Firewall IPTables


IPTables running on FMADIO Capture systems

FW: 7650+

IPTables, the Linux stateful firewall software, runs on the FMADIO devices. By default iptables is effectively disabled: the policy is ACCEPT for everything. In some scenarios a tighter security policy may be needed.

The iptables command works the same as on a standard Linux system. Please refer to the following link for documentation:

iptables man 8

Required Rules

FMADIO uses nginx with fcgi backends as well as proxy pass settings, which talk to each other over localhost. As such the iptables INPUT chain requires a localhost ACCEPT rule such as the following (shown as it appears in iptables -L -v -n output).

 3773  944K ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0

which can be added as follows

sudo iptables -I INPUT -s localhost -j ACCEPT

Without this INPUT ACCEPT rule the FMADIO GUI dashboards and status settings cannot be retrieved.

Persistent Configuration

After configuring iptables on the FMADIO Packet Capture device, the settings are lost each time the system is rebooted unless they have been saved.

We use the iptables-save and iptables-restore commands with the configuration file located at

/opt/fmadio/etc/iptables.conf

To save the current state run

fmadio@fmadio20v3-287:/mnt/store0/etc$ sudo iptables-save > iptables.conf
fmadio@fmadio20v3-287:/mnt/store0/etc$

This generates a file that looks like the following. It is the baseline recommended setting, allowing SSH, HTTP and HTTPS access only.

# Generated by iptables-save v1.6.1 on Wed Jan 19 19:09:33 2022
*mangle
:PREROUTING ACCEPT [10620:58020130]
:INPUT ACCEPT [9091:57235443]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10194:1992682]
:POSTROUTING ACCEPT [10194:1992682]
COMMIT
# Completed on Wed Jan 19 19:09:33 2022
# Generated by iptables-save v1.6.1 on Wed Jan 19 19:09:33 2022
*nat
:PREROUTING ACCEPT [1547:785695]
:INPUT ACCEPT [10:528]
:OUTPUT ACCEPT [733:74107]
:POSTROUTING ACCEPT [733:74107]
-A PREROUTING -i eno2 -p tcp -m tcp --dport 7010 -j DNAT --to-destination 192.168.20.215:22
-A POSTROUTING -o eno2 -j MASQUERADE
COMMIT
# Completed on Wed Jan 19 19:09:33 2022
# Generated by iptables-save v1.6.1 on Wed Jan 19 19:09:33 2022
*filter
:INPUT DROP [98:13320]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10194:1992682]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Jan 19 19:09:33 2022

After editing or modifying the iptables.conf file, the result can be tested by loading it with the command below (the file path must match the one used when saving).

sudo iptables-restore < /opt/fmadio/etc/iptables.conf

Example output shown below

fmadio@fmadio100v2-228U:~$ sudo iptables-restore < /opt/fmadio/etc/iptables.conf
fmadio@fmadio100v2-228U:~$
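The two points above, the mandatory localhost ACCEPT rule and the save/restore cycle, are easy to get wrong by hand: a dump that lost the loopback rule breaks the GUI, and a dump that lost the port 22 rule locks out the SSH session doing the editing. The following is an added example script (not FMADIO's own tooling) that writes a baseline *filter table in iptables-save format for a given list of TCP ports and sanity-checks a dump before it is handed to iptables-restore. It generates only the filter table, not the mangle or nat tables shown in the page's dump; iptables-restore replaces only the tables present in the file, so the other tables are left untouched. The function names and the use of mktemp are assumptions of this example; the CONF path is the one documented above.

```shell
#!/bin/sh
# Added example, not FMADIO's own tooling. Builds a baseline filter table in
# iptables-save format and checks a dump for the rules that must be present.
# Only the final "apply" line (commented out) touches iptables.

CONF=/opt/fmadio/etc/iptables.conf   # path documented on the page

# Print a *filter table to stdout: accept loopback, the listed TCP ports and
# established flows; drop everything else arriving on INPUT.
gen_filter_table() {
    # $@: TCP ports to allow, e.g. 22 80 443
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -s 127.0.0.1/32 -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED -j ACCEPT' 'COMMIT'
}

# Return 0 if the dump in $1 carries the localhost INPUT ACCEPT rule the GUI
# needs (either the 127.0.0.1/32 form iptables-save writes or a bare 127.0.0.1).
has_localhost_rule() {
    grep -Eq '^-A INPUT -s 127\.0\.0\.1(/32)? -j ACCEPT$' "$1"
}

# Return 0 if the dump in $1 still accepts SSH on TCP port 22.
has_ssh_rule() {
    grep -Eq '^-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT$' "$1"
}

# Validate a dump file before restoring it; prints the problem and returns 1
# on the first failure.
check_dump() {
    f=$1
    has_localhost_rule "$f" || { echo "missing localhost INPUT ACCEPT rule in $f" >&2; return 1; }
    has_ssh_rule "$f"       || { echo "missing SSH (port 22) ACCEPT rule in $f" >&2; return 1; }
    grep -q '^COMMIT$' "$f" || { echo "no COMMIT line in $f" >&2; return 1; }
    return 0
}

# Usage on the device (as root): generate, check, then load.
#   gen_filter_table 22 80 443 > "$CONF" && check_dump "$CONF" && iptables-restore < "$CONF"
```

Run check_dump against iptables.conf after every manual edit and before calling iptables-restore; a missing loopback or SSH rule is reported on stderr and the non-zero exit status stops a chained restore from running.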