
Resolved
0 votes
Hi all-

I just upgraded from 6 to 7 but do not remember what, if anything I did to harden the firewall.

I want to add a few rules, but the interface/wizard does not appear to give me the options I want.

I want to block everything inbound on the WAN interface except for VPN. Then only allow Webconfig and SSH on the LAN side. In theory you have to be logged in via VPN to do anything.

I especially want to block all VPN traffic by country as well- I have no users beyond a 50 mile radius but I think I can live with limiting all VPN connections to US IP numbers.

Can anyone give me their thoughts on adding these rules and if so, how?

Thanks

Dennis
Wednesday, November 15 2017, 05:06 AM
Responses (3)
  • Accepted Answer

    Wednesday, November 15 2017, 07:23 PM - #Permalink
    Resolved
    0 votes
    I would recommend that you avoid the underlying files. It looks like Webconfig rules go in /etc/clearos/firewall.conf, except custom rules, which go in /etc/clearos/firewall.d/custom. The default set-up is in /usr/sbin/firewall-start.

    If you want to add your own rules it is best in the Custom Firewall module or /etc/clearos/firewall.d/local and note that each time you edit /etc/clearos/firewall.d/local, the firewall will restart. In reality, /etc/clearos/firewall.d/local can contain any command and it will get fired off at the last bit of the firewall startup.

    Be careful when adding rules. If you get them wrong you can put the firewall into a restart loop and the only way to break out of it may be to resort to the console to edit the file. My recommendation is to try the rule at the command line first. Then, if there are no errors, copy and paste it into the Custom Firewall module or /etc/clearos/firewall.d/local, changing "iptables" to "$IPTABLES".

    You can write rules for any interface using the "-i" and "-o" switches. If you don't like a ClearOS rule but cannot get to it from the Webconfig, you can use a custom or local rule to override it, as they fire later and so, if added with the "-I" switch, take precedence. But I really suggest you leave all the default rules except for the Webconfig one, which you can remove through the Webconfig.

    For learning try these references: http://www.faqs.org/docs/iptables/traversingoftables.html and http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables. Also google "man iptables"
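    The test-first workflow Nick describes (run the rule at the prompt, and only if iptables accepts it copy it into the local file with "iptables" changed to "$IPTABLES") as an added shell helper. This is example code written for this page, not part of Nick's reply and not part of ClearOS. It applies the rule with the live iptables binary and, on success, appends the matching "$IPTABLES -I ..." line to /etc/clearos/firewall.d/local exactly once; a rejected rule never reaches the file, so the restart loop he warns about cannot be triggered by a typo. The variable names IPTABLES_BIN and LOCAL_RULES are my own, chosen so the paths can be overridden for a dry run on a non-ClearOS box. The rule is passed as a single argument and split on whitespace the way the shell would split it at the prompt, so rules that need quoted arguments (for example a --comment with spaces) are outside its scope, and an argument containing a newline is refused because everything in the local file is executed as a command at firewall start.

```shell
#!/bin/sh
# Added example, not ClearOS code: validate an iptables rule against the live
# ruleset before persisting it to the ClearOS local firewall hook.
#
# IPTABLES_BIN and LOCAL_RULES are assumed names; override them to dry-run
# against a fake iptables and a scratch file.
IPTABLES_BIN="${IPTABLES_BIN:-/sbin/iptables}"
LOCAL_RULES="${LOCAL_RULES:-/etc/clearos/firewall.d/local}"

# A literal newline, used to refuse multi-line "rules" that would smuggle a
# second command into LOCAL_RULES.
nl=$(printf '\nx'); nl=${nl%x}

# stage_rule 'INPUT -i enp2s0 -p tcp --dport 81 -m state --state NEW -j DROP'
# Inserts the rule live with -I; on success appends "$IPTABLES -I <rule>" to
# LOCAL_RULES (skipping an identical line already there). Returns non-zero
# when iptables rejects the rule or the argument is empty/multi-line.
stage_rule() {
    rule="$1"
    case "$rule" in
        ''|*"$nl"*)
            echo "stage_rule: empty or multi-line rule refused" >&2
            return 1 ;;
    esac
    # Unquoted on purpose: split into arguments exactly as typed at the prompt.
    if ! "$IPTABLES_BIN" -I $rule; then
        echo "stage_rule: iptables rejected: $rule" >&2
        return 1
    fi
    line="\$IPTABLES -I $rule"
    if [ -f "$LOCAL_RULES" ] && grep -qxF -- "$line" "$LOCAL_RULES"; then
        echo "stage_rule: already present in $LOCAL_RULES" >&2
        return 0
    fi
    printf '%s\n' "$line" >> "$LOCAL_RULES"
}

# Usage: ./stage_rule.sh 'INPUT -i enp2s0 -p tcp --dport 81 -m state --state NEW -j DROP'
# Each argument is one rule without the leading "iptables".
for r in "$@"; do
    stage_rule "$r" || exit 1
done
```

    Appending to /etc/clearos/firewall.d/local restarts the firewall, as Nick notes, so the live insertion done by the helper is flushed and the rule comes back from the file; that is the intended end state.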
  • Accepted Answer

    Wednesday, November 15 2017, 05:40 PM - #Permalink
    Resolved
    0 votes
    Nick-

    Thanks for the reply. I am working through reading and still digesting it. It looks promising though.

    The sparse documentation is what is hindering me right now. If I could figure out where the config files are and the proper way to modify them, I could probably do more myself. The disappointing thing is most of the ClearOS documentation is still for version 5.

    EDIT: I am stuck trying to find the iptables rule files. I want to copy them and then use something like fwbuilder to go through them to better understand them. Where can I find the list of files the package installs? I am hesitant to install any non-ClearOS app on my machine.


    I do want to have the outside locked down with the exception of OpenVPN and then have the access from the outside to the box only via the OpenVPN side.

    As far as ports and services go, I am using ClearOS as a gateway box with 2 nics. I thought we could have different rules for each interface, the WAN side and the LAN side.


    Dennis
  • Accepted Answer

    Wednesday, November 15 2017, 02:38 PM - #Permalink
    Resolved
    0 votes
    As on your previous post, almost everything on the WAN side is closed by default. All that is normally allowed is DHCP on ports 67/68, a few ICMP types (for pings and the like), tcp:81 for the Webconfig and tcp:1875 for the ClearSDN remote system audit. Also all replies to outgoing requests are allowed. Personally I'd close tcp:81 and, like you, use OpenVPN, but I'd leave 1875 open for the daily audit where you get sent an e-mail if Clearcenter detect any system file changes (generally, but not always, caused by automatic updates).

    Be a little bit wary of what you do on the LAN side. If you use ClearOS as a DHCP server or DNS server you need to leave those ports open. Same for file serving and e-mail serving. You will also want it open for SSH and Webconfig unless you always connect by OpenVPN and use the OpenVPN base address (10.8.0.1) to access the server, in which case you may want to have the OpenVPN port open as well.

    With regards to Geoblocking, it is certainly possible and I have a script to do it. As I'm in Europe, I have it open for a number of countries for when I travel. As such it is a bit OTT for what you want. I use ipset sets for my country list, but you need a few files for this to work:

    1 - Create a file /etc/sysconfig/modules/ip_set.modules, and in it put:
    modprobe ip_set
    Make the file executable.

    2 - In /etc/rc.d/rc.local put:
    ipset restore <  /usr/src/ipset_country-list.save
    Again, make the file executable.

    3 - Create an executable file /etc/cron.monthly/country_block (for monthly updates, elsewhere for a different frequency):
    #!/bin/sh
    # Put your country codes here
    ISO="es eu fr gb"

    WORKDIR="/usr/tmp"
    OUTFILE="$WORKDIR/zone.out"

    # Abort rather than clean up the wrong directory if WORKDIR is missing
    cd "$WORKDIR" || exit 1

    rm -f *.zone
    rm -f all-zones.tar.gz
    rm -f zone.*

    # Download the file
    if ! wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz -q ;
    then
        exit 1
    fi
    tar xzf all-zones.tar.gz --wildcards '*.zone' > /dev/null

    # Assemble the required country files into one file
    for COUNTRY in $ISO ; do
        if [ -f "$COUNTRY.zone" ] ; then
            # Load the country list
            cat "$COUNTRY.zone" >> "$OUTFILE"
        fi
    done

    # Destroy country-list-temp in case it exists and is populated
    ipset destroy -q country-list-temp

    # Make sure the new lists exist
    ipset create country-list nethash -exist
    ipset create country-list-temp nethash -exist

    # Load the ipset set (one network per line; -exist ignores duplicates)
    while read -r line
    do
        ipset -A -exist country-list-temp "$line"
    done < "$OUTFILE"

    # Make the temp list current (swap is atomic, so the live set is never empty)
    ipset swap country-list country-list-temp

    # Destroy the old contents, which the swap left in country-list-temp
    ipset destroy -q country-list-temp

    rm -f *.zone
    rm -f all-zones.tar.gz
    rm -f zone.*

    # Save the set for rc.local to restore at boot; -exist makes the restore idempotent
    ipset save country-list > /usr/src/ipset_country-list.save
    sed -i 's/create/create -exist/g' /usr/src/ipset_country-list.save
    sed -i 's/add/add -exist/g' /usr/src/ipset_country-list.save
    Presumably change the ISO to just US for you.

    4 - Lastly create your firewall rule as a custom rule, or in /etc/clearos/firewall.local or, as I do, in an executable file like /etc/clearos/firewall.d/20-ipset_blocks:
    ipset create country-list nethash -exist
    $IPTABLES -I INPUT -i enp2s0 -m set ! --match-set country-list src -p tcp -m multiport ! --dports 25,80,443,1875 -m state --state NEW -j DROP
    $IPTABLES -I INPUT -i enp2s0 -m set ! --match-set country-list src -p udp ! --dport 51413 -m state --state NEW -j DROP
    My rules are a bit more complicated as I run a web server and mail server and I don't want those geoblocked. You may get away with a single rule if you don't need to specify the protocol, but make sure you only block NEW packets.

    You should be able to simplify my bigger script because ipdeny.com also has single country files. You could get away with just pulling in a single file rather than the full all-zone file and unpacking it.

    First time round, execute the cron script manually to initially produce the country list; otherwise you'll need to wait until cron.monthly next fires.

    Note this is slightly untested as I've removed some of the bits I do as well, so I hope it still runs.

    At some point I aim to get this into a python script as the bit which I've cut out (which consolidates the subnet list where possible) takes up to 10min to run in bash.
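    The simplification Nick suggests (pull in a single country file instead of the whole archive) as an added example; this is my code, not the poster's script and not part of ClearOS. It reads one or more zone files (assumed format, matching what the script above consumes: one IPv4 network per line, with '#' comments tolerated) and prints an ipset restore stream that fills a temporary set, swaps it in and destroys the old contents, so the live set is never empty while a download is being loaded and the while loop, the ipset save and the two sed passes above collapse into one pipe into ipset restore. The placement of -exist copies the save file that rc.local restores above; hash:net is the current name for the nethash type the script uses. Lines that are not well-formed IPv4 networks are dropped with a warning rather than handed to ipset, and a file with no valid entry returns non-zero so an empty or failed download cannot replace a working set with an empty one. The function and set names, and the country-list-temp name for the scratch set, are my choices.

```shell
#!/bin/sh
# Added example, not the poster's script: turn ipdeny-style zone files
# (assumed format: one IPv4 network per line, '#' comments allowed) into an
# "ipset restore" stream that replaces a set atomically via temp set + swap.
# The "-exist" placement copies the save file restored from rc.local above.

# is_cidr4 ADDR[/LEN]: 0 if ADDR is a well-formed IPv4 address/network, else 1
is_cidr4() {
    case "$1" in
        */*) ip="${1%/*}"; len="${1#*/}" ;;
        *)   ip="$1";      len=32 ;;
    esac
    printf '%s\n' "$ip"  | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$len" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$'   || return 1
    old_ifs="$IFS"; IFS=.
    for octet in $ip; do
        if [ "$octet" -gt 255 ]; then IFS="$old_ifs"; return 1; fi
    done
    IFS="$old_ifs"
    return 0
}

# build_restore SETNAME FILE...: print an ipset restore script on stdout.
# Returns non-zero if no valid entry was found, so an empty download never
# replaces a working set with an empty one.
build_restore() {
    set_name="$1"; shift
    tmp="${set_name}-temp"
    count=0
    printf 'create -exist %s hash:net\n' "$set_name"
    printf 'create -exist %s hash:net\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    for f in "$@"; do
        while IFS= read -r line || [ -n "$line" ]; do
            line="${line%%#*}"                           # drop comments
            line=$(printf '%s' "$line" | tr -d ' \t\r')  # and whitespace/CR
            if [ -z "$line" ]; then continue; fi
            if is_cidr4 "$line"; then
                printf 'add -exist %s %s\n' "$tmp" "$line"
                count=$((count + 1))
            else
                echo "build_restore: skipping malformed entry '$line' in $f" >&2
            fi
        done < "$f"
    done
    # swap makes the temp contents live in one step; the old contents end up
    # in the temp set, which is then destroyed
    printf 'swap %s %s\n' "$tmp" "$set_name"
    printf 'destroy %s\n' "$tmp"
    [ "$count" -gt 0 ]
}

# Usage: ./country_set.sh country-list /usr/tmp/us.zone | ipset restore
if [ "$#" -ge 2 ]; then
    build_restore "$@"
fi
```

    Because the stream is only applied when the function succeeds, a failed wget (an empty or missing zone file) leaves the existing country-list untouched, and the firewall rules in step 4 keep matching against the last good list.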