Newbie Firewall help (not LAN)

  • Thanks for making it this far...


    Background:


    I am a complete noob when it comes to OMV and Linux in general. I found a server at SoYouStart (SYS) with a 6TB drive, and thought it time to give this a go.


    With OMV the main config seems quite easy, via the Web GUI, but I am struggling with the Firewall.


    Most of the posts here and around the internet are focused on rules which will apply to a home / office install on a LAN. (List of posts below)


    Obviously, the SYS server is in a datacenter, along with a million other servers, some of which are also mine.


    I'd like to set up some rules so that I can access WebGUI / SMB-CIFS / FTP from a selection of IP addresses (explicitly not blocks).


    The problem is that however I define a rule to allow access to my Home IP (fixed) I end up locking myself out.


    Can someone please help me define a set of rules to lock down this server to my few IP addresses?


    Home IP: 88.XXX.XXX.214
    OMV Srv IP: 213.XXX.XXX.105
    Server running Win requires SMB: 37.XXX.XXX.111
    Server running Win requires SMB: 91.XXX.XXX.194


    Posts already followed:


    OMV security recommendations?
    Help setting up firewall (iptables)
    Secure OMV
    Network Config
    messed up firewall


    The images from tekkb are really good, but I cannot seem to modify them to my setup.


    Thanks in advance,


    ~Trap


    PS. I am not using a VPN, this is to be a direct connection, which will be secured either end by firewall settings.

  • So I tried a fourteenth time, and just put a few test rules in.


    The only block should be for a specific IP (of mine).


    This IP can still access everything, without any blocks... What am I doing wrong?


    ~Trap



  • Thank you for your suggestion, this has made no difference though.


    I am still able to connect...?


    (Changed order of rules, Saved, Applied, Confirmed, then re-started OMV, then took the screenshot to ensure everything is right.)


    Edit: I can still access OMV by HTTP, HTTPS and SMB/CIFS.




  • I don't think you can leave the Destination Port blank.

    I'm following tekkb's "Final Rule" from this post:


    Help setting up firewall (iptables)


    Coming from a Windows background, where I am quite confident with Firewalls, this is a little confusing.


    I read somewhere (maybe not on this site) that iptables rules are evaluated from the top down. So you open specifics, and then slam the rest shut at the end.


    Surely the REJECT rule I have should block something?


    ~Trap

  • Yes, rules are evaluated top to bottom. But what you seem to be missing about this is that the first match wins.


    So if you have an ACCEPT rule that applies above a REJECT rule that also applies, then the REJECT rule will never be evaluated.


    When you are testing, exactly how are you doing that? What destination ports are you trying to connect to?

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 7.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 32GB ECC RAM.
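    To make the "first match wins" point above concrete, here is a small added example (not code from the thread or from OMV) that walks an ordered rule list the way iptables walks the INPUT chain: rules are "SOURCE DPORT VERDICT" lines, "any" stands for a blank Source or Destination Port field, and the chain policy, used only when nothing matches, is ACCEPT. The addresses are constructed placeholders from the RFC 5737 documentation ranges, standing in for the masked IPs in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a first-match evaluator mimicking how
# iptables walks the INPUT chain. Rules are "SOURCE DPORT VERDICT" lines,
# "any" is a wildcard for either field, and the chain policy (used only when
# no rule matches) is ACCEPT. Addresses are constructed RFC 5737 placeholders.

# evaluate RULES SRC_IP DPORT -> prints the verdict of the first matching rule
evaluate() {
  printf '%s\n' "$1" | awk -v src="$2" -v dport="$3" '
    /^#/ || NF != 3 { next }                          # skip comments and blank lines
    ($1 == "any" || $1 == src) && ($2 == "any" || $2 == dport) {
      print $3; matched = 1; exit                     # first match wins: stop walking
    }
    END { if (!matched) print "ACCEPT (chain policy)" }'
}

# The ordering from the thread that "did nothing": an ACCEPT with Source and
# Destination Port left blank (any/any) sits above the REJECT, so the REJECT
# is never reached for anyone.
BROKEN='
any any ACCEPT
198.51.100.214 445 REJECT
'

# Corrected ordering: specific ACCEPTs keyed on the source address first,
# then a single REJECT for everything else as the last rule.
FIXED='
198.51.100.214 445 ACCEPT
198.51.100.214 21 ACCEPT
203.0.113.111 445 ACCEPT
any any REJECT
'

broken_blocked_host() { evaluate "$BROKEN" 198.51.100.214 445; }  # ACCEPT: the REJECT is shadowed
fixed_home_smb()      { evaluate "$FIXED" 198.51.100.214 445; }   # ACCEPT
fixed_stranger_smb()  { evaluate "$FIXED" 192.0.2.50 445; }       # REJECT: not a listed source
fixed_server_ftp()    { evaluate "$FIXED" 203.0.113.111 21; }     # REJECT: that host only gets SMB

# Run with the argument "demo" to print all four verdicts.
if [ "${1:-}" = "demo" ]; then
  broken_blocked_host; fixed_home_smb; fixed_stranger_smb; fixed_server_ftp
fi
```

    The broken list returns ACCEPT for the very host the REJECT was written for, which is the behaviour reported earlier in the thread; moving the REJECT to the bottom and scoping every ACCEPT to a source address gives the intended verdicts.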

  • Thanks for taking time with me.


    The ultimate goal is to secure the OMV, as it is in a datacenter. I have some other servers there which will need access, and also I want access from home & office.


    Since the server is connected directly to the internet, it could be attacked by the server next-door.


    So I am trying to prevent access to FTP and SMB/CIFS from anything but a few specified IPs (the IPs are in different A classes).


    I have set up an SMB/CIFS accessible folder on OMV, and I am trying to figure out how the Firewall works, by blocking one of two servers that currently have access.


    So if the rules work from the top down, I need the most specific one at the top, and then matching REJECTs below to stop everyone else. Is that right?
    (Put another way: open port 21 for a single IP, then close it for all IPs)...


    ~Trap

  • Your ACCEPT rules should specify Source IP addresses for the hosts you wish to have access, then your last rule can reject everything from everywhere.

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 7.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 32GB ECC RAM.

  • Your first two rules are identical and probably accept everything for everybody. Delete them and try again.

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 7.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 32GB ECC RAM.

  • No, the first two rules have the extra "options" as per tekkb's original post.


    The first one is to allow already established connections to connect (also on related ports?)
    -m conntrack --ctstate ESTABLISHED,RELATED


    The second is to allow local traffic (127.0.0.1..?)
    -i lo


    I note, however, that although pics 1, 2, 3 set up the initial rules, they are not shown in pic 4...


    Any ideas?

  • before you give poor old gderf an aneurysm lol

    Not my intention, honest..!


    Personally, since it sounds like you only have 3 or 4 IPs that need access, I would just allow all TCP/UDP ports to each IP source then drop everything else instead of setting up custom ports for each service. But either way works.

    OK, so I tried this, and it works...!


    Thank you so much for this, you confirmed some of the things I thought were right, but had been contradicted elsewhere. (Top down esp.)


    Simple rules for those who follow:



    I need to add rules for the other IPs, but this is now preventing access from IPs not listed.



    The 4 rules for samba are unnecessary since the last one rejects all.


    These were added as it did not look like the last rule was working.



    Also, is 445 tcp, not udp?


    Entered as TCP on attempt 1 through 999... Then must have got stir-crazy...


    Thanks Again


    ~Trap
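    The screenshot with the final rules is not part of the page text, so here is an added example (not the poster's rules and not OMV's own output) that writes out an equivalent iptables-restore ruleset in the order the thread settled on: ESTABLISHED,RELATED and loopback first, then one ACCEPT per trusted source address for the services it needs, then a catch-all REJECT as the very last rule. Addresses are constructed placeholders from the RFC 5737 documentation ranges standing in for the masked IPs; the port sets per service are assumptions for illustration, and 445 is carried as tcp.

```shell
#!/bin/sh
# Added example, not the poster's rules: emits an iptables-restore ruleset in
# the order recommended in the thread. Housekeeping rules first, then one
# ACCEPT per trusted source address, then a final REJECT for everyone else.
# Addresses are constructed RFC 5737 placeholders for the masked IPs.

HOME_IP="198.51.100.214"      # home, needs web GUI, FTP and SMB
WIN_SMB_1="203.0.113.111"     # Windows server, SMB only
WIN_SMB_2="203.0.113.194"     # Windows server, SMB only

ADMIN_TCP="22,80,443"         # SSH and the OMV web GUI (HTTP/HTTPS), assumed
FTP_TCP="21"                  # FTP control channel
SMB_TCP="139,445"             # SMB over 445/tcp; 139/tcp is NetBIOS session
NB_UDP="137,138"              # NetBIOS name and datagram services, udp

gen_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Replies to connections this host opened, plus related traffic (FTP data)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 2. Loopback
-A INPUT -i lo -j ACCEPT
# 3. Specific ACCEPTs, every one tied to a source address
-A INPUT -s $HOME_IP -p tcp -m multiport --dports $ADMIN_TCP,$FTP_TCP,$SMB_TCP -j ACCEPT
-A INPUT -s $HOME_IP -p udp -m multiport --dports $NB_UDP -j ACCEPT
EOF
  for ip in "$WIN_SMB_1" "$WIN_SMB_2"; do
    printf '%s\n' "-A INPUT -s $ip -p tcp -m multiport --dports $SMB_TCP -j ACCEPT"
    printf '%s\n' "-A INPUT -s $ip -p udp -m multiport --dports $NB_UDP -j ACCEPT"
  done
  cat <<EOF
# 4. Last rule: anything not accepted above is rejected, whoever sent it
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Sanity checks that need neither root nor iptables installed.
count_input_rules() { gen_rules | grep -c '^-A INPUT'; }                 # 9
last_input_rule()   { gen_rules | grep '^-A INPUT' | tail -n 1; }         # the REJECT
# ACCEPTs without a source: only the two housekeeping rules may lack -s.
unscoped_accepts()  { gen_rules | grep '^-A INPUT' | grep -v -- '-s ' | grep -c 'ACCEPT'; }  # 2

# Run with the argument "print" to emit the ruleset to stdout.
if [ "${1:-}" = "print" ]; then gen_rules; fi
```

    Each line maps onto one row in the OMV firewall GUI (Source, Protocol, Destination port, Action) in the same order, and the order is what matters: because the first match wins, the REJECT only does its job when every ACCEPT above it names a source. On a machine with iptables installed, iptables-restore --test checks the generated file for syntax errors without loading it.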
