icom OS Routers - Netfilters
  • 19 Sep 2024
  • PDF

icom OS Routers - Netfilters

  • PDF

Article summary

Netfilters

The netfilters in the router manipulate and block all data packets on their way from the sender interface to the destination interface as shown in the following sketch. The netfilters consist of NAT (Network Address Translation) and IP filter (Firewall) rules.

All data packets arriving at the interface pass through all destination NAT (DNAT) rules of the table PREROUTING in sequence and will then be manipulated and forwarded accordingly when the first rule applies.

All data packets not directed to the router run through the rules of the Filter table of the FORWARD chain and will be allowed to pass (are permitted to pass the firewall) as soon as a rule applies. This is the case for example, if a locally connected device sends data to the Internet.

All data packets directed to the router run through the rules of the Filter table of the INPUT chain and will be allowed to pass (are permitted to pass the firewall) to the router as soon as a rule applies. This is the case for example, if the web interface of the router is accessed or the DHCP or VPN server of the router is contacted.

All data packets generated by the router run through the rules of the Filter table of the OUTPUT chain and will be allowed to pass (are permitted to pass the firewall) as soon as a rule applies. This is the case for example, if the router makes NTP or DNS requests or initiates a tunnel.

All data packets which leave the chains OUTPUT and FORWARD, pass through all source NAT (SNAT) rules of the table POSTROUTING in sequence and will then be manipulated and forwarded to the interface accordingly when the first rule applies.

The netfilter rules defined in the router can be displayed in the Status menu on the iptables page in the classic web interface.

Example for a NAT rule for port forwarding

A control (IP address 192.168.5.31) in the machine network (net2) shall be accessed via the local company network (net3) from a PC (IP address 192.168.200.156). The communication port is TCP port 102. The router is the link between both networks and has the IP address 192.168.5.1 in the machine network and the IP address 192.168.200.189 in the company network. The PC in the company network addresses the company network address of the router (192.168.200.189); everything else will be done by the router. A destination NAT rule and an IP filter rule are necessary for this.

The destination NAT rule (port forwarding rule) must be defined as follows:

  • Description: Forward to control

  • Type: Portforward

  • Protocol: TCP

  • Input interface: net3 (over which the packet reaches the router)

  • Destination port: 102

  • Destination NAT to address: 192.168.5.31

  • Destination NAT to port: 102

The IP filter rule (firewall rule) must be defined as follows:

  • Description: Forward to control

  • Packet direction: FORWARD

  • IP version: all

  • Protocol: TCP

  • Input interface: net3 (over which the packet reaches the router)

  • Output interface: net2 (over which the packet leaves the router)

  • Source IP address: 192.168.200.156 / 32

  • Source port: (field remains empty)

  • Destination IP address: 192.168.5.31 / 32

  • Destination port: 102

Notes:

  • Port forwarding is only necessary if no routing for the machine network is configured from the company network.

  • The device in the company network communicates always with the  company network address of the router and not with the machine network  address of the control.

  • No source port is entered in the IP filter rule since this will be  determined dynamically by the respective device and is not predictable  therefore.

  • If it shall be possible to access the control from more than one device in the company network, the field Source IP address must be modified. Two examples for this:

    • Source IP address: 192.168.200.0 / 24 (permits all devices from the company network: IP addresses 192.168.200.1 to 192.168.200.254)

    • Source IP address: 192.168.200.64 / 26 (permits the following devices from the company network: IP addresses 192.168.200.65 to 192.168.200.126)

  • The IP address over which the router receives the packet (192.168.200.189) is not used as Destination IP address  of the IP filter rule, but the IP address modified by the DNAT rule  (192.165.5.31), because the DNAT rule is applied before the IP filter  rule.

  • INSYS Network Info Tool for calculating IP addresses and netmasks

Examples for typical IP filter (Firewall) rules

A few exemplary IP filter (Firewall) rules as they are also created by the wizards are shown in the following. If you want to commission your router without wizard support, you can use these rules as a guide depending on the application.

Rules for general router functions (already present in default settings)

active

Type

IP version

Protocol

from

to

Description

Comment

INPUT

all

TCP

net1

port: 80

Config port: allow HTTP interface

Allows local access to the web interface via HTTP

INPUT

all

TCP

net1

port: 443

Config port: allow HTTPS interface

Allows local access to the web interface via HTTPS

OUTPUT

all

TCP

all, port: 443

INSYS Update Server: allow HTTPS

Enables FW download from update server

Rules for general router functions

active

Type

IP version

Protocol

from

to

Description

Comment

INPUT

all

TCP

net1, net2

port: 22

Local access to command line via SSH

Allows local access to the CLI via SSH

INPUT

all

ICMP

net1, net2

ICMP pings from the local net

Enables to "ping" the participants in the local network

INPUT

all

UDP

net1

port: 67

DHCP queries from the local net

Enables to receive DHCP requests from the local network - necessary, if the router shall act as DHCP server

INPUT

all

UDP

net1, net2

port: 53

DNS queries from the local net

Enables to receive DNS requests from the local network - necessary, if the router shall act as DNS relay

INPUT

all

TCP

net1, net2

port: 53

DNS queries from the local net

Enables to receive DNS requests from the local network - necessary, if the router shall act as DNS relay

INPUT

all

UDP

net1, net2

port: 123

NTP queries from the local net

Enables to receive NTP requests from the local network - necessary, if the router shall act as NTP time server

OUTPUT

all

UDP

net1, port: 68

DHCP responses to the local net

Enables DHCP replies in the local network - necessary, if the router shall act as DHCP server

OUTPUT

all

UDP

lte2, port: 53

DNS queries sent by the router

Enables DNS requests of the router in the WAN (cellular connection via lte2) - necessary, if the router shall act as DNS relay

OUTPUT

all

TCP

lte2, port: 53

DNS queries sent by the router

Enables DNS requests of the router in the WAN (cellular connection via lte2) - necessary, if the router shall act as DNS relay

OUTPUT

all

UDP

lte2, port: 123

NTP queries sent by the router

Enables NTP requests of the router in the WAN (cellular connection via lte2) - necessary, if the router shall update its system time

OUTPUT

all

UDP

net3, port: 53

DNS queries sent by the router

Enables DNS requests of the router in the WAN (network connection via net3) - necessary, if the router shall act as DNS relay

OUTPUT

all

TCP

net3, port: 53

DNS queries sent by the router

Enables DNS requests of the router in the WAN (network connection via net3) - necessary, if the router shall act as DNS relay

OUTPUT

all

UDP

net3, port: 123

NTP queries sent by the router

Enables NTP requests of the router in the WAN (network connection via net3) - necessary, if the router shall update its system time

Rules for the communication between the networks and the WAN

active

Type

IP version

Protocol

from

to

Description

Comment

FORWARD

all

all

net1, net2

net1, net2

Traffic between the local nets

Enables communication between the networks net1 and net2

FORWARD

all

all

net1, net2

lte2

Traffic from local net into the WAN

Enables the communication between the networks net1 or net2 and the WAN (cellular connection via lte2)

FORWARD

all

all

net1, net2

net3

Traffic from local net into the WAN

Enables the communication between the networks net1 or net2 and the WAN (network connection via net3)

Rules for OpenVPN connections to the icom Connectivity Suite

active

Type

IP version

Protocol

from

to

Description

Comment

OUTPUT

all

UDP

port: 2043

OpenVPN (tunnel establishment)

Enables to establish VPN connections to the icom Connectivity Suite and key exchange

OUTPUT

all

all

openvpn1

Traffic through the OpenVPN tunnel sent by the router

Enables to send all data through VPN tunnel openvpn1

INPUT

all

all

openvpn1

Traffic through the OpenVPN tunnel to the router

Enables to receive all data through VPN tunnel openvpn1

FORWARD

all

all

net1

openvpn1

Traffic from the local net1 through the OpenVPN tunnel

Enables to route all data from the local network net1 through VPN tunnel openvpn1

FORWARD

all

all

net2

openvpn1

Traffic from the local net2 through the OpenVPN tunnel

Enables to route all data from the local network net2 through VPN tunnel openvpn1

FORWARD

all

all

openvpn1

net1

Traffic through the OpenVPN tunnel to the local net1

Enables to route all data through VPN tunnel openvpn1 into the local network net1

FORWARD

all

all

openvpn1

net2

Traffic through the OpenVPN tunnel to the local net2

Enables to route all data through VPN tunnel openvpn1 into the local network net2

Rules for OpenVPN connections

active

Type

IP version

Protocol

from

to

Description

Comment

OUTPUT

all

UDP

port: 1194

lte2, port: 1194

OpenVPN (tunnel establishment)

Enables to establish VPN connections and key exchange

OUTPUT

all

all

openvpn1

Traffic through the OpenVPN tunnel sent by the router

Enables to send all data through VPN tunnel openvpn1

INPUT

all

all

openvpn1

Traffic through the OpenVPN tunnel to the router

Enables to receive all data through VPN tunnel openvpn1

FORWARD

all

all

net1, net2

openvpn1

Traffic from the local net through the OpenVPN tunnel

Enables to route all data from the local networks net 1 or net2 through VPN tunnel openvpn1

FORWARD

all

all

openvpn1

net1, net2

Traffic through the OpenVPN tunnel to the local net

Enables to route all data through VPN tunnel openvpn1 into the local networks net1 or net2

Rules for IPsec connections

active

Type

IP version

Protocol

from

to

Description

Comment

OUTPUT

all

UDP

lte2, port: 500

IPsec (tunnel establishment)

Enables to establish IPsec connections and key exchange (cellular connection via lte2)

OUTPUT

all

ESP

lte2

IPsec protocol ESP

Enables IPsec tunnel establishment (cellular connection via lte2)

OUTPUT

all

UDP

lte2, port: 4500

IPsec UDP Port 4500 (NAT traversal)

Enables to establish IPsec connections and key exchange when using NAT traversal (cellular connection via lte2)

INPUT

all

UDP

lte2

port: 500

IPsec (tunnel establishment)

Enables to establish IPsec connections and key exchange (cellular connection via lte2)

INPUT

all

ESP

lte2

IPsec protocol ESP

Enables IPsec tunnel establishment (cellular connection via lte2)

INPUT

all

UDP

lte2

port: 4500

IPsec UDP Port 4500 (NAT traversal)

Enables to establish IPsec connections and key exchange when using NAT traversal (cellular connection via lte2)

OUTPUT

all

UDP

net3, port: 500

IPsec (tunnel establishment)

Enables to establish IPsec connections and key exchange (network connection via net3)

OUTPUT

all

ESP

net3

IPsec protocol ESP

Enables IPsec tunnel establishment (network connection via net3)

OUTPUT

all

UDP

net3, port: 4500

IPsec UDP Port 4500 (NAT traversal)

Enables to establish IPsec connections and key exchange when using NAT traversal (network connection via net3)

INPUT

all

UDP

net3

port: 500

IPsec (tunnel establishment)

Enables to establish IPsec connections and key exchange (network connection via net3)

INPUT

all

ESP

net3

IPsec protocol ESP

Enables IPsec tunnel establishment (network connection via net3)

INPUT

all

UDP

net3

port: 4500

IPsec UDP Port 4500 (NAT traversal)

Enables to establish IPsec connections and key exchange when using NAT traversal (network connection via net3)

OUTPUT

all

all

ipsec1

Traffic through the IPsec tunnel sent by the router

Enables to send all data through IPsec tunnel ipsec1

INPUT

all

all

ipsec1

Traffic through the IPsec tunnel to the router

Enables to receive all data through IPsec tunnel ipsec1

FORWARD

all

all

net1, net2

ipsec1

Traffic from the local net through the IPsec tunnel

Enables to route all data from the local networks net 1 or net2 through IPsec tunnel ipsec1

FORWARD

all

all

ipsec1

net1, net2

Traffic through the IPsec tunnel to the local net

Enables to route all data through IPsec tunnel ipsec1 into the

MAC filter

A MAC filter is a security function that controls the access to the network using the MAC address of the devices in the network. The MAC address is a hardware address and serves for the positive identification of a network adapter. This allows to restrict the data traffic to certain network devices and the individual IP networks of the router. Only the data traffic via Ethernet connections is restricted with this, connections through tunnels or via cellular radio for example will not be restricted with this. It must be observed for routed connections between two network devices that the MAC addresses of both participants must be permitted.

Security limits: The user should be aware that the actually unique MAC address of a device in the network can be modified with (depending on the device) little effort. If the MAC address of a certain device in the network is permitted, this means that another device can also penetrate the MAC filter, if the permitted MAC address is assigned to it. It is important to remember that MAC filters are only applied when routing across networks and do not block data traffic in the own network.

Default settings contain one MAC filter rule already that permits data traffic with the MAC address FF:FF:FF:FF:FF:FF to all IP networks of the router. The MAC address FF:FF:FF:FF:FF:FF is the broadcast address for ARP (Address Resolution Protocol). Without this rule and activated MAC filters, no ARP requests would be possible for example that are used by the router to determine the assignment between IP and MAC address of the network devices.


Was this article helpful?