This section covers IPBrick firewall management. Some of the pre-defined rules were already described in the Firewall section of the IPBrick.C chapter (rules that the user cannot change, only deactivate). The configuration of some other services also requires rules of its own; these can only partly be managed by the user, in the Order section. In addition, IPBrick offers the administrator an advanced firewall management interface, where a highly customised set of rules can be defined (Figure 7.16).
Here you have links to:
Insert new rules in advanced mode;
Delete rules that have already been inserted;
Order: interface for ordering all the rules that exist in the firewall (Figure 7.20). This option is particularly important when new rules are created, because the firewall applies the first rule that matches a packet. More specific rules should therefore be placed at the top and general rules at the bottom.
You can insert three types of rules:
DNAT Rule: redirects traffic arriving at a port to another port/machine on the internal network. This rule applies only to TCP traffic (example in Figure 7.19);
Disable machine access: defines the denial of access to a port for a specified network machine (example in Figure 7.18);
General settings: here you can add a completely customised rule (example in Figure 7.17). These are the fields involved:
Rule:
INPUT: data received by the firewall that is addressed to the receiving interface, whatever its origin;
OUTPUT: data sent by the firewall;
FORWARD: redirects traffic from one interface to another;
PREROUTING: used to change IP packets arriving at the machine before the routing decision;
POSTROUTING: used to change IP packets on the machine after the routing decision;
Interface: choose the interface to which the rule applies (eth0, eth1, eth2, ... and the loopback interface, lo);
Protocol: protocol(s) to which you want to apply the rule;
Module: shows the list of iptables modules available for use;
Source MAC Address: the MAC address of the packet's source;
Source IP: source IP address of the packet;
Origin port: source port of the packet;
Destination IP: destination IP address of the packet;
Destination port: destination port of the packet;
Parameters: a 16-bit field that exists in the original IP packet; it is used to identify the type of packet to filter. Examples:
! --syn
--state INVALID
--state ESTABLISHED,RELATED
--icmp-type echo-request
Policy:
ACCEPT: accepts a packet and lets it pass the firewall rules;
DROP: does not accept the packet and discards it;
MARK: stores a mark in the packet. These marks can be used to make decisions at the forwarding level;
LOG: saves a log entry for every packet that matches the rule;
REDIRECT: used to redirect traffic arriving at a port to another port;
DNAT: allows traffic arriving at a certain port to be redirected to another machine and port belonging to the internal network;
MASQUERADE: allows the traffic to be 'masked';
SNAT: allows traffic generated at a certain port to be redirected to another machine and port;
TCPMSS: changes the MSS field (maximum packet size) of the TCP header. It can only be used on TCP SYN or SYN/ACK packets, because it is only used at the beginning of connections.
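As an added example (not IPBrick's own code), the following Python renders the form fields above as iptables command lines for the three rule types, and shows the ordering point from the Order section. The choice of table per Policy, the -i/-o choice per Rule and all addresses are assumptions constructed for the example, not documented IPBrick behaviour.

```python
"""Render the advanced-firewall form fields into iptables command lines."""
import shlex

NAT_TARGETS = {"DNAT", "SNAT", "MASQUERADE", "REDIRECT"}   # assumption: nat table
MANGLE_TARGETS = {"MARK", "TCPMSS"}                        # assumption: mangle table
INGRESS_CHAINS = {"INPUT", "FORWARD", "PREROUTING"}        # match incoming interface with -i
MAC_CHAINS = {"INPUT", "FORWARD", "PREROUTING"}            # iptables 'mac' match only works here


def build_rule(rule, policy, iface=None, proto=None, module=None, src_mac=None,
               src_ip=None, src_port=None, dst_ip=None, dst_port=None,
               params="", target_args=""):
    """Map one form submission (Rule, Interface, ..., Parameters, Policy) to an iptables line."""
    if src_mac and rule not in MAC_CHAINS:
        raise ValueError("Source MAC Address is only usable in INPUT, FORWARD and PREROUTING")
    cmd = ["iptables"]
    if policy in MANGLE_TARGETS:
        cmd += ["-t", "mangle"]
    elif policy in NAT_TARGETS or rule in {"PREROUTING", "POSTROUTING"}:
        cmd += ["-t", "nat"]
    cmd += ["-A", rule]                        # append: the Order section decides the sequence
    if iface:
        cmd += ["-i" if rule in INGRESS_CHAINS else "-o", iface]
    if proto:
        cmd += ["-p", proto]
    if module:
        cmd += ["-m", module]                  # e.g. "state", required for --state parameters
    if src_mac:
        cmd += ["-m", "mac", "--mac-source", src_mac]
    for flag, value in (("-s", src_ip), ("--sport", src_port), ("-d", dst_ip), ("--dport", dst_port)):
        if value:
            cmd += [flag, value]
    cmd += shlex.split(params)                 # free-form Parameters, e.g. "! --syn"
    cmd += ["-j", policy] + shlex.split(target_args)
    return " ".join(cmd)


def example_ruleset():
    """One rule of each type, ordered most specific first (constructed sample values)."""
    return [
        # DNAT Rule: TCP port 80 arriving on eth0 goes to internal host 192.168.1.10:8080
        build_rule("PREROUTING", "DNAT", iface="eth0", proto="tcp", dst_port="80",
                   target_args="--to-destination 192.168.1.10:8080"),
        # Disable machine access: host 192.168.1.50 may not reach the firewall's SSH port
        build_rule("INPUT", "DROP", proto="tcp", src_ip="192.168.1.50", dst_port="22"),
        # General settings: drop new TCP connections that do not begin with SYN
        build_rule("INPUT", "DROP", proto="tcp", module="state", params="! --syn --state NEW"),
        # General settings: accept SSH from everyone else; it must sit below the DROP above
        build_rule("INPUT", "ACCEPT", proto="tcp", dst_port="22"),
    ]
```

Swapping the last two INPUT rules would let the general ACCEPT match first and silently cancel the per-host DROP, which is exactly the situation the Order interface exists to prevent.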
The rules that are defined by default cannot be deleted, but they can be deactivated by clicking the state of the rule and changing it to the Deactivate option.
The body shows a list of all the rules managed by the user (Figure 7.16). A rule can be switched between the enabled and disabled states. To delete rules, click Delete, select the rule or rules you want to remove, and click the Delete button. As noted above, the rules defined by default cannot be deleted, only deactivated, by clicking the state of the rule and changing the option to disable.
iPortalMais