
ACS firewall example

James Harrison edited this page Aug 20, 2016 · 2 revisions

As a starting point the following ferm configuration can be used to configure iptables.

This configuration requires you to set the IP ranges and interfaces that your ACS servers will use. The CPE and NBI sides can share an interface if they use different address ranges, but they must never share a range: the NBI must not be reachable by CPEs, ever. SSH is likewise restricted to the NBI side.

Adjust the ports if you're running GenieACS behind something like nginx to perform TLS termination or HTTP Basic authentication.

# GenieACS example ferm config
# Don't run this blindly! Read it and understand it.

# The interface(s) your CPEs will contact this box on
@def $CPE_DEV = (eth0);
# Leave this empty () if you have no v6 management
@def $CPE_V6 = (2001:470:dead:beef::0/32);
# Your CPE range
@def $CPE_V4 = (10.0.0.0/24);
# Combined list; @ipfilter() below keeps only the addresses that belong to the current domain (ip or ip6)
@def $CPE_RANGES = ($CPE_V4 $CPE_V6);

# The interface(s) your NBI clients will contact this box on - also used to allow ssh
@def $NBI_DEV = (eth1);
# NBI ranges - these must not overlap the CPE ranges (the v6 placeholder below is the same as above; use a distinct prefix)
@def $NBI_V6 = (2001:470:dead:beef::0/32);
@def $NBI_V4 = (10.0.1.0/24);
@def $NBI_RANGES = ($NBI_V4 $NBI_V6);
# Basic configuration - set the rules up so we drop all incoming, allow all outgoing, drop all forwarding, with conntracking
domain (ip ip6) {
  table filter {
    chain INPUT {
      policy DROP;

      # connection tracking
      mod state state INVALID DROP;
      mod state state (ESTABLISHED RELATED) ACCEPT;

      # allow local/loopback packets
      interface lo ACCEPT;

      # respond to ping for diagnostics
      # NOTE: if you manage CPEs over IPv6 you must also accept the ICMPv6 neighbour
      # discovery types, otherwise v6 will not function under the DROP policy
      proto icmp icmp-type echo-request ACCEPT;

      # permit CPE communication - only on the CPE interface, only from CPE ranges
      interface $CPE_DEV saddr @ipfilter($CPE_RANGES) @subchain "cpe_traffic" {
        # allow CWMP (7547) and fileserver (7567) access
        proto tcp dport (7547 7567) ACCEPT;
      }

      # permit NBI and management traffic - only on the NBI interface, only from NBI ranges
      interface $NBI_DEV saddr @ipfilter($NBI_RANGES) @subchain "nbi_traffic" {
        # allow SSH connections
        proto tcp dport ssh ACCEPT;
        # allow NBI access
        proto tcp dport 7557 ACCEPT;
      }

    }
    chain OUTPUT {
      policy ACCEPT;

      # connection tracking
      mod state state INVALID DROP;
      mod state state (ESTABLISHED RELATED) ACCEPT;
    }
    chain FORWARD {
      policy DROP;

      # connection tracking
      mod state state INVALID DROP;
      mod state state (ESTABLISHED RELATED) ACCEPT;
    }
  }
}

Once you've put your config in /etc/ferm/ferm.conf (on Ubuntu/Debian) you can check it without applying anything using ferm --noexec /etc/ferm/ferm.conf, then load it with service ferm restart, and validate that it applied correctly with iptables -L or iptables -S (and ip6tables -S for the ip6 domain).
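Reading iptables -S by eye is error-prone, and the property you actually care about is that the NBI and SSH ports are only ever ACCEPTed for traffic arriving on the NBI interface from NBI ranges. The script below is an added example (not part of the GenieACS wiki or the ferm project) that parses an iptables -S dump, follows jumps into ferm's subchains, and reports any port accepted outside its intended side. The sample dump is constructed by hand to resemble what ferm generates from the config above; the interface names, ranges and option order are assumptions, so adjust CPE_SIDE and NBI_SIDE and feed it the real output of iptables -S.

```python
"""Audit an `iptables -S` dump against the ACS firewall intent.

Added example, not code from the GenieACS wiki or ferm.  It checks that:
  * INPUT and FORWARD policies are DROP,
  * SSH (22) and NBI (7557) are accepted only on the NBI side,
  * CWMP (7547) and fileserver (7567) are accepted only on the CPE side.
Only port-specific ACCEPTs are considered; the loopback and conntrack
ACCEPT rules are deliberately ignored by this audit.
"""
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of `iptables -S` output (assumption: roughly what ferm
# emits for the wiki config; real output may differ in option order).
SAMPLE_DUMP = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N cpe_traffic
-N nbi_traffic
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -i eth0 -j cpe_traffic
-A INPUT -s 10.0.1.0/24 -i eth1 -j nbi_traffic
-A cpe_traffic -p tcp -m multiport --dports 7547,7567 -j ACCEPT
-A nbi_traffic -p tcp -m tcp --dport 22 -j ACCEPT
-A nbi_traffic -p tcp -m tcp --dport 7557 -j ACCEPT
"""

CPE_SIDE = ("eth0", "10.0.0.0/24")   # assumed CPE interface and source range
NBI_SIDE = ("eth1", "10.0.1.0/24")   # assumed NBI interface and source range


@dataclass
class Rule:
    chain: str
    in_if: Optional[str] = None
    src: Optional[str] = None
    dports: set = field(default_factory=set)
    target: Optional[str] = None


def parse_dump(text):
    """Return (policies, rules-by-chain) parsed from `iptables -S` text."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":                      # built-in chain policy
            policies[tok[1]] = tok[2]
        elif tok[0] == "-N":                    # user-defined chain declaration
            chains.setdefault(tok[1], [])
        elif tok[0] == "-A":                    # appended rule
            r = Rule(chain=tok[1])
            i = 2
            while i < len(tok):
                opt = tok[i]
                if opt == "-i":
                    r.in_if = tok[i + 1]; i += 2
                elif opt == "-s":
                    r.src = tok[i + 1]; i += 2
                elif opt in ("--dport", "--dports"):
                    r.dports = {int(p) for p in tok[i + 1].split(",")}; i += 2
                elif opt == "-j":
                    r.target = tok[i + 1]; i += 2
                elif opt in ("-p", "-m", "--state", "--icmp-type"):
                    i += 2                      # option with one argument we ignore
                else:
                    i += 1
            chains.setdefault(r.chain, []).append(r)
    return policies, chains


def accepted_contexts(chains, port, chain="INPUT", in_if=None, src=None):
    """Collect (interface, source) pairs under which `port` reaches a
    port-specific ACCEPT.  Jumps into user chains inherit the interface and
    source matched on the way in; None means 'any'."""
    found = set()
    for r in chains.get(chain, []):
        ctx_if, ctx_src = r.in_if or in_if, r.src or src
        if r.dports and port not in r.dports:
            continue
        if r.target == "ACCEPT" and r.dports:
            found.add((ctx_if, ctx_src))
        elif r.target in chains:                # follow the jump into a subchain
            found |= accepted_contexts(chains, port, r.target, ctx_if, ctx_src)
    return found


def audit(text):
    """Return a list of findings; an empty list means the intent holds."""
    policies, chains = parse_dump(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    for port in (22, 7557):
        for ctx in accepted_contexts(chains, port):
            if ctx != NBI_SIDE:
                findings.append(f"port {port} accepted outside NBI side: {ctx}")
    for port in (7547, 7567):
        for ctx in accepted_contexts(chains, port):
            if ctx != CPE_SIDE:
                findings.append(f"port {port} accepted outside CPE side: {ctx}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP) or ["no findings: rule set matches intent"]:
        print(finding)
```

Run it against a live host with iptables -S piped into audit() (and ip6tables -S with the v6 ranges in CPE_SIDE/NBI_SIDE). A finding whose context shows None for the interface means a subchain is reachable from any interface, i.e. the saddr match alone is doing all the work and would be defeated by a spoofed source on the CPE side.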