How to Configure Firewall on a Nodegrid

            Version 0.1 (08 May 2018)

            Overview

            The Nodegrid platform comes with its own firewall which is based on iptables. The WebUI and the CLI provide an easy way of creating and managing the firewall.

            By default, the firewall accepts all incoming traffic. Especially if the Nodegrid is exposed to the internet, directly or indirectly, it is recommended to secure it with a proper firewall configuration. This guide provides a starting point for that.

            How to Configure a new Firewall rule

            The WebUI and CLI provide a simple interface to create, edit and remove firewall rules. All changes made through either interface take effect immediately. It is therefore important to configure the required ACCEPT rules before a chain's default policy is set to DROP: rules are evaluated in order, the first matching ACCEPT, DROP or REJECT rule decides, and the default policy applies to everything that matches no rule.

            All defined rules will persist through a reboot.

            If a rule locks you out of the node, the rules can still be adjusted through the local console port of the node. Keep a console session open while tightening the rules.

            Note: the following rules must always be present on a Nodegrid, as they are required for normal operation

              Service   Source  Destination  Direction  Protocol  Port  Comments
              ========  ======  ===========  =========  ========  ====  ========
              loopback                       INBOUND    IPv4
              loopback                       OUTBOUND   IPv4
              loopback                       INBOUND    IPv6
              loopback                       OUTBOUND   IPv6

            In the iptables and ip6tables listings later in this guide these are the ACCEPT entries for source 127.0.0.1 (IPv4) and for the lo interface and source ::1 (IPv6) in the INPUT and OUTPUT chains. Check that they are still present after every change, and before a default policy is set to DROP.

            A list of commonly used Firewall Rules on a Nodegrid can be found in Firewall Rules for the Nodegrid platform.



            Create a new Rule

            Create a new Rule through CLI

            • Log in with an admin account
            • Navigate to the desired firewall chain. By default, the following 6 chains are available
              • IPv4 INPUT
            [admin@nodegrid /]# cd /settings/ipv4_firewall/chains/INPUT/
            • IPv4 FORWARD
            [admin@nodegrid /]# cd /settings/ipv4_firewall/chains/FORWARD/
            • IPv4 OUTPUT
            [admin@nodegrid /]# cd /settings/ipv4_firewall/chains/OUTPUT/
            • IPv6 INPUT
            [admin@nodegrid /]# cd /settings/ipv6_firewall/chains/INPUT/
            • IPv6 FORWARD
            [admin@nodegrid /]# cd /settings/ipv6_firewall/chains/FORWARD/
            • IPv6 OUTPUT
            [admin@nodegrid /]# cd /settings/ipv6_firewall/chains/OUTPUT/
            • Type add to create a new rule
            [admin@nodegrid INPUT]# add
            • Use the set command to define the rule settings. Press TAB twice to see all available options
            [admin@nodegrid {INPUT}]# set target=ACCEPT source_net4=192.168.1.1
            • Use the save command to create and activate the new rule. The rule is appended to the end of the chain and gets the next rule number (numbering starts at 0)
            [admin@nodegrid {INPUT}]# save
            • Navigate into the new rule by its number and use the show command to see its current values. The listing below was taken after the protocol and destination port had also been set on this rule (see Edit an existing Rule); the set command above only populates target and source_net4
            [admin@nodegrid INPUT]# cd 2/
            [admin@nodegrid 2]# show
            target = ACCEPT
            source_net4 = 192.168.1.1
            destination_net4 =
            protocol = tcp
            source_port =
            destination_port = 443
            tcp_flag_syn = any
            tcp_flag_ack = any
            tcp_flag_fin = any
            tcp_flag_rst = any
            tcp_flag_urg = any
            tcp_flag_psh = any
            input_interface = any
            output_interface = any
            fragments = all_packets_and_fragments
            reverse_match_for_source_ip|mask = no
            reverse_match_for_destination_ip|mask = no
            reverse_match_for_source_port = no
            reverse_match_for_destination_port = no
            reverse_match_for_protocol = no
            reverse_match_for_tcp_flags = no
            reverse_match_for_icmp_type = no
            reverse_match_for_input_interface = no
            reverse_match_for_output_interface = no
            reject_with = port_unreacheable
            log_level = debug
            log_prefix =
            log_tcp_sequence_numbers = no
            log_options_from_the_tcp_packet_header = no
            log_options_from_the_ip_packet_header = no
            • The currently active IPv4 rules, as loaded into iptables, can be seen with the command shell sudo /usr/sbin/iptables -L -nvx. This is the authoritative view of what is actually enforced, and the pkts and bytes counters show whether a rule is matching traffic at all. The listing below does not yet contain the rule for 192.168.1.1; compare the listing under Edit an existing Rule, where it appears as the third INPUT entry
            [admin@nodegrid /]# shell sudo /usr/sbin/iptables -L -nvx
            
            Chain INPUT (policy ACCEPT 110 packets, 13509 bytes)
                pkts      bytes target     prot opt in     out     source               destination
                1182   132492 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
                   0        0 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0
            
            Chain FORWARD (policy DROP 0 packets, 0 bytes)
                pkts      bytes target     prot opt in     out     source               destination
            
            Chain OUTPUT (policy DROP 0 packets, 0 bytes)
                pkts      bytes target     prot opt in     out     source               destination
                1182   132492 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
                  59    32478 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0
            • The currently active IPv6 rules can be seen with the command shell sudo /usr/sbin/ip6tables -L -nvx
            [admin@nodegrid /]# shell sudo /usr/sbin/ip6tables -L -nvx
            
            Chain INPUT (policy DROP 1 packets, 72 bytes)
                pkts      bytes target     prot opt in     out     source               destination
                   2      132 ACCEPT     all      lo     *       ::/0                 ::/0
                   0        0 ACCEPT     all      *      *       ::1                  ::/0
            
            Chain FORWARD (policy DROP 0 packets, 0 bytes)
                pkts      bytes target     prot opt in     out     source               destination
            
            Chain OUTPUT (policy DROP 8384 packets, 428444 bytes)
                pkts      bytes target     prot opt in     out     source               destination
                   2      132 ACCEPT     all      *      *       ::1                  ::/0

            Create a new Rule through WebUI

            • Log in with an admin account
            • Go to Security::Firewall
            • Click on the desired chain. By default, the following 6 chains are available
              • INPUT - Type IPv4
              • FORWARD - Type IPv4
              • OUTPUT - Type IPv4
              • INPUT - Type IPv6
              • FORWARD - Type IPv6
              • OUTPUT - Type IPv6
            • Click on Add to create a new rule
            • Enter the desired values for the new rule and click on Save
            • The new rule is saved and takes effect immediately


            Delete a Rule

            Delete a Rule through CLI

            • Log in with an admin account
            • Navigate to the firewall Chain which contains the rule
            [admin@nodegrid /]# cd /settings/ipv4_firewall/chains/INPUT/
            • List all available rules with the show command
            [admin@nodegrid INPUT]# show
              rules  target  source net4     destination net4  protocol  input interface  output interface  packets  bytes
              =====  ======  ==============  ================  ========  ===============  ================  =======  =======
              0      ACCEPT  127.0.0.1                                                                      0        0
              1      ACCEPT  192.168.56.101                                                                 0        0
              2      ACCEPT  192.168.1.1                       tcp                                          104007   5150785
            • Type delete together with the rule number to delete the rule; the change takes effect immediately. Rule numbers reflect the position of a rule in the chain, so run show again before deleting a further rule by number
            [admin@nodegrid INPUT]# delete 2
            • The currently active IPv4 rules can be seen with the command shell sudo /usr/sbin/iptables -L -nvx; the deleted rule is no longer listed
            [admin@nodegrid /]# shell sudo /usr/sbin/iptables -L -nvx
            Chain INPUT (policy ACCEPT 110 packets, 13509 bytes)
                pkts      bytes target     prot opt in     out     source               destination
                1182   132492 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
                   0        0 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0 
            
            Chain FORWARD (policy DROP 0 packets, 0 bytes)
                pkts      bytes target     prot opt in     out     source               destination
            
            Chain OUTPUT (policy DROP 0 packets, 0 bytes)
                pkts      bytes target     prot opt in     out     source               destination
                1182   132492 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
                  59    32478 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0
            • The currently active IPv6 rules can be seen with the command shell sudo /usr/sbin/ip6tables -L -nvx
            [admin@nodegrid /]# shell sudo /usr/sbin/ip6tables -L -nvx
            Chain INPUT (policy DROP 1 packets, 72 bytes)
                pkts      bytes target     prot opt in     out     source               destination
                   2      132 ACCEPT     all      lo     *       ::/0                 ::/0
                   0        0 ACCEPT     all      *      *       ::1                  ::/0
            
            Chain FORWARD (policy DROP 0 packets, 0 bytes)
                pkts      bytes target     prot opt in     out     source               destination
            
            Chain OUTPUT (policy DROP 8384 packets, 428444 bytes)
                pkts      bytes target     prot opt in     out     source               destination
                   2      132 ACCEPT     all      *      *       ::1                  ::/0

            Delete a Rule through WebUI

            • Log in with an admin account
            • Go to Security::Firewall
            • Click on the chain which contains the rule to see a list of the current rules
            • Tick the rule to be deleted
            • Click on Delete
            • The rule is deleted and the change takes effect immediately


            Edit an existing Rule

            Edit an existing Rule through CLI

            • Log in with an admin account
            • Navigate to the firewall chain which contains the rule
            • List all available rules with the show command
            [admin@nodegrid INPUT]# show
              rules  target  source net4     destination net4  protocol  input interface  output interface  packets  bytes
              =====  ======  ==============  ================  ========  ===============  ================  =======  ======
              0      ACCEPT  127.0.0.1                                                                      3979     251243
              1      ACCEPT  192.168.56.101                                                                 0        0
              2      ACCEPT  192.168.1.1                                                                    0        0
            • Navigate into the rule to be changed using its rule number
            [admin@nodegrid INPUT]# cd 2/
            • Use the set command to change the rule settings. Press TAB twice to see all available options
            [admin@nodegrid 2]# set protocol=tcp destination_port=443
            • Use the commit command to save and activate the changes (the + in the prompt indicates that there are uncommitted changes)
            [+admin@nodegrid 2]# commit
            • Use the show command to see the current values for the rule
            [admin@nodegrid 2]# show
            target = ACCEPT
            source_net4 = 192.168.1.1
            destination_net4 =
            protocol = tcp
            source_port =
            destination_port = 443
            tcp_flag_syn = any
            tcp_flag_ack = any
            tcp_flag_fin = any
            tcp_flag_rst = any
            tcp_flag_urg = any
            tcp_flag_psh = any
            input_interface = any
            output_interface = any
            fragments = all_packets_and_fragments
            reverse_match_for_source_ip|mask = no
            reverse_match_for_destination_ip|mask = no
            reverse_match_for_source_port = no
            reverse_match_for_destination_port = no
            reverse_match_for_protocol = no
            reverse_match_for_tcp_flags = no
            reverse_match_for_icmp_type = no
            reverse_match_for_input_interface = no
            reverse_match_for_output_interface = no
            reject_with = port_unreacheable
            log_level = debug
            log_prefix =
            log_tcp_sequence_numbers = no
            log_options_from_the_tcp_packet_header = no
            log_options_from_the_ip_packet_header = no
            • The currently active IPv4 rules can be seen with the command shell sudo /usr/sbin/iptables -L -nvx; the changed rule now carries the tcp dpt:443 match
            [admin@nodegrid 2]# shell sudo /usr/sbin/iptables -L -nvx
            Chain INPUT (policy ACCEPT 38 packets, 2372 bytes)
                pkts      bytes target     prot opt in     out     source               destination
                 385    38206 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
                   0        0 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0
                   0        0 ACCEPT     tcp  --  *      *       192.168.1.1          0.0.0.0/0            tcp dpt:443
            
            Chain FORWARD (policy DROP 0 packets, 0 bytes)
                pkts      bytes target     prot opt in     out     source               destination
            
            Chain OUTPUT (policy DROP 0 packets, 0 bytes)
                pkts      bytes target     prot opt in     out     source               destination
                 385    38206 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
                  24     2828 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0
            • The currently active IPv6 rules can be seen with the command shell sudo /usr/sbin/ip6tables -L -nvx
            [admin@nodegrid 2]# shell sudo /usr/sbin/ip6tables -L -nvx
            Chain INPUT (policy DROP 1 packets, 72 bytes)
                 pkts      bytes target     prot opt in     out     source               destination
                    2      132 ACCEPT     all      lo     *       ::/0                 ::/0
                    0        0 ACCEPT     all      *      *       ::1                  ::/0
            
            Chain FORWARD (policy DROP 0 packets, 0 bytes)
                 pkts      bytes target     prot opt in     out     source               destination
            
            Chain OUTPUT (policy DROP 8822 packets, 451048 bytes)
                 pkts      bytes target     prot opt in     out     source               destination
                    2      132 ACCEPT     all      *      *       ::1                  ::/0

            Edit an existing Rule through WebUI

            • Log in with an admin account
            • Go to Security::Firewall
            • Click on the chain which contains the rule to see a list of the current rules
            • Tick the rule to be changed
            • Click on Edit
            • Adjust the settings as required and click on Save
            • The changed rule is saved and takes effect immediately


            Set Default Policy for a Chain

            Set default Policy for a Chain through CLI

            Before changing the default policy of a chain to drop, ensure that all required accept rules have been entered, including the loopback rules and a rule for the address you are administering the node from. Once the change takes effect, all traffic that matches no accept rule is dropped, and the change is immediate.

            • Log in with an admin account
            • Navigate to the firewall policy to be changed
              • IPv4 policies are located at
            [admin@nodegrid /]# cd /settings/ipv4_firewall/policy/
              • IPv6 policies are located at
            [admin@nodegrid /]# cd /settings/ipv6_firewall/policy/
            • Use the show command to list the current settings
            [admin@nodegrid policy]# show
            input = accept
            output = accept
            forward = accept
            • Change the default policy for a chain with the set command
            [admin@nodegrid policy]# set input=drop
            • Use the commit command to save and activate the changes
            [+admin@nodegrid policy]# commit
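            The listing commands from Create a new Rule and the policy change above are the natural place for a lock-out check. The script below is an added example and is not part of the article or of ZPE's own tooling: it parses the iptables -L -nvx / ip6tables -L -nvx output shown throughout this guide and only approves a DROP policy for a chain when that chain already ACCEPTs loopback traffic and traffic from the management host. The file name check_fw.sh, the /tmp path and the addresses 10.0.0.5 and 2001:db8::10 are assumptions for illustration; the sample listings are constructed to match the shape of the article's output.

```shell
#!/bin/sh
# Added example; this is not code from the Nodegrid article or from ZPE.
# Pre-flight check before setting a chain's default policy to DROP.
# It reads "iptables -L -nvx" or "ip6tables -L -nvx" output (the listing
# format the article shows) from stdin and reports, for one chain, the
# current default policy, whether loopback traffic is already ACCEPTed and
# whether the management host you are connected from is ACCEPTed.
#
# Assumed usage on a Nodegrid (file name and management address are examples):
#   shell sudo /usr/sbin/iptables -L -nvx > /tmp/v4.txt
#   sh check_fw.sh < /tmp/v4.txt          (runs the demo at the bottom)
# The source-address check is written for the INPUT chain, which is where a
# lock-out happens; for OUTPUT you would test the destination column instead.

# check_chain CHAIN MGMT_IP   (listing on stdin)
# Prints "CHAIN policy=<P> loopback=<yes|no> mgmt=<yes|no>"; exit 2 if the
# chain does not appear in the listing.
check_chain() {
    awk -v chain="$1" -v mgmt="$2" '
        # Chain header, e.g. "Chain INPUT (policy ACCEPT 110 packets, 13509 bytes)"
        $1 == "Chain" {
            inchain = ($2 == chain)
            if (inchain) policy = $4
            next
        }
        # Skip lines outside the requested chain, the column header and blanks
        !inchain || $1 == "pkts" || NF == 0 { next }
        {
            # Columns: pkts bytes target prot opt in out source destination ...
            # iptables prints "--" in the opt column; ip6tables leaves it blank,
            # which shifts the remaining columns one position to the left.
            if ($5 == "--") { inif = $6; src = $8 } else { inif = $5; src = $7 }
            if ($3 != "ACCEPT") next
            if (src == "127.0.0.1" || src == "::1" || inif == "lo") lo = 1
            if (src == mgmt) mg = 1
        }
        END {
            if (policy == "") { print chain " not found in listing"; exit 2 }
            printf "%s policy=%s loopback=%s mgmt=%s\n", chain, policy,
                   (lo ? "yes" : "no"), (mg ? "yes" : "no")
        }'
}

# safe_to_drop CHAIN MGMT_IP   (listing on stdin)
# Returns 0 only when both ACCEPT rules are already present, i.e. when
# "set <chain>=drop" will not lock you out; prints the reason otherwise.
safe_to_drop() {
    line=$(check_chain "$1" "$2") || return 2
    case "$line" in
        *"loopback=yes mgmt=yes"*) echo "OK: $line"; return 0 ;;
        *)                          echo "REFUSE: $line"; return 1 ;;
    esac
}

# Constructed sample input, shaped like the article's listings.
SAMPLE_V4='Chain INPUT (policy ACCEPT 110 packets, 13509 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1182   132492 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1182   132492 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0'

SAMPLE_V6='Chain INPUT (policy DROP 1 packets, 72 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       2      132 ACCEPT     all      lo     *       ::/0                 ::/0
       0        0 ACCEPT     all      *      *       ::1                  ::/0'

# Demo: IPv4 INPUT is safe to switch to DROP for an admin coming from
# 192.168.56.101, not for one coming from 10.0.0.5, and the IPv6 INPUT chain
# has its loopback rule but no management rule. "|| :" keeps the demo from
# aborting when the script is run under "set -e".
printf '%s\n' "$SAMPLE_V4" | safe_to_drop INPUT 192.168.56.101 || :
printf '%s\n' "$SAMPLE_V4" | safe_to_drop INPUT 10.0.0.5       || :
printf '%s\n' "$SAMPLE_V6" | safe_to_drop INPUT 2001:db8::10   || :
```

            Run it once per address family against the live listing before each set input=drop (or forward=drop / output=drop), and again after commit; a REFUSE for the address you are logged in from means the only way back in is the console port.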

            Set default Policy for a Chain through WebUI

            Before changing the default policy of a chain to drop, ensure that all required accept rules have been entered, including the loopback rules and a rule for the address you are administering the node from. Once the change takes effect, all traffic that matches no accept rule is dropped.

            • Log in with an admin account
            • Go to Security::Firewall
            • Tick the chain for which the default policy should be changed
            • Click on Change Policy
            • Set the new default policy and confirm with Save
            • The new policy is saved and takes effect immediately

            Updated: 07 May 2018 08:57 PM