Differences between revisions 16 and 18 (spanning 2 versions)
Revision 16 as of 2014-03-12 16:16:21
Size: 3131
Editor: ScottYoung
Comment:
Revision 18 as of 2014-07-28 12:38:30
Size: 2717
Editor: ScottYoung
Comment: RCS -> Git
Deletions are marked like this. Additions are marked like this.
Line 17: Line 17:
First up is the incoming firewall for [[Murasoi]] itself. This is fairly restrictive, only allowing SSH from everywhere (and even that has fail2ban in front of it). Other things are only allowed from UCC, UWA or occasionally FREENETs. PPTP connections and SSH are allowed from SNAP, but nothing else. First up is the incoming firewall for [[Murasoi]] itself. This is fairly restrictive, only allowing SSH from everywhere (and even that has fail2ban in front of it), Iodine and PPTP. Other things are only allowed from UCC or UWA.
Line 21: Line 21:
This section is about access control. There are two main chains, TOOUTSIDE and FROMOUTSIDE that most rules are added to, and there's two extra targets, FREENETSIN and FREENETSOUT that jump to a long list of free networks stored using ipset. Ports like CIFS, MSSQL are blocked, as is access to machines with vulnerable OSen (like IRIX). Hosts in $UNFIREWALLED can receive charged traffic and do their own firewalling. After this comes a long list of rules to open ports for particular hosts, in roughly ascending order by IP. Incoming ports are generally opened to ACCEPT (the whole world) or FREENETSIN (a smaller subsection of the whole world). Outgoing ports don't need to be unfirewalled. This section is about access control. There are two main chains, TOOUTSIDE and FROMOUTSIDE that most rules are added to. Hosts in $UNFIREWALLED must do their own firewalling. After this comes a long list of rules to open ports for particular hosts, in roughly ascending order by IP. Incoming ports are generally opened to ACCEPT (the whole world). Outgoing ports don't need to be unfirewalled.
Line 32: Line 32:
 2. If the host isn't on the machine room network then you'll also need to add a couple of rules to the 'Incoming traffic for unfirewalled IPs' section. Have a look at what marcel and paradise are doing, as a guide.  2. Save the file.
 3. Re-run ucc-fw with `/etc/init.d/ucc-fw`.
 4. Save your changes into Git by typing `git add ucc-fw; git commit` and then entering a log message.
Line 34: Line 36:
After making changes, you should re-run ucc-fw. Have a look at what chordata is doing, as a guide.

The devil has a name, and it is ucc-fw. This article aspires to be a reference manual for the UCC firewall. It does not aspire to be a reference manual for iptables, and readers are expected to familiarize themselves with the basics of iptables syntax before attempting to change the central firewall.

Contents

  1. Not just a firewall
  2. Overview
    1. [[Murasoi]] firewalling
    2. Main firewall
    3. NATting
  3. Common Tasks
    1. Letting things through

Not just a firewall

ucc-fw is located on Murasoi in /etc/init.d/ and one point it was 700 lines of arcane iptables commands and cryptic comments, responsible for keeping the baddies out, keeping costs down by making sure the right data goes out the right link, NAT for the Silk link, and a lot of other things.

Luckily it is now largely just a firewall.

As suggested by its location, ucc-fw is initialized at boot and changes can be applied by simply running the script again.

Overview

The firewall script has several distinct parts. Let's look at them in turn:

[[Murasoi]] firewalling

First up is the incoming firewall for Murasoi itself. This is fairly restrictive, only allowing SSH from everywhere (and even that has fail2ban in front of it), Iodine and PPTP. Other things are only allowed from UCC or UWA.

Main firewall

This section is about access control. There are two main chains, TOOUTSIDE and FROMOUTSIDE that most rules are added to. Hosts in $UNFIREWALLED must do their own firewalling. After this comes a long list of rules to open ports for particular hosts, in roughly ascending order by IP. Incoming ports are generally opened to ACCEPT (the whole world). Outgoing ports don't need to be unfirewalled.

NATting

Then the NAT occurs. There are a few DNATs for policy purposes, followed by SNATs for the various 172.26.42 networks.

Common Tasks

Most changes to ucc-fw are relatively mundane: unblocking a port, forwarding a port, and unfirewalling a particular host (eg: for a colocated user machine).

Letting things through

The most common firewall maintenance task you'll come across is also the easiest. Letting a port through is as simple as a couple of well-placed lines. The exact syntax for how to allow a port through to a host is an exercise left for the reader, but in most cases you should be able to copy existing entries and modify them to suit your purposes.

  1. Find the part of the script entitled 'Inbound machine specific rules' and create a new rule for your host and port.
  2. Save the file.

  3. Re-run ucc-fw with /etc/init.d/ucc-fw.

  4. Save your changes into Git by typing git add ucc-fw; git commit and then entering a log message.

Have a look at what chordata is doing, as a guide.

CategorySystemAdministration

uccwiki: Network/Firewall (last edited 2020-04-02 11:22:11 by 61-245-140-116)

MoinMoin Powered | Python Powered
Written to be specifications compliant.

UCC

Wiki content is publicly editable, and as such does not necessarily reflect
the views of the University Computer Club, the Guild or the University of
Western Australia.

Contact the webmasters.