Custom host firewall rules
In most cases a host running the Edge Enforcer does not require any custom firewall rules. When custom rules are needed, they must be written so that they do not interfere with the Edge Enforcer's own firewall rules. See the Host firewall section in the Application Networking document for the rules to follow when writing a compatible configuration.
In many cases an additional management path to the host (such as SSH) is desirable besides managing the host via the Edge Enforcer. The firewall must then allow incoming traffic for that service; the examples below include such a rule for SSH as an optional line.
Using iptables-nft
An example of a minimal iptables configuration compatible with the Edge Enforcer firewall configuration, which includes an optional rule to allow SSH traffic. Note that the iptables-nft translation tool for nftables is used; iptables-legacy is unsupported.
# allow all outgoing connections (Control Tower connectivity, DNS and other essentials)
iptables-nft -P OUTPUT ACCEPT
# allow replies to outgoing connections
iptables-nft -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# optional: allow incoming SSH traffic
iptables-nft -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# allow essential incoming packets marked by the Edge Enforcer
iptables-nft -A INPUT -m mark --mark 0x460000/0xff0000 -j ACCEPT
# all other incoming traffic may be dropped
iptables-nft -P INPUT DROP
# allow forwarding of application and proxy traffic managed by the Edge Enforcer
iptables-nft -A FORWARD -m mark --mark 0x460000/0xff0000 -j ACCEPT
# all other forwarded traffic may be dropped
iptables-nft -P FORWARD DROP
Apply the rules in the order shown: the accept rules are appended first and the DROP policies are set last, so that a remote session is not cut off before its accept rule exists. The rule set contains no rule for the loopback interface; with the INPUT policy set to DROP, new connections between local services over 127.0.0.1 are only accepted if some rule matches them, so add an INPUT rule accepting traffic on the loopback interface (-i lo) if the host needs them. The rules are also not persistent across reboots unless they are saved (for example with iptables-nft-save) or applied by a boot-time service.
If using the plain iptables command, make sure that its version string indicates nf_tables (a version string ending in (legacy) means the unsupported iptables-legacy backend):
iptables --version
iptables v1.8.11 (nf_tables)
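The same rule set as a small script that is safe to re-run and refuses to proceed on the legacy backend. This is an added example and not code from the Edge Enforcer documentation or product; it assumes iptables-nft is in PATH, that it is run as root when invoked with the hypothetical argument "apply", and it reuses the mark value 0x460000/0xff0000 from the rules above. The -C check before each -A append is what keeps re-runs from stacking duplicate rules, and the DROP policies are set only after the accept rules are in place.

```shell
# Added example, not part of the Edge Enforcer documentation: apply the
# iptables-nft rule set in a re-runnable way and refuse the legacy backend.
# Assumptions: iptables-nft is installed, the script runs as root when invoked
# with "apply", and the mark value is the one documented for the Edge Enforcer.

MARK='0x460000/0xff0000'

# backend_of VERSION_STRING: classify the output of "iptables --version"
backend_of() {
  case "$1" in
    *'(nf_tables)'*) echo nf_tables ;;
    *'(legacy)'*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# add_rule CHAIN RULE...: append the rule only if an identical one is not
# already present (-C checks for it, -A appends), so re-running the script
# does not accumulate duplicate rules
add_rule() {
  chain=$1; shift
  iptables-nft -C "$chain" "$@" 2>/dev/null || iptables-nft -A "$chain" "$@"
}

# apply_rules [yes|no]: the documented rule set; the argument selects the
# optional SSH rule. The DROP policies are set last so that a session over
# SSH is not cut off while its accept rule is still missing.
apply_rules() {
  iptables-nft -P OUTPUT ACCEPT
  add_rule INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  if [ "${1:-yes}" = yes ]; then
    add_rule INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  fi
  add_rule INPUT -m mark --mark "$MARK" -j ACCEPT
  add_rule FORWARD -m mark --mark "$MARK" -j ACCEPT
  iptables-nft -P INPUT DROP
  iptables-nft -P FORWARD DROP
}

# Usage: sh rules.sh apply [yes|no]   (hypothetical invocation convention)
if [ "${1:-}" = apply ]; then
  ver=$(iptables-nft --version 2>/dev/null) || { echo "iptables-nft not found" >&2; exit 1; }
  case $(backend_of "$ver") in
    nf_tables) apply_rules "${2:-yes}" ;;
    *) echo "unsupported iptables backend: $ver" >&2; exit 1 ;;
  esac
fi
```

Run it as root with the argument apply; without arguments it only defines the functions, which makes it easy to source and check the backend classification on its own.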
Using nftables directly
The equivalent configuration expressed in native nftables syntax, suitable for loading with nft -f. Note that nftables runs every base chain registered on a hook, and a drop verdict in any of them is final even if the Edge Enforcer's own chains on the same hook accept the packet; this is why the mark rules below must accept the Edge Enforcer's marked packets before the drop policy applies. Loading the file a second time with nft -f appends the chains' rules again; to make the file safe to reload, start it with a declaration of the table followed by a flush of that table.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        # allow replies to outgoing connections
        ct state related,established accept
        # optional: allow incoming SSH traffic
        tcp dport 22 accept
        # allow essential incoming packets marked by the Edge Enforcer
        mark & 0xff0000 == 0x460000 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        # allow forwarding of application and proxy traffic managed by the Edge Enforcer
        mark & 0xff0000 == 0x460000 accept
    }
    chain output {
        # allow all outgoing connections (Control Tower connectivity, DNS and other essentials)
        type filter hook output priority filter; policy accept;
    }
}
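A way to load that ruleset so that it can be reloaded without duplicating rules. This is an added example and not from the Edge Enforcer documentation or project: it wraps the ruleset above in the usual declare-then-flush pattern, so that each nft -f replaces the contents of the table atomically, and syntax-checks the file with nft -c before applying it. It assumes the nft binary is available and that it is run as root when invoked with the hypothetical argument "load"; the second argument selecting whether the SSH rule is emitted is also a convention of this example, not of the product.

```shell
# Added example, not part of the Edge Enforcer documentation: generate and
# load the nftables ruleset idempotently. Assumptions: nft is installed, the
# script runs as root when invoked with "load", and the mark value and mask
# are the ones documented for the Edge Enforcer.

ENFORCER_MARK='0x460000'
MARK_MASK='0xff0000'

# ruleset [yes|no]: print the ruleset on stdout; the argument selects the
# optional SSH rule. The first two lines declare the table (a no-op if it
# exists) and flush it, so redefining it below replaces rather than appends.
ruleset() {
  allow_ssh=${1:-yes}
  cat <<EOF
table inet filter {}
flush table inet filter
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state related,established accept
EOF
  if [ "$allow_ssh" = yes ]; then
    echo '        tcp dport 22 accept'
  fi
  cat <<EOF
        mark & $MARK_MASK == $ENFORCER_MARK accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        mark & $MARK_MASK == $ENFORCER_MARK accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
EOF
}

# load [yes|no]: write the ruleset to a temporary file, reject it on a syntax
# error (nft -c only parses, it changes nothing), then apply it in one
# transaction with nft -f
load() {
  tmp=$(mktemp) || return 1
  ruleset "$1" > "$tmp"
  nft -c -f "$tmp" && nft -f "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage: sh nft-rules.sh load [yes|no]   (hypothetical invocation convention)
if [ "${1:-}" = load ]; then
  load "${2:-yes}"
fi
```

Because the whole file is applied as a single nft transaction, a syntax error anywhere in it leaves the previous ruleset untouched, and the flush only affects the inet filter table, not the Edge Enforcer's own tables.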