -j DNAT --to ${LH_LHVPN_IP}:514
iptables_add PREROUTING -t nat -i eth1 -p udp --dport 162 -j DNAT --to ${LH_LHVPN_IP}:162

 

Here's an IPv4 example to silently DROP packets instead of sending back a RST reply (default behaviour). This does make it harder to debug connectivity issues so use it carefully.

#!/bin/bash

iptables_add()
{
   if ! iptables -C $@; then
      iptables -A $@
   fi
}

iptables -D INPUT -j Block
iptables_add INPUT -j DROP

 

Afterwards run the command below to apply the settings

config -a

 

Once that's done display the rules and make sure the last rule is DROP.

iptables -L INPUT

 

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk