Can access list be configured to only allow specific network such as 10.0.0.0/8 to access the NodeGrid box?

Overview

Nodegrid includes a complete firewall based on iptables; the CLI and Web UI are front ends that write its configuration for you. If you lock yourself out with a DROP policy, you can still reach the unit through the console port (baud rate 115200 bps) and fix the configuration there.
It is important that the local addresses are accepted by the Nodegrid firewall rules. Without these rules it is possible that the unit will not start properly after a reboot.

Configuration through CLI

  • Login with an admin account
  • First, add the local addresses to the firewall configuration
  1. [admin@nodegrid /]# cd /settings/ipv4_firewall/chains/INPUT/
  2. [admin@nodegrid INPUT]# add
  3. [admin@nodegrid {INPUT}]# set target=ACCEPT source_net4=127.0.0.1
  4. [admin@nodegrid {INPUT}]# save
  5. [admin@nodegrid INPUT]# add
  6. [admin@nodegrid {INPUT}]# set target=ACCEPT source_net4=<Primary IPAddress>
  7. [admin@nodegrid {INPUT}]# save
  • Add the desired network range or IP addresses that should be allowed to access the Nodegrid

  1. [admin@nodegrid INPUT]# add
  2. [admin@nodegrid {INPUT}]# set target=ACCEPT source_net4=10.0.0.0/8
  3. [admin@nodegrid {INPUT}]# save
  • Set the default policy of the INPUT chain to DROP so that all other connections are refused

  1. [admin@nodegrid INPUT]# cd /settings/ipv4_firewall/policy/
  2. [admin@nodegrid {INPUT}]# set input=drop
  3. [+admin@nodegrid {INPUT}]# commit
  • Check the current active firewall rules

  [admin@nodegrid INPUT]# shell sudo /usr/sbin/iptables -L -nvx
  Chain INPUT (policy DROP 0 packets, 0 bytes)
      pkts      bytes target     prot opt in     out     source               destination
       149    18576 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
         0        0 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0
         0        0 ACCEPT     all  --  *      *       10.0.0.0/8           0.0.0.0/0

  Chain FORWARD (policy DROP 0 packets, 0 bytes)
      pkts      bytes target     prot opt in     out     source               destination

  Chain OUTPUT (policy DROP 0 packets, 0 bytes)
      pkts      bytes target     prot opt in     out     source               destination
       149    18576 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
         6      532 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0

Configuration through WebUI

  • Login with an admin account
  • Go to Security::Firewall

  • Click on INPUT for the IPv4 type
  • Click on Add to create a new rule

  • Create the first two rules for the local Nodegrid IPs with the following values.
    • Rule 1:
      • TARGET: ACCEPT
      • SOURCE: 127.0.0.1
    • Rule 2:
      • TARGET: ACCEPT
      • SOURCE: <PRIMARY IP OF NODEGRID>
    • It is important that the local addresses are accepted by the Nodegrid firewall rules. Without these rules it is possible that the unit will not start properly after a reboot.
  • Add the desired network range or IP addresses that should be allowed to access the Nodegrid, and leave the other parameters at their defaults.
    • Rule 3:
      • TARGET: ACCEPT
      • SOURCE: <IP ADDRESS>/<BITMASK>
  • The rule set should look similar to the one below.

  • Set the default policy of the INPUT chain to DROP so that all other connections are refused. Navigate to Security::Firewall, select the INPUT chain and click on Change Policy.

  • Change the Policy to DROP and Save
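Before committing the DROP policy in either the CLI or the WebUI procedure above, it is worth confirming that the loopback address, the primary IP and your own session address are all covered by an ACCEPT rule. The following pre-check is an added example, not part of the original article or of Nodegrid itself; it parses a constructed copy of the `iptables -L -nvx` output shown above and reports anything that would lock you out or break the next boot. The primary and session addresses passed in are assumptions for the sample.

```python
import ipaddress

# Constructed sample: `iptables -L -nvx` output after the three ACCEPT rules
# from the article were added and the INPUT policy set to DROP.
SAMPLE_IPTABLES_OUTPUT = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     149    18576 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       10.0.0.0/8           0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     149    18576 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
       6      532 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0
"""


def parse_input_chain(text):
    """Return (target, source_network) pairs for rules in the INPUT chain only."""
    rules, chain = [], None
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            continue
        if cols[0] == "Chain":          # "Chain INPUT (policy ...)" header
            chain = cols[1]
            continue
        # rule lines: pkts bytes target prot opt in out source destination
        if chain != "INPUT" or len(cols) < 9 or not cols[0].isdigit():
            continue
        target, source = cols[2], cols[7]
        rules.append((target, ipaddress.ip_network(source, strict=False)))
    return rules


def lockout_check(iptables_text, primary_ip, session_ip):
    """Return a list of problems that make 'set input=drop' unsafe; empty is OK."""
    accepted = [net for tgt, net in parse_input_chain(iptables_text) if tgt == "ACCEPT"]

    def covered(addr):
        return any(ipaddress.ip_address(addr) in net for net in accepted)

    problems = []
    if not covered("127.0.0.1"):
        problems.append("loopback 127.0.0.1 is not accepted; unit may not start after reboot")
    if not covered(primary_ip):
        problems.append(f"primary address {primary_ip} is not accepted")
    if not covered(session_ip):
        problems.append(f"session address {session_ip} would be dropped")
    return problems
```

Run the check with the address you are connecting from; an empty list means the DROP policy can be committed without cutting off the current session.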
