Koozali.org: home of the SME Server

creating firewall rule

Offline jgnac

creating firewall rule
« on: July 04, 2011, 02:27:48 PM »
Hello,

I work at a charity with a SME server 7.5.1 running to supply net access and file serving. I have been asked to setup a firewall rule (NAT) to a "gateway" PC which is on our network with a fixed IP address (10.0.1.254).

So any traffic coming from 209.xxx.xxx.0/19 on port 40001 TCP needs to be redirected to 10.0.1.254 on port 40001 TCP

I am not sure how to get this configuration into the Configure Port Forwarding panel in the server-manager if that is the right place to create this; any advice would be appreciated, thanks,
James.

Offline cactus

Re: creating firewall rule
« Reply #1 on: July 04, 2011, 05:38:30 PM »
Wouldn't a simple port forward in the port forwarding panel in server-manager do? It might not be as specific as you would like it (no filtering on source address), but it should be able to forward the traffic to the desired host and port.

See also: http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter11#Port_forwarding
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline jgnac

Re: creating firewall rule
« Reply #2 on: July 04, 2011, 05:59:41 PM »
Thanks, I was not reading the panel carefully enough - I think I have created an adequate rule, I will see if it works.

Offline mmccarn

Re: creating firewall rule
« Reply #3 on: July 04, 2011, 08:33:23 PM »
[edit]
Note: See note from Cactus below -- this post is irrelevant...
[/edit]


If you want to allow remote access only from 209.xxx.xxx.xxx/19, you may also need to define a custom service with restricted access -- I *think* this will cause any unwanted traffic on the specified port to be dropped when combined with a port forwarding rule.

Code:
    config set UDP40001 service UDPPort 40001 status enabled access public AllowHosts 209.xxx.xxx.xxx/19
    signal-event remoteaccess-update


Reference:
http://wiki.contribs.org/DB_Variables_Configuration#Additional_information_on_customizing_iptables

Undo:
Code:
    config delete UDP40001
    signal-event remoteaccess-update

Testing:
If this rule works, you should see denied traffic from undesirable remote locations in /var/log/iptables/current
« Last Edit: July 05, 2011, 01:00:32 PM by mmccarn »

Offline cactus

Re: creating firewall rule
« Reply #4 on: July 04, 2011, 09:10:23 PM »
Quote from mmccarn:
    If you want to allow remote access only from 209.xxx.xxx.xxx/19, you may also need to define a custom service with restricted access -- I *think* this will cause any unwanted traffic on the specified port to be dropped when combined with a port forwarding rule.

The panel seems to suggest that this is not required since there is a field called Allow Hosts (at least in SME Server 8). IMHO that is where you should be able to specify the source filtering. Since SME Server is quite complete in its configuration I doubt that for port-forwarding (a core functionality) additional manual instructions are required.

Doing a quick test this is what I get in /etc/rc.d/init.d/masq (among a lot of other things):

Code:
    /sbin/iptables --table nat --append PortForwarding_$$ --proto tcp --destination-port 40001 --src 209.0.0.0/19 -j DNAT --to-destination 10.0.10.2:40001
    /sbin/iptables -A ForwardedTCP_$$ --proto tcp --dport 40001 \
         --destination 10.0.10.2 --src 209.0.0.0/19 --jump ACCEPT
    /sbin/iptables -A ForwardedTCP_$$ --proto tcp --dport 40001 \
         --destination 10.0.10.2 --src 0.0.0.0/0 --jump denylog

Isn't that enough?
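As an added illustration (not code from this thread or from SME Server), the following Python evaluator walks the three rules cactus quoted above, with the $$ chain-name suffix replaced by a fixed name and a constructed public address standing in for the server's external IP. It applies iptables' first-match semantics per chain: a source inside 209.0.0.0/19 is DNATed and accepted, a source outside it is never rewritten to the internal host, and a packet that did arrive addressed to 10.0.10.2 from elsewhere falls through to denylog.

```python
import ipaddress
import shlex

# Constructed copy of the rules quoted from /etc/rc.d/init.d/masq, one command
# per line, with the $$ suffix replaced by a fixed chain name. Not SME Server code.
MASQ_RULES = """
/sbin/iptables --table nat --append PortForwarding_1 --proto tcp --destination-port 40001 --src 209.0.0.0/19 -j DNAT --to-destination 10.0.10.2:40001
/sbin/iptables -A ForwardedTCP_1 --proto tcp --dport 40001 --destination 10.0.10.2 --src 209.0.0.0/19 --jump ACCEPT
/sbin/iptables -A ForwardedTCP_1 --proto tcp --dport 40001 --destination 10.0.10.2 --src 0.0.0.0/0 --jump denylog
"""

# Option spellings that iptables treats as synonyms, mapped to one canonical form.
ALIASES = {"-A": "--append", "-j": "--jump", "-s": "--src", "-d": "--destination",
           "--dport": "--destination-port", "--source": "--src", "-p": "--proto"}

def parse_rules(text):
    """Turn each iptables command line into a dict keyed by canonical option name."""
    rules = []
    for line in text.strip().splitlines():
        toks = shlex.split(line)[1:]          # drop the /sbin/iptables path
        rule = {}
        for opt, val in zip(toks[::2], toks[1::2]):   # every option here takes a value
            rule[ALIASES.get(opt, opt)] = val
        rules.append(rule)
    return rules

def matches(rule, pkt):
    """Every selector present in the rule must match; absent selectors match anything."""
    if rule.get("--proto", pkt["proto"]) != pkt["proto"]:
        return False
    if int(rule.get("--destination-port", pkt["dport"])) != pkt["dport"]:
        return False
    for opt, field in (("--src", "src"), ("--destination", "dst")):
        if opt in rule and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(rule[opt]):
            return False
    return True

def forward_verdict(rules, src, dst="203.0.113.10", dport=40001, proto="tcp"):
    """Apply the nat chain, then the filter chain; return (final destination, verdict)."""
    pkt = {"src": src, "dst": dst, "dport": dport, "proto": proto}  # dst default is a constructed public IP
    for r in rules:                                   # nat table: rewrite destination on DNAT match
        if r.get("--table") == "nat" and matches(r, pkt):
            pkt["dst"], port = r["--to-destination"].split(":")
            pkt["dport"] = int(port)
    for r in rules:                                   # filter table: first matching rule decides
        if r.get("--table") != "nat" and matches(r, pkt):
            return pkt["dst"], r["--jump"]
    return pkt["dst"], "not-forwarded"                # never rewritten, so never reaches ForwardedTCP
```

A "not-forwarded" result means the packet stays addressed to the external IP and is handled by the server's own input rules, not by the forwarded-host chain.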

Offline mmccarn

Re: creating firewall rule
« Reply #5 on: July 05, 2011, 12:59:34 PM »
Quote from cactus:
    Isn't that enough?

Doh! That's what I get for going straight to the command line all the time...

Comment added to my previous post...