Beginner's Guide To ClearOS - Linux Firewall

ClearOS Firewall is one of the best open source Linux firewall distributions. It is an extremely flexible firewall app built mainly for the open source platform. This firewall is mainly designed to prevent unauthorized access to or from a private network, whether that network is a single machine or many shared hosts. Here we provide a complete guide to the features of the Linux firewall.

ClearOS firewall as the best source

It works as a command-line firewall, designed by the ClearFoundation team. These firewalls are divided mainly into the Incoming and Custom firewalls. These apps always come pre-installed on the ClearOS platform; to update or install one, just retrieve the app.

Custom Firewall

As an administrator you will be able to accomplish most firewall needs using the standard ClearOS web interface, though in some scenarios it may be necessary to add custom firewall rules. The Custom Firewall tool provides a way to create advanced firewall rules. To use it, first install the module from the ClearCenter Marketplace.

MarketPlace

The ClearCenter Marketplace is a service that allows administrators to browse and search for apps compatible with their platform and version, and to install them. Apps are applications that have been specifically developed and integrated into the ClearOS webconfig user interface and that extend or enhance the functionality and/or security of the system.

Your Marketplace can be customised by clicking the 'Settings' button, found among the cluster of buttons/links used for paginating the Marketplace apps and beginning the install process. To illustrate the process more simply, let's work through an example covering all of the possible IP cases.

Custom Firewall Module Examples

This section shows the cases that exist for the Custom Firewall in ClearOS. It contains examples of some useful rules and how they are used to protect your server or network from unauthorized use.

For these examples we will use a WAN network of 1.2.3.0/28 with .1 as the router of our ISP and .4 as our ClearOS server. The DMZ network is 5.6.7.0/27 with 5.6.7.8 as the ClearOS DMZ IP address. The HotLAN network is 172.22.22.0/24 with ClearOS at 172.22.22.22. The LAN is 192.168.1.0/24 with 192.168.1.1 as the ClearOS server and 192.168.1.10 as a third-party web/file server.

Firewalling

Port Forwarding Restricted to Specific Public IPs

Case 1. This case covers port forwarding restricted to specific public IPs. The example below allows connections to a MySQL server (TCP port 3306) at 192.168.4.109 only from the remote IPs 1.2.3.4 and 5.6.7.8:

iptables -t filter -I FORWARD -d 192.168.4.109 -p tcp --dport 3306 -j DROP
iptables -t filter -I FORWARD -s 1.2.3.4 -d 192.168.4.109 -p tcp --dport 3306 -j ACCEPT
iptables -t filter -I FORWARD -s 5.6.7.8 -d 192.168.4.109 -p tcp --dport 3306 -j ACCEPT

At this point port forwarding still does not work. The next step is to use the Port Forwarding app to generate a port forwarding rule for the above example: TCP port 3306 to IP 192.168.4.109. Here both the Custom Firewall and Port Forwarding apps come into action: the custom rules handle the restriction to specific public IPs, and the Port Forwarding app handles the rest.

Port-based Filtering

Case 2. This example covers port-based filtering. Like a content-filter bypass rule, it singles out particular ports, but here they are dropped for a certain host or a range of hosts. For example, you can block SMTP for your entire DHCP range of addresses if your DHCP scope goes from 192.168.1.128 to 254:

iptables -t nat -I PREROUTING -s 192.168.1.128/25 -p tcp --dport 25 -j DROP

Managing LAN-to-LAN Traffic

Case 3. By default, traffic between multiple LANs is permitted. If you would like to block it between LANs, you can use the following example.

eth1: LAN1

eth2: LAN2

# Block traffic between eth1 and eth2
iptables -I FORWARD -i eth1 -o eth2 -j DROP
iptables -I FORWARD -i eth2 -o eth1 -j DROP

# Allow reply traffic
iptables -I FORWARD -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i eth2 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow traffic to web server on LAN2 network
iptables -I FORWARD -i eth1 -o eth2 -p tcp --dport 80 -j ACCEPT
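
Cases 1 and 3 both depend on rule order: -I inserts at the top of the chain, so entering the rules in the order shown (the DROP first, then the ACCEPT exceptions) leaves the exceptions above the DROP, whereas the same commands entered with -A would put the DROP first and block everything. The following Python model of first-match chain evaluation is added here as an illustration; it is not part of the original guide or of ClearOS. It replays the Case 1 and Case 3 rules against sample packets, assumes a FORWARD policy of ACCEPT, ignores the chains ClearOS generates itself, and uses constructed LAN2 addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Hypothetical, minimal model of iptables first-match evaluation (assumption: one chain,
# only the matchers used by the page's rules: -s, -d, -p, --dport, -i, -o, -m state).


@dataclass
class Rule:
    target: str                           # -j ACCEPT or -j DROP
    src: Optional[str] = None             # -s address or CIDR block
    dst: Optional[str] = None             # -d address or CIDR block
    proto: Optional[str] = None           # -p tcp/udp
    dport: Optional[int] = None           # --dport
    in_if: Optional[str] = None           # -i
    out_if: Optional[str] = None          # -o
    states: FrozenSet[str] = frozenset()  # -m state --state A,B (empty = any state)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    in_if: str = ""
    out_if: str = ""
    state: str = "NEW"                    # conntrack state as seen by the state match


def _in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher the rule specifies must agree; unspecified matchers match anything."""
    return (_in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.in_if is None or rule.in_if == pkt.in_if)
            and (rule.out_if is None or rule.out_if == pkt.out_if)
            and (not rule.states or pkt.state in rule.states))


class Chain:
    """Ordered rule list with a default policy; the first matching rule decides."""

    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy
        self.rules: List[Rule] = []

    def insert(self, rule: Rule) -> None:  # iptables -I: prepend, so later commands end up on top
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:  # iptables -A: append to the end
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if matches(rule, pkt):
                return rule.target
        return self.policy


def case1_forward(use_insert: bool = True) -> Chain:
    """Case 1 rules in the page's order, entered with -I (default) or with -A."""
    fwd = Chain(policy="ACCEPT")  # assumed policy; the ordering lesson holds either way
    add = fwd.insert if use_insert else fwd.append
    add(Rule("DROP", dst="192.168.4.109", proto="tcp", dport=3306))
    add(Rule("ACCEPT", src="1.2.3.4", dst="192.168.4.109", proto="tcp", dport=3306))
    add(Rule("ACCEPT", src="5.6.7.8", dst="192.168.4.109", proto="tcp", dport=3306))
    return fwd


def case3_forward() -> Chain:
    """Case 3 rules: block LAN1<->LAN2 except replies and HTTP to LAN2, entered with -I."""
    fwd = Chain(policy="ACCEPT")
    est = frozenset({"RELATED", "ESTABLISHED"})
    fwd.insert(Rule("DROP", in_if="eth1", out_if="eth2"))
    fwd.insert(Rule("DROP", in_if="eth2", out_if="eth1"))
    fwd.insert(Rule("ACCEPT", in_if="eth1", out_if="eth2", states=est))
    fwd.insert(Rule("ACCEPT", in_if="eth2", out_if="eth1", states=est))
    fwd.insert(Rule("ACCEPT", in_if="eth1", out_if="eth2", proto="tcp", dport=80))
    return fwd


if __name__ == "__main__":
    mysql = lambda src: Packet(src, "192.168.4.109", dport=3306)
    print("Case 1 with -I, 1.2.3.4:", case1_forward().verdict(mysql("1.2.3.4")))       # ACCEPT
    print("Case 1 with -I, 9.9.9.9:", case1_forward().verdict(mysql("9.9.9.9")))       # DROP
    print("Case 1 with -A, 1.2.3.4:", case1_forward(False).verdict(mysql("1.2.3.4")))  # DROP
    # 10.0.0.5 is a constructed LAN2 host for the Case 3 checks.
    print("Case 3 HTTP LAN1->LAN2:", case3_forward().verdict(
        Packet("192.168.1.20", "10.0.0.5", dport=80, in_if="eth1", out_if="eth2")))    # ACCEPT
```

Running the block with the Case 1 rules appended instead of inserted shows the failure mode directly: the DROP sits first and even the permitted sources are refused, which is the mistake to look for when a restricted forward "stops working" after the rules are re-entered.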

Logging Specific Network Traffic

Case 4. In various circumstances you may want to log certain types of network traffic. The first thing to do is to create a dedicated logging chain with its logging rule:

iptables -N log-traffic
iptables -I log-traffic -j LOG --log-prefix "Traffic log: "

Next, you can add rules that direct traffic to the logger. Here are some examples:

# Log traffic destined to 1.2.3.4
iptables -I FORWARD -d 1.2.3.4 -j log-traffic

# Log traffic destined to port 12345
iptables -I FORWARD -p tcp --dport 12345 -j log-traffic

The information is stored in the /var/log/messages log, which can be viewed using the log viewing app.
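
To work with those /var/log/messages entries outside the log viewer, here is a small Python parser, added as an example and not part of the guide or of ClearOS. It picks out the lines carrying the "Traffic log: " prefix set above, extracts the netfilter IN/OUT/SRC/DST/PROTO/DPT fields, and counts hits per source and destination port. The sample lines are constructed to match the layout rsyslog writes for the kernel LOG target; the hostname, addresses and timestamps are made up.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Must match the --log-prefix given to the LOG target in the log-traffic chain.
LOG_PREFIX = "Traffic log: "

# Constructed sample lines in the shape rsyslog writes netfilter LOG output to
# /var/log/messages. The last line is unrelated noise the parser must skip.
SAMPLE_LOG = """\
Mar  3 10:15:42 clearos kernel: Traffic log: IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=12345 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:43 clearos kernel: Traffic log: IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=12345 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:16:01 clearos kernel: Traffic log: IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=UDP SPT=3000 DPT=12345 LEN=20
Mar  3 10:16:05 clearos sshd[2201]: Accepted publickey for admin from 192.168.1.20 port 50022 ssh2
"""

# KEY=value pairs; bare tokens such as DF, SYN or ACK are flags without a value.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line: str) -> Optional[Dict[str, object]]:
    """Return the netfilter fields of one LOG line, or None if the line is not ours."""
    if LOG_PREFIX not in line:
        return None
    body = line.split(LOG_PREFIX, 1)[1]
    fields = dict(KV_RE.findall(body))
    flags = {tok for tok in body.split() if "=" not in tok}
    return {
        "in": fields.get("IN"),
        "out": fields.get("OUT"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": flags,
    }


def summarize(log_text: str) -> Counter:
    """Count logged packets per (source address, protocol, destination port)."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        event = parse_log_line(line)
        if event is not None:
            hits[(event["src"], event["proto"], event["dport"])] += 1
    return hits


def new_connection_sources(log_text: str) -> List[str]:
    """Sources that sent a bare TCP SYN to a logged port: new attempts, not replies."""
    events = (parse_log_line(line) for line in log_text.splitlines())
    return sorted({ev["src"] for ev in events
                   if ev and ev["proto"] == "TCP"
                   and "SYN" in ev["flags"] and "ACK" not in ev["flags"]})


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).most_common():
        print(key, count)
    print("new TCP connection attempts from:", new_connection_sources(SAMPLE_LOG))
```

Counting per source and port is usually enough to tell a scan from a misconfigured client; separating bare SYNs from the rest matters because a FORWARD rule with no state match, like the ones above, logs replies as well as the initial packets.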

Gateway Services

Case 5. To bypass all gateway services except NAT, you can use a rule like this:

iptables -t nat -I PREROUTING -s 192.168.1.99 -j ACCEPT

This rule will bypass all filtering of all types for this IP address. If you want to limit the bypass to TCP services only, use the following:

iptables -t nat -I PREROUTING -s 192.168.1.99 -p tcp -j ACCEPT

HotLAN to LAN

Case 6. HotLAN to LAN. This is similar to the pinhole method in the DMZ app. For this example, your LAN network is 10.1.1.0/24 and your HotLAN network is 192.168.1.0/24. The service is SMTP on port 25 on the server 10.1.1.10. You can add a forwarding rule using the Custom Firewall app:

iptables -I FORWARD -p tcp -s 192.168.1.0/24 -d 10.1.1.110 --dport 25 -j ACCEPT

Port Forwarding from selected hosts

Case 7. Let us say that you want to allow only certain hosts to access your SMTP service behind your firewall. You could normally use the Port Forwarding module for this, but you want to restrict access to a single IP address.

In this example, our internal server is 10.1.1.110 and is running SMTP. We want to make it so that 3.2.1.0/24 can reach it, but only this range.

You will need to add two rules:

iptables -t nat -A PREROUTING -p tcp -i eth0 -s 3.2.1.0/24 --dport 25 -j DNAT --to-destination 10.1.1.110:25
iptables -A FORWARD -p tcp -s 3.2.1.0/24 -d 10.1.1.110 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
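
The DNAT rule and the FORWARD rule have to name the same source range, and a single mistyped octet in one of them (3.2.10/24 for 3.2.1.0/24, say) leaves the pair inconsistent and the rule rejected by iptables. The following Python checker is added as an example and is not part of the guide or of ClearOS: it validates the address, port and --to-destination values in a custom rule line before it is applied, and confirms that a DNAT/FORWARD pair agree on their source. The rule strings it is fed are the two from this case plus one deliberately mistyped copy.

```python
import ipaddress
import shlex
from typing import List

# Flags whose value must be an IPv4 address or CIDR block, and port-match flags.
SRC_FLAGS = {"-s", "--source", "--src"}
ADDRESS_FLAGS = SRC_FLAGS | {"-d", "--destination", "--dst"}
PORT_FLAGS = {"--dport", "--destination-port", "--sport", "--source-port"}

# The rules from this case; the first copy carries the kind of typo the checker catches.
DNAT_TYPO = ("iptables -t nat -A PREROUTING -p tcp -i eth0 -s 3.2.10/24 --dport 25 "
             "-j DNAT --to-destination 10.1.1.110:25")
DNAT_OK = DNAT_TYPO.replace("3.2.10/24", "3.2.1.0/24")
FORWARD_OK = ("iptables -A FORWARD -p tcp -s 3.2.1.0/24 -d 10.1.1.110 --dport 25 "
              "-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT")


def _valid_port(value: str) -> bool:
    """Accept a single port or an iptables range such as 1024:65535."""
    lo, _, hi = value.partition(":")
    try:
        ports = [int(lo)] + ([int(hi)] if hi else [])
    except ValueError:
        return False
    return all(1 <= p <= 65535 for p in ports) and ports == sorted(ports)


def check_rule(command: str) -> List[str]:
    """Return the problems found in one iptables command line; empty means it looks sane."""
    problems: List[str] = []
    tokens = shlex.split(command)

    def value_after(i: int) -> str:
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        return "" if nxt.startswith("-") else nxt

    for i, tok in enumerate(tokens):
        if tok in ADDRESS_FLAGS:
            val = value_after(i)
            try:
                ipaddress.ip_network(val, strict=False)
            except ValueError:
                problems.append(f"{tok} {val!r}: not a valid IPv4 address or CIDR block")
        elif tok in PORT_FLAGS:
            val = value_after(i)
            if not _valid_port(val):
                problems.append(f"{tok} {val!r}: not a valid port or port range")
        elif tok == "--to-destination":
            val = value_after(i)
            host, _, port = val.partition(":")
            try:
                ipaddress.ip_address(host)
            except ValueError:
                problems.append(f"--to-destination {val!r}: not a valid address")
            if port and not _valid_port(port):
                problems.append(f"--to-destination {val!r}: not a valid port")

    # --dport/--sport belong to the tcp/udp match, so iptables requires -p alongside them.
    if any(t in PORT_FLAGS for t in tokens) and not ({"-p", "--protocol"} & set(tokens)):
        problems.append("port match used without -p tcp/udp")
    return problems


def source_of(command: str) -> str:
    """The normalised -s value of a rule, or the raw token if it does not parse."""
    tokens = shlex.split(command)
    for i, tok in enumerate(tokens):
        if tok in SRC_FLAGS and i + 1 < len(tokens):
            try:
                return str(ipaddress.ip_network(tokens[i + 1], strict=False))
            except ValueError:
                return tokens[i + 1]
    return ""


def same_source(dnat_rule: str, forward_rule: str) -> bool:
    """True when the DNAT and FORWARD halves of a restricted forward agree on the source."""
    return source_of(dnat_rule) != "" and source_of(dnat_rule) == source_of(forward_rule)


if __name__ == "__main__":
    for rule in (DNAT_TYPO, DNAT_OK, FORWARD_OK):
        print(rule)
        print("  ->", check_rule(rule) or "ok")
    print("DNAT/FORWARD sources agree:", same_source(DNAT_OK, FORWARD_OK))
```

Feeding every line of a custom rule file through check_rule before applying it is cheap, and the source comparison catches the quieter failure where both rules load but only one of them was edited when the permitted range changed.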

Limit SSH/Webconfig Access to Specific IP Addresses

The following entries restrict remote SSH (port 22) and Webconfig (port 81) access to specific IP addresses that you define (e.g. to allow remote login from the office, home, datacenter, etc.).

# Deny all SSH connections
iptables -I INPUT -p tcp --dport 22 -j DROP
# Allow connections from address xyz
iptables -I INPUT -p tcp --source 1.2.3.4 --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --source 5.6.7.8 --dport 22 -j ACCEPT

# Deny all webconfig connections
iptables -I INPUT -p tcp --dport 81 -j DROP
# Allow connections from address xyz
iptables -I INPUT -p tcp --source 1.2.3.4 --dport 81 -j ACCEPT
iptables -I INPUT -p tcp --source 5.6.7.8 --dport 81 -j ACCEPT

Incoming Firewall

The Incoming Firewall feature is used for two primary purposes, and otherwise follows the same Marketplace conventions as the Custom Firewall:

To allow external connections to your ClearOS system

To permanently block a particular IP address or entire networks from accessing ClearOS

Installation

This feature is part of the core system and installed by default

Configuration

Incoming Connections

Whenever a firewall is enabled on your ClearOS system, the default behaviour is to block all external traffic coming to your server. But what if you want to run other services on your ClearOS system that must be reachable from the Internet, such as Dynamic DNS or Dynamic VPN? In such cases you will need to add a firewall policy. For example, the OpenVPN feature requires UDP port 1194 to be open on the firewall.

You can also open ports to allow remote management of your ClearOS system. For example, you can open TCP port 81 to give access to Webconfig.

There are three ways to add an incoming firewall rule:

select a standard service in the Standard Services drop-down.

input a protocol and single port number in the Port Number box.

input a protocol and multiple consecutive ports in a port range in the Port Range box.