Firewall Config

Discussion in 'General' started by BryceZ, Dec 16, 2011.

  1. BryceZ Community Manager

    1. 2011-12-12 08:43:04 PST
      I'm currently getting ready to deploy some new storage nodes and our IT security team wants to confirm our firewall configs, which means justifying every open port. So it looks like I'm going to need to document every necessary port for FOG. I was wondering if somebody might already have something like this written down somewhere that I could take a look at, otherwise I'll just have to go through and figure it out. I can see that being useful documentation to keep on the FOG wiki though, and I'll be sure to share whatever I find.
    2. 2011-12-12 13:11:07 PST
      It's not documented AFAIK; off the top of my head: FTP - 20 + 21, SSH - 22, Apache - 80 + 443, Portmap - 111, NFS - 2049, MySQL - 3306, UDP Send uses 63100+ in FOG
    3. 2011-12-13 08:11:21 PST
      Thanks for the list Blackout! A few things to add: TFTP - 69. FOG by default doesn't support HTTPS (though it is doable; it just took me a while and broke some things), so 443 isn't required. If anyone notices anything else that's missing, please go ahead and add it. And once I get the iptables config written up and confirmed I'll go ahead and post it in the wiki, with a link to it from here.
    4. 2011-12-13 16:16:38 PST
      Ahh yes, I forgot TFTP! 443 (HTTPS) will be added in 0.33 :) An iptables config would rock!
    5. 2011-12-14 06:32:38 PST
      Does that mean SSL will be supported by the FOG client service and the boot image?
    6. 2011-12-14 09:51:30 PST
      According to the UDPCast documentation, the default portbase is 9000+. Is there a reason why FOG uses a non-standard port for UDPCast?
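    The port list above is what the thread uses as its allow-list. As an added example (not from the thread or from the FOG project), the POSIX shell script below checks that list against what a server is actually listening on, as reported by `ss -lntu`, and prints the listeners nobody has justified together with the allow-list entries that have nothing behind them. The `ss` output it runs on here is constructed for the demonstration; the stray `tcp/42155` listener stands in for one of the NFS helper daemons (mountd, lockd, statd) sitting on a random high port, which is what the rest of the thread ends up dealing with.

    ```shell
    #!/bin/sh
    # Added example: audit listening sockets against the port allow-list from
    # the thread. On a live FOG server:  unjustified "$(ss -lntu)"
    # Entries are "proto/port". Adjust ALLOWED to the ports you have justified.
    ALLOWED="tcp/20 tcp/21 tcp/22 udp/69 tcp/80 tcp/443 tcp/111 udp/111 tcp/2049 udp/2049"

    # Constructed sample of `ss -lntu` output (not captured from a real server).
    SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
    udp   UNCONN 0      0      0.0.0.0:69         0.0.0.0:*
    udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*
    tcp   LISTEN 0      128    0.0.0.0:21         0.0.0.0:*
    tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
    tcp   LISTEN 0      511    *:80               *:*
    tcp   LISTEN 0      128    0.0.0.0:111        0.0.0.0:*
    tcp   LISTEN 0      64     0.0.0.0:2049       0.0.0.0:*
    tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
    tcp   LISTEN 0      128    0.0.0.0:42155      0.0.0.0:*'

    # listeners SS_OUTPUT: print "proto/port" for every listener bound to a
    # non-loopback address (loopback-only services need no firewall exception).
    listeners() {
        printf '%s\n' "$1" | awk '
        ($1 == "tcp" || $1 == "udp") && NF >= 5 {
            n = split($5, part, ":"); port = part[n]
            host = substr($5, 1, length($5) - length(port) - 1)
            if (host != "127.0.0.1" && host != "[::1]") print $1 "/" port
        }' | sort -u
    }

    # unjustified SS_OUTPUT: listeners that no ALLOWED entry covers.
    unjustified() {
        for l in $(listeners "$1"); do
            printf '%s\n' $ALLOWED | grep -qxF "$l" || echo "$l"
        done
    }

    # unused SS_OUTPUT: ALLOWED entries with nothing listening behind them. Each
    # is either a rule to drop or a port that needs a different justification
    # (tcp/20, for instance, is the source port of active-mode FTP data, not a
    # listener).
    unused() {
        have=$(listeners "$1")
        for a in $ALLOWED; do
            printf '%s\n' "$have" | grep -qxF "$a" || echo "$a"
        done
    }

    echo "listening but not on the allow-list:"; unjustified "$SAMPLE_SS"
    echo "on the allow-list but not listening:"; unused "$SAMPLE_SS"
    ```

    Run against the sample it reports `tcp/42155` as the only unjustified listener, and `tcp/20`, `tcp/443` and `udp/2049` as allow-list entries with no socket behind them; whether those three stay in the rule set is exactly the question the security team is asking.
    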
  2. BryceZ Community Manager

    I've thrown together an iptables config script that seems to work.

    Code:
    #!/bin/bash
    
    # Flush old rules (and delete any user-defined chains)
    iptables -F
    iptables -X
    
    # Deny all incoming, allow all outgoing
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    
    # Exception for FTP (control channel on 21; 20 is the active-mode data source port)
    iptables -A INPUT -p tcp --dport 20 -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    
    # Exception for SSH
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    
    # Exception for TFTP (UDP only; PXE clients fetch the boot files from here)
    iptables -A INPUT -p udp --dport 69 -j ACCEPT
    
    # Exception for HTTP(S)
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    
    # Exception for Portmap (rpcbind), which NFS clients query to find mountd
    iptables -A INPUT -p tcp --dport 111 -j ACCEPT
    iptables -A INPUT -p udp --dport 111 -j ACCEPT
    
    # Exception for NFS
    iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
    iptables -A INPUT -p udp --dport 2049 -j ACCEPT
    
    # Exception for transfer ports. There is no ESTABLISHED,RELATED rule above,
    # so this catch-all is also what admits the replies to connections the
    # server opens itself, and the random high ports the NFS helper daemons
    # (mountd, lockd, statd) and the UDPCast transfers land on.
    iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -p udp --dport 1024:65535 -j ACCEPT
    
    # List rules
    iptables -L -n -v
    If anyone wants to test this, or just ask questions, please go right ahead.
  3. Blackout Developer

    At minimum the Web UI will be SSL.
  4. Chuck Syperski Project Lead

    We used the non default port range so we could support a large number of concurrent multicasts (50+) without running into known used ports.
  5. SomeOne New Member

    Hi
    I have been trying to find more information on these ports

    iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -p udp --dport 1024:65535 -j ACCEPT

    Why such a huge range?
    Is there a way to specify a smaller window? I am not using UDPCast.
    What component needs this range?

    Thanks!
  6. BryceZ Community Manager

    The port range could probably be scaled back, but I never got around to narrowing each range. From what I've come to understand (keep in mind that I'm not a network admin) most protocols have designated ports for establishing connections and then use random ports from the higher port range (generally 1024+) for the actual transfer. Some applications, such as UDPCast, allow you to specify the transfer port range, but that's not always the case. So you probably don't need the whole range but you'll need some of it.
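    The catch-all range BryceZ describes is easy to lose track of once a rule set grows. As an added example (not code from the thread or from FOG), the shell function below reads `iptables-save` output and flags INPUT ACCEPT rules whose destination-port range is wider than a threshold, noting whether each is at least restricted to a source network. The rule set it runs on is constructed for the demonstration and mixes the thread's rules with a pinned UDPCast range and a source-restricted NFS rule.

    ```shell
    #!/bin/sh
    # Added example: find over-broad port ranges in an iptables rule set.
    # Live use:  wide_accepts "$(iptables-save)" 256

    # Constructed iptables-save output (not captured from a real server).
    SAMPLE_SAVE='*filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p udp -m udp --dport 69 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT
    -A INPUT -p udp -m udp --dport 63100:63130 -j ACCEPT
    -A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 2049 -j ACCEPT
    COMMIT'

    # wide_accepts SAVE_OUTPUT [MAX]: one line per INPUT ACCEPT rule whose --dport
    # range spans more than MAX ports (default 256): "proto range width=N src=S".
    wide_accepts() {
        printf '%s\n' "$1" | awk -v max="${2:-256}" '
        /^-A INPUT / && / -j ACCEPT/ {
            proto = "all"; range = ""; src = "any"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") range = $(i + 1)
                if ($i == "-s") src = $(i + 1)
            }
            if (range == "") next                      # no port match at all
            n = split(range, ep, ":")
            width = (n == 2) ? ep[2] - ep[1] + 1 : 1   # "a:b" is inclusive
            if (width > max) print proto, range, "width=" width, "src=" src
        }'
    }

    # input_policy SAVE_OUTPUT: the INPUT chain policy; the report above only
    # means anything if this is DROP.
    input_policy() {
        printf '%s\n' "$1" | awk '/^:INPUT / { print $2 }'
    }

    echo "INPUT policy: $(input_policy "$SAMPLE_SAVE")"
    wide_accepts "$SAMPLE_SAVE"
    ```

    With the default threshold only the `1024:65535` rule is reported (64512 ports, open to any source); lowering the threshold to 16 also surfaces the 31-port UDPCast range, which is the size of window the question above is after.
    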
  7. SomeOne New Member

    Thanks for the reply.

    So I would have to check iptables and tcpdump to see what protocol/service actually uses this, and verify whether the ports can be set explicitly.
    I will check it out and report any findings here.
  8. SomeOne New Member

    Hi,

    Here is what works for me. I did a multipart all disk image, I would assume it works for the other types too. But I did have to configure NFS to run on specific ports.
    I followed this
    http://bryanw.tk/2012/specify-nfs-ports-ubuntu-linux/

    But I used the following, as the -p one was not working for me:
    Code:
    RPCMOUNTDOPTS="--manage-gids --port 4002"
    instead of
    Code:
    RPCMOUNTDOPTS="--manage-gids -p 4002"
    Here is my iptables script now. I run this script on the FOG server, so that is why I have this entry to allow localhost communication.
    I can use the browser to connect to the FOG web console via localhost:
    Code:
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    I found port 2070-2073 and 1758-1759 here http://www.symantec.com/business/support/index?page=content&id=HOWTO3401

    i also added
    Code:
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    see here for details : https://help.ubuntu.com/community/IptablesHowTo#Allowing_Established_Sessions

    Hope it helps!

    script:
    Code:
    #!/bin/bash
    
    # Flush old rules
    iptables -F
    
    # Deny all incoming, allow all outgoing
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    
    # Loopback, so the web console is reachable via localhost on the server itself
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # Replies to sessions this server opened, plus the data channels the
    # conntrack helpers (nf_conntrack_ftp, nf_conntrack_tftp) mark as RELATED.
    # This rule does the work the 1024:65535 catch-all used to do; it goes
    # first because most packets match here.
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    
    # Exception for FTP
    iptables -A INPUT -p tcp --dport 20 -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    
    # Exception for SSH
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    
    # Exception for DHCP (67/68) and TFTP (69). All three are UDP protocols;
    # the TCP rules are kept from the original but nothing listens on them.
    iptables -A INPUT -p udp --dport 67 -j ACCEPT
    iptables -A INPUT -p udp --dport 68 -j ACCEPT
    iptables -A INPUT -p udp --dport 69 -j ACCEPT
    iptables -A INPUT -p tcp --dport 67 -j ACCEPT
    iptables -A INPUT -p tcp --dport 68 -j ACCEPT
    iptables -A INPUT -p tcp --dport 69 -j ACCEPT
    
    # Exception for PXE proxyDHCP
    iptables -A INPUT -p udp --dport 4011 -j ACCEPT
    iptables -A INPUT -p tcp --dport 4011 -j ACCEPT
    
    # Multicast ports taken from the Symantec document linked above
    iptables -A INPUT -p tcp --dport 2070:2073 -j ACCEPT
    iptables -A INPUT -p udp --dport 2070:2073 -j ACCEPT
    
    iptables -A INPUT -p tcp --dport 1758:1759 -j ACCEPT
    iptables -A INPUT -p udp --dport 1758:1759 -j ACCEPT
    
    # Exception for HTTP(S)
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    
    # Exception for Portmap
    iptables -A INPUT -p tcp --dport 111 -j ACCEPT
    iptables -A INPUT -p udp --dport 111 -j ACCEPT
    
    # Exception for NFS
    iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
    iptables -A INPUT -p udp --dport 2049 -j ACCEPT
    # NFS helper daemons, pinned to fixed ports as described above
    # (RPCMOUNTDOPTS etc.) so they no longer land on random ports above 1024
    # Exception for NFS-common (rpc.statd)
    iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
    iptables -A INPUT -p udp --dport 4000 -j ACCEPT
    # Exception for NFS-lockd
    iptables -A INPUT -p tcp --dport 4001 -j ACCEPT
    iptables -A INPUT -p udp --dport 4001 -j ACCEPT
    # Exception for NFS-mountd
    iptables -A INPUT -p tcp --dport 4002 -j ACCEPT
    iptables -A INPUT -p udp --dport 4002 -j ACCEPT
    
    # Exception for transfer ports: no longer needed once the NFS daemons are
    # pinned and the ESTABLISHED,RELATED rule is in place
    #iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
    #iptables -A INPUT -p udp --dport 1024:65535 -j ACCEPT
    
    # Log what is about to hit the DROP policy. This goes last, after every
    # ACCEPT, so only packets that really are denied get logged; inserted at
    # position 5 (as originally) it also logged traffic a later rule accepted.
    iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    
    # List rules
    iptables -L -n -v
    
  9. BryceZ Community Manager

    Thanks SomeOne! I'll give this a try once things settle down here at work.
  10. CARREIRA New Member

    Hi guys, I've got a little problem with my firewall rules.
    I start my iptables configuration and my computer stops at TFTP. It doesn't show me the FOG boot menu.
    The TFTP ports are open, so what's my problem?

    Code:
    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          PareFeu
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: Start daemon at boot time
    # Description:       Enable service provided by daemon.
    ### END INIT INFO
    
    # Flush the current tables
    iptables -t filter -F
    iptables -t mangle -F
    iptables -t nat -F
    
    # Delete user-defined chains
    iptables -t filter -X
    iptables -t mangle -X
    iptables -t nat -X
    
    # Load the FTP and TFTP conntrack helpers (the fix from the EDIT below;
    # ip_conntrack_ftp and ip_conntrack_tftp are the old names, aliases of
    # these modules). With OUTPUT set to DROP they are required: the TFTP
    # server answers a request on port 69 from a fresh ephemeral port, and
    # passive FTP opens a new data connection; without the helper both are
    # NEW flows that no OUTPUT rule accepts. The helper marks them RELATED.
    modprobe nf_conntrack_ftp
    modprobe nf_conntrack_tftp
    
    # Deny all incoming and outgoing connections by default
    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -P OUTPUT DROP
    
    # Do not break established connections (or the helper-tracked data channels)
    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    
    # Allow loopback
    iptables -t filter -A INPUT -i lo -j ACCEPT
    iptables -t filter -A OUTPUT -o lo -j ACCEPT
    
    # ICMP (ping)
    iptables -t filter -A INPUT -p icmp -j ACCEPT
    iptables -t filter -A OUTPUT -p icmp -j ACCEPT
    
    # SSH In
    iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
    
    # SSH Out
    iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
    
    # DNS In/Out
    iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
    
    # NTP Out
    iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
    
    # HTTP + HTTPS Out
    iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
    
    # HTTP + HTTPS In (8443 kept from the original rule set)
    iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
    
    # FTP Out (TCP only)
    iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
    # DHCP Out (server replies go from 67 to the clients' 68; UDP only)
    iptables -t filter -A OUTPUT -p udp --dport 67:68 -j ACCEPT
    
    # FTP In (TCP only)
    iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
    # DHCP (67:68) and TFTP (69) In, all UDP
    iptables -t filter -A INPUT -p udp --dport 67:69 -j ACCEPT
    
    # MySQL In/Out (TCP; the original used "-p udp --port", which is not a
    # valid option for the udp match, so iptables rejected those two lines)
    iptables -t filter -A OUTPUT -p tcp --dport 3306 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT
    
    # NFS In/Out (2049) and portmap (111), TCP and UDP
    iptables -t filter -A OUTPUT -p tcp --dport 2049 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp --dport 2049 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 2049 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 2049 -j ACCEPT
    
    iptables -t filter -A OUTPUT -p tcp --dport 111 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp --dport 111 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 111 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 111 -j ACCEPT
    
    Thank you for your ideas.

    EDIT:
    I found my problem

    modprobe ip_conntrack_tftp
    modprobe ip_conntrack_ftp

    ;)
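    The reason the modprobe above fixes it is worth spelling out: with `-P OUTPUT DROP`, the TFTP server's reply to a request on port 69 leaves from a fresh ephemeral port, so it is a NEW flow that no OUTPUT rule accepts; the helper ties that flow to the request and the RELATED rule passes it (the same applies to the FTP data connection). On kernels since Linux 4.7, loading the module is no longer enough, because automatic helper assignment is disabled by default and the helper has to be attached to the control flow explicitly with the `CT` target in the raw table. The script below is an added example, not code from the thread or from FOG; it does both, and `IPT=echo MODPROBE=echo` gives a dry run that only prints the commands it would issue.

    ```shell
    #!/bin/sh
    # Added example: make the FTP/TFTP conntrack helpers work on a server whose
    # OUTPUT policy is DROP, on old and current kernels alike.
    # Dry run:  IPT=echo MODPROBE=echo sh helpers.sh --apply
    IPT="${IPT:-iptables}"
    MODPROBE="${MODPROBE:-modprobe}"

    # helper_rules [TFTP_PORT] [FTP_PORT]: load the helpers, pin them to the
    # control-channel ports, and admit what they classify as RELATED.
    helper_rules() {
        tftp_port="${1:-69}"
        ftp_port="${2:-21}"

        # nf_conntrack_tftp / nf_conntrack_ftp are the current module names;
        # the ip_conntrack_* names used in the thread are aliases of the same.
        $MODPROBE nf_conntrack_tftp
        $MODPROBE nf_conntrack_ftp

        # Since Linux 4.7 net.netfilter.nf_conntrack_helper defaults to 0, so a
        # loaded helper is attached to nothing until a CT rule in the raw table
        # assigns it. PREROUTING covers requests that reach this server (PXE
        # clients, FOG storage nodes); OUTPUT covers FTP sessions it opens.
        for chain in PREROUTING OUTPUT; do
            $IPT -t raw -A "$chain" -p udp --dport "$tftp_port" -j CT --helper tftp
            $IPT -t raw -A "$chain" -p tcp --dport "$ftp_port" -j CT --helper ftp
        done

        # With the helper attached, the TFTP data flow (server ephemeral port to
        # client) and the FTP data connection are RELATED to their control
        # session, so these two rules admit them in either direction.
        $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    }

    if [ "${1:-}" = "--apply" ]; then
        helper_rules "$2" "$3"
    fi
    ```

    Applied for real, the raw-table rules must come before any filter rule that relies on RELATED, and they are per control port: a TFTP server moved off 69 needs the first argument changed, not just the filter exception.
    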
