859
edits
Changes
From SME Server
Jump to navigationJump to search→Block incoming IP address
{{usefulnote}}
The server manager is the GUI front end for the firewall. The firewall is modified automatically in response to changes you make in the configuration, such as enabling/disabling services, marking them public/private, forwarding ports, etc.
The server manager is the GUI front end for the firewall. The firewall is modified automatically in response to changes you make in the configuration, such as enabling/disabling services, marking them public/private, forwarding ports, etc.
If you wish to make changes beyond those provided for by the server manager, you can do so by setting DB records or providing custom templates. Only make these changes if you are sure you know what you are doing, '''incorrect settings will compromise security on your server.'''
If you wish to make changes beyond those provided for by the server manager, you can do so by setting DB records or providing custom templates. Only make these changes if you are sure you know what you are doing, '''incorrect settings will compromise security on your server.'''
==FAQs==
*I want to have two WAN addresses; one for the SMESERVER and another that needs to be treated like a "Local Network". I can't set any address from the WAN subnet as a "Local Network".
*I want to have two WAN addresses; one for the SMESERVER and another that needs to be treated like a "Local Network". I can't set any address from the WAN subnet as a "Local Network".
This is intended behaviour as SMESERVER is secure by design. If you need to do something like this, you should know what you are doing and understand what to poke under the covers.
This is intended behaviour as SMESERVER is secure by design. If you need to do something like this, you should know what you are doing and understand what to poke under the covers.
==DB Settings==
*How do I allow public access to a service I've added to SME Server 7?
*How do I allow public access to a service I've added to SME Server?
For this example the service you have installed is called 'manta' and 'nnn' is the TCP port number that needs to be opened. Watch your capitalization with the command below:
config set manta service access public status enabled TCPPort nnn
config set manta service access public status enabled TCPPort nnn
signal-event post-upgrade
signal-event post-upgrade
signal-event reboot
signal-event reboot
===Additional information on customizing iptables===
Create a custom-named service definition in the configuration database. you can see the [[DB_Variables_Configuration#Additional_information_on_customizing_iptables|DB configuration]]
db configuration set <servicename> service
Apply your desired firewall restrictions to any existing SME 'service' or to a custom-named service that you have created. Combine a custom-named service with port-forwarding to create customized firewall rules.
db configuration setprop <servicename> TCPPort <portnumber>
db configuration setprop <servicename> TCPPorts <portnumbers>
db configuration setprop <servicename> UDPPort <portnumber>
db configuration setprop <servicename> UDPPorts <portnumbers>
db configuration setprop <servicename> status enabled|disabled
db configuration setprop <servicename> access public|private
db configuration setprop <servicename> AllowHosts a.b.c.d,x.y.z.0/24
db configuration setprop <servicename> DenyHosts e.f.g.h,l.m.n.0/24
Effectuate the changes you have made
signal-event remoteaccess-update
{| border="1" width="100%" cellspacing="0" cellpadding="5"
|+Affected file: /etc/rc.d/init.d/masq
!Variable
!Target
!Default
!Expected values
|-
|TCPPort
| --proto tcp --dport <Ports>
|Pre-configured for default services; no default for custom services
|empty or a numerical or coma separated numbers
|-
|TCPPorts
| --proto tcp --dports <Ports>
|No default for custom services; Ranges of ports are defined with a : not a -
|empty or a numerical or coma separated numbers
|-
|UDPPort
| --proto udp --dport <Ports>
|Pre-configured for default services; no default for custom services
|empty or a numerical or coma separated numbers
|-
|UDPPorts
| --proto udp --dports <Ports>
|No default for custom services; Ranges of ports are defined with a : not a -
|empty or a numerical or coma separated numbers
|-
|status
| enabled | disabled
|AllowHosts is set to "" (an empty string) unless the status is 'enabled'
|'enabled' or 'disabled'
|-
|access
| public | private
|AllowHosts is set to "" (an empty string) unless access is 'public'
|'private' for localhost and local network only (Server and gateway mode), 'public' for everywhere, 'localhost' for localhost only
|-
|AllowHosts
| --src ..... --jump ACCEPT
|Pre-configured for default services; no default for custom services. Default is '0.0.0.0/0' if service is ''enabled'' and ''public''.
|IP and netmask with this format 0.0.0.0/0, or coma separated list of these elements
|-
|DenyHosts
| --src ..... --jump denylog
|Pre-configured for default services; no default for custom services. If 'DenyHosts' is empty or does not exist then there are no '... --jump denylog' entries created in /etc/init.d/masq.
|IP and netmask with this format 0.0.0.0/0, or coma separated list of these elements
|}
==Custom templates==
===Block incoming IP address===
*I want to block All traffic from some ip-addresses to my server.
*I want to block All traffic from some ip-addresses to my server.
====Manual Method====
Create a custom template and list the IP's
Create a custom template and list the IP's
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
iptables -L INPUT -v -n
iptables -L INPUT -v -n
====Block outgoing IPs or mac addresses====
====Automated method====
The above can be automated slightly.
First lets create a key where we can add IPs that we want to block:
config set ipblock configuration status enabled DenyHosts 208.100.26.0/24 logging disabled
As above, create the following template:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
Paste this code:
{
use esmith::ConfigDB;
my $db = esmith::ConfigDB->open_ro || die 'Could not open configuration database';
# Completely block any riff raff
if ( ( my $status = $db->get_prop( 'ipblock', 'status' ) ) eq 'enabled' ) {
my $DenyHosts = $db->get_prop( 'ipblock', 'DenyHosts' ) || '';
my $logging = $db->get_prop( 'ipblock', 'logging' ) || 'disabled';
foreach my $host ( split( ',', $DenyHosts ) ) {
$OUT .= "\n";
$OUT .= " # Simple IP block for riff raff\n\n";
if ( $logging eq 'enabled' ) {
$OUT .= " /sbin/iptables -A INPUT -s $host -j denylog\n";
}
else {
$OUT .= " /sbin/iptables -A INPUT -s $host -j DROP\n";
}
$OUT .= "\n";
}
}
}
You can add multiple addresses separated by commas:
config setprop ipblock DenyHosts 208.100.26.0/24,1.2.3.4,5.6.0.0/16
You can disable this blocking with:
config setprop ipblock status disabled
If you want to log the dropped packets rather than just drop them:
config setprop ipblock logging enabled
Then expand and restart your firewall:
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
===Block outgoing IPs or mac addresses===
This section needs improvement.
This section needs improvement.
iptables -L
iptables -L
===Block outgoing ports===
*I want to block outgoing traffic from my server.
*I want to block outgoing traffic from my server.
/etc/init.d/masq restart
/etc/init.d/masq restart
===Bypass Proxy===
*You have Transparent Proxy enabled (the default) but want to allow this to be selectively bypassed.
*You have Transparent Proxy enabled (the default) but want to allow this to be selectively bypassed.
signal-event reboot
signal-event reboot
==Open Ports in Private Server/Gateway Mode==
*I want to hide all ports, so I put my SMESERVER in PRIVATE SERVER/GATEWAY mode. I can still see some ports are open.
*I want to hide all ports, so I put my SMESERVER in PRIVATE SERVER/GATEWAY mode. I can still see some ports are open.
<noinclude>
<noinclude>
----
----
[[Category:Howto]]
[[Category:Howto]]
[[Category:Administration]]</noinclude>
[[Category:Administration]]
[[Category:Security]]
</noinclude>
