Setting up Airwave firewall rules (iptables)

Aruba Employee

Airwave uses CentOS 5.5 which supports iptables rules for controlling network access to your Airwave Server.

You can modify the iptables rules file directly at /etc/sysconfig/iptables. However, this runs the risk of any mistakes you make persisting after a reboot. So be sure to have console access, or check carefully that you do not lock yourself out of your server while crafting the rules. (The alternative method is to add each iptables rule by hand at the CLI and then execute 'service iptables save' to make your changes persistent.)

Quick overview of iptables and the concept of chains: iptables works via a forked rule table that allows you to create chains for processing traffic; the default chains are INPUT and OUTPUT. Chains are useful for reducing the number of rules that traffic needs to be checked against before an ACCEPT or REJECT determination is made.

Using -j we can create rules that direct iptables to jump to another chain to continue processing rules against inbound traffic.

Example:

INPUT
->CUSTOM-INTERNAL-FW-IN
->classify traffic from internal networks
->CUSTOM-EXTERNAL-FW-IN
->classify traffic from external networks
->acct~i
->classify localhost communication

Airwave has custom rules in place for its internal services, and these are contained within two comment lines. Any custom rules MUST be placed OUTSIDE these two comment lines, either before or after; any rules placed inside them can and will be overwritten.

# BEGIN AMP IPTABLES RULES
# END AMP IPTABLES RULES

If you are editing the file it is generally a good idea to create a separate chain for custom iptables rules:

:CUSTOM-FW-IN - [0:0]
:CUSTOM-FW-OUT - [0:0]

And we'll need to specify a jump to these chains from the primary iptables chains, INPUT and OUTPUT. Our use of -A indicates these rules will be appended to the bottom of the chain, after any existing iptables rules and after any rules added using -I, which inserts them at the top.

Example:

-I CUSTOM-FW-IN 5 -i eth0 -p tcp -s 10.10.10.0/24 --dport 443 -j ACCEPT

will insert an ACCEPT rule into the CUSTOM-FW-IN chain at position 5 for inbound traffic arriving on eth0 using the TCP protocol, sourced from the 10.10.10.0/24 network, with a destination port of 443.

NOTE: When using -A the ORDER of the rules is VERY IMPORTANT. You can use -I and specify the line at which to insert (defaults to line 1 of INPUT/OUTPUT), but -A just sticks the rule at the end of the chain.

For the purposes of our example, we'll specify simple -j rules that jump all traffic to our custom chains.

-A INPUT -j CUSTOM-FW-IN
-A OUTPUT -j CUSTOM-FW-OUT

We now need to identify which services we want to protect. Common services are SSH (22), HTTPS/SSL (443), HTTP (80), TFTP (69), and SNMP (162).

Keep in mind that unless we specify an explicit deny-all statement at the end of our iptables rules, all other services are allowed through. Verify which services are listening on which ports and determine whether you need to protect them. It is also a good idea to add comments documenting your custom rules.

Example HTTP/HTTPS Rules:

# Allow HTTPS from 10.10.10.0/24, block everyone else

-A CUSTOM-FW-IN -i eth0 -p tcp -s 10.10.10.0/24 --dport 443 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p tcp --dport 80 -j REJECT
-A CUSTOM-FW-IN -i eth0 -p tcp --dport 443 -j REJECT

Example SSH Rules:

# Allow SSH from 10.10.10.0/24, block everyone else

-A CUSTOM-FW-IN -i eth0 -p tcp -s 10.10.10.0/24 --dport 22 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p tcp --dport 22 -j REJECT

# Allow 10.10.10.0/24 TFTP from APs and Controllers to transfer configuration files/firmware, block everyone else

-A CUSTOM-FW-IN -i eth0 -p udp -s 10.10.10.0/24 --dport 69 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p udp --dport 69 -j REJECT

# Allow SNMP from APs and Controllers in 10.10.10.0/24, block everyone else

-A CUSTOM-FW-IN -i eth0 -p udp -s 10.10.10.0/24 --dport 162 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p udp --dport 162 -j REJECT

Note the -j REJECT statement at the end of each block of rules: we are rejecting by default all traffic that has not hit an ACCEPT rule.
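As an added example (not from this article or from Airwave), a small Python lint that checks a rules file in the /etc/sysconfig/iptables format against the two points above: custom rules must sit outside the AMP marker lines, and each ACCEPT must come before the catch-all REJECT for the same port. It also walks the custom chain first-match, the way iptables does, so you can confirm your own management address still reaches SSH before you reboot. The sample file is constructed, and the regex only understands the simple -A rule shape used in this article.

```python
import re
import ipaddress
# Constructed sample in the layout the article describes (not Airwave's own file). It
# deliberately has the SSH ACCEPT after its catch-all REJECT and one rule inside the AMP markers.
SAMPLE = """\
*filter
:CUSTOM-FW-IN - [0:0]
-A INPUT -j CUSTOM-FW-IN
-A CUSTOM-FW-IN -i eth0 -p tcp -s 10.10.10.0/24 --dport 443 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p tcp --dport 443 -j REJECT
-A CUSTOM-FW-IN -i eth0 -p tcp --dport 22 -j REJECT
-A CUSTOM-FW-IN -i eth0 -p tcp -s 10.10.10.0/24 --dport 22 -j ACCEPT
# BEGIN AMP IPTABLES RULES
-A CUSTOM-FW-IN -i eth0 -p udp --dport 69 -j REJECT
# END AMP IPTABLES RULES
COMMIT
"""

RULE = re.compile(r"^-A (\S+)(?: -i \S+)? -p (\S+)(?: -s (\S+))? --dport (\d+) -j (ACCEPT|REJECT|DROP)$")

def parse(text, chain="CUSTOM-FW-IN"):
    """Yield (lineno, inside_amp_markers, proto, src, port, target) for each rule in `chain`."""
    inside = False
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s in ("# BEGIN AMP IPTABLES RULES", "# END AMP IPTABLES RULES"):
            inside = s.startswith("# BEGIN")
        m = RULE.match(s)
        if m and m.group(1) == chain:
            yield (n, inside) + m.groups()[1:]

def lint(text):
    """Report rules inside the AMP markers and ACCEPTs shadowed by an earlier catch-all deny."""
    problems, first_deny = [], {}
    for n, inside, proto, src, port, target in parse(text):
        if inside:
            problems.append(f"line {n}: rule inside AMP markers, will be overwritten")
        if target != "ACCEPT" and src is None:
            first_deny.setdefault((proto, port), n)  # first catch-all REJECT/DROP for this port
        elif target == "ACCEPT" and (proto, port) in first_deny:
            problems.append(f"line {n}: ACCEPT for {proto}/{port} is shadowed by deny on line {first_deny[(proto, port)]}")
    return problems

def reachable(text, host, proto="tcp", port="22"):
    """First-match walk of the chain: True/False if a rule decides host -> proto/port, None if none matches."""
    ip = ipaddress.ip_address(host)
    for _, _, p, src, dport, target in parse(text):
        if p == proto and dport == port and (src is None or ip in ipaddress.ip_network(src)):
            return target == "ACCEPT"
    return None
```

A None from reachable() means no custom rule matched, so the chain's default policy (ACCEPT in the article's file) decides.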

Tips for troubleshooting:

You can check the current list of applied rules with:

# iptables -L

You can check the firewall status by doing:

# service iptables status

You can start/stop/restart iptables by doing:

# service iptables start/stop/restart

Example of a complete iptables file:

*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CUSTOM-FW-IN - [0:0]
:CUSTOM-FW-OUT - [0:0]


# =========BEGIN CUSTOM Rules=========

-A INPUT -j CUSTOM-FW-IN
-A OUTPUT -j CUSTOM-FW-OUT

# Allow localhost - Use these rules if we experience issues with VisualRF communicating with AMP
#-A CUSTOM-FW-IN -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
#-A CUSTOM-FW-OUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# Block HTTP/HTTPS, allow HTTPS from 128.1.0.0/16, 140.2.0.0/16, and 164.1.0.0/16

-A CUSTOM-FW-IN -i eth0 -p tcp -s 128.1.0.0/16 --dport 443 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p tcp -s 140.2.0.0/16 --dport 443 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p tcp -s 164.1.0.0/16 --dport 443 -j ACCEPT

-A CUSTOM-FW-IN -i eth0 -p tcp --dport 80 -j REJECT
-A CUSTOM-FW-IN -i eth0 -p tcp --dport 443 -j REJECT

# Allow SSH from 128.1.222.0/24

-A CUSTOM-FW-IN -i eth0 -p tcp -s 128.1.222.0/24 --dport 22 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p tcp --dport 22 -j REJECT

# Allow TFTP from APs and Controllers to transfer configuration files/firmware

-A CUSTOM-FW-IN -i eth0 -p udp -s 10.1.0.0/16 --dport 69 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p udp -s 140.2.6.128/25 --dport 69 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p udp -s 140.2.3.192/26 --dport 69 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p udp -s 164.1.1.128/25 --dport 69 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p udp --dport 69 -j REJECT

# Allow SNMP from APs and Controllers

-A CUSTOM-FW-IN -i eth0 -p udp -s 10.1.0.0/16 --dport 162 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p udp -s 140.2.6.128/25 --dport 162 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p udp -s 140.2.3.192/26 --dport 162 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p udp -s 164.1.1.128/25 --dport 162 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p udp -s 128.1.2.0/24 --dport 162 -j ACCEPT
-A CUSTOM-FW-IN -i eth0 -p udp --dport 162 -j REJECT

# Allow RTLS location feed

-A CUSTOM-FW-IN -i eth0 -p udp --dport 5050 -j ACCEPT

# Allow PAPI

-A CUSTOM-FW-IN -i eth0 -p udp --dport 8211 -j ACCEPT

# =========END CUSTOM Rules=========



# BEGIN AMP IPTABLES RULES
:acct~i - [0:0]
:acct~o - [0:0]
-I INPUT -j acct~i
-I OUTPUT -j acct~o

# INPUT (traffic clients initiated)
-A acct~i -i eth0 -p tcp -m tcp --dport 23
-A acct~i -i eth0 -p tcp -m tcp --dport 22
-A acct~i -i eth0 -p tcp -m tcp --dport 80
-A acct~i -i eth0 -p tcp -m tcp --dport 443
-A acct~i -i eth0 -p udp -m udp --dport 161
-A acct~i -i eth0 -p udp -m udp --dport 162
# INPUT (traffic we initiated)
-A acct~i -i eth0 -p tcp -m tcp --sport 23
-A acct~i -i eth0 -p tcp -m tcp --sport 22
-A acct~i -i eth0 -p tcp -m tcp --sport 80
-A acct~i -i eth0 -p tcp -m tcp --sport 443
-A acct~i -i eth0 -p udp -m udp --sport 161
-A acct~i -i eth0 -p udp -m udp --sport 162
# OUTPUT (traffic clients initiated)
-A acct~o -o eth0 -p tcp -m tcp --sport 23
-A acct~o -o eth0 -p tcp -m tcp --sport 22
-A acct~o -o eth0 -p tcp -m tcp --sport 80
-A acct~o -o eth0 -p tcp -m tcp --sport 443
-A acct~o -o eth0 -p udp -m udp --sport 161
-A acct~o -o eth0 -p udp -m udp --sport 162
# OUTPUT (traffic we initiated)
-A acct~o -o eth0 -p tcp -m tcp --dport 23
-A acct~o -o eth0 -p tcp -m tcp --dport 22
-A acct~o -o eth0 -p tcp -m tcp --dport 80
-A acct~o -o eth0 -p tcp -m tcp --dport 443
-A acct~o -o eth0 -p udp -m udp --dport 161
-A acct~o -o eth0 -p udp -m udp --dport 162
# Airbus access: root, apache, visualrf, radiusd
-I OUTPUT -m owner -p tcp --dport 8558 --uid-owner 0 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 8558 --uid-owner 48 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 8558 --uid-owner 101 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 8558 --uid-owner 95 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp --dport 8558 -d 127.0.0.1 -j REJECT
# Tuplespace access

-I OUTPUT -m owner -p tcp --dport 9999 --uid-owner 0 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 9999 --uid-owner 48 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 9999 --uid-owner 95 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp --dport 9999 -d 127.0.0.1 -j REJECT

-I OUTPUT -m owner -p tcp --dport 8888 --uid-owner 0 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 8888 --uid-owner 48 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 8888 --uid-owner 95 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp --dport 8888 -d 127.0.0.1 -j REJECT

-I OUTPUT -m owner -p tcp --dport 7777 --uid-owner 0 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 7777 --uid-owner 48 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 7777 --uid-owner 95 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp --dport 7777 -d 127.0.0.1 -j REJECT

# Postgresql access
-I OUTPUT -m owner -p tcp --dport 5432 --uid-owner 0 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 5432 --uid-owner 101 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp --dport 5432 -d 127.0.0.1 -j REJECT

# VisualRF access
-I OUTPUT -m owner -p tcp --dport 6654 --uid-owner 0 -d 127.0.0.1 -j ACCEPT
-I OUTPUT -m owner -p tcp --dport 6654 --uid-owner 48 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp --dport 6654 -d 127.0.0.1 -j REJECT

# END AMP IPTABLES RULES
COMMIT

Version history
Revision #: 1 of 1
Last update: 06-06-2014 03:45 PM