Topic: ZTL inside NAT

rgreene501
« on: August 23, 2006, 10:43:08 PM »

The default iptables rules block input from private networks.  Not so cool when your interface sits on a 172.17. block.  Easy to fix, but could the installer be modified to accommodate this?  The interface is defined early in the installation, before anything is written to disk other than the file systems.

I understand the rationale, but we block these at the router anyway.

vadim
« Reply #1 on: August 28, 2006, 09:31:53 AM »

Hello!
You should only disable option 'Drop all packets from private reserved networks' on the ZTL Firewall module index page.

rgreene501
« Reply #2 on: August 28, 2006, 02:11:05 PM »

Vadim,

Thank you for the response.

I saw the option and that works for my purpose, but was curious about modifying the installer to accommodate private networks with greater granularity.

If I'm on a 192.168.0/24 it would be nice to still block the rest of that /16 as well as 172.16/12 and 10/8.  I see no method in the ZTL admin panel to define these blocks for exclusion or to create specific drop rules either by service or address.

As I said in my previous post, we drop these packets at the router anyway, so for this network, it's unnecessary.  I'm just curious.

vadim
« Reply #3 on: August 30, 2006, 03:56:26 AM »

ZTL Firewall drops all packets from private reserved networks (if the option is enabled):
A: 10.0.0.0/8
B: 172.16.0.0/16-172.31.0.0/16
C: 192.168.0.0/24-192.168.255.0/24
It's possible to create specific rules for each of the blocks, but it would complicate the Firewall interface very much.

rgreene501
« Reply #4 on: August 30, 2006, 03:28:29 PM »

Vadim,

I can appreciate the complexity and don't mind building rules myself.  I just don't want to break ZTL in the process.

Is there documentation regarding what is safe to modify manually?  I've already been bitten by creating a user via smbpasswd and it killed the ability to create a domain.

vadim
« Reply #5 on: September 01, 2006, 02:43:27 AM »

Hello!

We still don't have Firewall documentation (in development).

All ZTL Firewall rules are saved in /etc/sysconfig/iptables-ipv4.d/ztl-rules.sh. We don't recommend editing this file manually. If you want to use more complete rules you should:
1. Back up and delete /etc/sysconfig/iptables-ipv4.d/ztl-rules.sh
2. Add the new rules into the file /etc/sysconfig/iptables-ipv4.d/start.
3. Restart the Firewall (service iptables restart)

rgreene501
« Reply #6 on: September 01, 2006, 03:30:10 AM »

Thanks for the tip Vadim,

I had been modifying ztl-rules.sh to accommodate my needs.  I'll rename the file and restart.

As for firewall documentation...  I don't really need an iptables tutorial.  I just need to know what may be modified without breaking the ZTL management interface.

Regards,
BobG
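To get the granularity rgreene501 asks for (keep the box's own subnet reachable while still dropping the rest of the RFC 1918 space) with the start-file approach vadim describes, here is an added example script; it is not ZTL's own ztl-rules.sh or any code from the thread, and the chain name PRIVNET, the interface name and the local CIDR are assumptions.

```shell
#!/bin/sh
# Added example, not ZTL's own ztl-rules.sh. Builds a PRIVNET chain that lets
# the box's own RFC 1918 subnet through while still dropping the rest of the
# private space, then hooks the chain into INPUT and FORWARD for one interface.
# Assumptions: interface name and local CIDR are passed as arguments; with
# IPTABLES unset the commands are only printed (dry run), so the output can be
# reviewed before it is saved into /etc/sysconfig/iptables-ipv4.d/start.

IPTABLES="${IPTABLES:-echo iptables}"

# private_net_rules <iface> <local-cidr>
private_net_rules() {
    iface="$1"
    local_net="$2"

    $IPTABLES -N PRIVNET 2>/dev/null   # ignore "chain exists" on reload
    $IPTABLES -F PRIVNET

    # iptables walks a chain top to bottom, so the exception for our own
    # subnet must sit above the broad DROPs. RETURN (not ACCEPT) hands those
    # packets back to the caller so the rest of the ruleset still applies.
    $IPTABLES -A PRIVNET -s "$local_net" -j RETURN

    # 172.16.0.0/12 covers 172.16.0.0 through 172.31.255.255 in one rule.
    for block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        # Log a rate-limited sample of what is dropped so a flood of spoofed
        # packets cannot fill the log.
        $IPTABLES -A PRIVNET -s "$block" -m limit --limit 5/min \
            -j LOG --log-prefix "PRIVNET drop: "
        $IPTABLES -A PRIVNET -s "$block" -j DROP
    done
    $IPTABLES -A PRIVNET -j RETURN

    # Bind the chain to the given interface only: loopback and the other
    # interfaces never see these rules.
    $IPTABLES -I INPUT 1 -i "$iface" -j PRIVNET
    $IPTABLES -I FORWARD 1 -i "$iface" -j PRIVNET
}

# Case from the thread: an interface on a 172.17.x.x block behind NAT
# (constructed sample values; override with script arguments).
private_net_rules "${1:-eth0}" "${2:-172.17.0.0/24}"
```

Run it as is to see the rule list, then with `IPTABLES=iptables` as root to apply it; the same ordering applies when the rules are pasted into the start file.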