The Nodegrid platform comes with its own firewall which is based on iptables. The WebUI and the CLI provide an easy way of creating and managing the firewall.
By default, the firewall accepts all incoming traffic. If the Nodegrid is exposed to an internet connection, directly or indirectly, it is recommended to secure it with a valid firewall configuration. This guide provides a starting point for this.
All defined rules will persist through a reboot.
If a rule prevents access to the node, the rules can still be adjusted through the local console port of the node.
Note: the following rules must always be applied to a Nodegrid, as they are required for normal operation.

Service | Source | Destination | Direction | Protocol | Port | Comments
---|---|---|---|---|---|---
loopback | | | INBOUND | IPv4 | |
loopback | | | OUTBOUND | IPv4 | |
loopback | | | INBOUND | IPv6 | |
loopback | | | OUTBOUND | IPv6 | |
A list of commonly used Firewall Rules on a Nodegrid can be found in Firewall Rules for the Nodegrid platform.
The IPv4 and IPv6 firewall chains are managed from the following CLI paths:

```
[admin@nodegrid /]# cd /settings/ipv4_firewall/chains/INPUT/
[admin@nodegrid /]# cd /settings/ipv4_firewall/chains/FORWARD/
[admin@nodegrid /]# cd /settings/ipv4_firewall/chains/OUTPUT/
[admin@nodegrid /]# cd /settings/ipv6_firewall/chains/INPUT/
[admin@nodegrid /]# cd /settings/ipv6_firewall/chains/FORWARD/
[admin@nodegrid /]# cd /settings/ipv6_firewall/chains/OUTPUT/
```
Adding a rule (here, an ACCEPT rule for the source 192.168.1.1 in the IPv4 INPUT chain) and displaying its settings:

```
[admin@nodegrid INPUT]# add
[admin@nodegrid {INPUT}]# set target=ACCEPT source_net4=192.168.1.1
[admin@nodegrid {INPUT}]# save
[admin@nodegrid 2]# show
target = ACCEPT
source_net4 = 192.168.1.1
destination_net4 =
protocol = tcp
source_port =
destination_port = 443
tcp_flag_syn = any
tcp_flag_ack = any
tcp_flag_fin = any
tcp_flag_rst = any
tcp_flag_urg = any
tcp_flag_psh = any
input_interface = any
output_interface = any
fragments = all_packets_and_fragments
reverse_match_for_source_ip|mask = no
reverse_match_for_destination_ip|mask = no
reverse_match_for_source_port = no
reverse_match_for_destination_port = no
reverse_match_for_protocol = no
reverse_match_for_tcp_flags = no
reverse_match_for_icmp_type = no
reverse_match_for_input_interface = no
reverse_match_for_output_interface = no
reject_with = port_unreacheable
log_level = debug
log_prefix =
log_tcp_sequence_numbers = no
log_options_from_the_tcp_packet_header = no
log_options_from_the_ip_packet_header = no
```
The active rules can be verified from the shell with iptables and ip6tables:

```
[admin@nodegrid /]# shell sudo /usr/sbin/iptables -L -nvx
Chain INPUT (policy ACCEPT 110 packets, 13509 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1182     132492 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
       0          0 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1182     132492 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
      59      32478 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0
```

```
[admin@nodegrid /]# shell sudo /usr/sbin/ip6tables -L -nvx
Chain INPUT (policy DROP 1 packets, 72 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       2        132 ACCEPT     all      lo     *       ::/0                 ::/0
       0          0 ACCEPT     all      *      *       ::1                  ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 8384 packets, 428444 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       2        132 ACCEPT     all      *      *       ::1                  ::/0
```
Deleting a rule by its index in the chain:

```
[admin@nodegrid /]# cd /settings/ipv4_firewall/chains/INPUT/
[admin@nodegrid INPUT]# show
rules  target  source net4     destination net4  protocol  input interface  output interface  packets  bytes
=====  ======  ==============  ================  ========  ===============  ================  =======  =======
0      ACCEPT  127.0.0.1                                                                      0        0
1      ACCEPT  192.168.56.101                                                                 0        0
2      ACCEPT  192.168.1.1                       tcp                                          104007   5150785
[admin@nodegrid INPUT]# delete 2
```
```
[admin@nodegrid /]# shell sudo /usr/sbin/iptables -L -nvx
Chain INPUT (policy ACCEPT 110 packets, 13509 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1182     132492 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
       0          0 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1182     132492 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
      59      32478 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0
```

```
[admin@nodegrid /]# shell sudo /usr/sbin/ip6tables -L -nvx
Chain INPUT (policy DROP 1 packets, 72 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       2        132 ACCEPT     all      lo     *       ::/0                 ::/0
       0          0 ACCEPT     all      *      *       ::1                  ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 8384 packets, 428444 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       2        132 ACCEPT     all      *      *       ::1                  ::/0
```
Editing an existing rule (here, restricting rule 2 to TCP destination port 443) and verifying the result:

```
[admin@nodegrid INPUT]# show
rules  target  source net4     destination net4  protocol  input interface  output interface  packets  bytes
=====  ======  ==============  ================  ========  ===============  ================  =======  ======
0      ACCEPT  127.0.0.1                                                                      3979     251243
1      ACCEPT  192.168.56.101                                                                 0        0
2      ACCEPT  192.168.1.1                                                                    0        0
[admin@nodegrid INPUT]# cd 2/
[admin@nodegrid 2]# set protocol=tcp destination_port=443
[+admin@nodegrid 2]# commit
[admin@nodegrid 2]# show
target = ACCEPT
source_net4 = 192.168.1.1
destination_net4 =
protocol = tcp
source_port =
destination_port = 443
tcp_flag_syn = any
tcp_flag_ack = any
tcp_flag_fin = any
tcp_flag_rst = any
tcp_flag_urg = any
tcp_flag_psh = any
input_interface = any
output_interface = any
fragments = all_packets_and_fragments
reverse_match_for_source_ip|mask = no
reverse_match_for_destination_ip|mask = no
reverse_match_for_source_port = no
reverse_match_for_destination_port = no
reverse_match_for_protocol = no
reverse_match_for_tcp_flags = no
reverse_match_for_icmp_type = no
reverse_match_for_input_interface = no
reverse_match_for_output_interface = no
reject_with = port_unreacheable
log_level = debug
log_prefix =
log_tcp_sequence_numbers = no
log_options_from_the_tcp_packet_header = no
log_options_from_the_ip_packet_header = no
```

```
[admin@nodegrid 2]# shell sudo /usr/sbin/iptables -L -nvx
Chain INPUT (policy ACCEPT 38 packets, 2372 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     385      38206 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
       0          0 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0
       0          0 ACCEPT     tcp  --  *      *       192.168.1.1          0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     385      38206 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
      24       2828 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0
```

```
[admin@nodegrid 2]# shell sudo /usr/sbin/ip6tables -L -nvx
Chain INPUT (policy DROP 1 packets, 72 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       2        132 ACCEPT     all      lo     *       ::/0                 ::/0
       0          0 ACCEPT     all      *      *       ::1                  ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 8822 packets, 451048 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       2        132 ACCEPT     all      *      *       ::1                  ::/0
```
Before changing the default policy for a chain to drop, ensure that all required accept rules have been entered. Once the change takes effect, all access that is not explicitly allowed will be dropped.
The default policy of each chain is set under the policy path of the respective firewall:

```
[admin@nodegrid /]# cd /settings/ipv4_firewall/policy/
[admin@nodegrid /]# cd /settings/ipv6_firewall/policy/
[admin@nodegrid policy]# show
input = accept
output = accept
forward = accept
[admin@nodegrid policy]# set input=drop
[+admin@nodegrid policy]# commit
```
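As an added example that is not part of the Nodegrid documentation or tooling, the following POSIX shell script reads the `iptables -L -nvx` / `ip6tables -L -nvx` listing format shown above and reports whether the mandatory loopback ACCEPT rules are present in INPUT and OUTPUT before a chain's policy is switched to drop. The listings embedded in it are constructed samples in that format.

```shell
#!/bin/sh
# Added example, not Nodegrid tooling: parse `iptables -L -nvx` / `ip6tables -L -nvx`
# output (the format shown in this guide) and confirm the mandatory loopback ACCEPT
# rules exist in INPUT and OUTPUT before either chain's policy is switched to drop.
# Constructed IPv4 listing: INPUT has the loopback rule, OUTPUT does not.
SAMPLE_V4='Chain INPUT (policy ACCEPT 110 packets, 13509 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1182     132492 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
       0          0 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      59      32478 ACCEPT     all  --  *      *       192.168.56.101       0.0.0.0/0'

# Constructed IPv6 listing: loopback allowed by interface (lo) in INPUT and by
# address (::1) in OUTPUT. ip6tables prints no "opt" column, so fields shift.
SAMPLE_V6='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       2        132 ACCEPT     all      lo     *       ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       2        132 ACCEPT     all      *      *       ::1                  ::/0'

# chain_has_loopback_accept CHAIN ADDR   (listing on stdin)
# Prints yes/no and exits 0 only if CHAIN holds an ACCEPT rule whose input interface
# is lo or whose source is ADDR (whole tokens, so ::1 never matches ::/0).
chain_has_loopback_accept() {
    awk -v chain="$1" -v addr="$2" '
        /^Chain / { cur = $2; next }
        cur == chain && $3 == "ACCEPT" && ($0 ~ / lo / || index($0, " " addr " ") > 0) { found = 1 }
        END { print (found ? "yes" : "no"); exit !found }'
}

# policy_drop_precheck LISTING ADDR
# Returns 0 only when both INPUT and OUTPUT already accept loopback traffic.
policy_drop_precheck() {
    rc=0
    for chain in INPUT OUTPUT; do
        if ! printf '%s\n' "$1" | chain_has_loopback_accept "$chain" "$2" >/dev/null; then
            echo "missing loopback ACCEPT in $chain: add it before setting its policy to drop" >&2
            rc=1
        fi
    done
    return $rc
}

policy_drop_precheck "$SAMPLE_V4" 127.0.0.1 && echo "IPv4 chains are ready for a drop policy"
policy_drop_precheck "$SAMPLE_V6" ::1 && echo "IPv6 chains are ready for a drop policy"
```

On a live node the same functions can be fed the real listing, for example `sudo /usr/sbin/iptables -L -nvx | chain_has_loopback_accept INPUT 127.0.0.1`.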