Insert new rules in advanced mode;
Delete already inserted rules
Order: Interface to order all the rules that exist in the firewall (Figure 5.12). This option is particularly important when new rules are created, because the firewall applies the first rule that matches a packet. More specific rules should therefore be at the top and general rules at the bottom.
You can insert three types of rules:
DNAT Rule: Redirects the traffic that arrives at a port to another port/machine of the internal network. This rule applies only to TCP traffic (example in Figure 5.11);
Disable machine access: Denies access to a port on a specified machine of the network (example in Figure 5.10);
General settings: Here you can add a completely customized rule (example in Figure 5.9). These are the fields involved:
Rule:
INPUT: Data received by the firewall whose destination is the receiving interface itself, regardless of its origin;
OUTPUT: Data sent by the firewall;
FORWARD: Redirects traffic from one interface to another;
PREROUTING: Used to alter IP packets arriving at the machine before the routing decision;
POSTROUTING: Used to alter IP packets after the routing decision;
Interface: You should choose which interface to apply the rule;
Protocol: Protocol(s) to which you want to apply the rule;
Module: Shows the list of iptables modules available for use;
Source IP: Source IP address of the packet;
Origin port: Source port of the packet;
Destination IP: Destination IP address of the packet;
Destination port: Destination port of the packet;
Identifier: A 16-bit field that exists in the original IP packet; it is used to identify the type of packet to filter. Examples:
! --syn
--state INVALID
--icmp-type echo-request
Policy:
ACCEPT: Accepts the packet and lets it through the firewall;
DELETE: Does not accept the packet and discards it;
MARK: Stores a mark in the packet. These marks can be used to make decisions at the forwarding level;
LOG: Records a log entry for every packet that matches the rule;
REDIRECT: Redirects the traffic arriving at a port to another port;
DNAT: Redirects the traffic arriving at a certain port to another machine and port belonging to the internal network;
MASQUERADE: 'Masks' the traffic (masquerades the source address);
SNAT: Redirects the traffic generated at a certain port to another machine and port;
TCPMSS: Changes the MSS field (maximum segment size) of the TCP header. It can only be used on TCP SYN or SYN/ACK packets, because the MSS is only used at the beginning of a connection.
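The following added example (not part of the iPortalMais manual) models the first-match behaviour behind the Order interface: a constructed "Disable machine access" rule for one host is placed above and then below a general ACCEPT rule for the same port, and the evaluator shows that in the second order the specific rule is never reached. Rule fields, the DELETE policy label and the 192.0.2.x addresses are simplified, constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    """One firewall rule as entered in the 'General settings' form (fields trimmed)."""
    chain: str                    # INPUT, OUTPUT, FORWARD, ...
    policy: str                   # ACCEPT, DELETE (discard), LOG, ...
    proto: Optional[str] = None   # "tcp", "udp"; None = any protocol
    src: Optional[str] = None     # source IP; None = any source
    dport: Optional[int] = None   # destination port; None = any port

    def matches(self, pkt: dict) -> bool:
        return (self.chain == pkt["chain"]
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.src is None or self.src == pkt["src"])
                and (self.dport is None or self.dport == pkt["dport"]))

def evaluate(rules: List[Rule], pkt: dict, default: str = "ACCEPT") -> str:
    """Return the policy of the first matching rule; LOG only records and continues."""
    for rule in rules:
        if rule.matches(pkt) and rule.policy != "LOG":
            return rule.policy
    return default          # no rule matched: the chain's default policy applies

# Constructed rules (addresses are from the documentation range 192.0.2.0/24):
# a specific "Disable machine access" rule for one host and a general rule
# that lets every host reach the web port.
deny_host = Rule("INPUT", "DELETE", proto="tcp", src="192.0.2.10", dport=80)
allow_web = Rule("INPUT", "ACCEPT", proto="tcp", dport=80)

blocked = {"chain": "INPUT", "proto": "tcp", "src": "192.0.2.10", "dport": 80}
other = {"chain": "INPUT", "proto": "tcp", "src": "192.0.2.20", "dport": 80}

def specific_first() -> Tuple[str, str]:
    """Recommended order: the specific deny rule sits above the general accept."""
    rules = [deny_host, allow_web]
    return evaluate(rules, blocked), evaluate(rules, other)

def general_first() -> Tuple[str, str]:
    """Wrong order: the general accept matches first, so the deny rule is never reached."""
    rules = [allow_web, deny_host]
    return evaluate(rules, blocked), evaluate(rules, other)

if __name__ == "__main__":
    print("specific first:", specific_first())  # ('DELETE', 'ACCEPT')
    print("general first: ", general_first())   # ('ACCEPT', 'ACCEPT')
```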
iPortalMais