Forums

Resolved
0 votes
I have been using ClearOS 6 at home for several years. I am planning to upgrade to ClearOS 7 (I know, I'm late), and I was testing the new system. While it looks good, I found something that worked on V 6 but doesn't work on V 7.

I put the following in the custom firewall rules:

#STOP ALL TRAFFIC
iptables -I FORWARD -s 192.168.1.0/8 -j DROP

#Set Host ON
iptables -I FORWARD -m mac --mac-source XX-XX-XX-XX-XX-XX -j ACCEPT

The first line would stop all traffic, and the subsequent lines would allow traffic from specific devices. This way, only the devices that I allowed would have access. I know there is an app that will control web access, I want to block ALL traffic except from devices I choose to allow.

This worked for ClearOS 6, but with ClearOS 7, the first line blocks all traffic, but the other lines have no effect. What is different? How do I get this to work with ClearOS 7?
Thursday, June 15 2017, 04:05 PM
Share this post:

Accepted Answer

Thursday, June 15 2017, 09:19 PM - #Permalink
Resolved
0 votes
The other thing I also recommend is that before, putting rules into the custom firewall module, you try them at the command line first to check for errors. You will find that your ACCEPT rule will fail even if you put in a valid MAC address because it looks like the MAC address separator is a ":" and not a "-".
[root@server ~]# iptables -I FORWARD -m mac --mac-source 11:22:33:44:55:66 -j ACCEPT
[root@server ~]# iptables -I FORWARD -m mac --mac-source 11-22-33-44-55-66 -j ACCEPT
iptables v1.4.21: ether
Try `iptables -h' or 'iptables --help' for more information.
Note the first works but the second fails.
The reply is currently minimized Show
Responses (5)
  • Accepted Answer

    Thursday, June 15 2017, 10:45 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    The other thing I also recommend is that before, putting rules into the custom firewall module, you try them at the command line first to check for errors. You will find that your ACCEPT rule will fail even if you put in a valid MAC address because it looks like the MAC address separator is a ":" and not a "-".
    [root@server ~]# iptables -I FORWARD -m mac --mac-source 11:22:33:44:55:66 -j ACCEPT
    [root@server ~]# iptables -I FORWARD -m mac --mac-source 11-22-33-44-55-66 -j ACCEPT
    iptables v1.4.21: ether
    Try `iptables -h' or 'iptables --help' for more information.
    Note the first works but the second fails.


    That did it. I had dashes in the MAC address. When I used colons, as you suggested, it works. That was the one thing that was different. Thanks for the help.

    By the way, the IP address range in my example is just an example. I am using a larger range.
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, June 15 2017, 08:35 PM - #Permalink
    Resolved
    0 votes
    What is the output of:

    /usr/sbin/firewall-start -d


    B
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, June 15 2017, 08:29 PM - #Permalink
    Resolved
    0 votes
    BTW I am not sure you want 192.168.1.0/8. At most it should probably be 192.168.1.0/16 or possibly even /24. /8 can block valid internet IP's.

    Also in 7.x in the custom rules, don't use "iptables". Instead use "$IPTABLES". You still use "iptables" or "iptables -w" from the command line.
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, June 15 2017, 08:28 PM - #Permalink
    Resolved
    0 votes
    Here it is:

    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    DROP all -- 127.0.0.0/8 0.0.0.0/0
    DROP all -- 169.254.0.0/16 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
    ACCEPT tcp -- 0.0.0.0/0 10.10.15.56 tcp dpt:81
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED

    Chain FORWARD (policy DROP)
    target prot opt source destination
    DROP all -- 172.16.0.0/16 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
    ACCEPT tcp -- 10.10.15.56 0.0.0.0/0 tcp spt:81
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, June 15 2017, 07:06 PM - #Permalink
    Resolved
    0 votes
    Can you post output of:

    iptables  -n -L


    B
    The reply is currently minimized Show
Your Reply