...
Properties | Values (Port 77)
---|---
INPUT Policy, OUTPUT Policy, FORWARD Policy | Select an INPUT, OUTPUT, or FORWARD packet policy from one of the following options: Accept All Input/Output/Forwarding Packets, or Drop All Input/Output/Forwarding Packets. The first actions in the firewall.sh script flush the existing contents of the 'iptables' chains, using commands such as `iptables -F INPUT`. The INPUT Policy, OUTPUT Policy, and FORWARD Policy rules then configure the default rules for packets not explicitly matched in the remainder of the configuration, with commands such as `iptables -P INPUT DROP`. All of the remaining properties are optional tables that may include zero or more rows of 'iptables' rules to be added to the firewall.sh script.
Accept All INPUT by Interface | Enter the Linux interface name(s) for which to accept all INPUT packets. This setting overrides a global Drop or Reject rule in the INPUT Policy, and defines commands such as `iptables -A INPUT -i eth0 -j ACCEPT`. The following rules are included by default:
Port Management | The Port Management property allows individual ports to be accepted, dropped, or rejected (with an ICMP error), regardless of the above settings. Ports are specified by chain (INPUT or OUTPUT), protocol (TCP, UDP, or ICMP), Linux interface name, and port number. An example command is `iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT`.
Masquerade | The Masquerade property allows devices on one interface to appear as if they existed on a different interface. This is often used, for instance, where devices on a local Ethernet interface need to make outbound IP connections using a public cellular/PPP interface. The local interface is "masqueraded" to the public network side of the interface. Enter one or more rows in the Masquerade table to use this feature: Output Interface – Select the Linux network interface name of the network on which the devices should be made to appear. Source Network – Enter the IP address range on one of the other network interfaces that should be allowed to masquerade on the output interface. The IP address range should be entered in the format "IP_network/mask_bits", such as "192.168.1.0/24". Following are examples of a Masquerade command. In these examples, devices on the 192.168.1.x network are masqueraded to the 'eth2' interface, and addresses 172.1.1.5-6 appear on the 'ppp0' interface: When using masquerading, the following rule is added by default to enable packet forwarding between interfaces:
Forwarding by Interface | The Forwarding by Interface option allows all packets to be freely forwarded between two Linux interfaces, which are selected from a drop-down list. There should always be two rows defined, so that packets are forwarded in both directions. Some examples of 'iptables' commands generated by this option are:
DNAT Pre-routing | The DNAT Pre-routing option allows IP packets to be modified as they arrive at an input interface. By checking the packet's destination port, the packet can be modified by being assigned a new TCP/IP destination address and port number. Enter one or more rows in the DNAT Pre-routing table: Interface Name – Select the Linux interface name on which the IP packets will be arriving. Protocol – Select the protocol of the packets to be routed (TCP, UDP, or ICMP). Dest Port – Enter the numeric IP port number of the incoming packets to listen for. New IP AndOr Port – Enter the new IP address and optional port number. This should be entered as "IP_address:port", such as "10.10.10.2:161" (this field is limited to 20 characters). Some examples of 'iptables' commands generated by this option are:
SNAT Post-routing | The SNAT Post-routing option allows IP packets to be modified before they leave an output interface. By checking the packet's source address and destination port, the packet can be modified by assigning a new TCP/IP source address and destination port number. Enter one or more rows in the SNAT Post-routing table: Interface Name – Select the Linux interface name on which the IP packets will be arriving. Protocol – Select the protocol of the packets to be routed (TCP, UDP, or ICMP). Source IP – Enter the IP address of the outgoing packets to be modified. Dest Port – Enter the numeric destination IP port number of the incoming packets to be modified. Use only a colon instead of a number to exclude the port setting from the 'iptables' command. New IP AndOr Port – Enter the new IP address and port number. This should be entered as "IP_address:port", such as "10.10.10.2:161" (this field is limited to 20 characters). Some examples of 'iptables' commands generated by this option are:
Drop All INPUT by Interface | This property drops any other INPUT packets on a given interface that were not matched by previous 'iptables' rules. Select the Interface Name on which to drop packets. An example of this rule is:
Custom IPTABLES | Finally, the Custom IPTABLES option allows you to configure any other 'iptables' commands that the previous Firewall object properties do not support. The 'iptables' utility has many options and variations that might be needed for certain networking situations. These custom rules are added to the firewall.sh script verbatim, with one qualifier: the free-format table entry only allows a maximum of 80 characters per line. If the command requires more than 80 characters, use a tilde (~ See RediGate Firewall Configuration for additional security options when configuring the firewall.
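The following script, added here as an example and not the firewall.sh that the RediGate Firewall object itself generates, prints the rule sequence the properties above describe (flush, default policies, accept by interface, port management, masquerade with its forwarding rules, DNAT pre-routing, drop by interface) for a default-deny configuration. Interface names (eth0, ppp0), the 192.168.1.0/24 network and the 10.10.10.2:161 DNAT target are constructed sample values; the `rule_index` helper is an assumption added to check that an accept rule precedes the final drop rule, since 'iptables' evaluates rules in order.

```shell
#!/bin/sh
# Added example, not the RediGate-generated firewall.sh: emits the rule
# sequence the Firewall object's properties describe. Interface names and
# addresses are constructed values. It only prints the script; redirect it
# to a file and review it before running it on a device.

LAN_IF=eth0             # assumed trusted local Ethernet interface
WAN_IF=ppp0             # assumed public cellular/PPP interface
LAN_NET=192.168.1.0/24  # assumed local network masqueraded via WAN_IF
DNAT_HOST=10.10.10.2    # assumed inside host receiving DNAT traffic
DNAT_PORT=161           # assumed UDP port (SNMP) forwarded to DNAT_HOST

gen_firewall() {
    echo '#!/bin/sh'
    # 1. Flush the existing chains first, as the generated script does
    for chain in INPUT OUTPUT FORWARD; do
        echo "iptables -F $chain"
    done
    echo "iptables -t nat -F"
    # 2. Default policies: deny unsolicited INPUT and FORWARD, allow OUTPUT
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -P FORWARD DROP"
    # 3. Accept All INPUT by Interface: trust the local Ethernet side
    echo "iptables -A INPUT -i $LAN_IF -j ACCEPT"
    # 4. Port Management: only reply traffic from the WAN; SSH from LAN only
    echo "iptables -A INPUT -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp -i $LAN_IF --dport 22 -j ACCEPT"
    # 5. Masquerade LAN_NET behind the WAN address, plus the forwarding it needs
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 6. DNAT Pre-routing: UDP DNAT_PORT arriving on the WAN goes to DNAT_HOST,
    #    and the FORWARD chain must also admit the rewritten packets
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport $DNAT_PORT -j DNAT --to-destination $DNAT_HOST:$DNAT_PORT"
    echo "iptables -A FORWARD -i $WAN_IF -p udp -d $DNAT_HOST --dport $DNAT_PORT -j ACCEPT"
    # 7. Drop All INPUT by Interface: anything else arriving from the WAN
    echo "iptables -A INPUT -i $WAN_IF -j DROP"
}

# Number of iptables commands the generated script would run
count_rules() { gen_firewall | grep -c '^iptables'; }

# Line number of the first rule containing the given fixed string, used to
# check rule ordering (an accept must come before the interface-wide drop)
rule_index() { gen_firewall | grep -n -F -- "$1" | head -n 1 | cut -d: -f1; }

gen_firewall
```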
Routes
The Routes configuration defines IP route information that is used for specifying a Default Gateway and other route entries. Serial IP networks (PPP, SLIP) require this because their ACE objects do not include a Default Gateway option in their parameters. Route entries to specific addresses or subnets are occasionally used for more advanced networking options.
...