Firewall configuration

From ISPWiki

Introduction

The firewall is the standard security system of the operating system on which ISPmanager is installed:

  • Debian/CentOS - iptables

The ISPmanager firewall can filter only incoming traffic.

Adding firewall rules

Debian/CentOS: when ISPmanager starts for the first time, the following chains are created in iptables/ip6tables:

  1. ispmgr_deny_ip - contains denied IP addresses
  2. ispmgr_allow_ip - contains allowed IP addresses
  3. ispmgr_allow_sub - contains allowed subnets
  4. ispmgr_deny_sub - contains denied subnets

These chains are added to the end of the INPUT chain in the order in which they are listed above.

 Attention: parameters added to the chains manually may be applied incorrectly or modified by ISPmanager.
 Attention: the rules described in the ISPmanager firewall are used to filter network traffic only after the user rules that were defined prior to ISPmanager installation.
 Attention: if you configure the firewall manually, any changes made in the "Firewall" module may cause unexpected behavior of the firewall of your operating system.
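The following audit script is an added example, not part of ISPmanager or of the original page. It reads the output of `iptables -S INPUT` (or `ip6tables -S INPUT`), checks that the four chains are referenced at the end of INPUT in the documented order, and lists the user rules that decide traffic before the ISPmanager chains are consulted. It assumes each chain is hooked in with a rule of the form `-A INPUT -j <chain>`; the function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example, not ISPmanager code. Reads `iptables -S INPUT` output on stdin.
# Assumption: each chain is hooked in with a rule "-A INPUT -j <chain>".
audit_input_chain() {
    awk '
    BEGIN { n = split("ispmgr_deny_ip ispmgr_allow_ip ispmgr_allow_sub ispmgr_deny_sub", want, " "); idx = 1 }
    $1 != "-A" || $2 != "INPUT" { next }   # skip policy lines and other chains
    {
        pos++; target = ""
        for (i = 3; i < NF; i++) if ($i == "-j") target = $(i + 1)
        if (target ~ /^ispmgr_/) {
            seen = 1
            if (idx <= n && target == want[idx]) idx++
            else { printf "ORDER rule %d: unexpected jump to %s\n", pos, target; bad = 1 }
        } else if (seen) {
            # A rule was appended after the ISPmanager chains.
            printf "TRAILING rule %d: %s\n", pos, $0; bad = 1
        } else if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
            # This rule decides traffic before any ISPmanager rule is consulted.
            printf "PRECEDES rule %d: %s\n", pos, $0
        }
    }
    END {
        for (; idx <= n; idx++) { printf "MISSING %s\n", want[idx]; bad = 1 }
        exit bad + 0   # 0 = documented layout, 1 = layout differs
    }'
}

# Constructed sample input, not captured from a real host.
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j ispmgr_deny_ip
-A INPUT -j ispmgr_allow_ip
-A INPUT -j ispmgr_allow_sub
-A INPUT -j ispmgr_deny_sub
EOF
}

sample_rules | audit_input_chain
```

On a live server, run `iptables -S INPUT | audit_input_chain`. A PRECEDES line for an ACCEPT rule means an address denied in ISPmanager can still reach that service.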

Additional parameters

Parameters are added into the file mgr5/etc/ispmgr.conf.

  • Option FirewallCheckAccess - allows deny rules to be added to the firewall regardless of the module limits.

Path to the rule file

Debian

  • /etc/ispiptable.conf and /etc/ispip6table.conf
  • Run the script /etc/network/if-up.d/ispmgrfw

CentOS

  • Standard /etc/sysconfig/iptables

Block by country

In ISPmanager Lite and ISPmanager Business, starting from 5.77.0, countries cannot be blocked on OpenVZ.

In ISPmanager Business this function is available only if one or several cluster nodes do not use OpenVZ.