ASL firewall
Revision as of 08:52, 8 June 2012
Access the firewall rule manager
Step 1: Log into the ASL GUI
Step 2: Click on the Firewall Tab.
Step 3: Click on the firewall rules menu item.
This will open the firewall rules window.
Rule Types
Linux supports three types of firewall rules (in iptables terms, three tables):
NAT
Network Address Translation Rules: These rules are used to change the source and/or destination of packets.
Mangle
These types of rules are used to modify or "mangle" packets before they are processed.
Filter
These types of rules are used to filter or "block" packets. These are the most common rules, and are probably the type of rule you want if you want to allow or block traffic to a specific port.
Filter subtypes
INPUT
These are rules for traffic going to the server itself. These are the most common subtype, and are what you want if you are looking to allow traffic to a port, or to block traffic to a port.
OUTPUT
These are rules for traffic leaving the server, that is, traffic generated by the server itself.
FORWARD
This subtype is for all other traffic that is not INPUT or OUTPUT. Specifically, this is traffic passing through the server when the server is acting as a classic firewall for another system. FORWARD rules have nothing to do with traffic to or from the server itself.
Jump Targets
In Linux these tell the rule which action to jump to. This is how you tell Linux what to do, such as allow, deny or something else, when the rule matches.
ACCEPT
Accept the traffic. This will allow the traffic.
DROP
Silently drop the packet. The client will get no response from the server.
REJECT
Reject the packet. The client will get a rejection response from the server at the TCP or UDP layer, so it learns the connection was refused.
Rule options
Using the firewall manager
Adding a firewall rule
Step 1: Select the type of rule you want to add from the list above
Step 2: Select the subtype of the rule you want to add from the list above
Step 3: From the firewall rule manager, select the subtype. For example, to add a filter -> INPUT rule select "INPUT" under the filter tree branch. This will pull up any INPUT rules you have on the system. To add a new rule select "Add Rule".
Step 4: Select the subtype under "Chain". For example, if you want to add an INPUT rule select Table "filter"; this should auto-select "INPUT". If it does not, select INPUT as the "Chain".
Step 5: Select the command, Append or Insert. In Linux, Append means to add the rule after all other rules. Linux firewalling is linear: it processes the rules in order, "first come first served", and the first rule that matches decides what happens to the packet. Appending places the rule last. Insert places the rule first, and with Insert you can also set the rule number in case you prefer that the rule run second, third, etc.
Step 6: Select the protocol by clicking on the "n/a" drop down. The drop down before it lets you add a "negative", for example if you want a rule that says "not tcp". If you want this rule to be for TCP, just select tcp in the drop down and leave the first drop down as "-".
Step 7: Type in the source IP/Network for this rule. If you want to allow any network, just leave this blank.
Step 8: Type in the destination for this rule. If you are creating a rule for the server itself, for example to allow connections to a specific port, just leave this blank.
Step 9: Type in the source port. If you are creating a rule to allow connections to the server from another server, leave this blank.
Step 10: Type in the Destination port. For example, if you want to allow connections to port 22, type in 22.
Step 11: Set the interface. If you want to set this rule for all interfaces, leave the default of "n/a".
Step 12: Set the "Jump Target". In Linux this is roughly the "action". You will see a number of options described above, such as ACCEPT and REJECT; please see above for more information about these. In general, if you want to allow a connection, select "ACCEPT".
Step 13: Select Add Rule.
Your new rule is now implemented.
Examples
How to block all incoming connections to a TCP port
Step 1: Log into the ASL GUI
Step 2: Click the Firewall Tab
Step 3: Select the Firewall Rules menu option.
Step 4: Click the "Add Rule" button.
Step 5: For Table, select "filter".
Step 6: For Chain, select "INPUT".
Step 7: For Command, select "Insert".
Step 8: For protocol, select tcp in the drop down, and leave the first drop down as "-".
Step 9: Type in the source IP/Network for this rule. If you want the rule to apply to any source network, just leave this blank.
Step 10: In the Destination port window type in the port number you wish to block. For example, if you want to block connections to port 22, type in 22. Leave the first drop down as "-".
Step 11: Set the "Jump Target" to "DROP".
Step 12: Press the Add Rule button.
Your new rule is now implemented.
How to allow connections to a TCP port
Step 1: Log into the ASL GUI
Step 2: Click the Firewall Tab
Step 3: Select the Firewall Rules menu option.
Step 4: Click the "Add Rule" button.
Step 5: For Table, select "filter".
Step 6: For Chain, select "INPUT".
Step 7: For Command, select "Insert".
Step 8: For protocol, select tcp in the drop down, and leave the first drop down as "-".
Step 9: Type in the source IP/Network for this rule. If you want to allow any network, just leave this blank.
Step 10: In the Destination port window type in the port number you wish to allow. For example, if you want to allow connections to port 22, type in 22. Leave the first drop down as "-".
Step 11: Set the "Jump Target" to "ACCEPT".
Step 12: Press the Add Rule button.
Your new rule is now implemented.
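The following is an added example written for this page; it is not code from ASL or from Atomicorp. It models the point made under "Adding a firewall rule" Step 5 (rules are processed in order and the first match wins, so Insert and Append give different results) and shows what the two worked examples above produce when both a DROP and an ACCEPT rule exist for port 22. It assumes that the ASL GUI drives iptables, so each form field is also rendered as the iptables flag it is assumed to correspond to; the Rule and Chain classes, the demo() function and the sample SSH packet are all constructed for this example.

```python
# Added example (not ASL code): a model of the linear, first-match evaluation
# behind the firewall manager's Append/Insert commands and jump targets,
# plus the iptables command each GUI rule is assumed to correspond to.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One row of the firewall rule manager form (blank/"n/a" fields are None)."""
    chain: str                       # INPUT, OUTPUT or FORWARD
    jump: str                        # Jump Target: ACCEPT, DROP or REJECT
    table: str = "filter"            # filter, nat or mangle
    proto: Optional[str] = None      # "n/a" in the GUI means any protocol
    negate_proto: bool = False       # the "negative" drop-down ("not tcp")
    src: Optional[str] = None        # source IP/network; blank means any
    dst: Optional[str] = None        # destination IP/network; blank means any
    sport: Optional[int] = None      # source port
    dport: Optional[int] = None      # destination port
    iface: Optional[str] = None      # interface; "n/a" means all interfaces

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None:
            hit = pkt["proto"] == self.proto
            if hit == self.negate_proto:      # negation flips the protocol test
                return False
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst, strict=False):
            return False
        if self.sport is not None and pkt.get("sport") != self.sport:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.iface and pkt.get("iface") != self.iface:
            return False
        return True

    def to_iptables(self, command: str, position: Optional[int] = None) -> str:
        """Equivalent iptables command line for this form (assumed GUI-to-flag mapping)."""
        parts = ["iptables", "-t", self.table,
                 "-A" if command == "Append" else "-I", self.chain]
        if command == "Insert" and position is not None:
            parts.append(str(position))       # rule number, counted from 1
        if self.proto:
            parts += (["!"] if self.negate_proto else []) + ["-p", self.proto]
        for flag, val in (("-s", self.src), ("-d", self.dst),
                          ("--sport", self.sport), ("--dport", self.dport),
                          ("-i", self.iface)):
            if val is not None and val != "":
                parts += [flag, str(val)]
        return " ".join(parts + ["-j", self.jump])


@dataclass
class Chain:
    """A chain is evaluated top to bottom; the first matching rule decides."""
    name: str
    policy: str = "ACCEPT"            # verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        self.rules.append(rule)       # GUI command "Append": rule goes last

    def insert(self, rule: Rule, position: int = 1) -> None:
        self.rules.insert(position - 1, rule)   # "Insert": rule numbers start at 1

    def verdict(self, pkt: dict) -> Tuple[str, Optional[int]]:
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.jump, number
        return self.policy, None


def demo() -> Tuple[Tuple[str, Optional[int]], Tuple[str, Optional[int]]]:
    """Why Insert vs Append matters for the two worked examples on this page."""
    inp = Chain("INPUT")
    # Constructed sample packet: an inbound SSH connection attempt.
    ssh = {"proto": "tcp", "src": "203.0.113.5", "dst": "198.51.100.10",
           "dport": 22, "iface": "eth0"}
    allow_ssh = Rule("INPUT", "ACCEPT", proto="tcp", dport=22)
    block_ssh = Rule("INPUT", "DROP", proto="tcp", dport=22)
    inp.append(allow_ssh)
    inp.append(block_ssh)             # appended after the ACCEPT: never reached
    appended = inp.verdict(ssh)       # ('ACCEPT', 1)
    inp.insert(block_ssh)             # Insert puts the DROP first, so it wins
    inserted = inp.verdict(ssh)       # ('DROP', 1)
    return appended, inserted


if __name__ == "__main__":
    print(demo())
    print(Rule("INPUT", "DROP", proto="tcp", dport=22).to_iptables("Insert"))
```

The demo shows the practical consequence of Step 5: a DROP rule that is appended behind an existing ACCEPT for the same port never fires, which is why both examples on this page use "Insert" to put the new rule at the top of the INPUT chain. On a real system the same check is done by listing the chain with rule numbers (`iptables -L INPUT -n --line-numbers`) and confirming the new rule sits above anything that would match first.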