Incoming Firewall

The Incoming Firewall app is used for two primary purposes:

To allow external (Internet) connections to your ClearOS system
To permanently block a particular IP address or entire networks from accessing your system

Installation
If your system does not have this app available, you can install it via the Marketplace.

Menu
You can find this feature in the menu system at the following location:

Network|Firewall|Incoming Firewall

Configuration
Incoming Connections
When the firewall is enabled on your ClearOS system, the default behavior is to block all external
(Internet) traffic. If you plan on running services on your ClearOS system that can be accessible from the
Internet, then you will need to add the firewall policy to do so. For example, the OpenVPN server requires
UDP port 1194 to be open on the firewall.

You can also open up ports to allow for remote management of your ClearOS system. For example, you
can open up TCP port 81 to give access to the web-based administration tool (webconfig).

There are three ways to add an incoming firewall rule:

Select a standard service in the Standard Services form.

Input a protocol and single port number in the Port form.
Input a protocol and multiple consecutive ports in a port range in the Port Range form.
Unlike some other firewall systems you do not need to open a port on the incoming page if you
are forwarding the port to an internal server on your network.

Block External Hosts

In some circumstances, you may want to block particularly annoying systems from ever connecting to
your ClearOS system. For example, you may notice a lot of network traffic from a virus infested remote
network. You can block this traffic by specifying an IP or network in the Block External Hosts tool.

Links
Port Forwarding
Intrusion Prevention
Intrusion Protection Updates
Port Forwarding
The Port Forwarding app is required if you plan to have publicly available servers running on your local
network. For example, you may need use the port forward tool to send voice traffic to a PBX (phone
system) running on your local network.
The ClearOS Port Forwarding module takes packets destined for a port on the ClearOS firewall's external
IP and translates that to an internal IP address. If you wish to add additional public IP addresses and
forward those ports you will want to use the 1 to 1 NAT app which takes care of the IP addressing,
firewalling, and NAT translations in a simple way.

Installation
If your system does not have this app available, you can install it via the Marketplace.

Menu
You can find this feature in the menu system at the following location:

Network|Firewall|Port Forwarding

Configuration
If you run servers behind your ClearOS gateway, you can use the Port Forwarding page to forward ports
to a system on your local network. There are three ways to add a port forwarding firewall rule:
Select a standard service in the Standard Services form.
Input a protocol and single port number in the Port form.
Input a protocol and multiple consecutive ports in a port range in the Port Range form.

Troubleshooting
In order for port forwarding to work properly, the target system on your local network must have the
default gateway set to ClearOS system.

Links
1 to 1 NAT
Custom Firewall
Though most administrators will be able to accomplish all their firewall needs using the standard ClearOS
web interface, it may be necessary to add custom firewall rules in some scenarios. The Custom Firewall
Tool provides a way to create advanced firewall rules. Please use with caution!

Installation
If you did not select this module to be included during the installation process, you must first install the
module.

Menu
You can find this feature in the menu system at the following location:

Network|Firewall|Custom

Configuration
An invalid custom rule can block remote access to webconfig.

Examples
Limit SSH/Webconfig Access to Specific IP Addresses
The following entries would restrict remote SSH (port 22) an Webconfig (port 81) access to specific IP
address that you define (i.e. allow remote login from office, home, datacenter etc.).

# Deny all SSH connections

iptables -I INPUT -p tcp --dport 22 -j DROP
# All connections from address xyz
iptables -I INPUT -p tcp --source 1.2.3.4 --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --source 5.6.7.8 --dport 22 -j ACCEPT

# Deny all webconfig connections

iptables -I INPUT -p tcp --dport 81 -j DROP
# All connections from address xyz
iptables -I INPUT -p tcp --source 1.2.3.4 --dport 81 -j ACCEPT
iptables -I INPUT -p tcp --source 5.6.7.8 --dport 81 -j ACCEPT

More Examples
You can find more examples here.
Custom Firewall Module Examples
This Howto will give specific examples to help you craft appropriate firewall rules that work well with
ClearOS. ClearOS has a Custom Firewall app that allows raw IPTables rules that can be used in
conjunction with the rest of the firewall. This guide contains examples of some useful rules. Be careful
making rules. Iptables can deny your connection to the server if malformed.

For these examples we will use the network WAN network of 1.2.3.0/28 with .1 as the target router of our
ISP, .4 is our ClearOS server. The DMZ network is 5.6.7.0/27 with 5.6.7.8 as the ClearOS DMZ IP
address. The HotLAN network is 172.22.22.0/24 with ClearOS as 172.22.22.22. The LAN is
192.168.1.0/24 with 192.168.1.1 as the ClearOS server and 192.168.1.10 as a third party web/file server.

Content Filter
Bypass
If you are running a gateway ClearOS system and wish to bypass the content filter for a single IP address
you can create a rule so that it surfs the web normally.

iptables -t nat -I PREROUTING -s 192.168.1.10 -p tcp --dport 80 -j ACCEPT

Same as above but for a group of computers from .16 through .31.

iptables -t nat -I PREROUTING -s 192.168.1.16/28 -p tcp --dport 80 -j ACCEPT

Another example of a content filter bypass method is to bypass a certain URL for a everyone. This can
come in handy if the content filter is having difficulty processing a non-standard web object. Certain
authentication types from a large OS vendor in Redmond, Washington (for example) sometimes get
crushed by the content filter. The following will bypass the filter for that site:

iptables -t nat -I PREROUTING -d site.example.com -p tcp --dport 80 -j ACCEPT

Proxy Server
Bypass
If you are running a gateway ClearOS system and wish to bypass the proxy server for a single IP address
you can create a rule so that it surfs the web normally. This is the same method for the content filter.

iptables -t nat -I PREROUTING -s 192.168.1.10 -p tcp --dport 80 -j ACCEPT

Same as above but for a group of computers from .16 through .31.

iptables -t nat -I PREROUTING -s 192.168.1.16/28 -p tcp --dport 80 -j ACCEPT

Another example of a proxy bypass method is to bypass a certain URL for a everyone. This can come in
handy if the proxy is having difficulty processing a certain web object:

iptables -t nat -I PREROUTING -d site.example.com -p tcp --dport 80 -j ACCEPT

Firewalling
Port Forwarding Restricted to Specific Public IPs
If you need to create a port forwarding rule but restrict it to a particular remote network or IP address, you
can follow this procedure. First, add the custom firewall rules to restrict access. The example below allows
connections to a MySQL server (TCP port 3306) on the LAN at 192.168.4.109 from the remote IPs 1.2.3.4
and 5.6.7.8

iptables -t filter -I FORWARD -d 192.168.4.109 -p tcp --dport 3306 -j DROP

iptables -t filter -I FORWARD -s 1.2.3.4 -d 192.168.4.109 -p tcp --dport 3306 -j ACCEPT
iptables -t filter -I FORWARD -s 5.6.7.8 -d 192.168.4.109 -p tcp --dport 3306 -j ACCEPT
Port forwarding is not yet working at this point. The next step is to use the Port Forwarding app to create
the generic port forwarding rule for the above example: TCP port 3306 to IP 192.168.4.109. The custom
firewall rules handles the restriction to specific public IPs, while the port forward rule handles the rest.

Port-based Filtering
Much like passing traffic to bypass the content filter, you can single out ports that are normally passed and
drop them for certain hosts or a range of hosts. For example, you can block SMTP for your entire DHCP
range of addresses if your DHCP scope goes from 192.168.1.128-254

iptables -t nat -I PREROUTING -s 192.168.1.128/25 -p tcp --dport 25 -j DROP

Managing LAN-to-LAN Traffic

By default, network traffic between multiple LANs is permitted. If you would like to restrict between LANs,
you can use the following example as a guideline.

eth1: LAN1
eth2: LAN2

# Block traffic between eth1 and eth2

iptables -I FORWARD -i eth1 -o eth2 -j DROP
iptables -I FORWARD -i eth2 -o eth1 -j DROP

# Allow reply traffic

iptables -I FORWARD -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i eth2 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow traffic to web server on LAN2 network

iptables -I FORWARD -i eth1 -o eth2 -p tcp --dport 80 -j ACCEPT

Logging Specific Network Traffic

In some circumstances, you may want to log certain types of network traffic. The first thing that you need
to do is create a special logging firewall rule:

iptables -N log-traffic
iptables -I log-traffic -j LOG --log-prefix "Traffic log: "

Next, you can add rules that can be directed to the logger. Here are some examples:
# Log traffic destined to 1.2.3.4
iptables -I FORWARD -d 1.2.3.4 -j log-traffic
# Log traffic destined to port 12345
iptables -I FORWARD -p tcp --dport 12345 -j log-traffic

The information is logged to the /var/log/messages log which can be viewed in the web-based interface
using the Log Viewer app. Please be careful with this tool since it doesn't take long to fill up the log file if
too much traffic is caught!

Gateway Services
To bypass all gateway services except for NAT, you can use a rule like this:

iptables -t nat -I PREROUTING -s 192.168.1.99 -j ACCEPT

This rule will bypass all filtering of all types for this IP address. If you want to limit it to bypass for TCP only
services, you the following:

iptables -t nat -I PREROUTING -s 192.168.1.99 -p tcp -j ACCEPT

HotLAN to LAN
Let us say that there is a service on a server inside your LAN that you wish for users on the HotLAN to
access. This is similar to a Pinhole method in the DMZ app. For this example your LAN network is
10.1.1.0/24 and your HotLAN network is 192.168.1.0/24. In this example the service is port 25 SMTP on
the server 10.1.1.10. You can add a forwarding rule using the Custom Firewall app:

iptables -I FORWARD -p tcp -s 192.168.1.0/24 -d 10.1.1.110 --dport 25 -j ACCEPT

Port Forwarding from selected hosts

Let us say for example that you want to only allow certain hosts to access your SMTP service behind your
firewall from the outside Internet. You normally could use the Port Forwarding module for this but you
want to get restrictive to a single IP address or perhaps a range of addresses.

In this example, our internal server is 10.1.1.110 and is running SMTP. We want to make it so that
3.2.1.0/24 can get to it but only this range.

You will need to add two rules:

iptables -t nat -A PREROUTING -p tcp -i eth0 -s 3.2.10/24 --dport 25 -j DNAT --to-destina

tion 10.1.1.110:25
iptables -A FORWARD -p tcp -s 3.2.1.0/24 -d 10.1.1.110 --dport 25 -m state --state NEW,ES
TABLISHED,RELATED -j ACCEPT

Tips for Making Your Custom Rules

- If you want your rules to appear at the top of your rules use the '-I' instead of '-A' in order to take
effect before the rest of the ClearOS firewall rules.
- There are two main tables in ClearOS (nat, and mangle). When you don't specify a table, it is using
the 'mangle' table.
 - If your rule is similar to some function in ClearOS already, take a snapshot of the output of your
tables (iptables -L > /tmp/currentmangle.1, and/or iptables -t nat -L /tmp/currentnat.1). Then make
the rule in ClearOS Webconfig UI and then take another snapshot (iptables -L >
/tmp/currentmangle.2, and/or iptables -t nat -L /tmp/currentnat.2). Then run a diff of the results (diff
/tmp/currentmangle.1 /tmp/currentmangle.2, and/or diff /tmp/currentnat.1 /tmp/currentnat.2).

Links