Firewall IPTables

FW: 7650+

IPTables the linux statefull firewall software runs on the FMADIO devices. By default iptables is disabled / ACCEPT for everything. In some scenarios a tighter security policy may be needed

The iptables command works same on a standard Linux system. Please refer to the following link for documentation

iptables(8) - Linux man page

Required Rules

FMADIO uses nginx and fcgi backens as well as proxy pass settings. As such IPTABLES requires an INPUIT localhost ACCEPT rule such as the following.

 3773  944K ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0

which can be added as follows

sudo iptables -I INPUT -s localhost -j ACCEP

Without this INPUT ACCEPT rule the FMADIO GUI dashboards and status settings can not be retrieved.

Persistent Configuration

After configuring the IPTABLES setup on the FMADIO Packet Capture device, the settings will be lost each time the system is rebooted.

We use iptables-save and iptables-restore command with the configuration file located

/opt/fmadio/etc/iptables.conf

To save the current state run

fmadio@fmadio20v3-287:/mnt/store0/etc$ sudo iptables-save > iptables.conf
fmadio@fmadio20v3-287:/mnt/store0/etc$

This will generate a the looks like the following. This is a baseline recommended setting for SSH, HTTP and HTTPS access only.

# Generated by iptables-save v1.6.1 on Wed Jan 19 19:09:33 2022
*mangle
:PREROUTING ACCEPT [10620:58020130]
:INPUT ACCEPT [9091:57235443]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10194:1992682]
:POSTROUTING ACCEPT [10194:1992682]
COMMIT
# Completed on Wed Jan 19 19:09:33 2022
# Generated by iptables-save v1.6.1 on Wed Jan 19 19:09:33 2022
*nat
:PREROUTING ACCEPT [1547:785695]
:INPUT ACCEPT [10:528]
:OUTPUT ACCEPT [733:74107]
:POSTROUTING ACCEPT [733:74107]
-A PREROUTING -i eno2 -p tcp -m tcp --dport 7010 -j DNAT --to-destination 192.168.20.215:22
-A POSTROUTING -o eno2 -j MASQUERADE
COMMIT
# Completed on Wed Jan 19 19:09:33 2022
# Generated by iptables-save v1.6.1 on Wed Jan 19 19:09:33 2022
*filter
:INPUT DROP [98:13320]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10194:1992682]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Jan 19 19:09:33 2022

To remove persistent IPTABLES setting, delete the /opt/fmadio/etc/iptables,conf file and reboot the system

IPMI BMC Firewall

The firewall on the IPMI/BMC is a bit trickier, as there's no direct access to iptables and manipulation needs to be done using a very unfriendly ipmitool raw access.

IPMI does have firewall manipulation GUI but its impossible to use due to how it works. Theres no way to set a Policy on INPUT rules, instead you need to drop everything and build up the chain. Below is the final iptables rules we want to create.

As you can see its a bit bastardized.. but theres no choice as each rule is always added to the top of chain.

Our goal is to DROP everything, except SSH, HTTPS and IPMITOOL traffic.

1) Reset IPMI BMC Firewall

Start by resetting the BMC firewall state entirely. This effectively resets iptables to the default state

fmadio@fmadio100v2-228U:~$ sudo ipmitool raw 0x32 0x76 0x8

fmadio@fmadio100v2-228U:~$

And then confirm this by listing the total number of Firewall rules as follows

fmadio@fmadio100v2-228U:~$ sudo ipmitool raw 0x32 0x77 0x0
 00
fmadio@fmadio100v2-228U:~$

The value returned should be 00 indicating there are NO custom firewall rules.

NOTE: This can be used to clear/reset firewall settings if a mistake is made

2) Drop everything

Next we need to drop everything, as we are building the rules backwards. This is also the reason we cant use the GUI. It wont let you set a network of 0.0.0.0/0 and once you set that the GUI is no longer accessible.

As such we need to use ipmitool on the FMADIO Packet Capture device directly as we build up the rules.

fmadio@fmadio100v2-228U:~$ sudo ipmitool raw 0x32 0x76 0x01 0x00 0x00 0x00 0x00 0x00 0xff 0xff 0xff 0xff

fmadio@fmadio100v2-228U:~$

The command above adds the drop everything rule to the system, this equates to the following in iptables.

Can confirm its working correctly by checking the total number of firewall rules as follows. The returned value should be 1

fmadio@fmadio100v2-228U:~$ sudo ipmitool raw 0x32 0x77 0x0
 01
fmadio@fmadio100v2-228U:~$

3) Enable SSH access

Next we will add SSH access to the firewall rules. This allows SMASH or shell access to the BMC device itself.

The following command opens TCP Port 22 (0x16 0x00 == 22 in hex bigedian format)

fmadio@fmadio100v2-228U:~$ sudo ipmitool raw 0x32 0x76 0x02 0x01 0x00 0x16 0x00

fmadio@fmadio100v2-228U:~$

This adds the following iptables rule

Then confirm there are 2 firewall rules enabled.

fmadio@fmadio100v2-228U:~$ sudo ipmitool raw 0x32 0x77 0x0
 02
fmadio@fmadio100v2-228U:~$

At this point you can SSH into the BMC to confirm access is working correctly

4) Enable HTTPS access

Next add HTTPS access enabling the IPMI BMC Web client to be accessed.

fmadio@fmadio100v2-228U:~$  sudo ipmitool raw 0x32 0x76 0x02 0x01 0x00 0xbb 0x01

fmadio@fmadio100v2-228U:~$

This equates to the following iptables rules

At this point the IPMI BMC Webpage can be used such as the following

5) Add ipmitool access

Finally add ipmitool access which is on UDP port 623

fmadio@fmadio100v2-228U:~$ sudo ipmitool raw 0x32 0x76 0x02 0x01 0x01 0x6f 0x02

fmadio@fmadio100v2-228U:~$

And the related iptables rule

This enable ipmitool to work over the network, which can be extremely critical and helpful when troubleshooting problems. Such as the following

aaron@ingress:~$ ipmitool -U admin -P secret -H 192.168.2.173 power status
Chassis Power is on
aaron@ingress:~$

Conclusion

While its quite cumbersome to use ipmitool raw mode to add and remove all these filters, the net result is a fairly secure BMC locked down with standard linux iptables.

Any questions or trouble please contact support.