Simple Firewall implemented through IP tables
Version 1.3.0 - Early deployment
Version 1.1.0 - General deployment
- Feature: Add the ssh profile (M15708)
Version 1.0.0 - Early deployment
- Feature: Ability to configure the firewall default policy. (M9472)
- Feature: Ability to select the configuration type of your device. (M0)
- Feature: Ability to define a front-end and back-end interface. (M0)
- Feature: Ability to define pre and post custom rules for filter. (M0)
- Feature: Ability to define post custom rules for nat. (M0)
- Feature: Split the firewall packet from SMP base (M9756)
Module configuration interface
This module will install a simple firewall for easy protection of your device. It is based on blocks of rules that you can add according to the topology of your network. Custom rules are also available.
Module configuration parameters
- version < 3.0.0: Select the firewall default policy. This should be DROP; otherwise it is as if you had no firewall at all.
- version >= 3.0.0: The default policy setting has been removed for security reasons. The default policy for incoming, outgoing and forwarding traffic is now DROP. To open outgoing traffic, use the “sop” profile.
: Your device configuration type.
version < 3.0.0
- SOP: This configuration will allow all traffic required for SOP (the default RTP ports are also opened).
- ISAP: This configuration will allow traffic required for ISAP.
- SMP: This configuration will allow traffic required for SMP.
- None: No rules will be added. Warning: do not select the default policy "DROP" until you have finished all custom rules, otherwise you might lose connectivity.
: The interface exposed to public access.
: The interface which will be used for management access.
Generic Rules Allow (version >= 3.0.0)
: list of rules provided by this module, separated by commas, e.g. “sop,relax_ssh”. Each policy group is described in detail:
Module Rules Allow
: list of rules provided by installed modules. The format is the module names separated by commas, e.g. “Communication Server, NTP Server”. Each module can generate firewall rules based on its configuration, and this field selects which of them are taken into account. If the field is set to “all”, the firewall will use the rules of every module installed on your SOP.
: These are rules added by the user to customize the firewall policies. Attention! Rules defined here are evaluated before, and therefore override, the rules related to your device configuration type.
: These are rules added by the user to customize some firewall policies. Rules defined here are applied only if the packet does not match any of the foregoing rules.
Additional rules syntax
Rules must respect iptables syntax, without the iptables command itself (see the example below).
-A INPUT -i eth0 -p tcp --dport 21 -j DROP
-P OUTPUT DROP
- The first line drops all incoming FTP traffic on interface eth0 (the --dport match requires a protocol, hence -p tcp).
- The second line sets the default policy for outgoing traffic to DROP.
This feature must be used carefully! Use it only if you know what you are doing, otherwise you risk locking yourself out of your device.
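Because a single malformed or over-broad custom rule can lock you out, it pays to lint the rule lines before they are applied. The following POSIX sh script is an added example and is not part of the firewall module; it assumes the management interface is named eth1 (the "interface which will be used for management access" parameter above) and checks only the three mistakes discussed on this page: a leading iptables word, a --dport/--sport match without -p, and rules that change a default policy or drop all traffic on the management interface.

```shell
#!/bin/sh
# Added example, not part of the firewall module: lint custom rule lines before they
# are applied. Each line is iptables syntax without the leading "iptables" word, as
# the module expects. The management interface name is passed as an argument
# (assumed to be "eth1" in the sample below; adjust to your configuration).

# lint_rule RULE MGMT_IF -> prints "OK", "WARN: ..." or "REJECT: ..."; returns 0 only for OK
lint_rule() {
    rule="$1"
    mgmt="$2"

    # The module prepends the iptables command itself; a line that already carries it
    # would be handed to iptables as an unknown option.
    case "$rule" in
        iptables*|ip6tables*)
            echo "REJECT: drop the leading iptables command: $rule"; return 1 ;;
        -*) ;;
        *)  echo "REJECT: must start with an iptables option (-A, -I, -P ...): $rule"; return 1 ;;
    esac

    # --dport/--sport belong to the tcp/udp/sctp/dccp match, so iptables refuses them
    # without a matching -p. This is the defect in the original FTP example.
    case "$rule" in
        *--dport*|*--sport*)
            case "$rule" in
                *"-p tcp"*|*"-p udp"*|*"-p sctp"*|*"-p dccp"*) ;;
                *) echo "REJECT: port match needs -p tcp/udp: $rule"; return 1 ;;
            esac ;;
    esac

    # A policy change is the quickest way to lock yourself out (default policies are
    # already DROP from version 3.0.0 on, so a -P line is rarely what you want).
    case "$rule" in
        -P*) echo "WARN: changes a chain default policy: $rule"; return 1 ;;
    esac

    # A DROP/REJECT on the management interface with no port or source restriction
    # cuts off the interface this device is administered through.
    case "$rule" in
        *"-i $mgmt"*)
            case "$rule" in
                *"-j DROP"*|*"-j REJECT"*)
                    case "$rule" in
                        *--dport*|*"-s "*|*--source*) ;;
                        *) echo "WARN: unrestricted drop on management interface: $rule"; return 1 ;;
                    esac ;;
            esac ;;
    esac

    echo "OK"
    return 0
}

# lint_rules MGMT_IF < rules -> lints every non-empty, non-comment line;
# prints one verdict per line and returns 1 if any line is rejected
lint_rules() {
    status=0
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        verdict=$(lint_rule "$line" "$1") || true
        echo "$verdict"
        case "$verdict" in REJECT*) status=1 ;; esac
    done
    return $status
}

# Constructed sample rule set: the corrected FTP rule, the FTP rule as originally
# written (rejected), and the policy line from the page (warned about).
SAMPLE_RULES='# corrected FTP drop: the port match carries its protocol
-A INPUT -i eth0 -p tcp --dport 21 -j DROP
# original form: --dport without -p is refused by iptables
-A INPUT -i eth0 --dport 21 -j DROP
-P OUTPUT DROP'

printf '%s\n' "$SAMPLE_RULES" | lint_rules eth1
```

Run it with the real rule list on stdin (`lint_rules eth1 < custom-rules.txt`) before pasting the rules into the module; a non-zero exit means at least one line would be refused by iptables, while WARN lines are accepted but deserve a second look.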
Post installation actions
For changes to take effect, an apply changes action is required after the installation of this module.
It is not possible to unban IPs with the currently used version of fail2ban. Banned IPs will be blocked for about 24 hours!
A way to clear the banned IP list is to reload fail2ban:
$ /etc/init.d/fail2ban reload
In order to check if fail2ban is correctly configured use this on the SOP:
$ fail2ban-client status
root@00012051:~# fail2ban-client status
|- Number of jail: 1
`- Jail list: escaux-asterisk
To see the list of banned IPs use:
$ fail2ban-client status escaux-asterisk
root@00012050:~# fail2ban-client status escaux-asterisk
Status for the jail: escaux-asterisk
| |- File list: /var/log/asterisk/events
| |- Currently failed: 0
| `- Total failed: 5
|- Currently banned: 1
| `- IP list: 18.104.22.168
`- Total banned: 1
Get the unban command:
root@00012050:~# fail2ban-client get escaux-asterisk actionunban iptables-allports
iptables -D fail2ban-<name> -s <ip> -j DROP
The command must then be run by hand, with <name> and <ip> replaced, but the ban list kept by fail2ban will then be out of date.
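The manual unban above means filling the <name> and <ip> placeholders of the actionunban template for every address in the jail's IP list. The following POSIX sh script is an added example and is not fail2ban's own code: it takes the template exactly as printed by the fail2ban-client get command above, extracts the IP list from a status output in the format shown on this page, and prints the resulting iptables -D commands instead of running them, so they can be reviewed first. The sample status output is constructed and lists two addresses (the one from the page and a documentation-range address) to show the loop.

```shell
#!/bin/sh
# Added example, not part of the module or of fail2ban: turn the jail status output
# into the "iptables -D" commands fail2ban would run to unban each address.
# Assumes the actionunban template uses the <name> and <ip> placeholders exactly as
# printed by "fail2ban-client get <jail> actionunban iptables-allports" on this page.

# Template as printed on the page for the iptables-allports action.
UNBAN_TEMPLATE='iptables -D fail2ban-<name> -s <ip> -j DROP'

# unban_cmd JAIL IP -> prints the unban command for one address
unban_cmd() {
    printf '%s\n' "$UNBAN_TEMPLATE" | sed -e "s/<name>/$1/g" -e "s/<ip>/$2/g"
}

# banned_ips -> reads "fail2ban-client status JAIL" output on stdin,
# prints the addresses of the "IP list:" line one per line
banned_ips() {
    sed -n 's/^.*IP list: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# unban_all JAIL < status_output -> one iptables -D command per banned address
unban_all() {
    jail="$1"
    banned_ips | while read -r ip; do
        unban_cmd "$jail" "$ip"
    done
}

# Constructed sample status output in the format shown on this page; the second
# address is from the 192.0.2.0/24 documentation range.
SAMPLE_STATUS='Status for the jail: escaux-asterisk
| |- File list: /var/log/asterisk/events
| |- Currently failed: 0
| `- Total failed: 5
|- Currently banned: 2
| `- IP list: 18.104.22.168 192.0.2.10
`- Total banned: 2'

# Print the commands; on the SOP you would pipe real status output instead:
#   fail2ban-client status escaux-asterisk | unban_all escaux-asterisk
printf '%s\n' "$SAMPLE_STATUS" | unban_all escaux-asterisk
```

Review the printed commands before running them; as the text above notes, fail2ban's own ban list is not updated by a manual iptables -D, so reloading the jail remains the cleaner option when clearing every ban is acceptable.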
Reloading only the escaux-asterisk jail will also clear the banned IPs for that jail:
root@00012050:~# fail2ban-client reload escaux-asterisk