19.3. Allowing and Denying Network Traffic

To restrict the types of connections and packets that your firewall will accept or forward, you need to create additional firewall rules. The best place for these rules is the Packet filtering table, in either the Incoming packets or Forwarded packets chain. If your firewall is acting as a router and you want to protect systems on the secure network that it is attached to but not the firewall itself, the Forwarded packets chain should be used. However, if you want to protect both the firewall and other systems that it routes to, rules should be added to the Incoming packets chain.

It is also possible to restrict data being sent out by your system, which may come from local processes or be forwarded from other hosts. To do this, you can add rules to the Outgoing packets chain. This can be useful for limiting what addresses and ports local users can connect to, if you desire.

To create a new rule to block traffic, the steps to follow are:

1. On the main page of the module, select Packet filtering from the list next to the Show IPtable button, and then click it to switch to the filtering table.

2. To add a rule that applies to all incoming traffic, click the Add Rule button in the Incoming packets section. If you want to restrict only forwarded traffic, click the button under Forwarded packets instead.

Either way, you will be taken to the rule creation form, shown in Figure 19.3.

Figure 19.3. The rule creation form.

3. Change the Action to take to Drop, so that packets matching this rule are silently discarded by the firewall.

4. In the Rule comment field, enter a short explanation for this rule if you wish.

5. In the Condition details section, select the conditions that determine which packets will be matched and thus dropped. Only packets matching all conditions that are not set to <Ignored> will be dropped.

Some examples of the conditions to select to block certain kinds of traffic are:

Blocking all connections to a certain TCP port: Set the Network protocol field to Equals and select TCP. To block a port, a protocol must always be selected.

Set the Destination TCP or UDP port to Equals and enter a port number into the Port(s) field next to it. You can block several ports by entering a list of numbers separated by commas into the Port(s) field, or block an entire range by selecting Port range and entering the start and end ports into the fields next to it.

Blocking all traffic from a particular address: Set the Source address or network to Equals and enter the IP address to block into the field next to it. You can also block an entire network by entering a network/prefix pair like 130.194.164.0/24 into the field.

Set the Connection state to Does not equal and select Existing connection from the menu next to it. This step will allow your system to connect to the blocked addresses, but not vice-versa.

Blocking traffic to a particular address: Set the Destination address or network to Equals and enter the IP address or network to block into the field next to it. Because this will effectively stop the blocked system from connecting to yours as well, it may be a good idea to set the Connection state to Does not equal and select Existing connection from the menu next to it.

In all cases, it is usually a good idea to set the Incoming interface to the network interface that is connected to the Internet (such as ppp0), so that the restriction does not apply to connections from your local LAN.

6. When you are done selecting conditions, click the Create button. As long as there are no errors in your input, you will be returned to the module's main page, on which the new rule will be listed.

7. To make the new rule active, click the Apply Configuration button at the bottom of the page.
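The module builds iptables commands from the choices made in the form above. The following script is an added example, not part of the book or of Webmin's own code: it prints the iptables commands equivalent to the three blocking scenarios in step 5 (port list, port range, source address with the Connection state exemption, destination address) and to the allow-one-host-then-deny-network ordering, so the ruleset can be reviewed before it is applied. The interface name ppp0, the addresses and the ports are constructed sample values, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book or the Webmin module): prints the iptables
# commands equivalent to the rule-form choices in the steps above, so the rules
# can be reviewed before they are applied. ppp0, the addresses and the ports
# are constructed sample values; the function names are this example's own.
#
# Webmin's "Incoming packets" chain is INPUT in the filter table, "Forwarded
# packets" is FORWARD and "Outgoing packets" is OUTPUT.

# Step 5, first example: drop TCP traffic to one port, to a comma-separated
# list of ports (multiport match) or to a range written as start-end
# (iptables writes a range as start:end).
drop_tcp_ports() {
    chain=$1 iface=$2 ports=$3
    case $ports in
        *,*) printf 'iptables -A %s -i %s -p tcp -m multiport --dports %s -j DROP\n' "$chain" "$iface" "$ports" ;;
        *-*) printf 'iptables -A %s -i %s -p tcp --dport %s:%s -j DROP\n' "$chain" "$iface" "${ports%-*}" "${ports#*-}" ;;
        *)   printf 'iptables -A %s -i %s -p tcp --dport %s -j DROP\n' "$chain" "$iface" "$ports" ;;
    esac
}

# Step 5, second example: drop everything from an address or network, except
# packets of connections this host opened itself ("Connection state" set to
# "Does not equal" "Existing connection").
drop_from_source() {
    chain=$1 iface=$2 src=$3
    printf 'iptables -A %s -i %s -s %s -m state ! --state ESTABLISHED -j DROP\n' "$chain" "$iface" "$src"
}

# Step 5, third example: drop traffic to an address or network, with the same
# state exemption. OUTPUT has no incoming interface, so only chain and
# destination are taken.
drop_to_destination() {
    chain=$1 dst=$2
    printf 'iptables -A %s -d %s -m state ! --state ESTABLISHED -j DROP\n' "$chain" "$dst"
}

# Accept one host. Placed before drop_from_source for its network, this gives
# the "every host in the network is denied except one" effect.
accept_from_source() {
    chain=$1 iface=$2 src=$3
    printf 'iptables -A %s -i %s -s %s -j ACCEPT\n' "$chain" "$iface" "$src"
}

# The ruleset in evaluation order (first match wins).
build_ruleset() {
    drop_tcp_ports INPUT ppp0 23
    drop_tcp_ports INPUT ppp0 135,139,445
    drop_tcp_ports INPUT ppp0 6000-6063
    accept_from_source INPUT ppp0 130.194.164.5
    drop_from_source INPUT ppp0 130.194.164.0/24
    drop_to_destination OUTPUT 192.0.2.10
}

# Step 7 equivalent: print the commands, or run them as root with IPT_APPLY=1.
apply_ruleset() {
    if [ "${IPT_APPLY:-0}" = 1 ]; then build_ruleset | sh -e; else build_ruleset; fi
}

apply_ruleset
```

Run without arguments to see the commands; set IPT_APPLY=1 and run as root to execute them. The `-i ppp0` on the incoming rules is the interface restriction recommended in step 5, so hosts on the LAN interface are not affected.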

The rules in each chain are evaluated in order from top to bottom, and the action taken is determined by whichever one matches first. If none match, then the chain's default action is taken, which is usually to accept the packet. You can make use of this evaluation order to create a rule that allows a single IP address, followed by a rule to deny an entire network. The final effect will be that every host within the network is denied except one.

Because the ordering of rules is important, you may sometimes want to add a rule in the middle of an existing chain. To do this, use one of the arrow buttons under a chain's Add column on the module's main page to create a new rule either before or after an existing one.

The most common actions and their meanings are listed below. Not all are available in all chains and tables.

Do nothing: If a rule with this action is matched, nothing will be done and processing will continue to the next rule.

Accept: Matching packets will be immediately accepted, and no further processing will be done in the chain. However, rules in other tables may still affect the packet.

Drop: Matching packets will be silently discarded, as though they were never received at all. No further processing will take place in this chain or any other.

Userspace: Packets will be passed to a normal userspace process. This action is rarely used.

Exit chain: Jump immediately to the end of the chain, and execute its default action instead. If this is used in a user-defined chain, processing will return to the rule that called it.

Masquerade: Matching packets will have their source address changed to appear to come from the firewall system, and no further rules in the chain will be processed. When this action is selected, you can use the Source ports for masquerading field to control which ports the firewall will use for masqueraded connections. See Section 19.7 “Setting Up Network Address Translation” for more details.

The Masquerade option is available only in the Network address translation table, in the Packets after routing chain.

Source NAT: Similar to the Masquerade option, but better suited to systems that have a fixed Internet IP address. If selected, you can use the IPs and ports for SNAT field to control which addresses and ports are used for NAT, as explained in Section 19.7 “Setting Up Network Address Translation”.

This option is only available in the Network address translation table, in the Packets after routing chain.

Destination NAT: Matching packets will have their destination address and port modified based on the IPs and ports for DNAT field. This is the basis for transparent proxying, so to learn more, see Section 19.8 “Setting Up a Transparent Proxy”.

This action is available only in the Network address translation table, in the Packets before routing and Output chains.

Redirect: This action redirects all matching packets to a port or ports on the firewall box, specified by the Target ports for redirect field. It can also be used for transparent proxying, although Destination NAT is more flexible.

The redirect action is available only in the Network address translation table, in the Packets before routing and Output chains.

You can also choose the Run chain option for the Action to take, which will pass the packet on to the user-defined chain or custom target entered into the field next to it. See Section 19.6 “Creating Your Own Chain” for more information on user-defined chains. Some of the targets available are LOG (for logging packets to syslog), MIRROR (for reflecting packets back to their sender), and MARK (for marking a packet for later conditions).

For each condition, the options <Ignored>, Equals, and Does not equal can be selected. The first means that the condition is not used at all when checking if a packet matches the rule. The second means that a packet must match the condition for it to match the entire rule, and the third means that the packet must NOT match the condition for the rule to be executed. If, for example, the Incoming interface condition was set to Does not equal and eth0 selected, the rule would match only packets coming in on any interface except the primary Ethernet card.

Because almost all network protocols involve traffic flowing in two directions, attempting to block just incoming traffic from some address using the Source address or network condition will also block connections to that address, because the reply packets that are part of the connection will be dropped. The same goes for blocking incoming data on a particular port using the Destination TCP or UDP port condition: in the unlikely case that the randomly chosen source port of a connection from your system matches the blocked port, any replies to it will be dropped. For these reasons, it is usually a good idea when creating deny rules to set the Connection state condition to Does not equal and select Existing connection from the menu next to it. This will cause IPtables to keep track of outgoing connections made by your server, and not block their replies.
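The two points made above, that rules are tried top to bottom with the chain's default action as a fallback, and that a deny rule without the Connection state exemption also breaks the server's own outgoing connections, can be checked with a small first-match evaluator. The script below is an added example, not part of the book or of Webmin; it models a chain as lines of `iface src proto dport state action`, where a column is `*` (Ignored), a value (Equals) or `!value` (Does not equal), and runs constructed sample packets through two constructed rulesets. Addresses, interfaces and rules are sample data, and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book or Webmin): a first-match evaluator that
# mimics how a chain is processed, to show why rule order and the
# "Connection state" exemption matter. Rule columns are
#   iface src proto dport state action
# where a column is "*" (Ignored), a value (Equals) or "!value" (Does not equal).
# All addresses, interfaces and rules below are constructed sample data.

ip_to_int() {   # dotted quad -> integer
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

in_network() {  # in_network <address> <address-or-network/prefix>
    addr=$(ip_to_int "$1")
    case $2 in
        */*) net=$(ip_to_int "${2%/*}"); bits=${2#*/} ;;
        *)   net=$(ip_to_int "$2"); bits=32 ;;
    esac
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

str_eq() { [ "$1" = "$2" ]; }

cond_match() {  # cond_match <rule column> <packet value> <compare function>
    case $1 in
        '*')  return 0 ;;                  # <Ignored>
        '!'*) ! $3 "$2" "${1#!}" ;;        # Does not equal
        *)    $3 "$2" "$1" ;;              # Equals
    esac
}

# evaluate_chain <default action> <iface> <src> <proto> <dport> <state>, rules on stdin.
# Rules are tried top to bottom; the first full match decides, except that the
# "nothing" action (Webmin's Do nothing) just moves on to the next rule.
evaluate_chain() {
    policy=$1; p_if=$2; p_src=$3; p_proto=$4; p_port=$5; p_state=$6
    while read -r r_if r_src r_proto r_port r_state action; do
        case $r_if in ''|'#'*) continue ;; esac
        if cond_match "$r_if" "$p_if" str_eq && cond_match "$r_src" "$p_src" in_network &&
           cond_match "$r_proto" "$p_proto" str_eq && cond_match "$r_port" "$p_port" str_eq &&
           cond_match "$r_state" "$p_state" str_eq; then
            [ "$action" = nothing ] && continue
            echo "$action"; return 0
        fi
    done
    echo "$policy"                         # no rule matched: chain default action
}

# A deny rule written without the Connection state exemption.
naive_rules() {
    echo 'ppp0 130.194.164.0/24 * * * DROP'
}

# Allow one host, then deny its whole network except replies to our own
# connections; also block telnet from anywhere on the Internet interface.
careful_rules() {
    echo 'ppp0 130.194.164.5    * * * ACCEPT'
    echo 'ppp0 130.194.164.0/24 * * !ESTABLISHED DROP'
    echo 'ppp0 * tcp 23 * DROP'
}

decide() {      # decide <ruleset function> <iface> <src> <proto> <dport> <state>
    rules=$1; shift
    $rules | evaluate_chain ACCEPT "$@"
}

# Reply packet of a connection this host opened to 130.194.164.7:
decide naive_rules   ppp0 130.194.164.7 tcp 80 ESTABLISHED   # DROP: our own connection breaks
decide careful_rules ppp0 130.194.164.7 tcp 80 ESTABLISHED   # ACCEPT
decide careful_rules ppp0 130.194.164.7 tcp 80 NEW           # DROP
decide careful_rules ppp0 130.194.164.5 tcp 80 NEW           # ACCEPT: the allow rule comes first
decide careful_rules eth0 130.194.164.7 tcp 80 NEW           # ACCEPT: LAN interface is not restricted
```

The naive ruleset drops the ESTABLISHED reply, which is exactly the symptom described above; the careful ruleset lets it through because its deny rule only matches packets whose state is not Existing connection. Swapping the first two lines of careful_rules would make the deny rule match 130.194.164.5 first, which is why the order of rules on the module's main page matters.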

As you can see, there are many different conditions available, which can be combined to create quite complex rules. To learn more about what each of the available conditions does, see Section 19.10 “Firewall Rule Conditions”. Because there are so many conditions, Webmin allows you to create new rules that are almost identical to existing ones. To do this, click on an existing rule to edit it and use the Clone rule button at the bottom of the page to go to the rule creation form, with all conditions and actions set based on the original rule.
