Knowledge Base ZPE Systems, Inc. FAQ

            Can an access list be configured to only allow a specific network, such as 10.0.0.0/8, to access the Nodegrid box?

            Overview

            Nodegrid has a complete built-in firewall based on iptables; the CLI and Web UI simply wrap its configuration so that both stay consistent. If you lock yourself out with the DROP policy, you can still reach the unit through the console port (115200 bps) and fix the configuration there.
            It is important that the local addresses (loopback and the unit's primary IP) are accepted by the Nodegrid firewall rules. Without these rules it is possible that the unit will not start properly after a reboot.

            Configuration through CLI

            • Login with an admin account
            • First, add the local addresses to the firewall configuration
            1. [admin@nodegrid /]# cd /settings/ipv4_firewall/chains/INPUT/
            2. [admin@nodegrid INPUT]# add
            3. [admin@nodegrid {INPUT}]# set target=ACCEPT source_net4=127.0.0.1
            4. [admin@nodegrid {INPUT}]# save
            5. [admin@nodegrid INPUT]# add
            6. [admin@nodegrid {INPUT}]# set target=ACCEPT source_net4=<Primary IPAddress>
            7. [admin@nodegrid {INPUT}]# save
            • Add the desired network range or IP addresses that should be allowed to access the Nodegrid

            1. [admin@nodegrid INPUT]# add
            2. [admin@nodegrid {INPUT}]# set target=ACCEPT source_net4=10.0.0.0/8
            3. [admin@nodegrid {INPUT}]# save
            • Set the default policy of the INPUT chain to DROP so that all other connections are dropped

            1. [admin@nodegrid INPUT]# cd /settings/ipv4_firewall/policy/
            2. [admin@nodegrid {INPUT}]# set input=drop
            3. [+admin@nodegrid {INPUT}]# commit
            • Check the currently active firewall rules

            [admin@nodegrid INPUT]# shell sudo /usr/sbin/iptables -L -nvx
            Chain INPUT (policy DROP 0 packets, 0 bytes)
                pkts      bytes target     prot opt in     out     source               destination
                 149    18576 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
                   0        0 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0
                   0        0 ACCEPT     all  --  *      *       10.0.0.0/8           0.0.0.0/0

            Chain FORWARD (policy DROP 0 packets, 0 bytes)
                pkts      bytes target     prot opt in     out     source               destination

            Chain OUTPUT (policy DROP 0 packets, 0 bytes)
                pkts      bytes target     prot opt in     out     source               destination
                 149    18576 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
                   6      532 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0
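The following is an added example, not code from ZPE or the Nodegrid product: a small simulator of the INPUT chain as the article configures it (source-address match only, first matching rule wins, then the chain policy), plus a parser for the `iptables -L -nvx` listing above. It lets you confirm, before committing `input=drop`, that loopback, the unit's primary IP and your own management address would all still be accepted. The listing embedded below is constructed to mirror the article's output, with 192.168.56.101 standing in for `<Primary IPAddress>`; the admin workstation addresses are assumed values.

```python
"""Dry-run check of a Nodegrid iptables INPUT chain before switching the
policy to DROP.  Added example; not ZPE's code.  Only the source address
is matched, which is the only field the article's rules set."""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Tuple


class Rule(NamedTuple):
    target: str       # e.g. "ACCEPT"
    source_net4: str  # host address or CIDR, as typed in `set source_net4=...`


def _net(spec: str) -> ipaddress.IPv4Network:
    # A bare host such as 127.0.0.1 is a /32, matching iptables semantics.
    return ipaddress.ip_network(spec, strict=False)


def verdict(rules: List[Rule], policy: str, src: str) -> str:
    """Target of the first rule whose source matches src, else the chain policy."""
    ip = ipaddress.ip_address(src)
    for rule in rules:
        if ip in _net(rule.source_net4):
            return rule.target.upper()
    return policy.upper()


def lockout_risks(rules: List[Rule], policy: str, must_accept: List[str]) -> List[str]:
    """Addresses in must_accept that the chain would NOT accept.

    The article requires 127.0.0.1 and the unit's primary IP to be accepted;
    anything returned here is a boot or lockout risk once the policy is DROP."""
    return [a for a in must_accept if verdict(rules, policy, a) != "ACCEPT"]


_CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")


def parse_iptables_listing(text: str) -> Dict[str, Tuple[str, List[Rule]]]:
    """Parse `iptables -L -nvx` output into {chain: (policy, [Rule, ...])}."""
    chains: Dict[str, Tuple[str, List[Rule]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
            continue
        if not line or line.startswith("pkts") or current is None:
            continue
        cols = line.split()
        # -nvx columns: pkts bytes target prot opt in out source destination
        chains[current][1].append(Rule(target=cols[2], source_net4=cols[7]))
    return chains


# Constructed listing mirroring the article's INPUT chain; 192.168.56.101
# stands in for <Primary IPAddress>.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     149    18576 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       10.0.0.0/8           0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
"""


def check_input_chain(listing: str, primary_ip: str, admin_ip: str) -> List[str]:
    """The article's sanity check: loopback, the primary IP and the admin's own
    workstation must all be accepted by INPUT.  Returns the addresses that fail."""
    policy, rules = parse_iptables_listing(listing)["INPUT"]
    return lockout_risks(rules, policy, ["127.0.0.1", primary_ip, admin_ip])


if __name__ == "__main__":
    # Admin inside 10.0.0.0/8: nothing at risk.
    print(check_input_chain(SAMPLE_LISTING, "192.168.56.101", "10.1.2.3"))     # []
    # Admin outside the allowed range: this address would be locked out.
    print(check_input_chain(SAMPLE_LISTING, "192.168.56.101", "172.16.0.9"))   # ['172.16.0.9']
```

Run the check against a fresh `iptables -L -nvx` capture from the unit; a non-empty result means the DROP policy should not be committed until the missing ACCEPT rules are added.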

            Configuration through WebUI

            • Login with an admin account
            • Go to Security::Firewall

            • click on INPUT for the IPv4 type
            • click on add to create a new rule

            • Create the first two rules for the local Nodegrid IPs with the following values.
              • Rule 1:
                • TARGET: ACCEPT
                • SOURCE: 127.0.0.1
              • Rule 2:
                • TARGET: ACCEPT
                • SOURCE: <PRIMARY IP OF NODEGRID>
              • It is important that the local addresses are accepted by the Nodegrid firewall rules. Without these rules it is possible that the unit will not start properly after a reboot.
            • Add the desired network range or IP addresses that should be allowed to access the Nodegrid, and leave the other parameters at their defaults.
              • Rule 3:
                • TARGET: ACCEPT
                • SOURCE: <IP ADDRESS>/<BITMASK>
            • The rule set should now contain the three ACCEPT rules above (loopback, primary IP, allowed network).

            • Set the default policy of the INPUT chain to DROP so that all other connections are dropped. Navigate to Security::Firewall, highlight the INPUT chain and click on Change Policy

            • Change the policy to DROP and click Save


            Updated: 02 May 2018 02:55 AM