Block all traffic except some ports

firewall

(Gosch Christian) #1

Hi there,

My NethServer is at a hosting provider and has a fixed public IP address. Now I want to block all traffic coming to my NethServer except SSH, SSL and some other ports.

Can anyone give me a quick link to where I can manage these things easily?


(Dan) #2

All inbound traffic is already blocked, except for services that are told to listen on the red interface. Does that do what you’re looking for?


(Gosch Christian) #3

Thank you for the quick reply! Yes, that was the answer I was looking for.

Can you tell me where I can specify that incoming traffic on the SSH port is only allowed from a specific IP?

And where can I block incoming traffic on port 80?

EDIT: I have just one GREEN interface where the public IP is set.


(Dan) #4

Then you should probably look at the how-to on setting up a dummy interface, put the outside world on red, and maybe set up a VPN connection for management (or, perhaps, set your home IP address as a trusted network).

Why would you want to? Neth will redirect traffic to HTTPS for you, and blocking port 80 entirely will keep you from getting a cert from Let’s Encrypt.

Other blocking would use the firewall module, but I think the bulk of what you need can be done without it by setting up your network correctly.


(Gosch Christian) #5

OK, but is it necessary for security to set up a dummy interface?
Right now a port scan shows only ports 80, 143, 443, 465 and 993; the scanner says the others are closed.

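An external port scan like the one above tells you which ports answer from the outside; the complementary check from the inside is to compare what the host actually listens on against the ports that are supposed to be public. The following is an added example, not code from this thread or from the NethServer project: it parses the output of `ss -ltn` (present on any CentOS 7 box) and reports every listener bound to a non-loopback address whose port is not on an allow list. The sample `ss` output is constructed for the demonstration, not captured from the poster's server.

```shell
#!/bin/bash
# Added example: compare what the box actually listens on with the list of
# ports that are supposed to be reachable from the outside.
# Feed it the output of "ss -ltn" (IPv4/IPv6 TCP listeners). Every listener
# bound to a non-loopback address whose port is not in the allow list is
# reported as EXPOSED, and the function returns 1 so it can gate a script.

audit_exposed_listeners() {   # usage: ss -ltn | audit_exposed_listeners "22 80 443"
    local allowed=" $1 " rc=0
    local state recvq sendq laddr peer rest addr port
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue   # skips the header line
        addr=${laddr%:*}                      # everything before the last ':'
        port=${laddr##*:}                     # everything after the last ':'
        case "$addr" in
            127.*|'[::1]') continue ;;        # loopback-only: not reachable from outside
        esac
        case "$allowed" in
            *" $port "*) ;;                   # an intended public service
            *) printf 'EXPOSED %s on %s\n' "$port" "$addr"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample in the format "ss -ltn" prints (not captured from the
# poster's server): SSH and HTTPS are meant to be public, the management
# UI on 980 is bound to localhost, and IMAP (143) still listens everywhere.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:980      0.0.0.0:*
LISTEN 0      128    [::]:443           [::]:*
LISTEN 0      128    0.0.0.0:143        0.0.0.0:*
EOF
}

# Run against the sample; on a live system replace sample_ss_output with "ss -ltn".
sample_ss_output | audit_exposed_listeners "22 443" || echo "unexpected public listeners found"
```

Run the real thing as `ss -ltn | audit_exposed_listeners "22 443 465 993"` after each firewall or service change; a non-zero exit means something listens on a public address that you did not intend to expose. Note that this only shows what the process binds to; a listener on 0.0.0.0 can still be blocked by the firewall, so the external scan and this check together give the full picture.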

(Michael Träumner) #6

The green interface is firewalled too, but for some purposes (for example VPN) you need the red interface.

The roles of the "colours" are described here:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-firewall-base.html#roles-and-zones


(Gosch Christian) #7

OK, I don't need a VPN now.

Can I filter the SSH port and port 980 so they only answer to my public IP address?


(Michael Träumner) #8

I think you can only set a full network as trusted networks; with a public IP this is not a good idea. So you need a VPN to get an internal IP.


(Andreas Schloegl) #9

Yes, you can. It only depends on your firewall settings. All network services are reflected in the settings.
It is easier to do this directly in the web interface under Security > Network services. Change those you do not want to be available on the public side to localhost.
If you want to restrict your management port 980 (which you need to be public without having a VPN) to a specific public IP or range, this can be done in the firewall settings, too:
first define a host with an IP (or, if needed, a host group of allowed IPs), then set up a new rule accepting traffic from this host or group to port 980 TCP, and finally delete the existing rule for httpd-admin. Be careful not to lock yourself out!

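The warning at the end of the post above is the part that bites on a remote box with no out-of-band access: if the new rule is wrong, the session you are changing it from is the first thing that disappears. The following is an added example, not from this thread or from the NethServer project: a small shell safety net that arms a timer to restore the previous rules unless you explicitly disarm it after reconnecting. The apply and rollback commands are parameters; what you substitute (the NethServer steps described above, `iptables-restore`, or anything else) is your choice and is not shown here. The demonstration uses a temporary file standing in for the rule set so it runs anywhere.

```shell
#!/bin/bash
# Added example: a safety net for remote firewall changes. Apply the change,
# arm a timer that restores the previous rules automatically, then try to
# reconnect from outside; only if that works do you disarm the timer.
# The rollback command is a parameter, so it can be whatever restores the
# previous rule set on your system (assumed, not shown here).

# arm_rollback SECONDS CMD [ARGS...]: run CMD after SECONDS unless disarmed.
# Prints the timer's PID. Ignoring HUP and detaching stdin/stdout keeps the
# timer alive even if the SSH session that started it is cut off.
arm_rollback() {
    local secs=$1; shift
    ( trap '' HUP; sleep "$secs" && "$@" ) </dev/null >/dev/null 2>&1 &
    echo $!
}

# disarm_rollback PID: you got back in, so cancel the pending rollback.
disarm_rollback() {
    kill "$1" 2>/dev/null || true
}

# Demonstration with a file standing in for the rule set (constructed here):
# "old" is the known-good configuration, "new" the risky change.
demo_rollback() {
    local rules; rules=$(mktemp)
    echo old >"$rules"

    # 1) Locked-out scenario: nobody disarms, so the rollback fires.
    local pid
    pid=$(arm_rollback 1 sh -c "echo old >'$rules'")
    echo new >"$rules"            # "apply" the change
    sleep 2                       # no confirmation arrives...
    local after_timeout; after_timeout=$(cat "$rules")   # -> old

    # 2) Success scenario: admin reconnects and disarms before the timer fires.
    pid=$(arm_rollback 5 sh -c "echo old >'$rules'")
    echo new >"$rules"
    disarm_rollback "$pid"
    local after_confirm; after_confirm=$(cat "$rules")   # -> new

    rm -f "$rules"
    echo "$after_timeout $after_confirm"
}

demo_rollback   # prints: old new
```

In practice the sequence is: save the current rules, `pid=$(arm_rollback 300 <restore-command>)`, apply the new rule, open a fresh connection from the address you meant to allow, and only then run `disarm_rollback "$pid"`. If the fresh connection fails, do nothing; five minutes later the old rules are back.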

(Gosch Christian) #10

Hi Andreas!
Thanks, which file should I edit on the NethServer? I have already tried iptables but that won't work…


(Michael Träumner) #11

I think Andreas means in the web GUI. There is a menu called "Firewall Rules".

Can you explain to me why it is needed without a VPN?


(Gosch Christian) #12

Hi Michael!
I have no Firewall Rules in the web GUI; do I have to install this package?
For me it's OK to implement the rules in the shell if I know which file I have to edit :wink:



(Michael Träumner) #13

Yes, this looks good.


(Andreas Schloegl) #14

Yes, this one.


(Gosch Christian) #15

Thanks a lot, it works.



(Michael Träumner) #16

Could you mark the topic as solved please.


(Gosch Christian) #17

Last question: can anyone tell me in which file these settings are stored? If I make a mistake in the config I only have a VNC connection to the server console and no web GUI…


(Markus Neuberger) #18

Here are some docs:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-firewall-base.html#rules