Help setting up firewall (iptables)

  • Hi,

    After playing around a little bit too much with my OMV box I decided to nuke and pave.
    Before reinstalling I had taken notes of all important configurations including the firewall configurations. However, for some reason (most likely because the instructions were available here: Example of OMV's firewall) I had not taken any notes of the first 3 firewall rules, the ones found in the linked forum post. Now, unfortunately, it seems like the pictures from the linked post have been deleted from ImageShack.

    So I did some thinking and digging on my own, and I think I have got the first two correct:
    1. Family: IPv4, Direction: INPUT, Action: ACCEPT, Protocol: All, Extra options: -m conntrack --ctstate ESTABLISHED,RELATED
    2. Family: IPv4, Direction: INPUT, Action: ACCEPT, Protocol: All, Extra options: -i lo

    However, I am not sure about the third rule, which allows clients to ping the OMV box. If I remember, I had it like this:
    2. Family: IPv4, Direction: INPUT, Action: ACCEPT, Source: 192.168.0/24, Destination:, Protocol: ICMP

    (i.e. no Extra options). However, when looking at posts and guides on other forums, everybody seems to also give some parameters?

    Anyone care to comment (did I get any of them right)?

  • Make sure you use these in conjunction with the instructions from the old post. See attached. And WastlJ, it is ok to redo the old post if you want.

    Why don't you have an open port 4242 for the Crashplan engine? 4243 is AFAIK only for the config application?

  • These are just some examples to get people started. It is to help people learn. Everyone should add ideas here as you did.

    Oh ok, I thought that was your actual configuration. And then I wondered how you can run CrashPlan with this configuration.

  • You only need 548 tcp for AFP, not UDP. It says that sometimes 427 tcp is needed too. The UDP rule is probably messing it up.

    SFTP runs over SSH so it is tcp port 22 unless you moved the port for SSH.

    UDP rules do not like it when you set a destination, but for tcp rules, if going to your omv only, you can set the omv IP address as destination.

    PS- Filezilla is also a good SFTP client. SFTP and FTP are not related. They are very different.

  • Hi Tekkb, I rechecked everything and AFP is now working (I think I didn't really make changes following your response except removing UDP and rebooting ;-)
    On the firewall front, I have changed nf_conntrack_ftp to ip_conntrack_ftp (options ip_conntrack_ftp ports=21,40000-40100) in file /etc/modprobe.conf, rebooted OMV and it works!
    The last thing I can't explain is that on my Mac I can't open the "OMV_server_name - SMB/CIFS" icon while I can open the "OMV icon" (which is in reality SMB). Strange but not really important as it eventually works.
    Many thanks,

    HP Proliant Microserver N40L - 8Go RAM - ESXi 6 - 1*250Go + 2*3To + 1*650Go - OMV 2.x installed

  • Hi guys, thanks for the guide.

    I noticed you need to add DNS and NTP also, otherwise the updates, clamav and time don't work.

    Just wondering though, why is it not possible to add ports with a comma separation, i.e. "80, 443, 22"?
    I thought that was accepted by iptables.


  • Hi. I worked through @tekkb's helpful instructions above but encountered the following error while applying the new rules:

    The content of /etc/network/if-pre-up.d/openmediavault-iptables is:

    What have I done wrong? What extra information should I provide? Thanks for your help... :)

  • I thought I would share some additional output firewall rules that will work for a stock install of OMV 3.X ... I believe. Generally you don't reject outgoing traffic but it's better to be paranoid.

    I do not use SNMP or FTP on my network but from my understanding these should be covered under OUTPUT ALLOWed to (or whatever your private network range happens to be).

    Any OMV/ plugins are not covered, and as a final note you MUST allow:
    -port 25 TCP and UDP OUT, preferably constrained to either your relay server or just, for SMTP to work (mail)
    -ports 80,443/TCP OUT to any IP as well as 53 TCP and UDP (DNS sometimes uses TCP for IPv6 & DNSSEC) for apt to work (updates). 53 is necessary for resolving ip addresses from domains (DNS)
    -port 123/UDP OUT to any IP for NTP... do not hardcode NTP service IPs, they are subject to change.
    -port 5353/UDP OUT to any IP (maybe just subnet?) for Avahi/Zeroconf (I guess because it's broadcasting to nobody in particular?)

    Those rules are all pictured, but I thought I'd point out if you miss them you'll have issues right off the bat.

    Otherwise if you follow the picture below you should be able to REJECT all OUTPUT, again, on a stock install. If you have troubles or need help let me know. If you accidentally lock yourself out you can just get a tty session (you'll need to connect a screen to your NAS) and sudo iptables -F OUTPUT which should fix any issues you're having. Just be sure to go clear out the rules from the firewall in the web UI after flushing the iptables OUTPUT chain from tty.

    Have fun.
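
The egress allow-list from the post above, written out as an added example (not the poster's or OMV's own rules) together with a check that none of the "MUST allow" services is missing before the final REJECT. The LAN range and relay address are placeholders passed in by the caller, the sample addresses are documentation-range values, and SMTP is allowed over TCP only.

```shell
#!/bin/sh
# Added example, not from the thread. Rules are printed in "iptables -S" form
# so they can be reviewed and compared before anything is applied.

# $1 = private LAN range, $2 = SMTP relay address (both caller-supplied).
output_rules() {
    for v in "$1" "$2"; do
        # Digits, dots and "/" only: arguments cannot add options or syntax.
        case "$v" in ''|*[!0-9./]*) return 2 ;; esac
    done
    # multiport is the iptables match that takes a comma-separated port list.
    cat <<EOF
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d $1 -j ACCEPT
-A OUTPUT -d $2 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 5353 -j ACCEPT
-A OUTPUT -j REJECT
EOF
}

# Read rules on stdin and print every required service that has no ACCEPT
# rule ahead of the first REJECT. Port ranges (a:b) are not understood.
missing_egress() {
    rules=$(sed '/-j REJECT/,$d')
    for need in smtp:tcp:25 http:tcp:80 https:tcp:443 dns-udp:udp:53 \
                dns-tcp:tcp:53 ntp:udp:123 mdns:udp:5353; do
        name=${need%%:*}; rest=${need#*:}
        proto=${rest%%:*}; port=${rest#*:}
        pat="-p $proto .*--dports? ([0-9]+,)*$port(,| )"
        printf '%s\n' "$rules" | grep -E -- "$pat" |
            grep -q -- '-j ACCEPT' || printf '%s\n' "$name"
    done
}

# Constructed demo (documentation-range addresses, NTP rule dropped).
output_rules 192.0.2.0/24 192.0.2.10 | grep -v -- '--dport 123 ' | missing_egress
```

On a live box the same check can be fed from `iptables -S OUTPUT` after the rules have been entered in the web UI; any name it prints is a service that the REJECT rule will cut off.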

  • On my omv testbench, NFS rules ports 111 cannot be set to all with GUI. Need two rules, one in udp, one in tcp.
