Beginner's Guide To ClearOS - Linux Firewall
- technick-martin
- Apr 6, 2016
- 6 min read

ClearOS Firewall is one of the best open-source Linux firewall distributions. It is an extremely flexible firewall app, built and configured mainly for open-source platforms. The firewall is designed to prevent unauthorized access to or from a private network, whether that network is a single machine or many shared ones. Here we provide a complete guide to all the features of this Linux firewall.
ClearOS firewall as the best source
It works as a command-line firewall, designed by the ClearFoundation team. The firewall apps are divided mainly into the Incoming Firewall and the Custom Firewall. These apps come pre-installed on the ClearOS platform; to update or install one, just retrieve the app.
Custom Firewall
As an administrator you will be able to accomplish most of your firewall needs using the standard ClearOS web interface, though in some scenarios it may be necessary to add custom firewall rules. The Custom Firewall tool provides a way to create such advanced firewall rules. To use the module you first have to install it from the ClearCenter Marketplace.
MarketPlace
The ClearCenter Marketplace is a service that allows administrators to browse and search for apps compatible with their platform/version and install them. Apps are applications that have been specifically developed and integrated into the ClearOS webconfig user interface and that extend or enhance the functionality and/or security of a system.
Your Marketplace can be customised by clicking on the 'Settings' button found among the cluster of buttons/links used for paginating the Marketplace apps and beginning the install process. To illustrate the process, let's walk through examples covering the possible IP cases.
Custom Firewall Module Examples
These examples show the cases that exist for the Custom Firewall in ClearOS. This guide contains examples of useful rules and how they are used to protect your server or network from unauthorized use.
For these examples we will use the WAN network 1.2.3.0/28, with .1 as our ISP's router and .4 as our ClearOS server. The DMZ network is 5.6.7.0/27 with 5.6.7.8 as the ClearOS DMZ IP address. The HotLAN network is 172.22.22.0/24 with ClearOS as 172.22.22.22. The LAN is 192.168.1.0/24 with 192.168.1.1 as the ClearOS server and 192.168.1.10 as a third-party web/file server.
Firewalling
Port Forwarding Restricted to Specific Public IPs
Case 1. This case covers port forwarding restricted to specific public IPs. The example below allows connections to a MySQL server (TCP port 3306) on the LAN at 192.168.4.109 only from the remote IPs 1.2.3.4 and 5.6.7.8:
iptables -t filter -I FORWARD -d 192.168.4.109 -p tcp --dport 3306 -j DROP
iptables -t filter -I FORWARD -s 1.2.3.4 -d 192.168.4.109 -p tcp --dport 3306 -j ACCEPT
iptables -t filter -I FORWARD -s 5.6.7.8 -d 192.168.4.109 -p tcp --dport 3306 -j ACCEPT
These rules alone do not forward the port. The next step is to use the Port Forwarding app to create the port forwarding rule for the example above: TCP port 3306 to IP 192.168.4.109. The Custom Firewall and the Port Forwarding app then work together: the custom rules handle the restriction to specific public IPs, while the Port Forwarding app handles the rest.
Port-based Filtering
Case 2. This example covers port-based filtering. Rather than passing traffic to bypass the content filter, it singles out a port and drops it for a certain host or range of hosts. For example, you can block SMTP for your entire DHCP range of addresses if your DHCP scope goes from 192.168.1.128-254:
iptables -t nat -I PREROUTING -s 192.168.1.128/25 -p tcp --dport 25 -j DROP
Managing LAN-to-LAN Traffic
Case 3. By default, traffic between multiple LANs is permitted. If you would like to block traffic between LANs, you can use the following example.
eth1: LAN1
eth2: LAN2
# Block traffic between eth1 and eth2
iptables -I FORWARD -i eth1 -o eth2 -j DROP
iptables -I FORWARD -i eth2 -o eth1 -j DROP
# Allow reply traffic
iptables -I FORWARD -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i eth2 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow traffic to web server on LAN2 network
iptables -I FORWARD -i eth1 -o eth2 -p tcp --dport 80 -j ACCEPT
Logging Specific Network Traffic
Case 4. In various circumstances you may want to log certain types of network traffic. The first thing you need to do is create a special logging firewall chain:
iptables -N log-traffic
iptables -I log-traffic -j LOG --log-prefix "Traffic log: "
Next, you can add rules that direct traffic to the logger. Here are some examples:
# Log traffic destined to 1.2.3.4
iptables -I FORWARD -d 1.2.3.4 -j log-traffic
# Log traffic destined to port 12345
iptables -I FORWARD -p tcp --dport 12345 -j log-traffic
The information is written to the /var/log/messages log, which can be viewed using the Log Viewer app.
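As an added example (not from the ClearOS documentation or the ClearFoundation project), the following POSIX shell script summarises what the log-traffic chain above writes to /var/log/messages, so an administrator can see at a glance which sources are hitting a logged destination or port. The SRC=, DST=, PROTO= and DPT= fields are the standard iptables LOG format; the sample lines, hostname and addresses are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the ClearOS docs: summarise iptables LOG entries
# produced by a chain using --log-prefix "Traffic log: ".

# Constructed sample of /var/log/messages lines (syslog + iptables LOG format).
# The last line is an unrelated sshd entry that must be ignored.
SAMPLE_LOG='Apr  6 10:01:02 clearos kernel: Traffic log: IN=eth0 OUT=eth1 SRC=9.9.9.9 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=12345 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  6 10:01:03 clearos kernel: Traffic log: IN=eth0 OUT=eth1 SRC=9.9.9.9 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=12345 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  6 10:01:05 clearos kernel: Traffic log: IN=eth0 OUT=eth1 SRC=8.8.4.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=4000 DPT=53 LEN=40
Apr  6 10:01:06 clearos sshd[123]: Accepted publickey for admin from 10.0.0.5 port 5000 ssh2'

# summarise_traffic_log PREFIX < logfile
# Keeps only kernel lines carrying PREFIX, then prints one line per
# (source, destination, protocol, destination port) tuple:
#   "<count> <src> <dst> <proto> <dpt>", highest count first.
summarise_traffic_log() {
    prefix=$1
    grep -F "kernel: $prefix" | awk '{
        src = ""; dst = ""; proto = ""; dpt = "-"
        # Walk the KEY=VALUE tokens the LOG target emits.
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "") count[src " " dst " " proto " " dpt]++
    } END {
        for (k in count) print count[k], k
    }' | sort -rn
}

# top_talker PREFIX < logfile
# Prints the source address with the most logged packets.
top_talker() {
    summarise_traffic_log "$1" | head -n 1 | awk '{ print $2 }'
}

# Run over the constructed sample; on a real system use:
#   summarise_traffic_log "Traffic log: " < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarise_traffic_log "Traffic log: "
```

The grep on the prefix is what keeps unrelated kernel messages and other daemons' lines out of the summary, so choose a distinctive --log-prefix for each logging chain you create.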
Gateway Services
Case 5. To bypass all gateway services except NAT for a host, you can use a rule like this:
iptables -t nat -I PREROUTING -s 192.168.1.99 -j ACCEPT
This rule bypasses all filtering of every kind for this IP address. If you want to limit the bypass to TCP services only, use the following:
iptables -t nat -I PREROUTING -s 192.168.1.99 -p tcp -j ACCEPT
HotLAN to LAN
Case 6. HotLAN to LAN. This is similar to the Pinhole feature in the DMZ app. For this example, your LAN is 10.1.1.0/24 and your HotLAN network is 192.168.1.0/24, and the service is SMTP on port 25 on the server 10.1.1.10. You can add a forwarding rule using the Custom Firewall app:
iptables -I FORWARD -p tcp -s 192.168.1.0/24 -d 10.1.1.110 --dport 25 -j ACCEPT
Port Forwarding from selected hosts
Case 7. Let us say that you want to allow only certain hosts to access your SMTP service behind your firewall. You could normally use the Port Forwarding module for this, but you want to be restrictive and limit access to a single range.
In this example, our internal server is 10.1.1.110 and is running SMTP. We want 3.2.1.0/24 to be able to reach it, but only that range.
You will need to add two rules:
iptables -t nat -A PREROUTING -p tcp -i eth0 -s 3.2.1.0/24 --dport 25 -j DNAT --to-destination 10.1.1.110:25
iptables -A FORWARD -p tcp -s 3.2.1.0/24 -d 10.1.1.110 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Limit SSH/Webconfig Access to Specific IP Addresses
The following entries restrict remote SSH (port 22) and Webconfig (port 81) access to specific IP addresses that you define (i.e. allow remote login from the office, home, datacenter, etc.).
# Deny all SSH connections
iptables -I INPUT -p tcp --dport 22 -j DROP
# Allow connections from address xyz
iptables -I INPUT -p tcp --source 1.2.3.4 --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --source 5.6.7.8 --dport 22 -j ACCEPT
# Deny all webconfig connections
iptables -I INPUT -p tcp --dport 81 -j DROP
# Allow connections from address xyz
iptables -I INPUT -p tcp --source 1.2.3.4 --dport 81 -j ACCEPT
iptables -I INPUT -p tcp --source 5.6.7.8 --dport 81 -j ACCEPT
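Case 1 and the SSH/Webconfig rules above share one pattern: a DROP for the service is inserted first, and the ACCEPT rules for the allowed sources are inserted afterwards so that, because -I places each rule at the top of the chain, they are evaluated before the DROP. The script below is an added example (not ClearOS or ClearFoundation code) that generates such an allow-list for any chain, protocol, port and list of sources, and shows the order the kernel will evaluate the rules in. The function names are my own; the addresses are the ones used on this page.

```shell
#!/bin/sh
# Added example, not part of the ClearOS docs: generate a "deny by default,
# allow listed sources" rule set in the insert order the page uses.
#
# restrict_port CHAIN PROTO PORT DST_IP ALLOWED_SRC...
#   DST_IP is "-" for INPUT rules, where the firewall itself is the destination,
#   or an address for FORWARD rules that protect a host behind the firewall.
restrict_port() {
    chain=$1; proto=$2; port=$3; dst=$4
    shift 4
    if [ "$dst" = "-" ]; then
        dstopt=""
    else
        dstopt="-d $dst "
    fi
    # The DROP goes in first; every ACCEPT inserted after it lands above it.
    printf 'iptables -I %s %s-p %s --dport %s -j DROP\n' \
        "$chain" "$dstopt" "$proto" "$port"
    for src in "$@"; do
        printf 'iptables -I %s -s %s %s-p %s --dport %s -j ACCEPT\n' \
            "$chain" "$src" "$dstopt" "$proto" "$port"
    done
}

# effective_order < rules
# Since -I inserts at position 1, the chain ends up in the reverse of the
# order the commands were run. Reversing the lines shows what "iptables -L"
# would list: the ACCEPTs first, the DROP last.
effective_order() {
    sed -n '1!G;h;$p'
}

# Reproduce the SSH rules from the page (addresses as used there).
restrict_port INPUT tcp 22 - 1.2.3.4 5.6.7.8
# Reproduce the Case 1 MySQL rules (table "filter" is the default, so -t filter is implied).
restrict_port FORWARD tcp 3306 192.168.4.109 1.2.3.4 5.6.7.8
echo "# evaluation order of the SSH rules after insertion:"
restrict_port INPUT tcp 22 - 1.2.3.4 5.6.7.8 | effective_order
```

If you run the ACCEPT commands before the DROP, the DROP ends up on top and the allowed sources are locked out as well; keeping the generator's order removes that mistake, and effective_order lets you confirm the result before pasting the rules into the Custom Firewall app.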
Incoming Firewall
The Incoming Firewall feature is used for two primary purposes, and otherwise follows the same Marketplace conventions as the Custom Firewall:
- To allow external connections to your ClearOS system
- To permanently block a particular IP address or entire networks from accessing ClearOS
Installation
This feature is part of the core system and is installed by default.
Configuration
Incoming Connections
Whenever the firewall is enabled on your ClearOS system, the default behaviour is to block all external traffic coming to your server. If you want services running on your ClearOS system to be reachable from the Internet, whether Dynamic DNS or Dynamic VPN, you will need to add a firewall policy. For example, the OpenVPN feature requires UDP port 1194 to be open on the firewall.
You can also open up ports to allow remote management of your ClearOS system. For example, you can open up TCP port 81 to give access to Webconfig.
There are three ways to add an incoming firewall rule:
- select a standard service in the Standard Services drop-down
- input a protocol and a single port number in the Port Number box
- input a protocol and multiple consecutive ports as a port range in the Port Range box