Firewall rule, port forward, source = FQDN

Is it possible to allow only an FQDN to port forward to an internal IP on green? Mainly, I’m trying to limit the source to a few FQDNs of users…

I don’t want to open the port to the world…

Thanks,
Brian

No, you cannot use a FQDN, but you can limit access to the internal servers using the IP address as an identifier.

EDIT: as I explained below, you can obtain this setup by operating on the application layer (using NGINX or HAProxy), which is designed to work with domain names, instead of using IPTables, which operates at the network layer and is therefore designed to work with IP addresses.


But the user's WAN IP address will change. That's why I wanted to use FQDN…

I understand, unfortunately it is not possible to use a domain name as an identifier.

Aghhh, all or nothing. Looks like I have to move to pfSense…
Thanks for helping me!!!

Brian

IPTables, which is the user-space utility program that allows you to configure the netfilter rules of the Linux kernel firewall, operates at the network layer. It’s designed to work with IP addresses, not domain names. When you specify a domain name in an IPTables rule, the name is resolved to an IP address at the time the rule is loaded. If the IP address corresponding to that domain name changes afterward, IPTables won’t automatically re-resolve and update the rule.

For example, consider a rule like:

iptables -A INPUT -s example.com -j ACCEPT

When this rule is loaded, example.com will be resolved to an IP address. But if the IP address for example.com changes later, the rule won’t automatically update. Hence, the Web User Interface allows only IP-based identifiers.

You can get around this limitation using a reverse proxy. Instead of doing a port forward on the orange network, you set up on IPFire a reverse proxy that takes care of forwarding the incoming traffic from the FQDN to the orange network target servers.


I saw somewhere a script that would check and resolve a dynamic DNS name or FQDN and make a change in iptables. It was a cron job that ran every X minutes during certain hours.

If I got it right, pfSense uses aliases with tables, but they also have a commercial operation.

@cfusco the suggestion with HAProxy sounds very attractive.
Is that using SNI? I have no experience with HAProxy or SNI, but it sounds like a bulletproof idea. Much safer than a firewall.


@brianjmc1 AFAIK firewall software chews (processes) only IP addresses, v4 or v6, not hostnames.
This is valid for the integrated low-end firewall features of CPE routers (ADSL, VDSL, FTTH), several firewall projects (among them IPCop, pfSense, Endian Firewall, NethServer, DD-WRT) and, last but not least, branded appliances (like Netgear, Zyxel, Cisco, Multitech, TP-Link, MikroTik).
All of them.

This is because IP addresses are… like prime numbers: they can’t be derived from anything, and the source is unambiguous: on the Internet (and in LANs) only one device/connection has that specific IP address (the whole thing is a bit more complex than that… but please, play on).
FQDNs can be sourced from different servers, cached, might become obsolete, correspond to multiple addresses (never heard about round robin?) and, last but not least, can be spoofed via DNS poisoning. Also… FQDNs (under the hood) lead to… IP addresses.

It was like that 15 years ago, and this “incomprehensible limitation” is still here, until you understand how firewalling works. After that… the question answers itself.


A reverse proxy seems like the ideal solution here since it’s tailored to handle domain names. On the other hand, the firewall isn’t designed for that, and using scripts to bypass its inherent limitations seems less than ideal.

I believe SNI plays a crucial role in this setup. When you have multiple virtual hosts behind a single IP address, both HAProxy and NGINX utilize the Server Name Indication (SNI) protocol to determine which certificate to present to the client.

Appreciate all the help, gang!!!

What I am trying to do is limit the port forward (allowing only a few people from the internet into the network) to a single system (onsite PBX) on the Green side. Normally, I would just use OpenVPN, which is already set up, but I have had a hell of a time getting iOS devices (iPhones) and OpenVPN certificates to work properly. Androids work fine, but everyone loves and uses iPhones (evil empire, can't stand them)…
Thanks again! Brian

A reverse proxy can be set up for any protocol, not just HTTP/S. Having said that, for real-time protocols, like those used in a PBX system (e.g., SIP for signaling and RTP for media transmission), a standard reverse proxy might introduce latency. I believe there are specialized proxies that are designed for handling VoIP traffic. You could set up a specialized reverse proxy behind IPFire (with a port forward) that will take care of further forwarding the traffic to your PBX based on the FQDN.

Definitely the drawback of this approach is complexity. Maybe you could install banish; this plugin can use FQDNs and could allow you to get around this IPTables limitation. It is not yet an official IPFire plugin, but I believe it works quite well.

Could be banish created by @helix.


I also remember, similar to @peppetech, a post in the forum about someone successfully creating a script that periodically checked the dynamic IP address and updated the IP address in an iptables rule when it changed.

I have tried to search for the post but been unsuccessful in finding it.

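The cron-driven refresh script that @peppetech and the last post both recall works roughly like this. This is an added illustration written for this thread, not the script from the forum, banish, or anything shipped with IPFire; the FQDN, PBX address, port and chain name are constructed values, and it assumes the DNAT port forward already exists and that a dedicated chain, jumped to from FORWARD and ending in DROP, holds the per-source ACCEPT rules. It only ever applies the delta between the last known and the current A records, and a failed lookup leaves the existing rules untouched.

```python
import ipaddress
import socket
import subprocess
from typing import Callable, Iterable

# Constructed sample values; none of these come from the thread.
FQDN = "remote-user.dyndns.example"   # dynamic-DNS name of the remote user
TARGET = "192.168.1.10"               # green-side PBX the port forward points at
DPORT = 5060                          # SIP signalling port (TCP used here for brevity)
CHAIN = "FQDN_PBX"                    # dedicated chain, jumped to from FORWARD, ending in DROP


def resolve_ipv4(name: str) -> set[str]:
    """Return every A record currently published for name (round robin yields several)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}


def plan_rules(old: Iterable[str], new: Iterable[str], dport: int = DPORT,
               target: str = TARGET, chain: str = CHAIN) -> list[list[str]]:
    """Compute only the iptables delta between the previously allowed and the current set.
    Unchanged addresses keep their rule, so established sessions are not disturbed."""
    old_s, new_s = set(old), set(new)
    for ip in old_s | new_s:
        ipaddress.IPv4Address(ip)  # raises on anything that is not a literal IPv4 address
    match = ["-p", "tcp", "-d", target, "--dport", str(dport), "-j", "ACCEPT"]
    cmds = [["iptables", "-I", chain, "-s", ip, *match] for ip in sorted(new_s - old_s)]
    cmds += [["iptables", "-D", chain, "-s", ip, *match] for ip in sorted(old_s - new_s)]
    return cmds


def refresh(state: dict, resolver: Callable[[str], set[str]] = resolve_ipv4,
            runner: Callable = subprocess.run) -> list[list[str]]:
    """One cron tick: resolve, apply the delta, remember what is now allowed.
    A failed lookup changes nothing: the last known good addresses stay in force."""
    try:
        current = resolver(FQDN)
    except OSError:
        return []
    cmds = plan_rules(state.get("ips", set()), current)
    for cmd in cmds:
        runner(cmd, check=True)
    state["ips"] = current  # a real cron job would persist this set to a file
    return cmds


if __name__ == "__main__":
    # Dry run: print the commands a tick would apply instead of executing them.
    refresh({}, runner=lambda cmd, **kw: print(" ".join(cmd)))
```

Run it from cron with a persisted state file and the real `subprocess.run` runner; the dry-run `__main__` only prints what would change.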