There are six default chains to configure firewall rules. Three for IPv4 and three for IPv6.
These chains are input , output and forward packets. One can make additional user chain if required. For each chain, policy can be created.
Configuration via WebUI
1. Login as admin , go to Security and select Firewall.
2. Select which chain you want IPv4 or IPv6. If you want to go for IPv4 chain select INPUT chain for IPv4.
3. To add a new rule press Add .
4. Select target which in this case is DROP
5. Enter Ip address or network you want to block in source Ip/mask.
6. Select the interface for input and output. Let's select any.
7. Now scroll down for log option and select log level for IP tables log for this rule.
One can select debug for just informing about events.
8. Click Save
Configuration via CLI
1. Login with an admin in CLI (telnet/ssh/console)
2. Select the chain you want to apply rule to.
By default, there are six chains available.- IPv4 - Input, Output, Forward
- IPv6 - Input, Output, Forward
To select particular chain type,
cd /settings/ipv4_firewall/chains/INPUT/
cd /settings/ipv4_firewall/chains/OUTPUT/
cd /settings/ipv4_firewall/chains/FORWARD/
Type add to make a new rule.
add
Use the set command to create the new rule settings. Press tab twice to see all available options.
set target=DROP source_net4=ip address
save
Use the show command to see the current value for the rule.
show
[admin@nodegrid ] # cd settings/ipv4_firewall/chains/INPUT/
[admin@nodegrid ] # add
[admin@nodegrid ] # set target=DROP
[admin@nodegrid ] # set source_net4=172.16.0.0/16
[admin@nodegrid ] # set input_interface=any
[admin@nodegrid ] # set output_interface=any
[admin@nodegrid ] # set log_level=debug
[admin@nodegrid ] # commit
current IPv4 rules can be seen with command,
shell sudo /usr/sbin/iptables -L -nvx