UISP - Setting firewall in UISP devices
In this article, we will show several model examples for setting up firewall rules on UISP devices such as UISP-R or UISP Console.
This article applies to the following firmware and devices:
- UISP-R (FW v.1.13.0+)
- UISP Console (FW v.1.13.0+)
- In order to manage these devices, it is necessary to run UISP Application 1.4.3+
Introduction
This article covers the configuration of firewall and NAT in UISP. While these are related, it’s important to keep in mind that firewall and NAT rules are two completely separate things with different functions. NAT determines whether and how traffic is rewritten: the source and destination IP addresses and source and destination ports for TCP and UDP. NAT does not in any way determine whether traffic is passed or blocked, merely its translation. Firewall rules determine the action taken on traffic, whether to pass, drop, or reject it.
NAT
Term | Description |
Postrouting | Applies to traffic egressing an interface. The egress interface is selected based on the routing table of the firewall. |
Prerouting | Applies to traffic arriving at a given interface. |
Firewall Rules
Term | Description |
Forward | Traffic that is routed through the firewall, not destined to the firewall. Client to client routed traffic. |
Input | Used to handle packets that come in through one of the router's interfaces and have a destination IP address that is one of the router's addresses. The rules of the input chain are not applied to packets going through the firewall. Examples of such traffic: DNS, DHCP server, NTP, HTTP/S. |
Output | Used to handle packets that originate at the router and exit via one of the interfaces. The output chain's rules are not applied to packets traveling through the firewall. Examples of such traffic: NTP, DHCP client, DNS, UISP Proxy. |
Configuration Properties
Rule
Property | Description |
Chain Name | Allows the ability to change the chain in which the rule is configured. |
Description | String input to identify the rule. |
Protocol | Selectable based on a single protocol if desired. Default: All protocols. |
IP Version | Options: IPv4 only, IPv6 only, IPv4 and IPv6. |
Match all protocols except for this | Creates an inverse rule that matches all protocols, sources, and destinations other than those configured. Default: disabled. |
Enabled | Allows the ability to make a rule inactive without removing the configuration. |
Source and Destination
Property | Description |
Group | Allows the selection of an address, MAC, or port group that has been previously configured. |
Address | Allows entry for a single subnet or host. Multiple entries should be configured inside of a group. |
Port | Allows for a single port number entry (1-65,535) when the protocol option is configured to TCP, UDP, or TCP and UDP. Multiple entries should be configured inside of a group. |
Inbound Interface | Matching based on a single ingress interface. Not available for Postrouting. |
Outbound Interface | Matching based on a single egress interface. Not available for Prerouting. |
Action
Property | Description |
Target (Postrouting) | Masquerade: Replaces the source IP address of a packet with the first or primary address of the egressing interface. SNAT: Replaces the source IP address of a packet with the “Translation Address” configuration. Not available for Prerouting. |
Target (Filter) | Accept: Accept the packet without further processing of rules in other chains. Reject: Reject the packet and send an ICMP reject packet to the originating device. Drop: Drop the packet silently without notice to the originating device. Return: Packet processing returns to the chain in which the prior jump occurred. The packet is then subject to any rules in other chains that may have a “jump” action into other chains. If there is no match, the processing may hit the default rule of Accept or Drop. |
Translation Address | Replaces either the source (SNAT) or destination (DNAT) IP address with the specified IP address. Not available for Masquerade or Filter. |
Translation Port | When the protocol option is configured to TCP, UDP, or TCP and UDP, this option performs NAT on the source or destination ports. Not available for Filter. |
Enable Logging | Controls whether each packet matching this rule will be logged to syslog. Take care to not over-enable logging, as the number of logs generated can become unwieldy, and put significant stress on the router. For example, limiting logging to rules matching connection state “new” will generate one log per connection and is a reasonable, sometimes desirable log level. Enabling logging on a rule without a state specified will generate one log entry for each matching packet traversing the system, which is almost always extremely excessive. |
Connection State
Valid for firewall rules only. Matching is based on the connection tracking table.
Property | Description |
Established | A packet that belongs to an existing connection. |
Invalid | A packet that does not have a determined state. Typically this would be a packet that is out-of-order. Invalid packets are not subject to NAT and can egress interfaces with their original source or destination IP addresses. |
New | The packet has started a new connection or is otherwise associated with a connection that has not seen packets in both directions. |
Related | A packet related to, but not part of, an existing connection, such as an ICMP error or a packet that initiates an FTP data connection. |
Untracked | In the firewall RAW table, a packet was set to avoid connection tracking. |
Groups
Firewall groups enable the creation of sets of IPs and/or IP subnets, ports, or MAC addresses. The use of groups in firewall and NAT rules enables shorter, more easily-manageable rulesets. For example, you might create a firewall group for publicly-accessible web servers listing their IP addresses, and a group for the ports which are allowed to those web servers. Then if a new web server is added or removed in the future, or an additional port must be allowed to those servers, it’s simply a matter of modifying the appropriate group, rather than potentially several firewall rules.
Examples
Dropping Bogons
Bogon IP addresses are IP addresses not assigned to any entity by the Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIR). These addresses can be used in a malicious manner because they cannot be traced back to a definitive source. To block these addresses, perform the following steps:
- Create the address group with bogon subnets 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3.
- Create a destination IP address group bogon rule in the Forward chain.
Filter rule
Chain name: Forward
Protocol: All protocols
IP Version: IPv4
Destination Group: Bogon_Subnets (Address group)
- Create a source IP address group bogon rule in the Forward chain.
Filter rule
Chain name: Forward
Protocol: All protocols
IP Version: IPv4
Source Group: Bogon_Subnets (Address group)
- Move the rules to your desired position in the Forward chain.
Port Forwarding
LAN Host | 192.168.1.231* |
TCP Port to Forward | 22* |
Inbound Interface | Port 9.1010 (eth8.1010)* |
Inbound Interface IP Address | 100.64.10.11* |
*This is meant as an example only. Apply configuration for your subnets, hosts, and interfaces accordingly.
Two rules must be configured to make the port forward function as desired. The NAT prerouting (DNAT) rule will translate the destination IP to the proper internal IP address. The filter rule in the forward chain will allow the packet to be accepted and pass through the firewall to the LAN host.
User Tip: For the filter rule to function properly, place the rule in the Forward chain above the predefined Drop rules.
NAT Prerouting
- Only the Prerouting rule is necessary in this case
Prerouting Rule
Chain Name: Prerouting
Protocol: TCP
IP Version: IPv4
Inbound Interface: 9.1010
Destination Address: 198.51.100.1
Destination Port: 22
Translation Address: 192.168.1.231
Filter Forward
- In this case, only the filter rule needs to be created
Filter rule
Protocol: TCP
IP Version: IPv4
Inbound interface: 9.1010
Destination address: 192.168.1.231
Destination port: 22
Target: Accept
Hairpin for Port Forwarding
Two NAT rules need to be configured to achieve NAT hairpin.
- Create a DNAT (prerouting) rule to translate the public IP to the LAN IP address of the 192.168.1.231 host.
Prerouting Rule
Chain Name: Prerouting
Protocol: TCP
IP Version: IPv4
Inbound Interface: br0
Source Address: 192.168.1.0/24
Destination Address: 198.51.100.1
Destination Port: 22
Translation Address: 192.168.1.231
- The second rule is a Postrouting masquerade to achieve symmetric routing. This ensures that return traffic is sent to the proper destination IP address.
Postrouting Rule
Chain Name: Postrouting
Protocol: All protocols
IP version: IPv4
Source Address: 192.168.1.0/24
Outbound Interface: br0
Target: Masquerade
Source NAT (Postrouting) with multiple public IPs
Note: For this configuration to function properly, these specific rules must be placed above the default masquerade rule.
LAN whole subnet SNAT
Example configuration:
Subnet: 192.168.1.0/24
Public IP Range: 198.51.100.1 - 198.51.100.7
Desired Public IP Address: 198.51.100.7
- One postrouting rule has to be created
Postrouting Rule
Chain Name: Postrouting
Protocol: All protocols
IP version: IPv4
Source Address: 192.168.1.0/24
Outbound Interface: 9.1010
Target: SNAT
Translation Address: 198.51.100.7
LAN single host SNAT
Example configuration:
LAN Host: 192.168.1.231
Public IP Range: 198.51.100.1 - 198.51.100.7
Desired Public IP Address: 198.51.100.4
- One postrouting rule needs to be created
Postrouting Rule
Chain Name: Postrouting
Protocol: All protocols
IP version: IPv4
Source Address: 192.168.1.231
Outbound Interface: 9.1010
Target: SNAT
Translation Address: 198.51.100.4
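To see how the examples above interact, the following Python model runs sample packets through the Prerouting, Forward and Postrouting chains loaded with the rules from the Dropping Bogons, Port Forwarding, Hairpin and Source NAT sections. It is an added illustration, not UISP code and not how the device implements these chains. The interface names br0 and eth8.1010, the br0 address 192.168.1.1, the routing table, the "LAN traffic may be forwarded" rule and the 203.0.113.5 Internet client are assumptions; every address used is from the article or a documentation range.

```python
"""Toy model of the chain traversal described in this article (added example, not UISP code).
A routed packet passes Prerouting (DNAT) -> routing -> Forward (filter) -> Postrouting (SNAT/Masquerade).
Assumed: br0 is the LAN bridge at 192.168.1.1, eth8.1010 is the WAN port, LAN may be forwarded."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

GROUPS = {"Bogon_Subnets": ["0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/3"]}  # article's group
IFACE_ADDR = {"br0": "192.168.1.1", "eth8.1010": "100.64.10.11"}         # assumed addresses
ROUTES = [("192.168.1.0/24", "br0"), ("0.0.0.0/0", "eth8.1010")]          # assumed routing table

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    in_if: str = ""
    out_if: str = ""

@dataclass
class Rule:
    target: str                      # accept / drop / dnat / snat / masquerade
    proto: str = "all"
    src: Optional[str] = None        # host, subnet or address-group name
    dst: Optional[str] = None
    dport: Optional[int] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    translation: Optional[str] = None

def addr_match(addr: str, spec: Optional[str]) -> bool:
    """Match an address against a host, a subnet, or every member of a named group."""
    if spec is None:
        return True
    nets = GROUPS.get(spec, [spec])
    return any(ip_address(addr) in ip_network(n, strict=False) for n in nets)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("all", pkt.proto) and addr_match(pkt.src, rule.src)
            and addr_match(pkt.dst, rule.dst) and rule.dport in (None, pkt.dport)
            and rule.in_if in (None, pkt.in_if) and rule.out_if in (None, pkt.out_if))

def first_match(chain, pkt, default):
    """Rules are evaluated top-down; the first match wins, otherwise the chain default applies."""
    return next((r for r in chain if matches(r, pkt)), Rule(target=default))

def process(fw, pkt: Packet):
    """Run one packet through the three chains; return (verdict, packet as it leaves)."""
    pkt = replace(pkt)
    r = first_match(fw["prerouting"], pkt, "accept")
    if r.target == "dnat":
        pkt.dst = r.translation          # destination rewritten before the routing decision
    pkt.out_if = next(i for net, i in ROUTES if ip_address(pkt.dst) in ip_network(net))
    r = first_match(fw["forward"], pkt, "drop")   # predefined Drop at the end of Forward
    if r.target != "accept":
        return r.target, pkt
    r = first_match(fw["postrouting"], pkt, "accept")
    if r.target == "snat":
        pkt.src = r.translation
    elif r.target == "masquerade":
        pkt.src = IFACE_ADDR[pkt.out_if]  # primary address of the egress interface
    return "accept", pkt

def build_firewall(with_forward_rule=True, with_hairpin_masq=True):
    """The article's Bogon, Port Forwarding, Hairpin and SNAT rules, in the order they are placed."""
    forward = [Rule("drop", dst="Bogon_Subnets"), Rule("drop", src="Bogon_Subnets"),
               Rule("accept", in_if="br0")]     # assumed default: LAN may be forwarded
    if with_forward_rule:                       # Filter Forward rule for the port forward
        forward.append(Rule("accept", "tcp", dst="192.168.1.231", dport=22, in_if="eth8.1010"))
    postrouting = [  # single-host SNAT must sit above the whole-subnet SNAT
        Rule("snat", src="192.168.1.231", out_if="eth8.1010", translation="198.51.100.4"),
        Rule("snat", src="192.168.1.0/24", out_if="eth8.1010", translation="198.51.100.7")]
    if with_hairpin_masq:
        postrouting.append(Rule("masquerade", src="192.168.1.0/24", out_if="br0"))
    return {
        "prerouting": [
            Rule("dnat", "tcp", dst="198.51.100.1", dport=22, in_if="eth8.1010",
                 translation="192.168.1.231"),                       # port forward
            Rule("dnat", "tcp", src="192.168.1.0/24", dst="198.51.100.1", dport=22,
                 in_if="br0", translation="192.168.1.231")],         # hairpin
        "forward": forward, "postrouting": postrouting}

def verdict(pkt: Packet, **opts):
    v, out = process(build_firewall(**opts), pkt)
    return v, out.src, out.dst, out.out_if

# Constructed sample packets; 203.0.113.5 (documentation range) stands in for an Internet host.
WAN_SSH = Packet("203.0.113.5", "198.51.100.1", dport=22, in_if="eth8.1010")
LAN_SSH = Packet("192.168.1.50", "198.51.100.1", dport=22, in_if="br0")   # hairpin client
LAN_WEB = Packet("192.168.1.50", "203.0.113.5", dport=443, in_if="br0")
HOST_WEB = Packet("192.168.1.231", "203.0.113.5", dport=443, in_if="br0")
MCAST = Packet("203.0.113.5", "224.0.0.1", proto="udp", in_if="eth8.1010")

if __name__ == "__main__":
    for p in (WAN_SSH, LAN_SSH, LAN_WEB, HOST_WEB, MCAST):
        print(verdict(p))
    print(verdict(WAN_SSH, with_forward_rule=False), verdict(LAN_SSH, with_hairpin_masq=False))
```

Running the model shows the points the sections above make: the DNAT'd SSH packet from the Internet reaches 192.168.1.231 only when the Forward accept rule exists (with_forward_rule=False it hits the default Drop, even though the translation happened); the hairpin packet from 192.168.1.50 leaves with source 192.168.1.1 only when the masquerade rule is present, so the server answers through the router instead of replying to the client directly with an address the client never talked to; and the single-host SNAT to 198.51.100.4 takes effect only because it is listed above the whole-subnet SNAT to 198.51.100.7.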