The devil has a name, and it is ucc-fw. This article aspires to be a reference manual for the UCC firewall. It does not aspire to be a reference manual for iptables, and readers are expected to familiarize themselves with the basics of iptables syntax before attempting to change the central firewall.
Contents
Not just a firewall
ucc-fw is located on madako in /etc/init.d/ and one point it was 700 lines of arcane iptables commands and cryptic comments, responsible for keeping the baddies out, keeping costs down by making sure the right data goes out the right link, NAT for the Silk link, and a lot of other things.
Luckily it is now largely just a firewall.
As suggested by its location, ucc-fw is initialized at boot and changes can be applied by simply running the script again.
Overview
The firewall script has several distinct parts. Let's look at them in turn:
Madako firewalling
First up is the incoming firewall for madako itself. This is fairly restrictive, only allowing SSH from everywhere (and even that has fail2ban in front of it). Other things are only allowed from UCC, UWA or occasionally FREENETs. PPTP connections and SSH are allowed from SNAP, but nothing else.
Main firewall
This section is about access control. There are two main chains, TOOUTSIDE and FROMOUTSIDE that most rules are added to, and there's two extra targets, FREENETSIN and FREENETSOUT that jump to a long list of free networks stored using ipset. Ports like CIFS, MSSQL are blocked, as is access to machines with vulnerable OSen (like IRIX). Hosts in $UNFIREWALLED can receive charged traffic and do their own firewalling. After this comes a long list of rules to open ports for particular hosts, in roughly ascending order by IP. Incoming ports are generally opened to ACCEPT (the whole world) or FREENETSIN (a smaller subsection of the whole world). Outgoing ports don't need to be unfirewalled.
NATting
Then the NAT occurs. There are a few DNATs for policy purposes, followed by SNATs for the various 172.26.42 networks.
Common Tasks
Most changes to ucc-fw are relatively mundane: unblocking a port, forwarding a port, and unfirewalling a particular host (eg: for a colocated user machine).
Letting things through
The most common firewall maintenance task you'll come across is also the easiest. Letting a port through is as simple as a couple of well-placed lines. The exact syntax for how to allow a port through to a host is an exercise left for the reader, but in most cases you should be able to copy existing entries and modify them to suit your purposes.
- Find the part of the script entitled 'Inbound machine specific rules' and create a new rule for your host and port.
- If the host isn't on the machine room network then you'll also need to add a couple of rules to the 'Incoming traffic for unfirewalled IPs' section. Have a look at what marcel and paradise are doing, as a guide.
