
UISP - Setting firewall in UISP devices

This article walks through several example firewall and NAT configurations for UISP devices such as the UISP-R and UISP Console.

This article applies to the following firmware and devices:

  • UISP-R (FW v.1.13.0+)
  • UISP Console (FW v.1.13.0+)
  • In order to manage these devices, it is necessary to run UISP Application 1.4.3+

Introduction

This article covers the configuration of firewall and NAT in UISP. While these are related, it’s important to keep in mind that firewall and NAT rules are two completely separate things with different functions. NAT determines whether and how traffic is rewritten: the source and destination IP addresses and source and destination ports for TCP and UDP. NAT does not in any way determine whether traffic is passed or blocked, merely its translation. Firewall rules determine the action taken on traffic, whether to pass, drop, or reject it.

NAT

Postrouting: Applies to traffic egressing an interface. The egress interface is selected based on the routing table of the firewall.
Prerouting: Applies to traffic arriving at a given interface.

Firewall Rules

Forward: Traffic that is routed through the firewall and not destined to the firewall itself. Example: client-to-client routed traffic.
Input: Handles packets that arrive through one of the router's interfaces and have a destination IP address that is one of the router's own addresses. Input chain rules are not applied to packets passing through the firewall. Examples: DNS, DHCP server, NTP, HTTP/S, etc.
Output: Handles packets that originate at the router and exit via one of its interfaces. Output chain rules are not applied to packets passing through the firewall. Examples: NTP, DHCP client, DNS, UISP Proxy, etc.

Configuration Properties

Rule

Chain Name: Selects the chain in which the rule is configured.
Description: String input to identify the rule.
Protocol: Restricts the rule to a single protocol if desired. Default: All protocols.
IP Version: Options are IPv4 (only), IPv6 (only), or IPv4 and IPv6.
Match all protocols except for this: Creates an inverse rule that matches all protocols, sources, and destinations other than those configured. Default: disabled.
Enabled: Makes a rule inactive without removing its configuration.

Source and Destination

Group: Selects a previously configured address, MAC, or port group.
Address: A single subnet or host. Multiple entries should be configured inside a group.
Port: A single port number (1-65535) when the protocol is TCP, UDP, or TCP and UDP. Multiple entries should be configured inside a group.
Inbound Interface: Matches on a single ingress interface. Not available for Postrouting.
Outbound Interface: Matches on a single egress interface. Not available for Prerouting.

Action

Target (Postrouting): Masquerade replaces the source IP address of a packet with the first or primary address of the egressing interface. SNAT replaces the source IP address of a packet with the configured “Translation Address”. Not available for Prerouting.
Target (Filter):
  Accept: Accept the packet without further processing of rules in other chains.
  Reject: Reject the packet and send an ICMP reject packet to the originating device.
  Drop: Drop the packet silently, without notice to the originating device.
  Return: Packet processing returns to the chain in which the prior jump occurred. The packet is then subject to any rules in other chains that may have a “jump” action into other chains. If there is no match, processing may hit the default rule of Accept or Drop.
Translation Address: Replaces either the source (SNAT) or destination (DNAT) IP address with the specified IP address. Not available for “masquerade” or Filter.
Translation Port: When the protocol is TCP, UDP, or TCP and UDP, performs NAT on the source or destination port. Not available for Filter.
Enable Logging: Controls whether each packet matching this rule is logged to syslog. Take care not to over-enable logging: the number of log entries can become unwieldy and put significant stress on the router. For example, limiting logging to rules matching connection state “new” generates one log entry per connection, which is a reasonable and sometimes desirable log level. Enabling logging on a rule without a state specified generates one log entry for every matching packet traversing the system, which is almost always excessive.

Connection State

Valid for firewall rules only. Matching is based on the connection tracking table.

Established: A packet that belongs to an existing connection.
Invalid: A packet that does not have a determined state. Typically this is an out-of-order packet. Invalid packets are not subject to NAT and can egress interfaces with their original source or destination IP addresses.
New: The packet has started a new connection or is otherwise associated with a connection that has not yet seen packets in both directions.
Related: A packet related to, but not part of, an existing connection, such as an ICMP error or a packet that initiates an FTP data connection.
Untracked: A packet that was set to bypass connection tracking in the firewall RAW table.

Groups

Firewall groups enable the creation of sets of IPs and/or IP subnets, ports, or MAC addresses. The use of groups in firewall and NAT rules enables shorter, more easily-manageable rulesets. For example, you might create a firewall group for publicly-accessible web servers listing their IP addresses, and a group for the ports which are allowed to those web servers. Then if a new web server is added or removed in the future, or an additional port must be allowed to those servers, it’s simply a matter of modifying the appropriate group, rather than potentially several firewall rules. 

Examples

Dropping Bogons

Bogon IP addresses are addresses that have not been assigned to any entity by the Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIR). They can be used maliciously because they cannot be traced back to a definitive source. To block these addresses, perform the following steps:

  1. Create the address group with bogon subnets 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3.
  2. Create a destination IP address group bogon rule in the Forward chain.

    Filter rule
    Chain name: Forward
    Protocol: All protocols
    IP Version: IPv4
    Destination Group: Bogon_Subnets (Address group)

    [Screenshot: ex001a_mod.png]
  3. Create a source IP address group bogon rule in the Forward chain.

    Filter rule
    Chain name: Forward
    Protocol: All protocols
    IP Version: IPv4
    Source Group: Bogon_Subnets (Address group)

    [Screenshot: ex001b_mod.png]
  4. Move the rules to your desired position in the Forward chain.
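The following is an added example, not UISP firmware code or anything from the article, that models how the Forward chain evaluates the two bogon rules above against an address group. It uses the three prefixes from step 1 with a Drop target (the article's rule listings do not show the target field, so Drop is taken from the section's purpose), plus a constructed "LAN" group, a constructed accept rule and constructed sample packets. It also shows why step 4 matters: the chain stops at the first matching rule, so a bogon rule placed below a broad accept rule never fires.

```python
"""Forward-chain filter evaluation with address groups, modelled on the
bogon example.  Added example, not UISP firmware code: the Drop target,
the "LAN" group, the accept rule and the sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address groups as they would be defined under Groups. Bogon_Subnets holds
# the three prefixes from step 1; LAN is an assumed local subnet.
GROUPS = {
    "Bogon_Subnets": ["0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/3"],
    "LAN": ["192.168.1.0/24"],
}


@dataclass(frozen=True)
class FilterRule:
    description: str
    target: str                    # accept / drop / reject
    protocol: str = "all"          # "all", "tcp", "udp", "icmp"
    src_group: Optional[str] = None
    dst_group: Optional[str] = None
    inverse: bool = False          # "Match all protocols except for this"


def in_group(ip: str, group: Optional[str]) -> bool:
    """An unset group matches any address, like an empty field in a rule."""
    if group is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in GROUPS[group])


def rule_matches(rule: FilterRule, proto: str, src: str, dst: str) -> bool:
    hit = (rule.protocol in ("all", proto)
           and in_group(src, rule.src_group)
           and in_group(dst, rule.dst_group))
    return not hit if rule.inverse else hit


def evaluate(chain: List[FilterRule], proto: str, src: str, dst: str,
             default: str = "drop") -> Tuple[str, str]:
    """Walk the chain top to bottom; the first matching rule decides.
    If nothing matches, the chain's default policy applies."""
    for rule in chain:
        if rule_matches(rule, proto, src, dst):
            return rule.target, rule.description
    return default, "default policy"


# Steps 2 and 3, placed above a constructed LAN-to-anywhere accept rule
# (step 4: position matters because evaluation stops at the first match).
FORWARD = [
    FilterRule("drop bogon destinations", "drop", dst_group="Bogon_Subnets"),
    FilterRule("drop bogon sources", "drop", src_group="Bogon_Subnets"),
    FilterRule("allow LAN outbound", "accept", src_group="LAN"),
]
# The same rules with the bogon drops below the accept rule.
MISORDERED = [FORWARD[2], FORWARD[0], FORWARD[1]]


if __name__ == "__main__":
    print(evaluate(FORWARD, "tcp", "192.168.1.50", "240.0.0.1"))     # drop, bogon destination
    print(evaluate(FORWARD, "udp", "127.0.0.5", "192.168.1.50"))     # drop, bogon source
    print(evaluate(FORWARD, "tcp", "192.168.1.50", "203.0.113.9"))   # accept
    print(evaluate(FORWARD, "tcp", "203.0.113.9", "192.168.1.50"))   # drop, default policy
    print(evaluate(MISORDERED, "tcp", "192.168.1.50", "240.0.0.1"))  # accept: bogon rule shadowed
```

The `inverse` flag models the “Match all protocols except for this” property: a rule with `src_group="LAN"` and `inverse=True` matches every source that is not in the LAN group.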

Port Forwarding

LAN Host: 192.168.1.231*
TCP Port to Forward: 22*
Inbound Interface Port: 9.1010 (eth8.1010)*
Inbound Interface IP Address: 100.64.10.11*

*This is meant as an example only. Apply configuration for your subnets, hosts, and interfaces accordingly.  

Two rules must be configured to make the port forward function as desired. The NAT prerouting (DNAT) rule will translate the destination IP to the proper internal IP address. The filter rule in the forward chain will allow the packet to be accepted and pass through the firewall to the LAN host.

User Tip: For the filter rule to function properly, place the rule in the Forward chain above the predefined Drop rules.

NAT Prerouting

  1. Only the Prerouting rule is necessary in this case.

    Prerouting Rule
    Chain Name: Prerouting
    Protocol: TCP
    IP Version: IPv4
    Inbound Interface: 9.1010
    Destination Address: 198.51.100.1
    Destination Port: 22
    Translation Address: 192.168.1.231

    [Screenshot: ex002a_mod.png]

Filter Forward

  1. In this case, only the filter rule needs to be created.

    Filter rule
    Protocol: TCP
    IP Version: IPv4
    Inbound interface: 9.1010
    Destination address: 192.168.1.231
    Destination port: 22
    Target: Accept

    [Screenshot: ex003a_mod.png]

Hairpin for Port Forwarding

Two NAT rules need to be configured to achieve NAT hairpin.

  1. Create a DNAT (prerouting) rule to translate the public IP to the LAN IP address of the 192.168.1.231 host.

    Prerouting Rule
    Chain Name: Prerouting
    Protocol: TCP
    IP Version: IPv4
    Inbound Interface: br0
    Source Address: 192.168.1.0/24
    Destination Address: 198.51.100.1
    Destination Port: 22
    Translation Address: 192.168.1.231

    [Screenshot: ex004a_mod.png]
  2. The second rule is a Postrouting masquerade to achieve symmetric routing. This ensures that return traffic is sent to the proper destination IP address.

    Postrouting Rule
    Chain Name: Postrouting
    Protocol: All protocols
    IP version: IPv4
    Source Address: 192.168.1.0/24
    Outbound Interface: br0
    Target: Masquerade

    [Screenshot: ex004b_mod.png]
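The following is an added example, not UISP code, that traces a packet through the port forward (NAT Prerouting plus Filter Forward above) and through the NAT hairpin, so the role of the second hairpin rule becomes visible. From the article it takes the public IP 198.51.100.1 on interface 9.1010, the LAN bridge br0 with 192.168.1.0/24, the server 192.168.1.231, the two DNAT rules and the hairpin masquerade. Assumed for the model: the router's own br0 address 192.168.1.1, a LAN client 192.168.1.50, a WAN client 203.0.113.5 and a two-entry routing table. The Forward filter chain is not modelled; only the NAT chains and the resulting reply path are.

```python
"""Packet path through the DNAT port forward and the NAT hairpin.
Added example, not UISP code.  Assumed: router br0 address 192.168.1.1,
LAN client 192.168.1.50, WAN client 203.0.113.5, two-entry routing table."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

PUBLIC_IP = "198.51.100.1"
SERVER = "192.168.1.231"
LAN = "192.168.1.0/24"
ROUTER_LAN_IP = "192.168.1.1"                               # assumed
ROUTES = {"192.168.1.0/24": "br0", "0.0.0.0/0": "9.1010"}   # constructed routing table


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    inbound: str


@dataclass(frozen=True)
class NatRule:
    chain: str                        # "prerouting" or "postrouting"
    target: str                       # "dnat", "snat" or "masquerade"
    inbound: Optional[str] = None
    outbound: Optional[str] = None
    src: Optional[str] = None         # host or CIDR; None matches anything
    dst: Optional[str] = None
    dport: Optional[int] = None
    translation: Optional[str] = None


def in_net(ip: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def egress(dst: str) -> str:
    """Egress interface by longest-prefix match, as Postrouting requires."""
    candidates = [n for n in ROUTES if in_net(dst, n)]
    return ROUTES[max(candidates, key=lambda n: ipaddress.ip_network(n).prefixlen)]


def matches(rule: NatRule, pkt: Packet, outbound: Optional[str]) -> bool:
    return (rule.inbound in (None, pkt.inbound)
            and rule.outbound in (None, outbound)
            and in_net(pkt.src, rule.src)
            and in_net(pkt.dst, rule.dst)
            and rule.dport in (None, pkt.dport))


def apply_nat(pkt: Packet, rules: List[NatRule]) -> Tuple[Packet, str]:
    """Prerouting (DNAT) -> routing decision -> Postrouting (SNAT/masquerade).
    Within each chain the first matching rule wins."""
    for r in rules:
        if r.chain == "prerouting" and matches(r, pkt, None):
            pkt = replace(pkt, dst=r.translation)
            break
    out = egress(pkt.dst)
    for r in rules:
        if r.chain == "postrouting" and matches(r, pkt, out):
            if r.target == "masquerade":   # primary address of the egress interface
                pkt = replace(pkt, src=ROUTER_LAN_IP if out == "br0" else PUBLIC_IP)
            else:
                pkt = replace(pkt, src=r.translation)
            break
    return pkt, out


def reply_source_seen_by_client(client_pkt: Packet, rules: List[NatRule]) -> str:
    """Source address of the server's reply as the client receives it.
    The client only accepts a reply that comes from the address it sent to."""
    delivered, _ = apply_nat(client_pkt, rules)
    if in_net(delivered.src, LAN) and delivered.src != ROUTER_LAN_IP:
        # The server sees a LAN peer and answers it directly on br0; the
        # router never sees the reply, so the DNAT is not reversed.
        return SERVER
    # The reply is routed back through the router, which reverses its translations.
    return client_pkt.dst


PORT_FORWARD = NatRule("prerouting", "dnat", inbound="9.1010", dst=PUBLIC_IP, dport=22, translation=SERVER)
HAIRPIN_DNAT = NatRule("prerouting", "dnat", inbound="br0", src=LAN, dst=PUBLIC_IP, dport=22, translation=SERVER)
HAIRPIN_MASQ = NatRule("postrouting", "masquerade", src=LAN, outbound="br0")

WAN_CLIENT = Packet("203.0.113.5", PUBLIC_IP, 22, "9.1010")   # constructed
LAN_CLIENT = Packet("192.168.1.50", PUBLIC_IP, 22, "br0")     # constructed

if __name__ == "__main__":
    print(apply_nat(WAN_CLIENT, [PORT_FORWARD]))                                 # dst rewritten to the server
    print(reply_source_seen_by_client(LAN_CLIENT, [HAIRPIN_DNAT]))               # 192.168.1.231: reply ignored
    print(reply_source_seen_by_client(LAN_CLIENT, [HAIRPIN_DNAT, HAIRPIN_MASQ])) # 198.51.100.1: works
```

With the DNAT rule alone, the server receives the LAN client's real address and replies to it directly on the bridge; that reply carries the server's own address as its source, which does not match the public address the client connected to. The masquerade rule makes the router the apparent source, so the reply returns through the router and both translations are reversed.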

Source NAT (Postrouting) with multiple public IPs

Note: For this configuration to function properly, these specific rules must be placed above the default masquerade rule.

LAN whole subnet SNAT

Example configuration:

Subnet: 192.168.1.0/24
Public IP Range: 198.51.100.1 - 198.51.100.7
Desired Public IP Address: 198.51.100.7

  1. One postrouting rule has to be created

    Postrouting Rule
    Chain Name: Postrouting
    Protocol: All protocols
    IP version: IPv4
    Source Address: 192.168.1.0/24
    Outbound Interface: 9.1010
    Target: SNAT
    Translation Address: 198.51.100.7

    [Screenshot: ex005a_mod.png]

LAN single host SNAT

Example configuration:

LAN Host: 192.168.1.231
Public IP Range: 198.51.100.1 - 198.51.100.7
Desired Public IP Address: 198.51.100.4

  1. One postrouting rule needs to be created.

    Postrouting Rule
    Chain Name: Postrouting
    Protocol: All protocols
    IP version: IPv4
    Source Address: 192.168.1.231
    Outbound Interface: 9.1010
    Target: SNAT
    Translation Address: 198.51.100.4

    [Screenshot: ex005b_mod.png]
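The following is an added example, not UISP code, that models the Postrouting chain for the two SNAT rules above and checks the ordering requirement from the note at the start of this section. The subnet rule (198.51.100.7), the single-host rule (198.51.100.4) and the outbound interface 9.1010 come from the article; the default masquerade rule is modelled as a catch-all on that interface whose primary address is taken to be 198.51.100.1, and the sample sources are constructed. Beyond the article's two cases, `shadowed_rules` reports any rule that can never match because an earlier rule on the same interface already covers all of its sources.

```python
"""Postrouting SNAT selection and rule-order checking.  Added example, not
UISP code: the default masquerade is modelled as a catch-all on 9.1010
with primary address 198.51.100.1, and sample sources are constructed."""
import ipaddress
from typing import List, NamedTuple, Optional


class SnatRule(NamedTuple):
    description: str
    src: str                       # host or CIDR
    outbound: str
    target: str                    # "snat" or "masquerade"
    translation: Optional[str] = None


def select_source(chain: List[SnatRule], src: str, outbound: str,
                  iface_ip: str = "198.51.100.1") -> str:
    """Source address after Postrouting: the first matching rule wins;
    masquerade uses the primary address of the egress interface."""
    addr = ipaddress.ip_address(src)
    for rule in chain:
        if rule.outbound == outbound and addr in ipaddress.ip_network(rule.src, strict=False):
            return iface_ip if rule.target == "masquerade" else rule.translation
    return src   # no rule matched: source left untranslated


def shadowed_rules(chain: List[SnatRule]) -> List[str]:
    """Rules that can never match because an earlier rule on the same
    interface covers every source address they would match."""
    found = []
    for i, rule in enumerate(chain):
        net = ipaddress.ip_network(rule.src, strict=False)
        for earlier in chain[:i]:
            earlier_net = ipaddress.ip_network(earlier.src, strict=False)
            if earlier.outbound == rule.outbound and net.subnet_of(earlier_net):
                found.append(f"{rule.description} is shadowed by {earlier.description}")
                break
    return found


DEFAULT_MASQ = SnatRule("default masquerade", "0.0.0.0/0", "9.1010", "masquerade")
SUBNET_SNAT = SnatRule("LAN subnet SNAT", "192.168.1.0/24", "9.1010", "snat", "198.51.100.7")
HOST_SNAT = SnatRule("host 192.168.1.231 SNAT", "192.168.1.231", "9.1010", "snat", "198.51.100.4")

# Most specific first, default masquerade last, as the note requires.
CORRECT = [HOST_SNAT, SUBNET_SNAT, DEFAULT_MASQ]
# Specific rules placed below the default masquerade never fire.
WRONG = [DEFAULT_MASQ, HOST_SNAT, SUBNET_SNAT]

if __name__ == "__main__":
    print(select_source(CORRECT, "192.168.1.231", "9.1010"))   # 198.51.100.4
    print(select_source(CORRECT, "192.168.1.50", "9.1010"))    # 198.51.100.7
    print(select_source(WRONG, "192.168.1.231", "9.1010"))     # 198.51.100.1
    print(shadowed_rules(WRONG))
```

Note that the single-host rule must also sit above the whole-subnet rule: 192.168.1.231 is inside 192.168.1.0/24, so in the opposite order the host would be translated to 198.51.100.7 instead of 198.51.100.4.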