Out of the box, your Opengear device runs a stateful netfilter/iptables firewall with a default deny input policy. A firewall ruleset is automatically built and installed based on enabled features and per-interface service access policy.
At a high level, per-interface access through the firewall is configured under System -> Services -> Service Access. You may also use custom firewall under System -> Firewall -> Firewall Rules for more granular control, e.g. to restrict connections to those originating from a trusted source network.
Rule order
Rule order is important as packets fall through the firewall chains top to bottom, until they hit a matching rule that allows or blocks.
Custom Firewall Rules are inserted before system rules and Service Access rules. It is important that you do not manually add a custom "block all" rule as this will break connection tracking (system rule) and impair functionality.
Moreover, the input policy ends with a "block all" rule by default, so the solution is to disable the Service Access rules you do not want matched; unwanted packets then fall through to the default "block all" rule.
iptables rules
The configured firewall ruleset in iptables-restore format is available in the filesystem at /etc/config/fw.rules (IPv4) and /etc/config/fwipv6.rules (IPv6).
You can also view rules with the standard iptables commands:
iptables -t filter -L -v
iptables -t mangle -L -v
iptables -t nat -L -v
ip6tables -t filter -L -v
ip6tables -t mangle -L -v
Custom iptables commands
Advanced users may install persistent rules using arbitrary iptables commands by adding them to the /etc/config/scripts/firewall-post file. This is a shell script that is run after the fw*.rules files are installed.
The firewall-post file is a bash script. The script should check whether a rule already exists before adding it, to avoid creating duplicate rules each time it runs. The iptables (and ip6tables) -C option performs this check: it exits zero when a matching rule exists and non-zero when it does not.
For example:
#!/bin/bash
# Append a rule only if an identical rule is not already present.
# -C prints an error when the rule is absent, so its stderr is discarded.
iptables_add()
{
    if ! iptables -C "$@" 2>/dev/null; then
        iptables -A "$@"
    fi
}
# Redirect syslog (514/udp, 514/tcp) and SNMP traps (162/udp) arriving on eth1
# to the VPN peer address held in LH_LHVPN_IP.
LH_LHVPN_IP=10.11.12.13
iptables_add PREROUTING -t nat -i eth1 -p udp --dport 514 -j DNAT --to ${LH_LHVPN_IP}:514
iptables_add PREROUTING -t nat -i eth1 -p tcp --dport 514 -j DNAT --to ${LH_LHVPN_IP}:514
iptables_add PREROUTING -t nat -i eth1 -p udp --dport 162 -j DNAT --to ${LH_LHVPN_IP}:162
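The following is an added example of a complete firewall-post script, not Opengear's own code. It combines the check-before-add pattern above with the trusted-source restriction mentioned under Service Access, and generalises the helper so one set of functions serves both iptables and ip6tables. Everything specific in it is constructed for illustration: the management interface eth0, the trusted networks 192.0.2.0/24 and 2001:db8::/32 (RFC 5737 and RFC 3849 documentation ranges), the ports 22 and 443, and the helper names ipt_add, ipt_insert, restrict_tcp_port and install_rules.

```shell
#!/bin/bash
# Added example of a /etc/config/scripts/firewall-post hook; it is not Opengear's
# own script. Constructed assumptions: administration traffic arrives on eth0,
# the trusted administration network is 192.0.2.0/24 and its IPv6 counterpart is
# 2001:db8::/32. IPT names the binary so the same helpers serve iptables and
# ip6tables.
IPT="${IPT:-iptables}"
MGMT_IF="${MGMT_IF:-eth0}"
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"
TRUSTED_NET6="${TRUSTED_NET6:-2001:db8::/32}"

# Idempotent append. -C exits non-zero and prints an error when the rule is
# absent, so stderr is silenced and -A runs only when the check fails.
ipt_add() {
    if ! "$IPT" -C "$@" 2>/dev/null; then
        "$IPT" -A "$@"
    fi
}

# Idempotent insert at the head of the chain. firewall-post runs after the
# generated ruleset is installed, so a rule appended to INPUT would sit behind
# the final system "block all" rule and never match; -I places it first.
ipt_insert() {
    if ! "$IPT" -C "$@" 2>/dev/null; then
        "$IPT" -I "$@"
    fi
}

# Restrict one TCP service to the trusted network. Each -I lands at position 1,
# so the DROP for untrusted sources is inserted first and the ACCEPT for the
# trusted network second, leaving ACCEPT above DROP in the chain.
restrict_tcp_port() {
    ipt_insert INPUT -i "$MGMT_IF" -p tcp --dport "$1" ! -s "$TRUSTED_NET" -j DROP
    ipt_insert INPUT -i "$MGMT_IF" -p tcp --dport "$1" -s "$TRUSTED_NET" -j ACCEPT
}

# Apply the policy for SSH (22) and HTTPS (443) over IPv4 and IPv6. The IPv6
# pass runs in a subshell so the IPT/TRUSTED_NET override does not leak.
install_rules() {
    for port in 22 443; do
        restrict_tcp_port "$port"
        ( IPT=ip6tables TRUSTED_NET="$TRUSTED_NET6" restrict_tcp_port "$port" )
    done
}

# Install only when executed as the firewall-post hook. When the file is
# sourced instead (for example to exercise the helpers against a stub that
# stands in for iptables), nothing is installed.
case "$0" in
    */firewall-post|firewall-post) install_rules ;;
esac
```

Because every rule goes through -C first, the script can be re-run safely each time the ruleset is regenerated. After saving it, apply the configuration with config -a as described in this article and confirm the order with iptables -L INPUT -n --line-numbers: the two ACCEPT rules for the trusted network must appear above their DROP counterparts, and both above the system rules.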
Here's an IPv4 example to silently DROP packets instead of sending back a RST reply (default behaviour). This does make it harder to debug connectivity issues so use it carefully.
#!/bin/bash
# Append a rule only if an identical rule is not already present.
iptables_add()
{
    if ! iptables -C "$@" 2>/dev/null; then
        iptables -A "$@"
    fi
}
# Remove the jump to the system Block chain (which replies with a RST/reject)
# and terminate the INPUT chain with a silent DROP instead.
iptables -D INPUT -j Block
iptables_add INPUT -j DROP
Afterwards, run the command below to apply the settings:
config -a
Once that's done, display the rules and make sure the last rule in the INPUT chain is DROP:
iptables -L INPUT