Difference between revisions of "Firewall: iptables"

From Amahi Wiki
(Created page with "{{MessageBox| backgroundcolor = red| image =Warning.png| heading =WARNING| message = This is recommended only for advanced users, proceed with caution.}} = iptables tutorial = I...")
 
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{MessageBox|
 
{{MessageBox|
backgroundcolor = red|
+
backgroundcolor = #faa|
 
image =Warning.png|
 
image =Warning.png|
 
heading =WARNING|
 
heading =WARNING|
Line 17: Line 17:
 
* 80 - HTTP
 
* 80 - HTTP
 
* 139 - NetBIOS port for Samba
 
* 139 - NetBIOS port for Samba
* 443 - HTTPS if you optionally [[Access_HDA_over_SSL]].
+
* 443 - HTTPS if you optionally [[Access HDA over SSL]].
 
* 445 - Samba File Sharing (port for your network shares)
 
* 445 - Samba File Sharing (port for your network shares)
 
* 1194 - VPN
 
* 1194 - VPN
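Review bot: the port list at Line 17 names no protocol, so a reader using it to configure a different firewall has no way to tell that the ruleset further down opens 1194 for UDP only while 53 is opened for both TCP and UDP; suggest annotating the entries, e.g. `* 1194 - VPN (UDP)` and `* 53 - DNS (TCP and UDP)`. The link change from `[[Access_HDA_over_SSL]]` to `[[Access HDA over SSL]]` is cosmetic, since MediaWiki treats underscores and spaces in titles as the same page.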
Line 23: Line 23:
  
 
Here is the minimum iptables firewall rules required for your HDA to still function as an HDA.  These rules do not include any extra services you have enabled such as SSH (port 22), VNC (port 5902), MiniDLNA (port 8200), etc.  For extra apps and services you'll have to look up documentation on the App you're using.
 
Here is the minimum iptables firewall rules required for your HDA to still function as an HDA.  These rules do not include any extra services you have enabled such as SSH (port 22), VNC (port 5902), MiniDLNA (port 8200), etc.  For extra apps and services you'll have to look up documentation on the App you're using.
 
+
<pre style="white-space: pre-wrap; word-break: keep-all;"> <nowiki>*filter
{{Text|Text=
 
<pre><nowiki>*filter
 
 
:INPUT ACCEPT [0:0]
 
:INPUT ACCEPT [0:0]
 
:FORWARD ACCEPT [0:0]
 
:FORWARD ACCEPT [0:0]
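Review bot: the new opening line `<pre style="white-space: pre-wrap; word-break: keep-all;"> <nowiki>*filter` has a stray space between `<pre ...>` and `<nowiki>`, which renders as a leading space before `*filter` and is carried along when a reader copies the block into /etc/sysconfig/iptables; suggest `<pre style="white-space: pre-wrap; word-break: keep-all;"><nowiki>*filter`. The unchanged intro sentence also has a number-agreement slip: "Here is the minimum iptables firewall rules" should read "Here are the minimum iptables firewall rules".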
Line 58: Line 56:
 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
 
COMMIT</nowiki></pre>
 
COMMIT</nowiki></pre>
}}
 
  
 
= Modify iptables state =
 
= Modify iptables state =
 
Start the firewall.
 
Start the firewall.
{{Code|service iptables start}}
+
service iptables start
 
Stop the firewall.
 
Stop the firewall.
{{Code|service iptables stop}}
+
service iptables stop
 
Show the current rules.
 
Show the current rules.
{{Code|service iptables status}}
+
service iptables status
 
Service command usage.
 
Service command usage.
{{Text|Text=Usage: <nowiki>iptables {start|stop|restart|condrestart|status|panic|save}</nowiki>}}
+
Usage: <nowiki>iptables {start|stop|restart|condrestart|status|panic|save}</nowiki>
  
 
= List of ports needed for current Amahi Apps =
 
= List of ports needed for current Amahi Apps =
 
TO BE UPDATED!
 
TO BE UPDATED!
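Review bot: replacing `{{Code|service iptables start}}` (and the stop/status lines) with bare `service iptables start` drops the monospace formatting that let readers tell a command from the surrounding prose, and the `Usage:` line loses the `{{Text}}` box for the same reason; unless the templates were removed on purpose, suggest wrapping each command in `<code>...</code>` or a `<pre>` block so the commands still stand out. Dropping the closing `}}` after `COMMIT</nowiki></pre>` is correct given that the opening `{{Text|Text=` was removed in the earlier hunk.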

Latest revision as of 01:55, 23 June 2020

WARNING
This is recommended only for advanced users, proceed with caution.

iptables tutorial

If you're looking for a tutorial on how to use iptables, there are better ones out there, such as this one. The purpose of this article is to provide Amahi users with a basic set of core rules with which they can enable the iptables firewall on their Amahi HDA without disrupting network services.

Edit the firewall to allow core services

You can edit your firewall rules by editing /etc/sysconfig/iptables or by running the command system-config-firewall.

First you need to understand which ports must be open on your HDA.

  • 53 - DNS
  • 67,68 - DHCP
  • 80 - HTTP
  • 139 - NetBIOS port for Samba
  • 443 - HTTPS if you optionally Access HDA over SSL.
  • 445 - Samba File Sharing (port for your network shares)
  • 1194 - VPN
  • 5353 - Multicast DNS

Here are the minimum iptables firewall rules required for your HDA to still function as an HDA. These rules do not include any extra services you have enabled, such as SSH (port 22), VNC (port 5902), MiniDLNA (port 8200), etc. For extra apps and services you'll have to look up the documentation for the app you're using.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#multicast dns
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
#dns
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
#dhcp
-A INPUT -m state --state NEW -m tcp -p tcp --dport 67 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 67 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 68 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 68 -j ACCEPT
#netbios
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
#Samba Share
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
#hda web serving
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#VPN Server
-A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
-A INPUT -i tap0 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
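An added example (not from the Amahi wiki or the Amahi project) that checks a ruleset in the iptables-save format above against the port list given earlier: it parses the INPUT chain, stops at the catch-all REJECT because nothing after it can match, and reports required ports that are not reachable, the extra services (SSH, VNC, MiniDLNA) the page says are still blocked, and interfaces the chain accepts wholesale. The sample ruleset is constructed from the page's rules but deliberately leaves out the 445 rule and places the 139 rule after the REJECT.

```python
import re

# Constructed sample, not the page's file: Samba 445 is absent and the NetBIOS 139
# rule sits after the catch-all REJECT, where it can never match.
RULES = """*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 67 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 67 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 68 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 68 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
COMMIT"""

# (port, protocol) pairs from the page's port list, as the page's ruleset opens them.
REQUIRED = {(53, "tcp"), (53, "udp"), (67, "tcp"), (67, "udp"), (68, "tcp"), (68, "udp"),
            (80, "tcp"), (139, "tcp"), (443, "tcp"), (445, "tcp"), (1194, "udp"), (5353, "udp")}
# Extra services the page says the core ruleset does not cover.
EXTRAS = {"ssh": (22, "tcp"), "vnc": (5902, "tcp"), "minidlna": (8200, "tcp")}

def parse_input_chain(text):
    """Return (accepted {(port, proto)}, interfaces accepted wholesale) for the INPUT chain."""
    accepted, open_ifaces = set(), set()
    for line in text.splitlines():
        if line.startswith("-A INPUT -j REJECT") or line.startswith("-A INPUT -j DROP"):
            break  # no match options before -j: a catch-all rule, everything below is unreachable
        if not line.startswith("-A INPUT ") or " -j ACCEPT" not in line:
            continue
        port = re.search(r"--dport (\d+)", line)
        proto = re.search(r" -p (\w+)", line)
        iface = re.search(r" -i (\S+)", line)
        if port and proto:
            accepted.add((int(port.group(1)), proto.group(1)))
        elif iface and iface.group(1) != "lo":
            open_ifaces.add(iface.group(1))  # accepts every port arriving on that interface
    return accepted, open_ifaces

def audit(text, required=REQUIRED, extras=EXTRAS):
    accepted, open_ifaces = parse_input_chain(text)
    return {"missing": sorted(required - accepted),
            "blocked_extras": sorted(n for n, pp in extras.items() if pp not in accepted),
            "open_interfaces": sorted(open_ifaces)}
```

Note that the page's own ruleset accepts everything arriving on br0 and tap0, so the per-port rules only constrain traffic on other interfaces; the `open_interfaces` entry makes that visible.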

Modify iptables state

Start the firewall.

service iptables start

Stop the firewall.

service iptables stop

Show the current rules.

service iptables status

Service command usage.

Usage: iptables {start|stop|restart|condrestart|status|panic|save}

List of ports needed for current Amahi Apps

TO BE UPDATED!