Netfilter: examples of typical IP filter (firewall) rules
The following tables show a few example IP filter (firewall) rules of the kind that the wizards also create. If you commission the router without wizard support, use these rules as a guide for your application.
Each row is an accept rule for one of the three netfilter chains named in the Type column: INPUT covers traffic addressed to the router itself, OUTPUT covers traffic originating from the router, and FORWARD covers traffic routed between interfaces. The from and to columns name the interfaces involved (net1, net2, net3, lte2, openvpn1, ipsec1) and, where given, the port; the active column marks whether the rule is enabled. Only the interfaces and ports listed are opened; everything else stays closed.
Rules for general router functions (already present in default settings)

| active | Type | IP version | Protocol | from | to | Description | Comment |
|---|---|---|---|---|---|---|---|
| | INPUT | all | TCP | net1 | port: 80 | Config port: allow HTTP interface | Allows local access to the web interface via HTTP (unencrypted) |
| ✔ | INPUT | all | TCP | net1 | port: 443 | Config port: allow HTTPS interface | Allows local access to the web interface via HTTPS |
| ✔ | OUTPUT | all | TCP | | all, port: 443 | INSYS Update Server: allow HTTPS | Allows the router to download firmware from the INSYS update server via HTTPS |
Rules for general router functions

| active | Type | IP version | Protocol | from | to | Description | Comment |
|---|---|---|---|---|---|---|---|
| | INPUT | all | TCP | net1, net2 | port: 22 | Local access to command line via SSH | Allows local access to the CLI via SSH |
| ✔ | INPUT | all | ICMP | net1, net2 | | ICMP pings from the local net | Allows ICMP from the local networks to reach the router, e.g. pinging the router from a local device |
| ✔ | INPUT | all | UDP | net1 | port: 67 | DHCP queries from the local net | Allows the router to receive DHCP requests from the local network; required if the router is to act as DHCP server |
| ✔ | INPUT | all | UDP | net1, net2 | port: 53 | DNS queries from the local net | Allows the router to receive DNS requests (UDP) from the local networks; required if the router is to act as DNS relay |
| ✔ | INPUT | all | TCP | net1, net2 | port: 53 | DNS queries from the local net | Allows the router to receive DNS requests (TCP) from the local networks; required if the router is to act as DNS relay |
| | INPUT | all | UDP | net1, net2 | port: 123 | NTP queries from the local net | Allows the router to receive NTP requests from the local networks; required if the router is to act as NTP time server |
| ✔ | OUTPUT | all | UDP | | net1, port: 68 | DHCP responses to the local net | Allows the router to send DHCP replies into the local network; required if the router is to act as DHCP server |
| ✔ | OUTPUT | all | UDP | | lte2, port: 53 | DNS queries sent by the router | Allows DNS requests (UDP) from the router into the WAN (cellular connection via lte2); required if the router is to act as DNS relay |
| ✔ | OUTPUT | all | TCP | | lte2, port: 53 | DNS queries sent by the router | Allows DNS requests (TCP) from the router into the WAN (cellular connection via lte2); required if the router is to act as DNS relay |
| ✔ | OUTPUT | all | UDP | | lte2, port: 123 | NTP queries sent by the router | Allows NTP requests from the router into the WAN (cellular connection via lte2); required if the router is to update its system time |
| ✔ | OUTPUT | all | UDP | | net3, port: 53 | DNS queries sent by the router | Allows DNS requests (UDP) from the router into the WAN (network connection via net3); required if the router is to act as DNS relay |
| ✔ | OUTPUT | all | TCP | | net3, port: 53 | DNS queries sent by the router | Allows DNS requests (TCP) from the router into the WAN (network connection via net3); required if the router is to act as DNS relay |
| ✔ | OUTPUT | all | UDP | | net3, port: 123 | NTP queries sent by the router | Allows NTP requests from the router into the WAN (network connection via net3); required if the router is to update its system time |
Rules for the communication between the networks and the WAN

| active | Type | IP version | Protocol | from | to | Description | Comment |
|---|---|---|---|---|---|---|---|
| ✔ | FORWARD | all | all | net1, net2 | net1, net2 | Traffic between the local nets | Allows communication between the networks net1 and net2 |
| ✔ | FORWARD | all | all | net1, net2 | lte2 | Traffic from local net into the WAN | Allows communication between the networks net1 or net2 and the WAN (cellular connection via lte2), initiated from the local side |
| ✔ | FORWARD | all | all | net1, net2 | net3 | Traffic from local net into the WAN | Allows communication between the networks net1 or net2 and the WAN (network connection via net3), initiated from the local side |
Rules for OpenVPN connections to the icom Connectivity Suite

| active | Type | IP version | Protocol | from | to | Description | Comment |
|---|---|---|---|---|---|---|---|
| ✔ | OUTPUT | all | UDP | | port: 2043 | OpenVPN (tunnel establishment) | Allows establishing VPN connections to the icom Connectivity Suite, including the key exchange (any destination host, on any interface) |
| ✔ | OUTPUT | all | all | | openvpn1 | Traffic through the OpenVPN tunnel sent by the router | Allows the router to send all data through VPN tunnel openvpn1 |
| ✔ | INPUT | all | all | openvpn1 | | Traffic through the OpenVPN tunnel to the router | Allows the router to receive all data through VPN tunnel openvpn1 |
| ✔ | FORWARD | all | all | net1 | openvpn1 | Traffic from the local net1 through the OpenVPN tunnel | Allows routing all data from the local network net1 through VPN tunnel openvpn1 |
| ✔ | FORWARD | all | all | net2 | openvpn1 | Traffic from the local net2 through the OpenVPN tunnel | Allows routing all data from the local network net2 through VPN tunnel openvpn1 |
| ✔ | FORWARD | all | all | openvpn1 | net1 | Traffic through the OpenVPN tunnel to the local net1 | Allows routing all data arriving through VPN tunnel openvpn1 into the local network net1 |
| ✔ | FORWARD | all | all | openvpn1 | net2 | Traffic through the OpenVPN tunnel to the local net2 | Allows routing all data arriving through VPN tunnel openvpn1 into the local network net2 |
Rules for OpenVPN connections

| active | Type | IP version | Protocol | from | to | Description | Comment |
|---|---|---|---|---|---|---|---|
| ✔ | OUTPUT | all | UDP | port: 1194 | lte2, port: 1194 | OpenVPN (tunnel establishment) | Allows establishing VPN connections and the key exchange (cellular connection via lte2, source and destination port 1194) |
| ✔ | OUTPUT | all | all | | openvpn1 | Traffic through the OpenVPN tunnel sent by the router | Allows the router to send all data through VPN tunnel openvpn1 |
| ✔ | INPUT | all | all | openvpn1 | | Traffic through the OpenVPN tunnel to the router | Allows the router to receive all data through VPN tunnel openvpn1 |
| ✔ | FORWARD | all | all | net1, net2 | openvpn1 | Traffic from the local net through the OpenVPN tunnel | Allows routing all data from the local networks net1 or net2 through VPN tunnel openvpn1 |
| ✔ | FORWARD | all | all | openvpn1 | net1, net2 | Traffic through the OpenVPN tunnel to the local net | Allows routing all data arriving through VPN tunnel openvpn1 into the local networks net1 or net2 |
Rules for IPsec connections

| active | Type | IP version | Protocol | from | to | Description | Comment |
|---|---|---|---|---|---|---|---|
| ✔ | OUTPUT | all | UDP | | lte2, port: 500 | IPsec (tunnel establishment) | Allows establishing IPsec connections and the key exchange (IKE; cellular connection via lte2) |
| ✔ | OUTPUT | all | ESP | | lte2 | IPsec protocol ESP | Allows the ESP packets that carry the encrypted tunnel traffic (cellular connection via lte2) |
| ✔ | OUTPUT | all | UDP | | lte2, port: 4500 | IPsec UDP Port 4500 (NAT traversal) | Allows establishing IPsec connections and the key exchange when NAT traversal is used; IKE and ESP are then encapsulated in UDP port 4500 (cellular connection via lte2) |
| ✔ | INPUT | all | UDP | lte2 | port: 500 | IPsec (tunnel establishment) | Allows establishing IPsec connections and the key exchange (IKE; cellular connection via lte2) |
| ✔ | INPUT | all | ESP | lte2 | | IPsec protocol ESP | Allows the ESP packets that carry the encrypted tunnel traffic (cellular connection via lte2) |
| ✔ | INPUT | all | UDP | lte2 | port: 4500 | IPsec UDP Port 4500 (NAT traversal) | Allows establishing IPsec connections and the key exchange when NAT traversal is used; IKE and ESP are then encapsulated in UDP port 4500 (cellular connection via lte2) |
| ✔ | OUTPUT | all | UDP | | net3, port: 500 | IPsec (tunnel establishment) | Allows establishing IPsec connections and the key exchange (IKE; network connection via net3) |
| ✔ | OUTPUT | all | ESP | | net3 | IPsec protocol ESP | Allows the ESP packets that carry the encrypted tunnel traffic (network connection via net3) |
| ✔ | OUTPUT | all | UDP | | net3, port: 4500 | IPsec UDP Port 4500 (NAT traversal) | Allows establishing IPsec connections and the key exchange when NAT traversal is used; IKE and ESP are then encapsulated in UDP port 4500 (network connection via net3) |
| ✔ | INPUT | all | UDP | net3 | port: 500 | IPsec (tunnel establishment) | Allows establishing IPsec connections and the key exchange (IKE; network connection via net3) |
| ✔ | INPUT | all | ESP | net3 | | IPsec protocol ESP | Allows the ESP packets that carry the encrypted tunnel traffic (network connection via net3) |
| ✔ | INPUT | all | UDP | net3 | port: 4500 | IPsec UDP Port 4500 (NAT traversal) | Allows establishing IPsec connections and the key exchange when NAT traversal is used; IKE and ESP are then encapsulated in UDP port 4500 (network connection via net3) |
| ✔ | OUTPUT | all | all | | ipsec1 | Traffic through the IPsec tunnel sent by the router | Allows the router to send all data through IPsec tunnel ipsec1 |
| ✔ | INPUT | all | all | ipsec1 | | Traffic through the IPsec tunnel to the router | Allows the router to receive all data through IPsec tunnel ipsec1 |
| ✔ | FORWARD | all | all | net1, net2 | ipsec1 | Traffic from the local net through the IPsec tunnel | Allows routing all data from the local networks net1 or net2 through IPsec tunnel ipsec1 |
| ✔ | FORWARD | all | all | ipsec1 | net1, net2 | Traffic through the IPsec tunnel to the local net | Allows routing all data arriving through IPsec tunnel ipsec1 into the local networks net1 or net2 |
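The six tables above share one structure, so the following added example (written for this page; it is not code or configuration from INSYS or the router) transcribes a subset of their rows as data and derives two things from them: the iptables commands that express the same rules, and the services each interface can reach on the router itself. It assumes what the tables leave implicit: `port: N` in the to column is a destination port and in the from column a source port; an interface named in from/to is the input/output interface; the filter tracks connections (the page lists no INPUT rule for the DNS and NTP replies that arrive on lte2 and net3, while the DHCP reply into the local network, which connection tracking generally does not pair with the broadcast request, gets its own OUTPUT rule); and each chain is an allow-list with a DROP policy. The iptables syntax is one rendering of the tables, not the router's own configuration format; the rows in `RULES` are a constructed subset copied from the tables.

```python
"""Model of the IP filter tables on this page (added example, not INSYS code).
Assumptions: "port: N" is a destination port in `to` and a source port in
`from`; interfaces in `from`/`to` are input/output interfaces; the filter is
stateful and every chain has a DROP policy. None of this is stated on the page."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Endpoint:
    ifaces: tuple = ()          # interfaces named in the cell, e.g. ("net1", "net2")
    port: Optional[int] = None  # "port: N", if present


def parse_endpoint(cell: str) -> Endpoint:
    """Parse a from/to cell such as "net1, net2", "lte2, port: 53", "all, port: 443" or ""."""
    ifaces, port = [], None
    for item in (s.strip() for s in cell.split(",") if s.strip()):
        if item.startswith("port:"):
            port = int(item.split(":", 1)[1])
        elif item != "all":          # "all" means any interface: no -i/-o match
            ifaces.append(item)
    return Endpoint(tuple(ifaces), port)


@dataclass(frozen=True)
class Rule:
    active: bool
    chain: str   # INPUT, OUTPUT or FORWARD (the "Type" column)
    proto: str   # TCP, UDP, ICMP, ESP or all
    src: Endpoint
    dst: Endpoint
    description: str


def rule(active: bool, chain: str, proto: str, src: str, dst: str, description: str) -> Rule:
    return Rule(active, chain, proto, parse_endpoint(src), parse_endpoint(dst), description)


# Constructed subset of the rows in the tables above; "active" as marked there.
RULES = [
    rule(False, "INPUT", "TCP", "net1", "port: 80", "Config port: allow HTTP interface"),
    rule(True, "INPUT", "TCP", "net1", "port: 443", "Config port: allow HTTPS interface"),
    rule(False, "INPUT", "TCP", "net1, net2", "port: 22", "Local access to command line via SSH"),
    rule(True, "INPUT", "ICMP", "net1, net2", "", "ICMP pings from the local net"),
    rule(True, "INPUT", "UDP", "net1", "port: 67", "DHCP queries from the local net"),
    rule(True, "OUTPUT", "UDP", "", "net1, port: 68", "DHCP responses to the local net"),
    rule(True, "OUTPUT", "UDP", "", "lte2, port: 53", "DNS queries sent by the router"),
    rule(True, "FORWARD", "all", "net1, net2", "lte2", "Traffic from local net into the WAN"),
    rule(True, "OUTPUT", "UDP", "port: 1194", "lte2, port: 1194", "OpenVPN (tunnel establishment)"),
    rule(True, "INPUT", "UDP", "lte2", "port: 500", "IPsec (tunnel establishment)"),
    rule(True, "INPUT", "ESP", "lte2", "", "IPsec protocol ESP"),
    rule(True, "INPUT", "UDP", "lte2", "port: 4500", "IPsec UDP Port 4500 (NAT traversal)"),
    rule(True, "INPUT", "all", "ipsec1", "", "Traffic through the IPsec tunnel to the router"),
]

CHAINS = ("INPUT", "OUTPUT", "FORWARD")


def to_iptables(r: Rule) -> list[str]:
    """One row as iptables commands. A cell naming several interfaces expands to one
    command per interface combination, because a netfilter rule matches one interface."""
    cmds = []
    for in_if in r.src.ifaces or (None,):
        for out_if in r.dst.ifaces or (None,):
            parts = ["iptables", "-A", r.chain]
            parts += ["-i", in_if] if in_if else []
            parts += ["-o", out_if] if out_if else []
            parts += ["-p", r.proto.lower()] if r.proto != "all" else []
            parts += ["--sport", str(r.src.port)] if r.src.port is not None else []
            parts += ["--dport", str(r.dst.port)] if r.dst.port is not None else []
            cmds.append(" ".join(parts + ["-j", "ACCEPT"]))
    return cmds


def render(rules=RULES) -> list[str]:
    """All active rows as an iptables script, preceded by the DROP policies and the
    connection-tracking accept that the tables imply (assumption, see above)."""
    script = [f"iptables -P {c} DROP" for c in CHAINS]
    script += [f"iptables -A {c} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
               for c in CHAINS]
    for r in rules:
        if r.active:
            script += to_iptables(r)
    return script


def exposure(rules=RULES) -> dict[str, set[str]]:
    """Services on the router reachable per interface through active INPUT rules,
    as "proto/port" ("proto/*" when the rule matches no port)."""
    surface: dict[str, set[str]] = {}
    for r in rules:
        if not (r.active and r.chain == "INPUT"):
            continue
        svc = r.proto.lower() + ("/*" if r.dst.port is None else f"/{r.dst.port}")
        for iface in r.src.ifaces or ("any",):
            surface.setdefault(iface, set()).add(svc)
    return surface


MANAGEMENT = {"tcp/22", "tcp/80", "tcp/443"}  # SSH, HTTP, HTTPS rows of the tables above


def management_exposed_on(wan_ifaces, rules=RULES) -> dict[str, set[str]]:
    """Management services reachable from WAN-side interfaces; should stay empty."""
    surface = exposure(rules)
    hits = {i: surface.get(i, set()) & MANAGEMENT for i in wan_ifaces}
    return {i: s for i, s in hits.items() if s}
```

`render()` turns the transcribed rows into 19 commands; the inactive HTTP and SSH rows produce none, and the rows with two interfaces in one cell each become two commands. `exposure()` is the view a pentester wants before touching the device: with the rules as marked, lte2 accepts only IKE (UDP 500), ESP and NAT-T (UDP 4500), net1 accepts HTTPS, ICMP and DHCP, and ipsec1 accepts everything, which is what the "all/all" tunnel rows mean. `management_exposed_on(["lte2", "net3"])` is the check to keep empty: one rule accepting TCP 22, 80 or 443 from a WAN interface undoes the point of restricting the management rows to net1 and net2.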