Firewall: nat, mangle?

sburina
Posts: 11
Joined: Tue 19. Jun 2018, 00:25

Firewall: nat, mangle?

Post by sburina »

Hi!

Is it possible to configure nat and mangle chains via the web firewall configurator? If not, is there a way to add some custom firewall rules in a local file that would be automatically merged with the configuration generated by the firewall editor?

Thank you!
Tobi
Community Moderator
Posts: 2812
Joined: Thu 5. Jan 2017, 13:24

Re: Firewall: nat, mangle?

Post by Tobi »

Yes.
You can manage your own rules and add them to the chain.
Your configuration will be loaded automatically at startup.
Regards,
Tobi


-----------------------------
wewoco.de
The forum for resellers, digital agencies, screen workers and mouse pushers
sburina
Posts: 11
Joined: Tue 19. Jun 2018, 00:25

Re: Firewall: nat, mangle?

Post by sburina »

Hello, and thank you for the reply!

I'm still not quite enlightened, please give me some more details. In the panel I see only INPUT, FORWARD and OUTPUT chains, all belonging to the main *filter chain. All the new chains I try to create are also nested under *filter.

I need to configure other root chains like *nat and *mangle, and some chains under those, like for instance PREROUTING and POSTROUTING.
If it's really possible, can you please provide a simple example?

If not, is there any way to put my own rules in the file, to be included when the firewall fires up? If yes, what would be the full path to that file?

Thank you!
Enigma
Posts: 258
Joined: Thu 2. Aug 2018, 19:18

Re: Firewall: nat, mangle?

Post by Enigma »

In the upper right corner of the firewall configuration page, there's a grey "Settings" button. It opens a modal with the following setting (among others):

Reload current rule sets

If you have done changes to iptables through CLI, you can initiate a reload of the current rules.

So I guess you can just modify the file and reload the complete rule set, but I haven't tried it yet, to be honest.

Cheers,
Jan
This message has been ROT-13 encrypted twice for higher security.
sburina
Posts: 11
Joined: Tue 19. Jun 2018, 00:25

Re: Firewall: nat, mangle?

Post by sburina »

Enigma wrote: Mon 22. Oct 2018, 21:47
In the upper right corner of the firewall configuration page, there's a grey "Settings" button. It opens a modal with the following setting (among others):

Reload current rule sets

If you have done changes to iptables through CLI, you can initiate a reload of the current rules.

So I guess you can just modify the file and reload the complete rule set, but I haven't tried it yet, to be honest.

Cheers,
Jan
Hello, Enigma!

I've tried it. When I add a firewall rule manually in the console, then reload via the web interface, my rule shows up. But... it only shows the rules in the *filter table; my *mangle and *nat table rules are nowhere to be seen (and yet, they are there, visible from the console: "iptables -t nat -vnL", or "iptables -t mangle -vnL"). I'm pretty sure, after all the testing, that the web firewall manager does not treat *nat and *mangle tables at all, which to be honest could be a good thing - it could be possible to have my custom rules (excluding *filter table) configured at boot, and KeyHelp shouldn't touch them when it applies its saved *filter table rules.
Alexander
Keyweb AG
Posts: 3810
Joined: Wed 20. Jan 2016, 02:23

Re: Firewall: nat, mangle?

Post by Alexander »

Hello sburina,

You are right, nat and mangle cannot be managed within the KeyHelp UI.

But you could import your nat and mangle rules by putting a little script into the folder:

/etc/network/if-pre-up.d/
For reference, there is already the 'keyhelp_load_rules' file which is responsible for importing the firewall rules on system-boot.
Every executable (chmod +x) file inside of this folder will be executed on boot.

Note: do not touch the 'keyhelp_load_rules' file, it may get overwritten by KeyHelp.
Best regards
Alexander Mahr

**************************************************************
Keyweb AG - The Hosting Brand
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************
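
An added example (not from the thread and not KeyHelp's own code) of the kind of script described in the post above: it loads an iptables-save format file holding only *nat and *mangle sections and refuses any file that names another table, because iptables-restore flushes every table present in its input. The rules-file path, the script name and the loopback-only trigger are assumptions.

```shell
#!/bin/sh
# Added example, e.g. saved as /etc/network/if-pre-up.d/custom_nat_mangle
# (hypothetical name; run-parts skips file names that contain a dot).
# Loads only *nat and *mangle rules so the KeyHelp-managed *filter table
# is never flushed or replaced by this script.

RULES="${RULES:-/etc/iptables/custom-nat-mangle.rules}"   # hypothetical path

# Print the table names (nat, mangle, ...) declared in an iptables-save file.
tables_in_file() {
    sed -n 's/^\*\([a-z]*\)[[:space:]]*$/\1/p' "$1"
}

# Succeed only if the file declares at least one table and nothing but
# nat/mangle. iptables-restore flushes every table named in its input,
# so a stray *filter section would wipe the panel's rules.
only_nat_mangle() {
    found=0
    for t in $(tables_in_file "$1"); do
        case "$t" in
            nat|mangle) found=1 ;;
            *) echo "refusing $1: contains table '$t'" >&2; return 1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# The script runs as root at boot, so the rules file must be a regular file
# (not a symlink) that is not writable by group or others.
safe_perms() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" in
        -????-??-?) return 0 ;;
        *) return 1 ;;
    esac
}

load_rules() {
    safe_perms "$RULES" || { echo "unsafe or missing: $RULES" >&2; return 1; }
    only_nat_mangle "$RULES" || return 1
    iptables-restore --test < "$RULES" || return 1   # parse without applying
    iptables-restore < "$RULES"                      # flushes nat/mangle only
}

# ifupdown sets IFACE for each interface it brings up; act on loopback only
# (assumption) so the rules are loaded a single time.
if [ "${IFACE:-}" = "lo" ]; then
    load_rules || echo "custom nat/mangle rules not loaded" >&2
fi
```

After boot, `iptables -t nat -vnL` and `iptables -t mangle -vnL` show whether the rules were applied.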
sburina
Posts: 11
Joined: Tue 19. Jun 2018, 00:25

Re: Firewall: nat, mangle?

Post by sburina »

Alexander wrote: Tue 23. Oct 2018, 18:24 But you could import your nat and mangle rules by putting a little script into the folder:

/etc/network/if-pre-up.d/
Thank you, Alexander, that's what I have done, successfully applied the custom rules. :)

Have a nice day!
sburina
Posts: 11
Joined: Tue 19. Jun 2018, 00:25

Re: Firewall: nat, mangle?

Post by sburina »

sburina wrote: Wed 24. Oct 2018, 15:51
Alexander wrote: Tue 23. Oct 2018, 18:24 But you could import your nat and mangle rules by putting a little script into the folder:

/etc/network/if-pre-up.d/
Thank you, Alexander, that's what I have done, successfully applied the custom rules. :)
Oops!
It worked from /etc/rc.local, but on Ubuntu 18.04 the scripts in /etc/network/if-pre-up.d/ don't get fired at all!
KeyHelp-managed rules don't get loaded either!
Please take note! We need a systemd service, explained with the example here:

https://nucco.org/2018/05/ubuntu-18-04- ... twork.html
Alexander
Keyweb AG
Posts: 3810
Joined: Wed 20. Jan 2016, 02:23

Re: Firewall: nat, mangle?

Post by Alexander »

Yes, you are correct; we already recognized this problem on Ubuntu 18 and will fix it with the upcoming version.
Best regards
Alexander Mahr

**************************************************************
Keyweb AG - The Hosting Brand
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************