UISP - Setting firewall on UISP devices
Introduction
This article explains how to configure a firewall using a web browser and applies to the following devices:
At this time, firewall rules can only be edited through the device’s local WebUI, not directly within the UISP application. The local WebUI can be accessed using the Remote Access feature in UISP.
This article covers both firewall and NAT configuration in UISP. NAT rules rewrite packets, changing the source or destination IP address and, for TCP and UDP, the port, but they do not decide whether traffic is allowed or blocked. Firewall (filter) rules decide how traffic is handled: accepted, dropped, or rejected. The two interact through ordering: Prerouting (DNAT) runs before the routing decision and before the Forward chain, so filter rules on forwarded traffic see the translated destination address; Postrouting (SNAT and masquerade) runs after filtering, so filter rules see the original source address.
To verify that the firewall is configured as expected, run the following commands directly on the device: iptables -nvL and ip6tables -nvL list the filter rules with packet and byte counters, and iptables -t nat -nvL lists the NAT rules. A rule whose counters never increase is not matching; a rule that should not match but counts packets is usually placed too high in its chain.
NAT
| Term | Description |
| --- | --- |
| Postrouting | Applies to traffic egressing an interface, after the routing decision. The egress interface is selected from the routing table of the firewall. This is where source NAT (SNAT and masquerade) is performed. |
| Prerouting | Applies to traffic as it arrives on an interface, before the routing decision. This is where destination NAT (DNAT) is performed. |
Firewall Rules
| Term | Description |
| --- | --- |
| Forward | Traffic routed through the firewall and not destined to the firewall itself, such as client-to-client or LAN-to-WAN routed traffic. |
| Input | Packets arriving on one of the router's interfaces whose destination IP address is one of the router's own addresses, for example DNS, DHCP server, NTP, or HTTP/S requests to the router. Input rules are not applied to packets forwarded through the firewall. |
| Output | Packets that originate on the router and leave through one of its interfaces, for example NTP, DHCP client, DNS, or UISP proxy traffic. Output rules are not applied to packets forwarded through the firewall. |
| WAN_IN | Inbound traffic from the WAN interface that is forwarded to other (LAN) networks. |
| WAN_LOCAL | Inbound traffic from the WAN interface that terminates on the router itself. |
Firewall directions
| Term | Description |
| --- | --- |
| TO ROUTER (LOCAL_IN) | Traffic destined for the router itself. |
| FROM ROUTER (LOCAL_OUT) | Traffic originating from the router. |
| FORWARD IN (IN) | Routed traffic entering through the interface. |
| FORWARD OUT (OUT) | Routed traffic exiting through the interface. |
| FORWARD BOTH (IN_OUT) | Routed traffic passing through the interface in either direction. |
Configuration Properties
Rule
| Property | Description |
| --- | --- |
| Enabled | Makes a rule inactive without removing its configuration. |
| Ruleset | Selects the ruleset (chain) in which the rule is placed. |
| Description | Free-text string identifying the rule. |
| Action | The action taken when traffic matches this rule. |
| IP Version | Options: IPv4 (only), IPv6 (only), IPv4 and IPv6. |
| Protocol | Restricts the rule to a single protocol if desired. Default: All protocols. |
| Rate Limit | The maximum number of packets per time unit this rule will match. Packets above the limit do not match this rule and continue to the following rules. |
Source and Destination
| Property | Description |
| --- | --- |
| Group | Selects a previously configured address, MAC, or port group. |
| Address | A single subnet or host. Multiple entries should be configured in a group. |
| Port | A single port number (1-65535) when the protocol is TCP, UDP, or TCP and UDP. Multiple entries should be configured in a group. |
| Inbound Interface | Matches a single ingress interface. Not available for Postrouting, where the ingress interface is no longer known. |
| Outbound Interface | Matches a single egress interface. Not available for Prerouting, where the routing decision has not been made yet. |
Action
| Property | Description |
| --- | --- |
| Target (Postrouting) | Masquerade: replaces the source IP address of the packet with the primary address of the egress interface; use it when the interface address is dynamic. SNAT: replaces the source IP address with the configured Translation Address. Not available for Prerouting. |
| Target (Filter) | Accept: accept the packet; no further rules in this chain, or in the chain that jumped into it, are evaluated (the packet still passes through the NAT chains that apply to it). Reject: discard the packet and send an ICMP error back to the sender, so the sender fails immediately. Drop: discard the packet silently; the sender receives nothing and typically times out. Return: stop evaluating the current chain and continue in the chain that jumped into it, with the rule after the jump; if no later rule matches, the chain's default action (Accept or Drop) applies. |
| Translation Address | The IP address that replaces the source (SNAT) or destination (DNAT) address. Not available for Masquerade or Filter. |
| Translation Port | When the protocol is TCP, UDP, or TCP and UDP, rewrites the source or destination port as well. Not available for Filter. |
| Enable Logging | Whether each packet matching this rule is logged to syslog. Do not over-enable logging: the volume of log entries can become unwieldy and put significant load on the router. Limiting logging to rules that match connection state New produces one log entry per connection, which is a reasonable and often desirable level. Logging on a rule with no state specified produces one entry per matching packet, which is almost always excessive. |
Connection State
Valid for firewall rules only. Matching is based on the connection tracking table.
| Property | Description |
| --- | --- |
| Established | The packet belongs to a connection that has already seen traffic in both directions. |
| Invalid | The packet cannot be associated with any known connection, for example a TCP segment outside the window of an existing connection or a stray ACK with no matching entry. Invalid packets are not subject to NAT and can leave an interface with their original source or destination IP address, which is why a rule dropping Invalid traffic is normally placed at the top of the Forward and Input chains. |
| New | The packet starts a new connection, or belongs to a connection that has not yet seen packets in both directions. |
| Related | The packet is related to, but not part of, an existing connection, such as an ICMP error message or the data connection of an FTP session. |
| Untracked | The packet was marked in the raw table to bypass connection tracking, so it has no tracking entry and never matches Established, Related, or New. |
Groups
Firewall groups enable the creation of sets of IPs and/or IP subnets, ports, or MAC addresses. The use of groups in firewall and NAT rules enables shorter, more easily manageable rule sets. For example, you might create a firewall group for publicly accessible web servers listing their IP addresses, and another group for the ports allowed to those web servers. Then, if a new web server is added or removed in the future, or an additional port must be allowed to those servers, it’s simply a matter of modifying the appropriate group, rather than potentially several firewall rules.
Examples
Dropping Bogons
Bogon IP addresses are addresses that should never appear on the public Internet: space reserved by the Internet Assigned Numbers Authority (IANA) or not allocated through any Regional Internet Registry (RIR). Packets carrying them are frequently spoofed, since they cannot be traced back to a legitimate source. To block these addresses, perform the following steps:
- Create an address group (called Bogon_Subnets here) containing the bogon subnets: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3. Note that 224.0.0.0/3 covers everything from 224.0.0.0 through 255.255.255.255 (multicast and reserved space); this list is a starting point, not a complete bogon list.
- Create a rule in the Forward chain that drops traffic destined to the bogon group:
  Filter rule
  Chain name: Forward
  Protocol: All protocols
  IP Version: IPv4
  Destination Group: Bogon_Subnets (Address group)
  Target: Drop
- Create a rule in the Forward chain that drops traffic sourced from the bogon group:
  Filter rule
  Chain name: Forward
  Protocol: All protocols
  IP Version: IPv4
  Source Group: Bogon_Subnets (Address group)
  Target: Drop
- Move the rules to the desired position in the Forward chain, above any Accept rules that would otherwise match the same traffic. To limit the rules to Internet traffic, set the Inbound Interface of the source rule and the Outbound Interface of the destination rule to the WAN interface. Do not add private (RFC 1918) ranges to a group used by an interface-independent Forward rule, or traffic between your own LANs will be dropped.
Port Forwarding
| Parameter | Example value |
| --- | --- |
| LAN Host | 192.168.1.231* |
| TCP Port to Forward | 22* |
| Inbound Interface | Port 9.1010 (eth8.1010)* |
| Inbound Interface IP Address | 198.51.100.1* |
*Example values only. Substitute your own subnets, hosts, and interfaces.
Two rules are required for the port forward to work. The NAT Prerouting (DNAT) rule rewrites the destination IP address from the public address to the internal address of the LAN host. Because DNAT happens before the routing decision, the packet reaches the Forward chain with the internal address as its destination, so the filter rule that allows it must match the LAN host's address and port, not the public address.
User Tip: For the filter rule to work, place it in the Forward chain above the predefined Drop rules; rules are evaluated top-down and the first match wins.
NAT Prerouting
- Only a Prerouting rule is needed on the NAT side. An inbound port forward does not require a Postrouting rule, because connection tracking reverses the translation for the return traffic automatically.
  Prerouting Rule
  Chain Name: Prerouting
  Protocol: TCP
  IP Version: IPv4
  Inbound Interface: 9.1010
  Destination Address: 198.51.100.1
  Destination Port: 22
  Target: DNAT
  Translation Address: 192.168.1.231
  If the service listens on a different port internally, also set Translation Port to that port.
Filter Forward
- On the filter side, only a rule in the Forward chain is needed. It matches the translated (internal) destination:
  Filter rule
  Chain Name: Forward
  Protocol: TCP
  IP Version: IPv4
  Inbound interface: 9.1010
  Destination address: 192.168.1.231
  Destination port: 22
  Target: Accept
Hairpin for Port Forwarding
NAT hairpin lets a client on the LAN reach the forwarded service through the public address (198.51.100.1) instead of the LAN address. Two NAT rules are needed.
- Create a DNAT (Prerouting) rule on the LAN interface that translates the public IP to the LAN IP address of the 192.168.1.231 host:
  Prerouting Rule
  Chain Name: Prerouting
  Protocol: TCP
  IP Version: IPv4
  Inbound Interface: br0
  Source Address: 192.168.1.0/24
  Destination Address: 198.51.100.1
  Destination Port: 22
  Target: DNAT
  Translation Address: 192.168.1.231
- The second rule is a Postrouting masquerade that makes the return traffic flow back through the router. Without it, the server sees the client's LAN address as the source and answers the client directly on the LAN; that reply carries 192.168.1.231 as its source rather than 198.51.100.1, so the client discards it because it does not match the connection it opened. With the masquerade, the server sees the router's own LAN address as the source, replies to the router, and the router reverses both translations before delivering the reply to the client.
  Postrouting Rule
  Chain Name: Postrouting
  Protocol: All protocols
  IP Version: IPv4
  Source Address: 192.168.1.0/24
  Outbound Interface: br0
  Target: Masquerade
  To keep the masquerade from applying to any other traffic the router routes back into br0, you can additionally set Destination Address to 192.168.1.231 on this rule. Note that the server's logs will show the router's address, not the real client, for hairpinned connections.
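The following walk-through is an added example, not code from the UISP article or from Ubiquiti. It applies the two hairpin NAT rules above to a LAN client's connection, once without and once with the Postrouting masquerade, and reports whether the client's TCP stack would accept the server's reply. The public IP, LAN host and LAN subnet are the article's values; the router's br0 address (192.168.1.1) and the client address (192.168.1.50) are assumptions.

```python
"""Hairpin NAT walk-through (added example, not from the UISP article).

Article values: public IP 198.51.100.1, LAN host 192.168.1.231, LAN
192.168.1.0/24 on br0. Assumed: router br0 address 192.168.1.1, client
192.168.1.50.
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "198.51.100.1"
SERVER_LAN_IP = "192.168.1.231"
ROUTER_LAN_IP = "192.168.1.1"   # assumption: the router's own address on br0
CLIENT_IP = "192.168.1.50"      # assumption: a client on the LAN
LAN_PREFIX = "192.168.1."       # stands in for 192.168.1.0/24 on interface br0


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def router_nat(pkt, masquerade):
    """Apply the article's two NAT rules to a packet the router forwards and
    return the packet as it leaves the router."""
    # Prerouting DNAT on br0: src 192.168.1.0/24, dst 198.51.100.1 tcp/22 -> 192.168.1.231
    if pkt.src.startswith(LAN_PREFIX) and pkt.dst == PUBLIC_IP and pkt.dport == 22:
        pkt = replace(pkt, dst=SERVER_LAN_IP)
    # Postrouting masquerade: src 192.168.1.0/24 leaving via br0 (destination on
    # the LAN) -> the source becomes the router's br0 address
    if masquerade and pkt.src.startswith(LAN_PREFIX) and pkt.dst.startswith(LAN_PREFIX):
        pkt = replace(pkt, src=ROUTER_LAN_IP)
    return pkt


def hairpin(masquerade):
    """Simulate client -> server -> client for a SYN to the public address.
    Returns (reply as delivered to the client, accepted_by_client)."""
    syn = Packet(CLIENT_IP, 40000, PUBLIC_IP, 22)
    forwarded = router_nat(syn, masquerade)
    # The server answers whatever source address it saw.
    reply = Packet(forwarded.dst, forwarded.dport, forwarded.src, forwarded.sport)
    if reply.dst == ROUTER_LAN_IP:
        # The reply returns to the router, whose connection-tracking entry
        # reverses both translations: src 192.168.1.231 -> 198.51.100.1,
        # dst router -> client.
        reply = Packet(syn.dst, syn.dport, syn.src, syn.sport)
    # Otherwise server and client share the LAN and the reply is delivered
    # directly, never passing the router, so nothing reverses the DNAT.
    accepted = (reply.src, reply.sport) == (syn.dst, syn.dport)
    return reply, accepted


if __name__ == "__main__":
    for masq in (False, True):
        reply, ok = hairpin(masq)
        print("masquerade=%s reply from %s:%d accepted=%s"
              % (masq, reply.src, reply.sport, ok))
```

Running the script shows the reply arriving from 192.168.1.231:22 and being rejected without the masquerade, and arriving from 198.51.100.1:22 and being accepted with it.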
Source NAT (Postrouting) with multiple public IPs
Note: For this configuration to function properly, these specific rules must be placed above the default masquerade rule.
LAN whole subnet SNAT
Example configuration:
Subnet: 192.168.1.0/24
Public IP Range: 198.51.100.1 - 198.51.100.7
Desired Public IP Address: 198.51.100.7
- One Postrouting rule must be created:
  Postrouting Rule
  Chain Name: Postrouting
  Protocol: All protocols
  IP Version: IPv4
  Source Address: 192.168.1.0/24
  Outbound Interface: 9.1010
  Target: SNAT
  Translation Address: 198.51.100.7
LAN single host SNAT
Example configuration:
LAN Host: 192.168.1.231
Public IP Range: 198.51.100.1 - 198.51.100.7
Desired Public IP Address: 198.51.100.4
- One Postrouting rule must be created:
  Postrouting Rule
  Chain Name: Postrouting
  Protocol: All protocols
  IP Version: IPv4
  Source Address: 192.168.1.231
  Outbound Interface: 9.1010
  Target: SNAT
  Translation Address: 198.51.100.4
If both rules are configured, place the single-host rule above the whole-subnet rule: Postrouting rules are evaluated top-down and the first match wins, so a rule for 192.168.1.0/24 placed first would also translate 192.168.1.231 to 198.51.100.7. The translation addresses must be routed to the router by the upstream provider (or configured on the WAN interface) for return traffic to arrive.
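Both the port-forwarding section and the SNAT section depend on rule order that the WebUI does not check for you. The script below is an added example, not code from the UISP article or from Ubiquiti: it parses iptables-save output (the rule text the device's iptables -t nat -nvL and iptables -nvL chains are built from) and verifies that the DNAT rule exists with its FORWARD ACCEPT above the predefined DROP rules, that every SNAT rule sits above MASQUERADE, and that no SNAT rule is shadowed by an earlier, wider one. The two rule listings embedded in the script are constructed to mirror the article's example values (eth8.1010, 198.51.100.x, 192.168.1.231); capture real input on the device with iptables-save and pass it to parse_iptables_save.

```python
"""Check port-forward and SNAT rule order in iptables-save output
(added example, not from the UISP article)."""
import ipaddress
import shlex
from collections import namedtuple

Rule = namedtuple("Rule", "table chain opts")

# Constructed sample mirroring the article's values, in the correct order.
SAMPLE_OK = """
*nat
-A PREROUTING -i eth8.1010 -d 198.51.100.1/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.231
-A POSTROUTING -s 192.168.1.231/32 -o eth8.1010 -j SNAT --to-source 198.51.100.4
-A POSTROUTING -s 192.168.1.0/24 -o eth8.1010 -j SNAT --to-source 198.51.100.7
-A POSTROUTING -o eth8.1010 -j MASQUERADE
COMMIT
*filter
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth8.1010 -d 192.168.1.231/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth8.1010 -j DROP
COMMIT
"""
# Constructed sample with the two ordering mistakes the article warns about.
SAMPLE_BAD = """
*nat
-A PREROUTING -i eth8.1010 -d 198.51.100.1/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.231
-A POSTROUTING -o eth8.1010 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth8.1010 -j SNAT --to-source 198.51.100.7
COMMIT
*filter
-A FORWARD -i eth8.1010 -j DROP
-A FORWARD -i eth8.1010 -d 192.168.1.231/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Return the '-A' lines as Rule(table, chain, opts). opts maps each flag to
    its value (True for bare flags); a '!' key prefix records '! -i eth0'."""
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            toks = shlex.split(line)[1:]
            chain_name, opts, i = toks[0], {}, 1
            while i < len(toks):
                neg = toks[i] == "!"
                if neg:
                    i += 1
                key = ("!" if neg else "") + toks[i]
                has_val = (i + 1 < len(toks) and toks[i + 1] != "!"
                           and not toks[i + 1].startswith("-"))
                opts[key] = toks[i + 1] if has_val else True
                i += 2 if has_val else 1
            rules.append(Rule(table, chain_name, opts))
    return rules


def chain(rules, table, name):
    return [r for r in rules if r.table == table and r.chain == name]


def has(rule, **want):
    """One-letter keys are short flags (i -> -i), longer ones long (dport -> --dport)."""
    return all(rule.opts.get(("-" if len(k) == 1 else "--") + k) == v
               for k, v in want.items())


def check_port_forward(rules, iface, public_ip, port, lan_host):
    dnat = [r for r in chain(rules, "nat", "PREROUTING")
            if has(r, i=iface, d=public_ip + "/32", p="tcp", dport=str(port), j="DNAT")
            and str(r.opts.get("--to-destination", "")).split(":")[0] == lan_host]
    if not dnat:
        return False, "no DNAT rule for %s:%s -> %s" % (public_ip, port, lan_host)
    fwd = chain(rules, "filter", "FORWARD")
    accept = [n for n, r in enumerate(fwd)
              if has(r, d=lan_host + "/32", p="tcp", dport=str(port), j="ACCEPT")]
    # A DROP with no connection-state match is treated as a predefined catch-all.
    drops = [n for n, r in enumerate(fwd)
             if r.opts.get("-j") == "DROP" and "--ctstate" not in r.opts]
    if not accept:
        return False, "no FORWARD ACCEPT for %s:%s" % (lan_host, port)
    if drops and accept[0] > drops[0]:
        return False, "FORWARD ACCEPT for %s:%s sits below a DROP rule" % (lan_host, port)
    return True, "port forward OK"


def check_snat_order(rules, iface):
    post = [r for r in chain(rules, "nat", "POSTROUTING") if r.opts.get("-o") == iface]
    targets = [r.opts.get("-j") for r in post]
    if "MASQUERADE" in targets and "SNAT" in targets[targets.index("MASQUERADE"):]:
        return False, "an SNAT rule sits below MASQUERADE and will never match"
    seen = []  # source networks of earlier SNAT rules; first match wins
    for r in post:
        if r.opts.get("-j") != "SNAT" or "-s" not in r.opts:
            continue
        net = ipaddress.ip_network(r.opts["-s"], strict=False)
        for earlier in seen:
            if net.subnet_of(earlier):
                return False, "SNAT for %s is shadowed by earlier SNAT for %s" % (net, earlier)
        seen.append(net)
    return True, "SNAT order OK"
```

Call check_port_forward(parse_iptables_save(text), "eth8.1010", "198.51.100.1", 22, "192.168.1.231") and check_snat_order(parse_iptables_save(text), "eth8.1010") on the captured text; each returns a (passed, message) pair. With SAMPLE_OK both checks pass; with SAMPLE_BAD the port-forward check reports the ACCEPT sitting below a DROP and the SNAT check reports the SNAT rule below MASQUERADE.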
LAN isolation
Note that in this example, port 1 is the WAN.
- Create the FWD_IN_LAN ruleset. It matches forwarded traffic entering on any non-WAN port:
  Ruleset
  Default action: DROP
  Interface: !1 (any interface except port 1)
  Direction: FORWARD IN
- Add an exception for Internet-bound traffic, so LAN clients can still reach the WAN:
  Firewall rule
  Ruleset: FWD_IN_LAN
  Action: ACCEPT
  Protocol: All
  Outbound interface: 1
- Create the FWD_OUT_LAN ruleset. It matches forwarded traffic exiting to any non-WAN port:
  Ruleset
  Default action: DROP
  Interface: !1 (any interface except port 1)
  Direction: FORWARD OUT
- Add an exception for return traffic from the Internet. Adjust the connection state to your use case: with Established or Related, only replies to connections opened from the LAN are admitted, so a port forward into the LAN (as configured above) additionally needs its own Accept rule in FWD_OUT_LAN for new connections to the forwarded host and port.
  Firewall rule
  Ruleset: FWD_OUT_LAN
  Action: ACCEPT
  Protocol: All
  Inbound interface: 1
  Connection State: Established or Related
With both rulesets in place, traffic between two LAN ports is dropped in both directions, while LAN-to-Internet traffic and its replies pass.
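The evaluator below is an added example, not code from the UISP article or from Ubiquiti. It transcribes the two rulesets above and applies them to sample forwarded packets so you can see which flows they admit. Port 1 is the WAN as in the article; ports 2 and 3 are assumed LAN ports. The modelled semantics are the ones described on this page: a ruleset applies when the packet's ingress (FORWARD IN) or egress (FORWARD OUT) interface matches the ruleset's binding, with "!1" meaning any port except 1; within a ruleset, rules are evaluated top-down and the first match wins, otherwise the default action applies; a forwarded packet must be accepted by every ruleset that applies to it. The verdict used when no ruleset applies is an assumption, not something the article states.

```python
"""Evaluator for the LAN-isolation rulesets (added example, not from the
UISP article). Ports 2 and 3 are assumed LAN ports; port 1 is the WAN."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    state: str  # "new", "established", "related" or "invalid"


@dataclass
class Rule:
    action: str
    in_if: str = None
    out_if: str = None
    states: tuple = ()  # empty: matches any connection state

    def matches(self, p):
        return ((self.in_if is None or p.in_if == self.in_if)
                and (self.out_if is None or p.out_if == self.out_if)
                and (not self.states or p.state in self.states))


@dataclass
class Ruleset:
    name: str
    direction: str   # "FORWARD IN" or "FORWARD OUT"
    interface: str   # "1" or "!1"
    default: str
    rules: list = field(default_factory=list)

    def applies(self, p):
        iface = p.in_if if self.direction == "FORWARD IN" else p.out_if
        if self.interface.startswith("!"):
            return iface != self.interface[1:]
        return iface == self.interface

    def evaluate(self, p):
        # Top-down, first match wins, else the ruleset's default action.
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


# The article's two rulesets, transcribed.
FWD_IN_LAN = Ruleset("FWD_IN_LAN", "FORWARD IN", "!1", "DROP",
                     [Rule("ACCEPT", out_if="1")])
FWD_OUT_LAN = Ruleset("FWD_OUT_LAN", "FORWARD OUT", "!1", "DROP",
                      [Rule("ACCEPT", in_if="1", states=("established", "related"))])


def forward_verdict(p, rulesets=(FWD_IN_LAN, FWD_OUT_LAN), policy="ACCEPT"):
    """Verdict for a forwarded packet: the first non-ACCEPT verdict from any
    applicable ruleset wins; `policy` (an assumption) is used when none applies."""
    verdicts = [rs.evaluate(p) for rs in rulesets if rs.applies(p)]
    for v in verdicts:
        if v != "ACCEPT":
            return v
    return "ACCEPT" if verdicts else policy


if __name__ == "__main__":
    cases = {
        "LAN2 -> WAN, new": Packet("2", "1", "new"),
        "WAN -> LAN2, reply": Packet("1", "2", "established"),
        "WAN -> LAN2, new": Packet("1", "2", "new"),
        "LAN2 -> LAN3, new": Packet("2", "3", "new"),
        "LAN3 -> LAN2, reply": Packet("3", "2", "established"),
    }
    for label, pkt in cases.items():
        print("%-22s %s" % (label, forward_verdict(pkt)))
```

Running it shows LAN-to-WAN and its replies accepted, new connections from the WAN dropped, and LAN-to-LAN traffic dropped in both directions, including replies, since FWD_IN_LAN has no state exception. To model the port-forward exception discussed above, add a Rule("ACCEPT", in_if="1") with a destination match to FWD_OUT_LAN ahead of the state rule.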