Setup guide
0 ;;; Allow established TCP connections
protocol=tcp tcp-options=non-syn-only connection-state=established
action=accept
1 ;;; Allow UDP connections
protocol=udp action=accept
2 ;;; Allow ICMP messages
protocol=icmp action=accept
3 ;;; Allow access from 'trusted' network 10.5.8.0/24
src-address=10.5.8.0/24 action=accept
4 ;;; Reject everything else
action=reject log=yes
[admin@Wandy] ip firewall rule input>
Thus, the input chain will accept only the allowed connections and will reject and log everything else.
Protecting the Customer's Network
To protect the customer's network, we should match all packets with destination address
192.168.0.0/24 that are passing through the router. This can be done in the forward chain. We can
match the packets against the IP addresses in the forward chain, and then jump to another chain,
say, customer. We create the new chain and add rules to it:
[admin@Wandy] ip firewall> add name=customer
[admin@Wandy] ip firewall> print
# NAME POLICY
0 input accept
1 forward accept
2 output accept
3 customer none
[admin@Wandy] ip firewall> rule customer
[admin@Wandy] ip firewall rule customer> add protocol=tcp tcp-options=non-syn-only \
\... connection-state=established comment="Allow established TCP connections"
[admin@Wandy] ip firewall rule customer> add protocol=udp \
\... comment="Allow UDP connections"
[admin@Wandy] ip firewall rule customer> add protocol=icmp \
\... comment="Allow ICMP messages"
[admin@Wandy] ip firewall rule customer> add protocol=tcp tcp-options=syn-only \
\... dst-address=192.168.0.17/32:80 \
\... comment="Allow http connections to the server at 192.168.0.17"
[admin@Wandy] ip firewall rule customer> add protocol=tcp tcp-options=syn-only \
\... dst-address=192.168.0.17/32:25 \
\... comment="Allow SMTP connections to the server at 192.168.0.17"
[admin@Wandy] ip firewall rule customer> add protocol=tcp tcp-options=syn-only \
\... src-port=20 dst-port=1024-65535 \
\... comment="Allow ftp data connections from servers on the Internet"
[admin@Wandy] ip firewall rule customer> add action=reject log=yes \
\... comment="Reject and log everything else"
[admin@Wandy] ip firewall rule customer> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Allow established TCP connections
protocol=tcp tcp-options=non-syn-only connection-state=established
action=accept
1 ;;; Allow UDP connections
protocol=udp action=accept
2 ;;; Allow ICMP messages
protocol=icmp action=accept
3 ;;; Allow http connections to the server at 192.168.0.17
dst-address=192.168.0.17/32:80 protocol=tcp tcp-options=syn-only
action=accept
4 ;;; Allow SMTP connections to the server at 192.168.0.17
dst-address=192.168.0.17/32:25 protocol=tcp tcp-options=syn-only
action=accept
5 ;;; Allow ftp data connections from servers on the Internet
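The following is an added example, not part of the RouterOS manual: a small first-match evaluator for the customer chain shown above, so the effect of the rule order can be checked against sample packets before the chain is put in front of real traffic. It assumes the forward-chain jump described in the text (packets with destination in 192.168.0.0/24 go to the customer chain, everything else keeps the forward chain's accept policy); the addresses and ports in the test packets are constructed values.

```python
# Added example (not from the RouterOS manual): first-match evaluation of the
# 'customer' chain above, to see which packets it accepts and which it rejects.
from ipaddress import ip_address, ip_network

# A packet is a dict with proto, src, dst, sport, dport, syn (new-connection
# SYN) and established (connection-tracking state). Sample values are constructed.
def in_net(addr, cidr):
    return ip_address(addr) in ip_network(cidr)

# The chain as written on the page, in order: (comment, match, action).
CUSTOMER_CHAIN = [
    ("Allow established TCP connections",
     lambda p: p["proto"] == "tcp" and not p["syn"] and p["established"], "accept"),
    ("Allow UDP connections", lambda p: p["proto"] == "udp", "accept"),
    ("Allow ICMP messages", lambda p: p["proto"] == "icmp", "accept"),
    ("Allow http connections to the server at 192.168.0.17",
     lambda p: p["proto"] == "tcp" and p["syn"]
     and p["dst"] == "192.168.0.17" and p["dport"] == 80, "accept"),
    ("Allow SMTP connections to the server at 192.168.0.17",
     lambda p: p["proto"] == "tcp" and p["syn"]
     and p["dst"] == "192.168.0.17" and p["dport"] == 25, "accept"),
    ("Allow ftp data connections from servers on the Internet",
     lambda p: p["proto"] == "tcp" and p["syn"]
     and p["sport"] == 20 and 1024 <= p["dport"] <= 65535, "accept"),
    ("Reject and log everything else", lambda p: True, "reject"),
]

def forward(packet):
    """Forward-chain behaviour as the text describes it (assumed, the jump rule
    itself is not shown on the page): packets to the customer network are
    handed to the 'customer' chain; all others keep the forward chain's
    default accept policy. Returns (action, matching rule comment)."""
    if not in_net(packet["dst"], "192.168.0.0/24"):
        return "accept", "forward policy"
    for comment, match, action in CUSTOMER_CHAIN:
        if match(packet):
            return action, comment
    raise AssertionError("unreachable: the final rule matches everything")

def pkt(proto, src, dst, sport=0, dport=0, syn=False, established=False):
    """Build a constructed sample packet."""
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport,
                syn=syn, established=established)

if __name__ == "__main__":
    print(forward(pkt("tcp", "203.0.113.5", "192.168.0.17", 40000, 80, syn=True)))
    print(forward(pkt("tcp", "203.0.113.5", "192.168.0.40", 20, 5000, syn=True)))
```

Running the last check shows the scope of the ftp-data rule as written: it admits new connections from source port 20 to any unprivileged port on any host in the customer network, which is worth weighing against the services those hosts actually run.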