Difference between revisions of "ASL firewall"

From Atomicorp Wiki
Older revision summary: m (How to allow connections to a TCP port)
Newer revision summary: m (How to block all incoming connections to a TCP port)

Line 115:
  Step 7:  Type in the source IP/Network for this rule.  If you want to allow any network, just leave this blank.
- Step 8:  In the Destination port window type in the port number you wish to block.  For example, if you want to allow connections to port 22, type in 22.  Leave the first drop down as "-".
+ Step 8:  In the Destination port window type in the port number you wish to block.  For example, if you want to block connections to port 22, type in 22.  Leave the first drop down as "-".
  Step 9:  Set the "Jump Target" to "DROP".

Revision as of 08:52, 8 June 2012


Access the firewall rule manager

Step 1: Log into the ASL GUI

Step 2: Click on the Firewall Tab.

Step 3: Click on the firewall rules menu item.

This will open the firewall rules window.

Rule Types

Linux supports three types of firewall rules:

NAT

Network Address Translation Rules: These rules are used to change the source and/or destination of packets.

Mangle

These types of rules are used to modify, or "mangle", packets before they are processed.

Filter

These types of rules are used to filter, or "block", packets. They are the most common rules and are probably the type you want if you need to allow or block traffic to a specific port.

Filter subtypes
INPUT

These are rules for traffic going to the server itself. These are the most common subtype, and are what you want if you are looking to allow traffic to a port, or to block traffic to a port.

OUTPUT

These are rules for traffic leaving the server, that is, traffic generated by the server itself.

FORWARD

This subtype is for all other traffic that is not INPUT or OUTPUT. Specifically, this is traffic passing through the server when the server acts as a classic firewall for another system. FORWARD rules have nothing to do with traffic to or from the server itself.

Jump Targets

In Linux a jump target tells the rule which action to jump to. This is how you tell Linux what to do, such as allow, deny or something else, when the rule is triggered.

ACCEPT

Accept the traffic. This will allow the traffic.

DROP

Silently drop the packet. The client will get no response from the server.

REJECT

Reject the packet. The client receives an explicit rejection from the server at the TCP or UDP layer.

Rule options

Using the firewall manager

Adding a firewall rule

Step 1: Select the type of rule you want to add from the list above

Step 2: Select the subtype of the rule you want to add from the list above

Step 3: From the firewall rule manager, select the subtype. For example, to add a filter -> INPUT rule, select "INPUT" under the filter tree branch.

This will pull up any INPUT rules you have on the system. To add a new rule, select "Add Rule".

Step 4: Select the subtype by choosing it under "Chain". For example, if you want to add an INPUT rule, select Table "filter"; this should auto-select "INPUT". If it does not, just select INPUT as the "Chain".

Step 5: Select the command, Append or Insert. In Linux, Append adds the rule after all other rules. Linux firewalling is linear: rules are processed in order, "first come first served", and the first matching rule decides. Appending places the rule last. Insert places the rule first, and with Insert you can also set the rule number if you prefer that the rule run second, third, etc.

Step 6: Select the protocol by clicking on the "n/a" drop down. The drop down before it adds a "negative", for example if you want a rule that says "not tcp". If you want this rule to apply to TCP, just select tcp in the drop down and leave the first drop down as "-".

Step 7: Type in the source IP/Network for this rule. If you want to allow any network, just leave this blank.

Step 8: Type in the destination for this rule. If you are creating a rule for the server itself, for example to allow connections to a specific port, just leave this blank.

Step 9: Type in the source port. If you are creating a rule to allow connections to the server from another server, leave this blank.

Step 10: Type in the Destination port. For example, if you want to allow connections to port 22, type in 22.

Step 11: Set the interface. If you want to set this rule for all interfaces, leave the default of "n/a".

Step 12: Set the "Jump Target". In Linux this is effectively the "action". You will see a number of options described above, such as ACCEPT and REJECT; see the Jump Targets section for more information. In general, if you want to allow a connection, select "ACCEPT".

Step 13: Select Add Rule.

Your new rule is now implemented.
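The Append/Insert behaviour described in Step 5 is the part of this procedure that most often surprises people, so here is a small simulator of linear, first-match rule evaluation using the same field names as the ASL rule form. This is an added example, not ASL's own code; the Rule/Chain classes, the packet dictionaries and the addresses are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Rule:
    """One row of the ASL rule form (field names assumed, not ASL's own code)."""
    target: str                   # Jump Target: ACCEPT, DROP or REJECT
    proto: str = "n/a"            # protocol drop-down; "n/a" means any protocol
    proto_negate: bool = False    # the "!" drop-down before the protocol
    source: str = ""              # Source IP/Network; blank means any source
    dport: Optional[int] = None   # Destination port; blank means any port

    def matches(self, pkt: dict) -> bool:
        if self.proto != "n/a":
            hit = pkt["proto"] == self.proto
            if hit == self.proto_negate:   # "!" inverts the protocol test
                return False
        if self.source:
            net = ipaddress.ip_network(self.source, strict=False)
            if ipaddress.ip_address(pkt["src"]) not in net:
                return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True

@dataclass
class Chain:
    """A filter chain such as INPUT: rules are checked top to bottom."""
    policy: str = "ACCEPT"        # applied when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        self.rules.append(rule)                # "Append": rule goes last
    def insert(self, rule: Rule, position: int = 1) -> None:
        self.rules.insert(position - 1, rule)  # "Insert": first, or at rule number n
    def evaluate(self, pkt: dict) -> str:
        for rule in self.rules:                # first matching rule decides
            if rule.matches(pkt):
                return rule.target
        return self.policy

def demo() -> tuple:
    """Constructed scenario: an ACCEPT for tcp/22 is shadowed by an inserted DROP."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", proto="tcp", dport=22))
    ssh = {"proto": "tcp", "src": "203.0.113.9", "dport": 22}   # constructed packet
    before = chain.evaluate(ssh)
    chain.insert(Rule("DROP", proto="tcp", dport=22))          # lands at position 1
    return before, chain.evaluate(ssh)
```

The same SSH packet is accepted before the insert and dropped after it, even though the ACCEPT rule is still present: position, not order of creation, is what decides.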

Examples

How to block all incoming connections to a TCP port

Step 1: Log into the ASL GUI

Step 2: Click the Firewall Tab

Step 3: Select the Firewall Rules menu option.

Step 4: Click the "Add Rule" button.

Step 5: For table, select filter.

Step 6: For Chain select "INPUT"

Step 7: For command select "Insert"

Step 8: For protocol select tcp in the drop down, and leave the first drop down as "-".

Step 9: Type in the source IP/Network for this rule. If you want to allow any network, just leave this blank.

Step 10: In the Destination port window type in the port number you wish to block. For example, if you want to block connections to port 22, type in 22. Leave the first drop down as "-".

Step 11: Set the "Jump Target" to "DROP".

Step 12: Then press the Add Rule button.

Your new rule is now implemented.

How to allow connections to a TCP port

Step 1: Log into the ASL GUI

Step 2: Click the Firewall Tab

Step 3: Select the Firewall Rules menu option.

Step 4: Click the "Add Rule" button.

Step 5: For table, select filter.

Step 6: For Chain select "INPUT"

Step 7: For command select "Insert"

Step 8: For protocol select tcp in the drop down, and leave the first drop down as "-".

Step 9: Type in the source IP/Network for this rule. If you want to allow any network, just leave this blank.

Step 10: In the Destination port window type in the port number you wish to allow. For example, if you want to allow connections to port 22, type in 22. Leave the first drop down as "-".

Step 11: Set the "Jump Target" to "ACCEPT".

Step 12: Then press the Add Rule button.

Your new rule is now implemented.
