
Beginner's Guide To ClearOS - Linux Firewall

ClearOS is an open source Linux server and gateway distribution whose firewall is built on iptables. It is designed to prevent unauthorized access to or from a private network, on anything from a single host to a network with several segments. This guide walks through the firewall features and shows the iptables rules behind them.
ClearOS firewall overview
ClearOS is developed by ClearFoundation. Its firewall is iptables underneath, managed through the webconfig interface, and the two firewall apps covered here are the Incoming Firewall and the Custom Firewall.
The Incoming Firewall is part of the core system and is installed by default; the Custom Firewall app has to be installed from the ClearCenter Marketplace, as described below.
Custom Firewall
Most administrators can meet their firewall needs through the standard ClearOS web interface, but some scenarios call for rules the interface cannot express. The Custom Firewall app lets you add raw iptables rules for those cases. Before you can use it, install it from the ClearCenter Marketplace.
Marketplace
The ClearCenter Marketplace is a service that lets administrators browse and search for apps compatible with their platform and version, and install them. Apps are applications developed and integrated into the ClearOS webconfig user interface that extend or enhance the functionality or security of the system.

The Marketplace can be customised by clicking the 'Settings' button, found among the buttons and links used for paginating the Marketplace apps and starting an install. The examples that follow show the Custom Firewall app in use with the addressing cases an administrator is likely to meet.
Custom Firewall Module Examples

The examples below cover the common cases for the Custom Firewall in ClearOS: useful rules for protecting your server or network from unauthorized use.
For these examples the WAN network is 1.2.3.0/28, with .1 as our ISP's router and .4 as the ClearOS server. The DMZ network is 5.6.7.0/27, with 5.6.7.8 as the ClearOS DMZ IP address. The HotLAN network is 172.22.22.0/24, with ClearOS at 172.22.22.22. The LAN is 192.168.1.0/24, with 192.168.1.1 as the ClearOS server and 192.168.1.10 as a third-party web/file server. Cases that use other addresses say so.
Firewalling

Port Forwarding Restricted to Specific Public IPs

Case 1. Port forwarding restricted to specific public IPs. The rules below allow connections to a MySQL server (TCP port 3306) on the LAN host 192.168.4.109 only from the remote IPs 1.2.3.4 and 5.6.7.8. Each rule is added with -I, which inserts at the top of the chain, so enter the DROP first: the two ACCEPT rules entered afterwards land above it and are evaluated first.
iptables -t filter -I FORWARD -d 192.168.4.109 -p tcp --dport 3306 -j DROP
iptables -t filter -I FORWARD -s 1.2.3.4 -d 192.168.4.109 -p tcp --dport 3306 -j ACCEPT
iptables -t filter -I FORWARD -s 5.6.7.8 -d 192.168.4.109 -p tcp --dport 3306 -j ACCEPT
At this point the port forward does not work yet, because these rules only filter. The next step is to use the Port Forwarding app to create the forward itself for the example: TCP port 3306 to 192.168.4.109. The two apps then work together: the Port Forwarding app handles the DNAT, and the Custom Firewall rules limit it to the listed public IPs and drop everyone else.

Port-based Filtering
Case 2. Port-based filtering. Traffic that bypasses the content filter can still be singled out by port and dropped for a particular host or range of hosts. For example, you can block outbound SMTP for your entire DHCP range if the DHCP scope runs from 192.168.1.128 to 192.168.1.254 (the /25 below covers .128 through .255):
iptables -t nat -I PREROUTING -s 192.168.1.128/25 -p tcp --dport 25 -j DROP
The nat table only sees the first packet of each connection, which is enough to stop a new SMTP session from being set up. If you prefer to keep filtering out of the nat table, the equivalent rule belongs in the FORWARD chain of the filter table.

Managing LAN-to-LAN Traffic

Case 3. By default, traffic between multiple LANs is permitted. If you want to block it, use the following example. Because every line is inserted at the top of FORWARD, the line entered last is evaluated first: the web-server ACCEPT, then the two reply ACCEPTs, and the DROPs last.
eth1: LAN1
eth2: LAN2
# Block traffic between eth1 and eth2
iptables -I FORWARD -i eth1 -o eth2 -j DROP
iptables -I FORWARD -i eth2 -o eth1 -j DROP
# Allow reply traffic for connections that were already accepted
iptables -I FORWARD -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i eth2 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow LAN1 to reach the web server on the LAN2 network
iptables -I FORWARD -i eth1 -o eth2 -p tcp --dport 80 -j ACCEPT
Logging Specific Network Traffic
Case 4. In various circumstances you may want to log certain types of network traffic. First create a dedicated logging chain:
iptables -N log-traffic
iptables -I log-traffic -j LOG --log-prefix "Traffic log: "
Then add rules that send traffic to it. Some examples:
# Log traffic destined to 1.2.3.4
iptables -I FORWARD -d 1.2.3.4 -j log-traffic
# Log traffic destined to port 12345
iptables -I FORWARD -p tcp --dport 12345 -j log-traffic
LOG is a non-terminating target: after the entry is written, processing returns to the FORWARD chain and the packet is still accepted or dropped by the remaining rules, so these rules observe traffic without changing what the firewall does with it. The entries go to /var/log/messages, which can be viewed using the log viewer app; the prefix makes them easy to search for.

Gateway Services
Case 5. To have a host bypass all gateway services except NAT, use a rule like this:
iptables -t nat -I PREROUTING -s 192.168.1.99 -j ACCEPT
ACCEPT in the nat PREROUTING chain ends that chain's processing for the packet, so the host skips the redirect rules that services such as the transparent proxy and content filter place there, while NAT itself, which happens in POSTROUTING, still applies. It does not bypass the filter table: FORWARD rules still apply to this host. To limit the bypass to TCP services only, use the following:
iptables -t nat -I PREROUTING -s 192.168.1.99 -p tcp -j ACCEPT

HotLAN to LAN
Case 6. HotLAN to LAN. This is similar to a pinhole in the DMZ app. For this example your LAN is 10.1.1.0/24, your HotLAN is 192.168.1.0/24, and the service is SMTP (port 25) on the server 10.1.1.110. Add a forwarding rule using the Custom Firewall app:
iptables -I FORWARD -p tcp -s 192.168.1.0/24 -d 10.1.1.110 --dport 25 -j ACCEPT

Port Forwarding from selected hosts

Case 7. Suppose you want only certain hosts to reach the SMTP service behind your firewall. You could use the Port Forwarding module for this, but it forwards for every source, and here you want to restrict the forward to a single source network.
In this example our internal server is 10.1.1.110 and is running SMTP. We want 3.2.1.0/24, and only that range, to reach it. The rules use eth0 as the WAN interface; adjust that if yours differs.
You will need to add two rules, one for the DNAT and one to let the forwarded traffic through:
iptables -t nat -A PREROUTING -p tcp -i eth0 -s 3.2.1.0/24 --dport 25 -j DNAT --to-destination 10.1.1.110:25
iptables -A FORWARD -p tcp -s 3.2.1.0/24 -d 10.1.1.110 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Limit SSH/Webconfig Access to Specific IP Addresses
The following entries restrict remote SSH (port 22) and Webconfig (port 81) access to specific IP addresses that you define (for example, to allow remote login from the office, home or datacenter). Enter each DROP line first: every rule is inserted at the top of INPUT, so the ACCEPT rules entered afterwards land above it. Make sure the address you are currently connecting from is in the ACCEPT list before you apply the DROP, or you will lock yourself out.
# Deny all SSH connections
iptables -I INPUT -p tcp --dport 22 -j DROP
# Allow SSH from the listed addresses
iptables -I INPUT -p tcp --source 1.2.3.4 --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --source 5.6.7.8 --dport 22 -j ACCEPT
# Deny all webconfig connections
iptables -I INPUT -p tcp --dport 81 -j DROP
# Allow webconfig from the listed addresses
iptables -I INPUT -p tcp --source 1.2.3.4 --dport 81 -j ACCEPT
iptables -I INPUT -p tcp --source 5.6.7.8 --dport 81 -j ACCEPT
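Nearly every rule on this page is added with iptables -I, which inserts at the top of the chain, so the line you type last is the one evaluated first, and getting the order wrong turns an allow-list into a lock-out. The script below is an added example for this guide, not ClearOS code and not anything that talks to the kernel: it parses the rule lines exactly as they appear in Case 1, Case 3 and the SSH/Webconfig example, models each chain as an ordered list evaluated first-match-wins (how netfilter walks the filter table), and checks what verdict a constructed packet would get. The chain policy, the packet fields, the 203.0.113.9 "stranger" address and the subset of options the parser understands are all assumptions of the example.

```python
"""Offline check of rule ORDER for the Custom Firewall rules on this page.

Constructed example for this guide, not ClearOS code: it never touches the
kernel.  A chain is modelled as an ordered list evaluated first-match-wins,
and the parser understands only the options the rules in Case 1, Case 3 and
the SSH/Webconfig example use: -t, -A/-I, -i, -o, -s/--source, -d, -p,
--dport, -m state --state and -j.  Non-terminating targets such as LOG and
the nat table are not modelled.
"""
import ipaddress
import shlex

FLAG_TO_KEY = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport", "-j": "target"}


def parse_rule(cmd):
    """Parse one 'iptables ...' line into (chain, '-I' or '-A', match dict)."""
    toks = shlex.split(cmd)
    if not toks or toks[0] != "iptables":
        raise ValueError(f"not an iptables command: {cmd}")
    chain = mode = None
    rule = {}
    i = 1
    while i < len(toks):                      # every option handled here takes one argument
        t = toks[i]
        if t == "-t":
            rule["table"] = toks[i + 1]
        elif t in ("-I", "-A"):
            mode, chain = t, toks[i + 1]
        elif t in FLAG_TO_KEY:
            rule[FLAG_TO_KEY[t]] = toks[i + 1]
        elif t in ("-s", "--source", "-d"):
            rule["dst" if t == "-d" else "src"] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif t == "-m":                       # match module name; its own options follow
            pass
        elif t == "--state":
            rule["state"] = set(toks[i + 1].split(","))
        else:
            raise ValueError(f"unsupported option {t!r} in: {cmd}")
        i += 2
    if chain is None or "target" not in rule:
        raise ValueError(f"rule needs a chain and a -j target: {cmd}")
    return chain, mode, rule


def build_chains(commands):
    """Apply the commands in the order typed: -I inserts at the top, -A appends."""
    chains = {}
    for cmd in commands:
        chain, mode, rule = parse_rule(cmd)
        lst = chains.setdefault(chain, [])
        if mode == "-I":
            lst.insert(0, rule)
        else:
            lst.append(rule)
    return chains


def matches(rule, pkt):
    """True when every match in the rule agrees with the packet."""
    for key, want in rule.items():
        if key in ("target", "table"):
            continue
        if key in ("src", "dst"):
            if ipaddress.ip_address(pkt[key]) not in want:
                return False
        elif key == "state":
            if pkt["state"] not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True


def verdict(commands, chain, pkt, policy="ACCEPT"):
    """Target of the first matching rule, or the chain policy (assumed) if none matches."""
    for rule in build_chains(commands).get(chain, []):
        if matches(rule, pkt):
            return rule["target"]
    return policy


def packet(src, dst, dport, state="NEW", proto="tcp", in_if="eth0", out_if=None):
    """A constructed packet: just the fields the rules on this page look at."""
    return {"src": src, "dst": dst, "dport": dport, "state": state,
            "proto": proto, "in": in_if, "out": out_if}


# Rules copied from the SSH/Webconfig and Case 3 examples, in the order the page gives them.
SSH_RULES = [
    "iptables -I INPUT -p tcp --dport 22 -j DROP",
    "iptables -I INPUT -p tcp --source 1.2.3.4 --dport 22 -j ACCEPT",
    "iptables -I INPUT -p tcp --source 5.6.7.8 --dport 22 -j ACCEPT",
]
LAN_RULES = [
    "iptables -I FORWARD -i eth1 -o eth2 -j DROP",
    "iptables -I FORWARD -i eth2 -o eth1 -j DROP",
    "iptables -I FORWARD -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "iptables -I FORWARD -i eth2 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "iptables -I FORWARD -i eth1 -o eth2 -p tcp --dport 80 -j ACCEPT",
]

if __name__ == "__main__":
    office = packet("1.2.3.4", "192.168.1.1", "22")
    stranger = packet("203.0.113.9", "192.168.1.1", "22")     # constructed outside address
    print(verdict(SSH_RULES, "INPUT", office), verdict(SSH_RULES, "INPUT", stranger))  # ACCEPT DROP
    # The same three lines typed with -A instead of -I put the DROP first and lock everyone out.
    print(verdict([c.replace(" -I ", " -A ") for c in SSH_RULES], "INPUT", office))     # DROP
    web = packet("192.168.1.50", "192.168.2.10", "80", in_if="eth1", out_if="eth2")
    reply = packet("192.168.2.10", "192.168.1.50", "51000", state="ESTABLISHED", in_if="eth2", out_if="eth1")
    print(verdict(LAN_RULES, "FORWARD", web), verdict(LAN_RULES, "FORWARD", reply))      # ACCEPT ACCEPT
```

The useful habit this encodes is to paste a proposed Custom Firewall rule set into verdict() with a packet from your own management address before applying it; the -A variant shows how the identical rules, appended instead of inserted, drop the very connection you intended to allow.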

Incoming Firewall
The Incoming Firewall feature is used for two primary purposes:

To allow external connections to your ClearOS system

To permanently block a particular IP address or entire networks from accessing ClearOS

Installation

This feature is part of the core system and is installed by default.


Configuration

Incoming Connections
When the firewall is enabled on your ClearOS system, the default behaviour is to block all external traffic coming to your server. If you want to run services on your ClearOS system that can be reached from the Internet, such as Dynamic DNS or Dynamic VPN, you need to add a firewall policy for them. For example, the OpenVPN feature requires UDP port 1194 to be open on the firewall.
You can also open ports to allow remote management of your ClearOS system. For example, you can open TCP port 81 to give access to Webconfig. If you do, restrict the source addresses as shown in the SSH/Webconfig example above rather than exposing the management interface to the whole Internet.
There are three ways to add an incoming firewall rule:
select a standard service in the Standard Services drop-down
input a protocol and a single port number in the Port Number box
input a protocol and a range of consecutive ports in the Port Range box
