Help setting up firewall (iptables)

    • OMV 1.0


    • Help setting up firewall (iptables)

      Hi,

      After playing around a little bit too much with my OMV box I decided to nuke and pave.
      Before reinstalling I had taken notes of all important configurations, including the firewall configuration. However, for some reason (most likely because the instructions were available here: Example of OMV's firewall) I had not taken any notes of the first 3 firewall rules, the ones found in the linked forum post. Now, unfortunately, it seems the pictures from the linked post have been deleted from ImageShack.

      So I did some thinking and digging on my own, and I think I have got the first two correct:
      1. Family: IPv4, Direction: INPUT, Action: ACCEPT, Protocol: All, Extra options: -m conntrack --ctstate ESTABLISHED,RELATED
      2. Family: IPv4, Direction: INPUT, Action: ACCEPT, Protocol: All, Extra options: -i lo

      However, I am not sure about the third rule, which allows clients to ping the OMV box. If I remember, I had it like this:
      3. Family: IPv4, Direction: INPUT, Action: ACCEPT, Source: 192.168.0/24, Destination: 192.168.0.163, Protocol: ICMP

      (i.e. no Extra options). However, when looking at posts and guides on other forums, everybody seems to give some extra parameters as well?

      Anyone care to comment (did I get any of them right)?
    • Make sure you use these in conjunction with the instructions from the old post. See attached. And WastlJ, it is ok to redo the old post if you want.
      Images
      • Rule 1.jpg
      • Rule 2.jpg
      • Rule 3.jpg
      • example rules.jpg
      • Final Rule.jpg
    • tekkb wrote:

      Make sure you use these in conjunction with the instructions from the old post. See attached. And WastlJ, it is ok to redo the old post if you want.


      Why don't you have an open port 4242 for the Crashplan engine? 4243 is AFAIK only for the config application?
      HP ProLiant N54L | 16 GB RAM | 4x4TB WD Red RAID 5 | ESXi 5.5 | OMV 2.1.x 64 bit
    • You only need 548 tcp for AFP, not UDP. It says that sometimes 427 tcp is needed too. The UDP rule is probably messing it up.

      SFTP runs over SSH so it is tcp port 22 unless you moved the port for SSH.

      UDP rules do not like it when you set a destination, but for tcp rules, if the traffic is going to your omv only, you can set the omv IP address as destination.

      PS- Filezilla is also a good SFTP client. SFTP and FTP are not related. They are very different.


    • Hi Tekkb, I rechecked everything and AFP is now working (I think I didn't really make any changes following your response except removing UDP and rebooting ;) )
      On the firewall front, I have changed nf_conntrack_ftp to ip_conntrack_ftp (options ip_conntrack_ftp ports=21,40000-40100) in file /etc/modprobe.conf, rebooted OMV and it works!
      The last thing I can't explain is that on my Mac I can't open the "OMV_server_name - SMB/CIFS" icon, while I can open the "OMV icon" (which is in reality SMB). Strange, but not really important as it eventually works.
      Many thanks,
      HP Proliant Microserver N40L - 8Go RAM - ESXi 6 - 1*250Go + 2*3To + 1*650Go - OMV 2.x installed
    • Hi. I worked through @tekkb's helpful instructions above but encountered the following error while applying the new rules:

      Source Code

      Error #0:
      exception 'OMV\ExecException' with message 'Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; /etc/network/if-pre-up.d/openmediavault-iptables 2>&1' with exit code '1': iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.
      iptables: No chain/target/match by that name.' in /usr/share/php/openmediavault/system/process.inc:175
      Stack trace:
      #0 /usr/share/openmediavault/engined/module/iptables.inc(46): OMV\System\Process->execute()
      #1 /usr/share/openmediavault/engined/rpc/config.inc(189): OMVModuleIptables->startService()
      #2 [internal function]: OMVRpcServiceConfig->applyChanges(Array, Array)
      #3 /usr/share/php/openmediavault/rpc/serviceabstract.inc(124): call_user_func_array(Array, Array)
      #4 /usr/share/php/openmediavault/rpc/serviceabstract.inc(150): OMV\Rpc\ServiceAbstract->callMethod('applyChanges', Array, Array)
      #5 /usr/share/php/openmediavault/rpc/serviceabstract.inc(528): OMV\Rpc\ServiceAbstract->OMV\Rpc\{closure}('/tmp/bgstatusi7...', '/tmp/bgoutput3G...')
      #6 /usr/share/php/openmediavault/rpc/serviceabstract.inc(151): OMV\Rpc\ServiceAbstract->execBgProc(Object(Closure))
      #7 /usr/share/openmediavault/engined/rpc/config.inc(208): OMV\Rpc\ServiceAbstract->callMethodBg('applyChanges', Array, Array)
      #8 [internal function]: OMVRpcServiceConfig->applyChangesBg(Array, Array)
      #9 /usr/share/php/openmediavault/rpc/serviceabstract.inc(124): call_user_func_array(Array, Array)
      #10 /usr/share/php/openmediavault/rpc/rpc.inc(84): OMV\Rpc\ServiceAbstract->callMethod('applyChangesBg', Array, Array)
      #11 /usr/sbin/omv-engined(516): OMV\Rpc\Rpc::call('Config', 'applyChangesBg', Array, Array, 1)
      #12 {main}
      The content of /etc/network/if-pre-up.d/openmediavault-iptables is:

      Shell-Script

      #!/bin/sh
      # This configuration file is auto-generated.
      # WARNING: Do not edit this file, your changes will be lost.
      iptables -t filter -F
      iptables -A INPUT -p all -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
      iptables -A INPUT -p all -j ACCEPT -i lo
      iptables -A INPUT -p icmp --source 192.168.1.1/24 --destination 192.168.1.102 -j ACCEPT
      iptables -A INPUT -p tcp --destination 192.168.1.102 --dport 22 -j ACCEPT
      iptables -A INPUT -p tcp --source 192.168.1.1/24 --destination 192.168.1.102 --dport 80 -j ACCEPT
      iptables -A INPUT -p udp --source 192.168.1.1/24 --dport 137 -j ACCEPT
      iptables -A INPUT -p udp --source 192.168.1.1/24 --dport 138 -j ACCEPT
      iptables -A INPUT -p tcp --source 192.168.1.1/24 --destination 192.168.1.102 --dport 139 -j ACCEPT
      iptables -A INPUT -p tcp --destination 192.168.1.102 --dport 443 -j ACCEPT
      iptables -A INPUT -p tcp --source 192.168.1.1/24 --destination 192.168.1.102 --dport 445 -j ACCEPT
      iptables -A INPUT -p tcp --source 192.168.1.1/24 --dport 631 -j ACCEPT
      iptables -A INPUT -p udp --source 192.168.1.1/24 --dport 1900 -j ACCEPT
      iptables -A INPUT -p tcp --destination 192.168.1.102 --dport 81 -j ACCEPT
      iptables -A INPUT -p udp --source 192.168.1.1/24 --dport 5353 -j ACCEPT
      iptables -A INPUT -p tcp --destination 192.168.1.102 --dport 32400 -j ACCEPT
      iptables -A INPUT -p udp --source 192.168.1.1/24 --dport 32410 -j ACCEPT
      iptables -A INPUT -p udp --source 192.168.1.1/24 --dport 32412:32414 -j ACCEPT
      iptables -A INPUT -p tcp --destination 192.168.1.102 --dport 32443 -j ACCEPT
      iptables -A INPUT -p tcp --source 192.168.1.1/24 --destination 192.168.1.102 --dport 32469 -j ACCEPT
      iptables -A INPUT -p all -j REJECT
      What have I done wrong? What extra information should I provide? Thanks for your help... :)
    • I thought I would share some additional output firewall rules that will work for a stock install of OMV 3.X ... I believe. Generally you don't reject outgoing traffic but it's better to be paranoid.

      I do not use SNMP or FTP on my network, but from my understanding these should be covered under OUTPUT ALLOWed to 192.168.0.0/24 (or whatever your private network range happens to be).

      Any OMV/OMV-Extras.org plugins are not covered, and as a final note you MUST allow:
      -port 25 TCP and UDP OUT, preferably constrained to either your relay server or just 0.0.0.0, for SMTP to work (mail)
      -ports 80,443/TCP OUT to any IP, as well as 53 TCP and UDP (DNS sometimes uses TCP for IPv6 & DNSSEC), for apt to work (updates). 53 is necessary for resolving IP addresses from domains (DNS)
      -port 123/UDP OUT to any IP for NTP... do not hardcode NTP service IPs, they are subject to change.
      -port 5353/UDP OUT to any IP (maybe just subnet?) for Avahi/Zeroconf (I guess because it's broadcasting to nobody in particular?)

      Those rules are all pictured, but I thought I'd point out if you miss them you'll have issues right off the bat.

      Otherwise, if you follow the picture below you should be able to REJECT all OUTPUT, again, on a stock install. If you have troubles or need help, let me know. If you accidentally lock yourself out you can just get a tty session (you'll need to connect a screen to your NAS) and sudo iptables -F OUTPUT, which should fix any issues you're having. Just be sure to go clear out the rules from the firewall in the web UI after flushing the iptables OUTPUT chain from the tty.

      Cheers,
      Have fun.
      Images
      • omv-output-rules.png
      :cursing: Intel NUC Kit DE3815TYKHE My NAS build / ARK
      Atom E3815 1.46GHz • 4GB RAM • 1TB SSHD • 4GB eMMC
      OMV 3.x | OMV-Extras | Flash Memory | Pi-hole

      RPi/3 №1: LibreElec 8.x • RPi/3 №2: SickRage, PiVPN, noip2


    • On my omv test bench, NFS rules for port 111 cannot be set to "all" with the GUI. You need two rules, one for udp and one for tcp.

      [IMG:https://zupimages.net/up/18/03/paaj.jpg]

      [IMG:https://zupimages.net/up/18/03/nstt.jpg]
      ---------------------------------------------------------------------------------------------------------------------
      French, so forgive my English
      Personal Rig: valid.x86.fr/v72uek as a test bench with Oracle VM.
      And YES, my avatar is real, I am flying "parapentes" in St Hilaire du Touvet and at la Coupe Icare.
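An offline lint for a generated rule script, added here as an example; it is not code from this thread or from OpenMediaVault. It reads the `iptables -A CHAIN ...` lines of a script in the shape of the /etc/network/if-pre-up.d/openmediavault-iptables file quoted above and applies the points raised in the thread: ESTABLISHED,RELATED first, an ACCEPT for lo, a catch-all REJECT last, tekkb's note that UDP rules should not carry a --destination, the NFS port 111 post (iptables only accepts --dport with -p tcp/udp, so "all" plus a port cannot work), and drinks2go's list of outbound ports a stock install must still allow. The two sample scripts, their 192.168.1.x addresses and the REQUIRED_EGRESS table are constructed from the thread's own numbers. The "No chain/target/match by that name" error reported above is raised by iptables at load time when a chain, target or match extension cannot be found on the running system, which a text-only check like this cannot detect.

```python
"""Offline lint for an OMV-style generated iptables script (added example)."""
import shlex

# Outbound services drinks2go lists as mandatory on a stock install: (port, proto).
REQUIRED_EGRESS = {(25, "tcp"), (25, "udp"), (80, "tcp"), (443, "tcp"),
                   (53, "tcp"), (53, "udp"), (123, "udp"), (5353, "udp")}

# Protocols for which iptables accepts --dport; `-p all --dport N` is refused.
PORT_PROTOS = ("tcp", "udp", "udplite", "sctp", "dccp")

# Constructed sample in the shape of /etc/network/if-pre-up.d/openmediavault-iptables.
INPUT_SCRIPT = """\
#!/bin/sh
iptables -t filter -F
iptables -A INPUT -p all -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
iptables -A INPUT -p all -j ACCEPT -i lo
iptables -A INPUT -p icmp --source 192.168.1.1/24 --destination 192.168.1.102 -j ACCEPT
iptables -A INPUT -p tcp --destination 192.168.1.102 --dport 22 -j ACCEPT
iptables -A INPUT -p udp --source 192.168.1.1/24 --destination 192.168.1.102 --dport 137 -j ACCEPT
iptables -A INPUT -p all --source 192.168.1.1/24 --dport 111 -j ACCEPT
iptables -A INPUT -p all -j REJECT
"""

# Constructed OUTPUT rule set that forgets DNS over TCP, SMTP over UDP and mDNS.
OUTPUT_SCRIPT = """\
iptables -A OUTPUT -p all -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
iptables -A OUTPUT -p all -j ACCEPT -o lo
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p tcp --destination 192.168.1.0/24 --dport 25 -j ACCEPT
iptables -A OUTPUT -p all -j REJECT
"""

# Options that take one value, mapped to the field they fill.
TWO_ARG = {"-A": "chain", "-p": "proto", "-j": "target", "-s": "source",
           "--source": "source", "-d": "destination", "--destination": "destination",
           "--dport": "dport", "-i": "in_iface", "--ctstate": "ctstate"}


def parse_rules(script):
    """Turn every `iptables -A CHAIN ...` line into a dict of the options we care about."""
    rules = []
    for line in script.splitlines():
        toks = shlex.split(line.strip())
        if len(toks) < 3 or toks[0] != "iptables" or "-A" not in toks:
            continue                     # shebang, comments, the flush line
        rule = {"chain": None, "proto": "all", "target": None, "source": None,
                "destination": None, "dport": None, "in_iface": None, "ctstate": None}
        i = 0
        while i < len(toks):
            key = TWO_ARG.get(toks[i])
            if key and i + 1 < len(toks):
                rule[key] = toks[i + 1].lower() if key == "proto" else toks[i + 1]
                i += 2
            elif toks[i] in ("-m", "-t", "-o"):   # match/table/out-iface: value skipped
                i += 2
            else:
                i += 1
        rules.append(rule)
    return rules


def audit_input(rules):
    """Findings for the INPUT chain, in script order; an empty list means clean."""
    inp = [r for r in rules if r["chain"] == "INPUT"]
    if not inp:
        return ["INPUT: no rules"]
    findings = []
    if "ESTABLISHED" not in (inp[0]["ctstate"] or ""):
        findings.append("INPUT: first rule should accept ESTABLISHED,RELATED")
    if not any(r["in_iface"] == "lo" and r["target"] == "ACCEPT" for r in inp):
        findings.append("INPUT: no ACCEPT rule for the loopback interface")
    last = inp[-1]
    if last["target"] not in ("REJECT", "DROP") or last["dport"] or last["source"]:
        findings.append("INPUT: last rule is not a catch-all REJECT/DROP")
    for n, r in enumerate(inp, 1):
        if r["proto"] == "udp" and r["destination"]:
            findings.append(f"INPUT rule {n}: UDP rule with --destination")
        if r["dport"] and r["proto"] not in PORT_PROTOS:
            findings.append(f"INPUT rule {n}: --dport needs -p tcp or -p udp, not -p {r['proto']}")
    return findings


def missing_egress(rules):
    """(port, proto) pairs from REQUIRED_EGRESS that no OUTPUT ACCEPT rule opens."""
    covered = set()
    for r in rules:
        if r["chain"] != "OUTPUT" or r["target"] != "ACCEPT" or not r["dport"]:
            continue
        lo, _, hi = r["dport"].partition(":")      # --dport accepts N or N:M
        for port in range(int(lo), int(hi or lo) + 1):
            covered.add((port, r["proto"]))
    return sorted(REQUIRED_EGRESS - covered)


if __name__ == "__main__":
    for finding in audit_input(parse_rules(INPUT_SCRIPT)):
        print(finding)
    print("missing egress:", missing_egress(parse_rules(OUTPUT_SCRIPT)))
```

Run against the constructed INPUT script it reports the UDP rule carrying a --destination and the "-p all" rule with a port; against the OUTPUT script it lists the three (port, proto) pairs from drinks2go's list that no rule opens. To check a real box, feed the contents of the generated file to parse_rules instead of the samples; the lint reads text only and never calls iptables.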