
Custom Firewall

Though most administrators will be able to accomplish all their firewall needs using the standard ClearOS web interface, it may be necessary to add custom firewall rules in some scenarios. The Custom Firewall Tool provides a way to create advanced firewall rules. Please use with caution!

Installation

If you did not select this module to be included during the installation process, you must first install the module.

You can find this feature in the menu system at the following location:

<navigation>Network|Firewall|Custom Firewall</navigation>

Configuration

<note warning>An invalid custom rule can block remote access to ClearOS. Be prepared to recover from the console, where you may need to remove the offending rule by editing /etc/clearos/firewall.d/custom. ClearOS comes with the vi and nano editors built in.</note>

Examples

Limit SSH/Webconfig Access to Specific IP Addresses

The following entries restrict remote SSH (port 22) and Webconfig (port 81) access to specific IP addresses that you define (for example, to allow remote login only from the office, home, or datacenter).

# Deny all SSH connections
$IPTABLES -I INPUT -p tcp --dport 22 -j DROP
# Allow SSH connections from the listed addresses
$IPTABLES -I INPUT -p tcp --source 1.2.3.4 --dport 22 -j ACCEPT
$IPTABLES -I INPUT -p tcp --source 5.6.7.8 --dport 22 -j ACCEPT

# Deny all Webconfig connections
$IPTABLES -I INPUT -p tcp --dport 81 -j DROP
# Allow Webconfig connections from the listed addresses
$IPTABLES -I INPUT -p tcp --source 1.2.3.4 --dport 81 -j ACCEPT
$IPTABLES -I INPUT -p tcp --source 5.6.7.8 --dport 81 -j ACCEPT

Always use the keyword $IPTABLES rather than “iptables” to avoid issues. If you really want to use “iptables”, use “iptables -w”.

<note tip>To avoid firewall failure, test your rule at the command line first using the “iptables” command. If it works as expected and does not show any error message, copy and paste it into the Custom Firewall module, substituting the word “iptables” with “$IPTABLES”.</note>

<note>Note the rule processing order. The top rule in the file is applied to the firewall first, then the second, and so on. Because -I inserts at the top of the chain, each successive rule is placed above the previous one, so the ACCEPT rules are evaluated against incoming packets before the DROP rules.</note>
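The ordering point above is easy to get wrong, and a mistake locks you out. The following script is an added example (not ClearOS project code): it reads rule lines in the format of /etc/clearos/firewall.d/custom and shows the order the INPUT chain will actually have, without touching a live firewall. It assumes rules of the form `$IPTABLES -I|-A INPUT -p tcp [--source A.B.C.D] --dport N -j ACCEPT|DROP`, that the file is processed top to bottom, and that a packet matching no custom rule is accepted (standing in for ClearOS's own rules). The sample rule text is constructed for the example; it also goes beyond the page by showing what happens if -A (append) is used instead of -I.

```sh
#!/bin/sh
# Added example, not ClearOS code: dry-run simulator for custom firewall rule order.
# Assumed rule shape: $IPTABLES -I|-A INPUT -p tcp [--source A.B.C.D] --dport N -j ACCEPT|DROP

nl='
'

# Constructed sample: the SSH rules from the page, written with -I as recommended.
CUSTOM_RULES='# Deny all SSH connections
$IPTABLES -I INPUT -p tcp --dport 22 -j DROP
# Allow SSH connections from the listed addresses
$IPTABLES -I INPUT -p tcp --source 1.2.3.4 --dport 22 -j ACCEPT
$IPTABLES -I INPUT -p tcp --source 5.6.7.8 --dport 22 -j ACCEPT'

# The same rules written with -A (append): a common mistake.
APPENDED_RULES=$(printf '%s\n' "$CUSTOM_RULES" | sed 's/ -I INPUT / -A INPUT /')

# effective_chain RULES: print the rules in the order the kernel evaluates them.
# -I puts a rule at the top of the chain and -A at the bottom, so a file of -I
# rules ends up reversed: the last line of the file is evaluated first.
effective_chain() {
    chain=''
    while IFS= read -r line; do
        case $line in
            '#'*|'') ;;
            *' -I INPUT '*) chain="$line${chain:+$nl$chain}" ;;
            *' -A INPUT '*) chain="${chain:+$chain$nl}$line" ;;
            *) printf 'unsupported rule: %s\n' "$line" >&2; return 1 ;;
        esac
    done <<EOF
$1
EOF
    printf '%s\n' "$chain"
}

# verdict RULES SRC DPORT: walk the effective chain; the first match wins, as in
# iptables. A packet no custom rule matches falls through; modelled as ACCEPT here.
verdict() {
    rules=$1; src=$2; dport=$3
    result=$(effective_chain "$rules" | while IFS= read -r line; do
        rule_src=$(printf '%s\n' "$line" | sed -n 's/.*--source \([0-9.]*\).*/\1/p')
        rule_port=$(printf '%s\n' "$line" | sed -n 's/.*--dport \([0-9]*\).*/\1/p')
        target=$(printf '%s\n' "$line" | sed -n 's/.*-j \([A-Z]*\).*/\1/p')
        if [ "$rule_port" = "$dport" ] && { [ -z "$rule_src" ] || [ "$rule_src" = "$src" ]; }; then
            printf '%s\n' "$target"
            exit 0   # leaves the pipeline subshell after the first match
        fi
    done)
    printf '%s\n' "${result:-ACCEPT}"
}

demo() {
    echo "== -I rules, kernel evaluation order =="
    effective_chain "$CUSTOM_RULES"
    echo "office (1.2.3.4) to port 22:   $(verdict "$CUSTOM_RULES" 1.2.3.4 22)"
    echo "stranger (9.9.9.9) to port 22: $(verdict "$CUSTOM_RULES" 9.9.9.9 22)"
    echo "== same rules with -A: the DROP is evaluated first =="
    effective_chain "$APPENDED_RULES"
    echo "office (1.2.3.4) to port 22:   $(verdict "$APPENDED_RULES" 1.2.3.4 22)"
}
demo
```

Run it before saving new rules: if the simulated verdict for your own management address is DROP, the order is wrong and the real rule set would lock you out in the same way.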

More Examples

content/en_us/7_ug_firewall_custom.txt · Last modified: 2018/03/06 16:28 by nickh
