July 25, 2010 at 4:27 pm #42542
I’d like to confirm a few things for my 3 basic requirements:
a. Chain policy accept or deny? Is this a. the default action (when doesn’t match a rule) or b. chain on/off ?
b. Chain In, Fwd, Out = 3 rules for each requirement, all the identical?!
1. TCP (SMTP port 25) – Mail Incoming Mail Service (specific IP)
a. Sequence: just before any block/allow all rules?
b. Interface: incoming[eth0-WAN], out[none-locked(different for output chain?)]?
c. IP: incoming[specific from service], outgoing[blank (or LAN IP of server?)]?
d. port TCP 25, 25
e. L7 none (or SMTP, if so could block anything actually wanted from the email service, and is it processor intensive?)?
f. VS rule: eth0/MailServiceWANIP:tcp25 MailServerLANIP:25 needed for WAN to LAN IP translation?
2. UDP (ranges SIP, RTP) – VoIP
– same as above, plus…
a. L7 SIP, RTP ?
b. DiffServ DSCP (for QOS-I’ll probably do another posting when I get to QOS)?
3. TCP (various) – web interfaces (occasional remote maintenance login, usually disabled)
– same as above plus..
a. FW rule: IP all TCP 80, 443 (https works on other WAN ports with VS?)
b. VS rules: For WAN to LAN IP:Port translation?
MANY THANKS IN ADVANCE!!
July 25, 2010 at 5:58 pm #50794
0.a) Depends if you want to have a firewall or a router. If you want to have a router then default is accept, if you want a firewall then the default should be drop.
0.b) I’m not sure I got that. What are 3 rules for which requirement?
1.a) I have ALLOWED policy in my FORWARD chain and I don’t know if it is necessary to add this, cause as soon as you add the VS it is added as a PREROUTING rule to change the destination IP address.
2.a) Sounds reasonable unless you have the server working in specific ports.
2.b) Are you sure the upstream provider is honoring the DSCP field?
3.a) If you allow https web-gui only on internal LAN then you can redirect https from wan to another server.
3.b) as well as for other VS, if you have a dynamic IP just declare here the input wan interface, protocol and local port, not the input wan ip. Also declare the remote IP and port of course!
July 25, 2010 at 9:55 pm #50795
I should have mentioned my setup, pretty typical:
cable modem/staticIPs (eth0), ZS(router/FW), LAN 192.168.1.0(eth1)
Here is a summary of my VS rules:
eth0/IP(RemoteServer OR MyStaticWAN?):TCP25 – 192.168.1.2:5
eth0/ANY:UDP5060,10000-20000 – 192.168.1.4:5060,10000-20000
eth0/ANY:TCP444(random) – 192.168.1.10:443 [web GUI]
If the first IP address is my interface, not the server communicating with me, where can I put that (under firewall chain input)?
What firewall rules are required beyond the default rules, I have:
Input ACCEPT – default was no rules, I added
– accept eth1:22, 80, 443 (I saw in a post to put this as a safeguard in case lock yourself out of ZS)
– drop eth0 all
Forward ACCEPT – default no rules, ‘accept all from all’ would be redundant because that is the default action correct?
Output ACCEPT – same as above.
July 26, 2010 at 10:03 am #50796
Since you have only one wan IP, there is no need to assign your wan IP, just leave it to any and select ETH00 as the wan interface that accepts the packet.
I think that 22 and 443 are more than enough for the ssh and https of ZS. Maybe you want to permit 1194 for OpenVPN, if you use it. Apart from that I would suggest allowing everything from ETH01, cause you may have other services, such as DNS, NTP that you need to access from the LAN side.
Finally the rule
eth0/ANY:TCP444(random) - 192.168.1.10:443 [web GUI]
is wrong if you are trying to redirect the webgui of ZS to another port.
July 26, 2010 at 7:15 pm #50797
Here’s my updated setup.
VS (all Eth0-Any)
UDP 5000-5100, 10000-20000 192.168.1.4:5000-5100, 10000-20000 (VOIP)
TCP 1022, 1443 – 192.168.1.4:22, 443 (VOIP PBX SETUP)
TCP 25 – 192.168.1.2:25 (EXCHANGE EMAIL I/O)
TCP 443 – 192.168.1.2:443 (EXCHANGE WEBMAIL)
INPUT ACCEPT 1,2,3-ACCEPT Eth1 :22, 443, all, 6-DROP Eth0 all
FORWARD ACCEPT 1-ACCEPT all
OUTPUT ACCEPT 1-ACCEPT all
My confusion was, I wanted to enter the IP of our email provider service so only they can access our port 25, but I put it in VS – Interface IP, ~oops.
So this should be in a firewall rule? Do I still use the VS rule?
ie. Input 4-ACCEPT Eth0 source209.x.x.x:25 (email-spam service IP)
Not sure if it’s a good idea, or will work, to limit port range to RTP?
Input 5-ACCEPT Eth0 dest192.168.1.4:10000-20000 L7:RTP
I would like to be able to enable web access to https GUIs on WAN ports other than 443. Will my 2nd VS rule work? Also, you indicated it would be different for the ZS, how is that done?
THANKS FOR ALL YOUR HELP!
July 26, 2010 at 10:11 pm #50798
It will be much easier to post a screenshot of the ZS web-gui or a paste of the iptables rules.
Regarding 1) I suggest blocking it on the mail server itself, rather than looking how to block the destination nat.
On 2) I cannot help you, it depends on what your SIP server is expecting.
3) Making https work on other ports might need a little bit of hacking and preboot scripts. However from the main setup page, https tab can create an access list of which IPs and from which interface will connect to the ZS.
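An added example, not part of the thread and not ZeroShell's own generated rules: in plain iptables, a packet rewritten by a PREROUTING DNAT (the "VS" rule) is routed through FORWARD, never INPUT, so a source restriction on port 25 has to sit in FORWARD and match the translated LAN destination. The hypothetical `gen_rules` helper below prints an `iptables-restore` ruleset for that case; eth0, eth1 and 192.168.1.2 come from the thread, and 203.0.113.25 is a placeholder for the mail service's address, which the thread gives only as 209.x.x.x.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the mail case in this thread.
# Assumed: eth0 = WAN, eth1 = LAN, mail server on the LAN side.

gen_rules() {
    relay_ip="$1"   # only this source may reach TCP 25 (placeholder address)
    mail_lan="$2"   # LAN address of the mail server
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Virtual server: the destination is rewritten before the routing decision.
-A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination ${mail_lan}:25
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT only sees packets addressed to the firewall itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
# DNAT-ed packets are routed, so the source filter belongs in FORWARD
# and matches the translated destination (LAN IP), not the WAN IP.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -s ${relay_ip} -d ${mail_lan} --dport 25 -j ACCEPT
COMMIT
EOF
}

# Print the ruleset; pipe it to "iptables-restore --test" to parse it without applying.
gen_rules 203.0.113.25 192.168.1.2
```

With a default-ACCEPT FORWARD policy, as in the setups posted above, the same restriction needs an explicit DROP for other sources to the mail server's port 25 after the ACCEPT rule.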