Koozali.org: home of the SME Server

How do I add a custom iptables rule?

Offline syncmaster

How do I add a custom iptables rule?
« on: May 30, 2008, 05:07:45 PM »
All -

I'm new to SME as I've only been running it a couple months, so far it has been awesome!  I have (what I believe to be) a quick question.  I'd like to add a custom iptables rule but am not exactly sure how to do it.

I know the templates are located at:  /etc/e-smith/templates/etc/rc.d/init.d/masq/
I know I need to create:  /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/

I am NOT sure which template I need to copy to the templates-custom directory to implement the following rule:

-A INPUT -m tcp -p tcp -s 111.222.333.444 -d 192.168.x.x --dport 80 -j ACCEPT  (example IPs are bogus)

Any guidance you can provide is appreciated!

Thanks!
Sync

Offline Frank VB

Re: How do I add a custom iptables rule?
« Reply #1 on: May 30, 2008, 05:27:46 PM »
The Wiki and especially the manuals and FAQ's are your friend: http://wiki.contribs.org/SME_Server:Documentation:FAQ#Firewall

Offline syncmaster

Re: How do I add a custom iptables rule?
« Reply #2 on: May 30, 2008, 05:52:11 PM »
Thanks Frank - I have already been there.  I guess my confusion lies in not knowing which template to copy to the templates-custom directory; or do I simply make a new file?  The Firewall wiki page did not address this unless I completely misunderstood the content.

Sync

Offline e[nt]e

Re: How do I add a custom iptables rule?
« Reply #3 on: May 30, 2008, 06:47:29 PM »
Thanks Frank - I have already been there.  I guess my confusion lies in not knowing which template to copy to the templates-custom directory; or do I simply make a new file?  The Firewall wiki page did not address this unless I completely misunderstood the content.

Then please read the part in the developers manual about the template system.
http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual#Configuration_file_templates
And especially this sentence:
Quote
If the fragments in templates-custom have different names from those in templates, they are merged into the template as if they were in the templates directory.

If that doesn't help you please post here again.

Niklas
1984 wasn't meant to be a manual.

Offline stephen noble

Re: How do I add a custom iptables rule?
« Reply #4 on: May 31, 2008, 02:43:57 AM »
edit /etc/rc.d/init.d/masq directly to suit

test with
/etc/rc.d/init.d/masq restart/status

that is the hard part

then compare the fragments and work out where the new/modified fragment should be inserted

Offline CharlieBrady

Re: How do I add a custom iptables rule?
« Reply #5 on: May 31, 2008, 03:38:41 AM »
I am NOT sure which template I need to copy to the templates-custom directory to implement the following rule:

-A INPUT -m tcp -p tcp -s 111.222.333.444 -d 192.168.x.x --dport 80 -j ACCEPT  (example IPs are bogus)

That rule is quite unlikely to do what you hope it will do. Packets destined for 192.168.x.x will never be routed from any Internet address to your server's public IP.

Perhaps you should be using the portforwarding panel.

Offline arne

Re: How do I add a custom iptables rule?
« Reply #6 on: June 02, 2008, 08:42:49 AM »
Quote
-A INPUT -m tcp -p tcp -s 111.222.333.444 -d 192.168.x.x --dport 80 -j ACCEPT

This rule is impossible, and will not work on any packets at all. As zero packets are selected it will not do any big harm either.
(Reason: Packets passing through the input chain/rule stack will never be addressed to a LAN segment.)

If the intention is to set up a forwarding to an internal server, the SME forwarding function has been mentioned already.

If the intention or purpose of the rule is something else, it should be explained what the rule is supposed to do.
......

Offline syncmaster

Re: How do I add a custom iptables rule?
« Reply #7 on: June 02, 2008, 09:42:34 PM »
This rule is impossible, and will not work on any packets at all. As zero packets are selected it will not do any big harm either.
(Reason: Packets passing through the input chain/rule stack will never be addressed to a LAN segment.)

If the intention is to set up a forwarding to an internal server, the SME forwarding function has been mentioned already.

If the intention or purpose of the rule is something else, it should be explained what the rule is supposed to do.

Yes, you are correct - INPUT should be FORWARD

-A FORWARD -m tcp -p tcp -s 111.222.333.444 -d 192.168.x.x --dport 80 -j ACCEPT

The purpose is to allow forwarding from a specific external IP; the forwarding capability in SME works great but I did not see how to limit the source IP address.  Is that possible through the admin interface?

Offline CharlieBrady

Re: How do I add a custom iptables rule?
« Reply #8 on: June 02, 2008, 10:16:42 PM »
Yes, you are correct - INPUT should be FORWARD

-A FORWARD -m tcp -p tcp -s 111.222.333.444 -d 192.168.x.x --dport 80 -j ACCEPT

Yes, and that rule will *never* be invoked, because packets destined to 192.168.x.x will never be routed over the Internet to your server.

Quote
The purpose is to allow forwarding from a specific external IP; the forwarding capability in SME works great but I did not see how to limit the source IP address.  Is that possible through the admin interface?

No. But there is an outstanding New Feature Request for what you are asking for:

http://bugs.contribs.org/show_bug.cgi?id=2379

Offline arne

Re: How do I add a custom iptables rule?
« Reply #9 on: June 03, 2008, 05:48:13 PM »
The reason I asked if the purpose was other than just a forwarding is because I use forwarding with forwarding allowed from only a few addresses myself.

I have now rearranged my SME server completely, so it's now a VMware virtual server running on CentOS 5.1 with SME Server plus Smoothwall plus a Windows 2000 workstation as virtual installations. The Smoothwall does the forwarding from selected source addresses only.

On the other hand this should be possible to do via a standard SME server as well.

As a general rule modifying the existing firewall of the SME server is not a good idea because it will affect the security and the reliability of the server, and it might also lead to firewall errors that are incorrectly reported as server errors.

But with and after all warnings, things can still be done in different ways.

There will be two different "mechanisms" involved in doing the "selected forwarding".

First a rule will be needed that will do the forwarding; the rule that has been mentioned until now will not do that, it is just a filter.

Then after the first rule that will do the forwarding, there will be another rule to do the filtering.

One could build everything from the bottom or use the existing rules and opportunities as a starting point.

The last alternative will/might be the simplest.

OK. Let's say one is first using the standard forwarding configuration tools on the server-manager panel. This will give a standard forwarding from anywhere. Then on top of these automatically generated rules one will put one extra rule that will restrict the forwarded traffic to one certain source IP only. If done like this only, this should block off the ordinary LAN internet traffic that is also passing through the forwarding chain.

So there will have to be some further modifications. Let's say it should do like this.

"Drop all packets that arrive on the external interface (eth1 ?), that do not have source address 80.90.80.90, that are arriving to the forwarding chain, and that are not a result of the traffic set up by the stateful inspection mechanism of the standard SME gateway firewall."

So the extra filter should check packets for state and for source addresses. I guess this should be something like this:

 "iptables -I FORWARD -i eth1 -m state --state new -s ! 80.90.89.90 -j DROP"

This should mean something like this: For all packets arriving at eth1 and passing through the forwarding chain, that have state new, and that do not have source address 80.90.89.90, drop them. The -I is important. It locates the rule on the top of the chain.

I have not tested it, but I will guess that this "add-on filter" will work.

It can be applied from the shell. When rebooting the server it will be gone. It can also be implemented into the /etc/rc.d/rc.local script.

****

By the way this method should anyhow be considered to be a "quick and dirty" way of doing it and the rule should NOT be implemented into the template system as a modification. I guess that it will be required to first set up the forwarding via the server-manager panel, and then to apply the "add-on source IP filter" after the ordinary forwarding rules are up and running.

By the way applying an extra rule that will restrict traffic is less dangerous than applying a rule that will allow for more traffic.

 
« Last Edit: June 03, 2008, 05:56:11 PM by arne »
......

Offline zatnikatel

Re: How do I add a custom iptables rule?
« Reply #10 on: June 03, 2008, 06:29:56 PM »
One thing syncmaster did not say was whether SME is in gateway or server-only mode, as the firewall settings are different. What is his router setup? Did he port forward with it, or is it in bridge mode or DMZ mode?
Adding that line to /etc/rc.d/rc.local will work. With CentOS you would use, after adding the firewall setting, iptables save, which would save it into /etc/sysconfig/iptables. The only problem with putting it into rc.local is that if he, say, restarts the iptables service the setting will be lost, so he needs to do it the SME way.

Offline arne

Re: How do I add a custom iptables rule?
« Reply #11 on: June 03, 2008, 10:02:56 PM »
But the SME server does not have a bridge mode option or a DMZ option, and the standard CentOS way of storing firewall config, etc. will not work, I think.

Syncmaster says that the server runs in gateway mode here: "Yes, you are correct - INPUT should be FORWARD" (Only gateway mode will use forward chain.)

The procedure I suggested should in short form be described as this:

1. Set up a standard forwarding using the server-manager panel.

2. Set an additional filter as the new first rule: "iptables -I FORWARD -i eth1 -m state --state new -s ! 80.90.89.90 -j DROP"

The position at the top of the rule stack will be the critical parameter. If doing it the standard SME server way by modifying a template with -A, appending new rules will not work at all, as this will apply the new rule at the bottom of the rule stack where it will have no effect.

(I would believe that using -I in the template setup in some way would break the logic of the SME server firewall configuration, but I have never tried it. It could be tried, but it is difficult to know if there should be some side effects as the use of -I as a replacement for -A could change some basic things.)

If the situation is rather static, you have a port forwarding or two, and nothing is changed, the new rule should keep its position at the top of the rule stack when applied as suggested. If the firewall is restarted the rule is lost until it is applied again, this is true.

I believe that applying the extra filter from /etc/rc.d/rc.local will work as long as things (forwardings etc.) are static and as long as it will keep its position at the top of the rule stack. (While the standard SME server procedure will locate it at the bottom (?!).) So it is not very secure, but most of the time I will guess it will do its job to restrict the source IPs that can be forwarded. If it does not work, the SME server will just work like normal.

Things will have to be tested and then it will show. I would not have inserted firewall rules at the top of the rule stack using the template system, I would expect it to give problems, but I might quite surely be wrong as I have not tested it.

(-A append, the rule will be at the bottom. -I insert, the rule will be at the top. The sequence of the rules is rather critical and in this case the rule will have to be inserted at the top to do the "add-on filtering" before the other rules. If applied at the standard position, at the bottom, and after the other rules, it will have no effect.)

« Last Edit: June 03, 2008, 11:26:16 PM by arne »
......

Offline zatnikatel

Re: How do I add a custom iptables rule?
« Reply #12 on: June 04, 2008, 03:21:30 AM »
The iptables rule list is large if you do an iptables -L.
What I meant was: is his modem router in bridge mode or DMZ mode, or is it port forwarding to the SME server?

Offline arne

Re: How do I add a custom iptables rule?
« Reply #13 on: June 04, 2008, 10:19:22 PM »
In general: -L works OK for listing basic firewall setups but it does not work too well for more complex firewall setups.

Based on the input in the post above I made a few tests and found that this command can show in an easy way if the add-on filter rule is there in its right first/upper position:

iptables -L FORWARD

or

iptables -L FORWARD -n


But we are missing feedback from syncmaster if the new filter rule works at all. (It was just an idea.)
« Last Edit: June 04, 2008, 10:21:55 PM by arne »
......
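The thread's whole argument rests on the add-on DROP rule being rule 1 of the FORWARD chain (Reply #11) and on `iptables -L FORWARD -n` as the way to see it (Reply #13). The following shell script is an added example, not code posted in the thread or shipped with SME Server: it parses that listing (with `--line-numbers` added) and reports whether the filter for a given allowed source IP really is on top. The two listings it contains are constructed samples so it runs without root; the interface name and the 192.168.1.10 target are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that the "add-on filter" from
# Reply #11 sits at position 1 of the FORWARD chain, which that reply calls
# the critical parameter: inserted with -I it is rule 1, appended with -A it
# lands last and never fires. Parses `iptables -L FORWARD -n --line-numbers`
# output (Reply #13's listing, plus rule numbers). Both listings below are
# constructed samples so the script runs without root or iptables.

# Constructed: the filter was inserted with -I and sits on top.
SAMPLE_OK='Chain FORWARD (policy DROP)
num  target  prot opt source        destination
1    DROP    all  --  !80.90.89.90  0.0.0.0/0     state NEW
2    ACCEPT  all  --  0.0.0.0/0     0.0.0.0/0     state RELATED,ESTABLISHED
3    ACCEPT  tcp  --  0.0.0.0/0     192.168.1.10  tcp dpt:80'

# Constructed: the same filter appended with -A, after the ACCEPT rules.
SAMPLE_BAD='Chain FORWARD (policy DROP)
num  target  prot opt source        destination
1    ACCEPT  all  --  0.0.0.0/0     0.0.0.0/0     state RELATED,ESTABLISHED
2    ACCEPT  tcp  --  0.0.0.0/0     192.168.1.10  tcp dpt:80
3    DROP    all  --  !80.90.89.90  0.0.0.0/0     state NEW'

# filter_position LISTING ALLOWED_IP
# Prints the rule number of the first DROP rule whose source column is
# "!ALLOWED_IP" and that matches state NEW; prints 0 if no such rule exists.
filter_position() {
    printf '%s\n' "$1" | awk -v src="!$2" '
        # columns: num target prot opt source destination [extra]
        $2 == "DROP" && $5 == src && /state NEW/ { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# check_filter LISTING ALLOWED_IP
# Succeeds (exit 0) only when the filter is rule 1, i.e. ahead of every
# ACCEPT rule the server-manager port forward generated.
check_filter() {
    [ "$(filter_position "$1" "$2")" = 1 ]
}

# On the gateway itself (as root) the live check would be:
#   check_filter "$(iptables -L FORWARD -n --line-numbers)" 80.90.89.90
# A failure means the filter is missing or was appended instead of inserted.
# Note: "-s ! ADDR" is the old negation syntax; current iptables wants
# "! -s ADDR" and warns about the intrapositioned form.
```

Running the live check from cron or after `masq restart` gives an early warning that the filter has dropped off the top of the chain, which is exactly the failure the thread worries about.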

Offline arne

Re: How do I add a custom iptables rule?
« Reply #14 on: June 06, 2008, 09:24:27 PM »
Syncmaster -> Does it work ? Any progress ? (Have not tested it myself, just curious.)
......