userdoc:tt_firewall_plugins

Firewall Plugins

AstLinux provides an IPv4 / IPv6 Stateful Filtering Firewall, based on the excellent Arno's IPTABLES Firewall (AIF) script, developed by Arno van Amersfoort.

A feature of AIF is firewall plugins that can add specific functionality outside of the core script. Firewall Plugins can be managed by selecting the Network Tab in the web interface.
Network Tab

Network tab

Note: Some plugins are automatically enabled and configured when the corresponding feature is enabled in AstLinux. For example, if the IPSec VPN is enabled, the ipsec-vpn plugin will be automatically enabled when the firewall is restarted, regardless how ENABLED is defined in the plugin's configuration.

Below is a list of AIF firewall plugins supported in AstLinux.

This plugin parses a log file (/var/log/messages by default) for failed access noting offending IP addresses, then ban each IP address after multiple failed attempts. This is similar to how Fail2ban works, but optimized to work on embedded platforms like AstLinux.

If you allow common services, in particular SIP or SSH, from the public internet, it is highly recommended to enable this plugin.

This plugin allows forwarding of all unhandled traffic to a “DMZ” host. This implements a common feature found in residential grade routers. Note that the “DMZ” host does not necessarily have to be defined off the DMZ interface, any internal static IPv4 address will work.

This could be useful when AstLinux is primarily used as a SIP endpoint and a customer had a pre-existing router and network, an AstLinux box could be inserted before the pre-existing router and the pre-existing router's WAN port connected to AstLinux's LAN/DMZ. The pre-existing router's WAN IPv4 address could be defined as the “DMZ” host in this plugin. Any IPv4 traffic not handled by the AstLinux box itself would be redirected to the pre-existing router's WAN IPv4 address.

Not commonly used.

(IPv4-only)

This implements support to access (A)DSL PPP modem internal configurations.

In cases when PPPoE is used as the transport to the modem, special firewall settings are often necessary to access the internal Web or Telnet servers used to configure (A)DSL PPP modems. Usually define MODEM_IF, MODEM_IP and MODEM_INTERNAL_NET in the plugin configuration.

Note, this plugin should not be enabled unless both, AstLinux is configured to use PPPoE and TCP/IP configuration is available in the modem.

(IPv4-only)

This plugin provides EXT→Local firewall 'host-open' rules using hostnames (via periodic DNS lookups) rather than static IPv4 addresses. Should the hostname resolve to multiple IPv4 addresses, a rule for each address will be opened.

If you allow common services, in particular SIP or SSH, only from public dynamic IPv4 addresses, it is highly recommended to enable this plugin and don't allow these services from the public by default.

(IPv4-only)

Note: this plugin is not available until AstLinux 1.2.10 and later.
This plugin provides EXT→LAN firewall 'ipv6-forward' rules using hostnames (via periodic DNS lookups) rather than static IPv6 addresses. Should the hostname resolve to multiple IPv6 addresses, a rule for each address will be opened.

Tip -> A custom ddclient config may be used to publish local servers with dynamic DNS AAAA records.

(IPv6-only)

Note: this plugin is not available until AstLinux 1.2.10 and later.
This plugin provides EXT→Local firewall 'ipv6-open' rules using hostnames (via periodic DNS lookups) rather than static IPv6 addresses. Should the hostname resolve to multiple IPv6 addresses, a rule for each address will be opened.

If you allow common services, in particular SIP or SSH, only from public dynamic IPv6 addresses, it is highly recommended to enable this plugin and don't allow these services from the public by default.

Tip -> Similar functionality as the IPv4 dyndns-host-open plugin except using IPv6 with AAAA DNS records.

(IPv6-only)

This implements Intrusion-Detection-System (IDS) protection. It will block remote hosts trying to scan/access your system on firewalled ports.

Automatically Enabled
This plugin adds all required rules for using the IPSec VPN.

The firewall must be enabled for the IPSec VPN to properly function.

Automatically Enabled
This plugin opens the (IPv4) protocols to enable IPv6 tunneling.

This plugin allows you to select the MAC addresses that are allowed access for the specified internal interfaces.

Before using this plugin, instead consider Network → Configure DNS Hosts mapping allowed MAC addresses to IP addresses in a range that can be allowed using normal firewall rules. Neither of these methods are perfect or secure, but can add some useful access control.

Automatically Enabled
Setup of the iptables chains that the miniupnpd daemon manages.

(IPv4-only)

This plugin enables IP multirouting (load balancing). Note that it does not support redundant connections (fallback when one of the links is down). This is not a limitation of this plugin, but of the current Linux kernel that does not currently support that feature.

Not commonly used.

Note: this plugin is not available until AstLinux 1.0.6 and later.
This plugin allows local networks to access NAT'ed hosts/ports, called NAT Loopback, using the existing NAT_FORWARD_TCP and NAT_FORWARD_UDP rules. Local nets may be able to use the external IPv4 address and port to access NAT forwarded internal servers.

(IPv4-only)

Note: this plugin is not available until AstLinux 1.3.0 and later.
Commonly used with static assigned ULA (Unique Local IPv6 Unicast Addresses) (RFC4193) prefixes on local networks and perform a 1:1 mapping to a GUA (IPv6 Global Unicast Address) (RFC3587) prefix provided by your ISP. Should the GUA prefix change, the local ULA prefix can remain the same.

(IPv6-only)

Note: this plugin is not available until AstLinux 1.0.6 and later.
Automatically Enabled
This plugin adds all required rules for using an OpenVPN Server.

The firewall must be enabled for the OpenVPN Server to properly function.

Note: this plugin is not available until AstLinux 1.0.6 and later.
When a NAT'ed external interface has multiple IPv4 addresses, it may be desirable to specify which internal IP's or CIDR's use which external IPv4 addresses for outbound connections.

(IPv4-only)

Note: this plugin is not available until AstLinux 1.2.5 and later.
This plugin loads the required kernel modules for PPTP VPN Clients to access remote PPTP VPN Server(s) when NAT is enabled.

(IPv4-only)

Note: this plugin has been removed for AstLinux 1.3.8 and later.

Note: this plugin is not available until AstLinux 1.2.0 and later.
This plugin adds SIP User-Agent filtering, no packets are allowed by this plugin, only denied. This plugin monitors inbound (EXT→Local) SIP sessions on specified ports.

If SIP_USER_AGENT_PASS_TYPES is defined with a list of space separated User-Agent matches, non-matching User-Agent packets will be dropped. (Whitelist)

Otherwise if SIP_USER_AGENT_DROP_TYPES is defined with a list of space separated User-Agent matches, matching User-Agent packets will be dropped. (Blacklist)

This plugin will have no effect on TLS encrypted SIP sessions, only unencrypted SIP sessions.

This plugin attempts to track the RTP ports used in a SIP dialog and automatically open the necessary RTP ports when needed.

In practice this plugin does not always yield the expected results. Feel free to experiment.

When this plugin is disabled (the default) the SIP RTP ports must be manually opened to match the Asterisk rtp.conf rtpstart/rtpend values.

In general, do not enable this plugin.

This plugin implements protecting for brute force cracking by limiting the amount of connection attempts for each source IP in specific time slot. It is primarily intended for SSH, though in principle it can be used for any TCP protocol, for example: FTP, SMTP, IMAP, etc. .

Users may find the adaptive-ban plugin a better solution for SSH.

Note: this plugin is not available until AstLinux 1.1.2 and later.
This plugin selectively blocks outgoing connections by MAC or IP address based on a local time schedule and day-of-week. Useful for blocking guest WiFi access during off-hours, children's curfew, etc. .

Automatically Enabled, additional configuration may be necessary.
This plugin will shape traffic using either htb or hfsc. It borrows heavily on the logic of Maciej Blizinski's original script, with some minor changes to the actual bins how traffic is classified. Additionally htb support from Kristian Kielhofner's astshape (similar to wondershaper) in much earlier AstLinux is implemented. Classification by DSCP class is automatically performed.

In most cases, it is recommended to enable this plugin via the Firewall tab of the web interface, start by choosing htb as the type.

This plugin enables transparent DNAT for internal hosts for certain ports, meaning you can redirect certain TCP/UDP ports (eg. HTTP) which should be redirected from a certain INET address to an internal address.

(IPv4-only)

This plugin enables transparent Proxy for internal hosts for certain ports, meaning you can redirect certain TCP/UDP ports (eg. HTTP) using a proxy server.

(IPv4-only)

Note: this plugin is not available until AstLinux 1.3.2 and later.
Automatically Enabled
This plugin adds all required rules for using the WireGuard VPN.

The firewall must be enabled for the WireGuard VPN to properly function.

  • userdoc/tt_firewall_plugins.txt
  • Last modified: 2021/06/30 10:19
  • by abelbeck