TRB140 Firewall

From Wiki Knowledge Base | Teltonika

Summary

RutOS uses the standard Linux iptables package as its firewall. iptables organizes packet filtering into chains, each with a default policy, and it is these chains and policies that control inbound and outbound traffic. This chapter is an overview of the Firewall section.

General Settings

The General Settings tab is used to configure the main policies of the device's firewall. The figure below is an example of the General Settings section and the table below provides information on the fields contained in that section:

[Figure: Trb14x webui network firewall general settings v1.png]

Enable SYN-flood protection: yes | no; Default: yes
    Enables protection from SYN-flood type attacks
Drop invalid packets: yes | no; Default: no
    If enabled, a "Drop" action is performed on packets that are determined to be invalid
Input: Reject | Drop | Accept; Default: Accept
    Default action* performed on packets that pass through the Input chain
Output: Reject | Drop | Accept; Default: Accept
    Default action* performed on packets that pass through the Output chain
Forward: Reject | Drop | Accept; Default: Reject
    Default action* performed on packets that pass through the Forward chain

* When a packet passes through a firewall chain, it is matched against every rule of that chain. If no rule matches the packet, the chain's default action (Drop, Reject or Accept) is applied:

  • Accept – the packet continues to the next chain
  • Drop – the packet is stopped and discarded silently
  • Reject – the packet is stopped and discarded and, unlike Drop, a packet containing a rejection message is sent back to the source the packet came from

Zones


The Zones section lets you specify rules for traffic filtering between different zones. The figure below is an example of the Zones section and the table below provides information on the fields contained in that section:

[Figure: Trb14x webui network firewall zones v1.png]

Zone: -
    The source zone (from which traffic has originated)
Forwardings: -
    The destination zone (to which traffic will be forwarded)
Input: Reject | Drop | Accept; Default: depends on zone
    Action* performed on packets that pass through the Input chain
Output: Reject | Drop | Accept; Default: depends on zone
    Action* performed on packets that pass through the Output chain
Forward: Reject | Drop | Accept; Default: depends on zone
    Action* performed on packets that pass through the Forward chain
Masquerading: yes | no; Default: depends on zone
    Enables masquerading. MASQUERADE is an iptables target that can be used instead of the SNAT (source NAT) target when the external IP address of the network interface is not known at the time the rule is written (e.g., when the interface obtains its external IP address dynamically)
MSS clamping: yes | no; Default: depends on zone
    Enables MSS clamping, a workaround that changes the maximum segment size (MSS) of all TCP connections passing through links with an MTU lower than the Ethernet default of 1500
MSS clamping: - (interactive button)
    Opens the rule's editing page

* When a packet passes through a firewall chain, it is matched against every rule of that chain. If no rule matches the packet, the chain's default action (Drop, Reject or Accept) is applied:

  • Accept – the packet continues to the next chain
  • Drop – the packet is stopped and discarded silently
  • Reject – the packet is stopped and discarded and, unlike Drop, a packet containing a rejection message is sent back to the source the packet came from
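The General Settings and Zones fields above are stored by RutOS as UCI sections in /etc/config/firewall. The script below is an added example, not Teltonika's or OpenWrt's code: it audits such a file for the weak settings this page warns about (invalid packets not dropped, SYN-flood protection off, an Accept policy on the WAN zone's Input or Forward chain, masquerading off on WAN). It assumes the standard OpenWrt option names (syn_flood, drop_invalid, input, output, forward, masq, mtu_fix); the two sample configurations are constructed.

```shell
#!/bin/sh
# Added example (not Teltonika's code): audit /etc/config/firewall for the weak
# settings described in the General Settings and Zones sections. Assumes the
# standard OpenWrt UCI option names; sample configurations below are constructed.

# fw_audit FILE: print one finding per line, return 1 if anything was found.
fw_audit() {
    findings=$(awk -v q="'" '
        function flush() {
            if (sect == "defaults") {
                if (opt["syn_flood"] != "1")    print "defaults: SYN-flood protection disabled"
                if (opt["drop_invalid"] != "1") print "defaults: invalid packets are not dropped"
                if (toupper(opt["input"]) == "ACCEPT")
                    print "defaults: Input policy ACCEPT (unmatched packets on interfaces outside any zone reach the device)"
                if (toupper(opt["forward"]) == "ACCEPT")
                    print "defaults: Forward policy ACCEPT (unmatched traffic is forwarded between interfaces)"
            } else if (sect == "zone" && opt["name"] == "wan") {
                if (toupper(opt["input"]) == "ACCEPT")   print "zone wan: Input ACCEPT exposes device services to the WAN"
                if (toupper(opt["forward"]) == "ACCEPT") print "zone wan: Forward ACCEPT lets WAN hosts reach other zones"
                if (opt["masq"] != "1")                  print "zone wan: masquerading disabled, LAN source addresses leave unchanged"
            }
            split("", opt); sect = ""
        }
        # "config <type> [name]" starts a section; "option <key> <value>" fills it
        $1 == "config" { flush(); sect = $2 }
        $1 == "option" { v = $3; gsub("[" q "\"]", "", v); opt[$2] = v }
        END { flush() }
    ' "$1")
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: invalid packets kept, Forward policy ACCEPT, WAN zone open.
fw_sample_weak() {
    cat <<'EOF'
config defaults
    option syn_flood '1'
    option drop_invalid '0'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '0'
    option mtu_fix '1'
EOF
}

# Constructed sample: the same device with the checks above satisfied.
fw_sample_hardened() {
    cat <<'EOF'
config defaults
    option syn_flood '1'
    option drop_invalid '1'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
EOF
}

# Usage on the device: fw_audit /etc/config/firewall
```

The audit reads the file the same way the firewall does, section by section, so it reports on the defaults and on the wan zone separately; a zone named differently in the WebUI would need its own branch in flush().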

Port Forwards

Port forwarding is a network address translation (NAT) feature that redirects communication requests from one address and port number combination to another. The Port Forwards tab displays configured port forwarding rules in a compressed manner. It can also be used to enable/disable the rules or edit them.

The figure below is an example of the Port Forwards tab with one added custom rule:

[Figure: Trb14x webui network firewall port forwards port forwards v1.png]

New Port Forward


The New Port Forward section is used to add new port forwarding rules. The figure below is an example of the New Port Forward section and the table below provides explanations for the fields contained in that section:

[Figure: Trb14x webui network firewall port forwards new port forward v1.png]

Name: string; Default: none
    The name of the rule. This is used for easier management purposes
Protocol: TCP+UDP | TCP | UDP | Other; Default: TCP+UDP
    Specifies to which protocols the rule should apply
External zone: WAN; Default: WAN
    External zone, i.e., the zone from which the third party connection will come
External port: integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: none
    External port, i.e., the port from which the third party is connecting
Internal zone: LAN; Default: LAN
    Internal zone, i.e., the zone to which the incoming connection will be redirected
Internal IP address: ip; Default: none
    Internal IP address, i.e., the IP address to which the incoming connection will be redirected
Internal port: integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: none
    Internal port, i.e., the port to which the incoming connection will be redirected
Add: - (interactive button)
    Adds a new port forward rule based on the parameters specified in the previous fields

Port Forwards: editing a rule


If you click the EDIT button next to a rule, it will take you to that rule's configuration section, where you will be able to make more advanced changes to the rule's settings. The figure below is an example of a port forwarding rule's configuration section and the table below provides information on the fields contained in that section:

[Figure: Trb14x webui network firewall port forwards port forwards edit v1.png]

Enable: off | on; Default: on
    Turns the rule on or off
Name: string; Default: none
    Name of the rule. This is used for easier management purposes.
Protocol: TCP+UDP | TCP | UDP | Other; Default: TCP+UDP
    Specifies to which protocols the rule should apply.
Source zone: firewall zone name; Default: gre
    The zone from which the third party will be connecting. (Same as "External zone" in the New Port Forward section.)
Source MAC address: mac; Default: none
    MAC address(es) of connecting hosts. The rule will apply only to hosts that match the MAC addresses specified in this field. Leave empty to make the rule skip MAC address matching.
Source IP address: ip | ip/netmask; Default: any
    IP address or network segment used by connecting hosts. The rule will apply only to hosts that connect from the IP addresses specified in this field. To specify a network segment instead of one IP address, add a forward slash followed by the netmask length after the network address (for example, 10.0.0.0/8).
Source port: integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: none
    Port number(s) used by the connecting host. The rule will match the source port used by the connecting host against the port number(s) specified in this field. Leave empty to make the rule skip source port matching.
External IP address: ip | ip/netmask; Default: any
    IP address or network segment to which hosts will be connecting. The rule will apply only to hosts that connect to the IP addresses specified in this field. To specify a subnet instead of one IP address, add a forward slash followed by the netmask length after the network address (for example, 10.0.0.0/8).
External port: integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: none
    Port number(s) to which hosts will be connecting. The rule will apply only to hosts that connect to the port number(s) specified in this field. Leave empty to make the rule skip external port matching.
Internal zone: firewall zone name; Default: gre
    The zone to which the incoming connection will be redirected.
Internal IP address: ip; Default: none
    The IP address to which the incoming connection will be redirected.
Internal port: integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: none
    The port number to which the incoming connection will be redirected.
Enable NAT loopback: off | on; Default: on
    NAT loopback, a.k.a. NAT reflection or NAT hairpinning, is a method of accessing an internal server through its public IP address. NAT loopback enables your local network (i.e., the hosts behind your NAT device) to connect to the public-facing IP address of a machine that is also on your local network.
Extra arguments: string; Default: none
    Adds extra iptables options to the rule.
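A port forward created through the New Port Forward section or edited here is stored by RutOS as a UCI "redirect" section in /etc/config/firewall. The script below is an added example, not Teltonika's code: it validates the field values the way the page defines them (single port or "lo-hi" range within 0..65535, a dotted-quad internal IP address, the protocol choices) and emits the corresponding section. It assumes the standard OpenWrt option names (target DNAT, src, src_dport, dest, dest_ip, dest_port, proto, reflection); the addresses in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not Teltonika's code): validate the fields of a port forwarding
# rule as described on this page and build the UCI 'redirect' section for it.
# Standard OpenWrt firewall option names are assumed.

# valid_port SPEC: a single port 0..65535 or a range "lo-hi" with lo < hi,
# which is how the page writes the range of integers [0..65534] - [1..65535].
valid_port() {
    case "$1" in
        ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
        *-*) lo=${1%-*}; hi=${1#*-}
             [ "$lo" -le 65534 ] && [ "$hi" -le 65535 ] && [ "$lo" -lt "$hi" ] ;;
        *)   [ "$1" -le 65535 ] ;;
    esac
}

# valid_ipv4 ADDR: four dotted decimal octets, each 0..255.
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# port_forward NAME PROTO EXT_PORT INT_IP INT_PORT [NAT_LOOPBACK]
# PROTO is the WebUI choice written as tcpudp, tcp or udp; NAT_LOOPBACK is on|off
# and maps to the 'reflection' option (Enable NAT loopback, default on).
port_forward() {
    name=$1 proto=$2 ext=$3 ip=$4 int=$5 loopback=${6:-on}
    case "$proto" in tcpudp|tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    valid_port "$ext" || { echo "bad external port: $ext" >&2; return 1; }
    valid_port "$int" || { echo "bad internal port: $int" >&2; return 1; }
    valid_ipv4 "$ip"  || { echo "bad internal IP address: $ip" >&2; return 1; }
    [ "$proto" = tcpudp ] && proto="tcp udp"
    [ "$loopback" = on ] && reflection=1 || reflection=0
    cat <<EOF
config redirect
    option name '$name'
    option target 'DNAT'
    option src 'wan'
    option src_dport '$ext'
    option dest 'lan'
    option dest_ip '$ip'
    option dest_port '$int'
    option proto '$proto'
    option reflection '$reflection'
EOF
}

# Usage (constructed values): forward WAN port 8080 to a LAN web server's port 80.
# port_forward web tcpudp 8080 192.168.1.10 80
```

The validation rejects the cases the WebUI field ranges exclude, such as a reversed range ("8010-8000") or a range whose ends are equal, and the generated section can be appended to /etc/config/firewall before restarting the firewall.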

Traffic Rules

The Traffic Rules tab is used to set firewall rules that filter the traffic moving through the device. The figure below is an example of the Traffic Rules tab and the table below provides information on the fields contained in that tab:

[Figure: Trb14x webui network firewall traffic rules traffic rules v1.png]

Name: string; Default: none
    The name of the rule. This is used for easier management purposes
Match: a set of firewall rule conditions
    A set of conditions against which data packets are compared. If a data packet matches the conditions of a rule, the specified ACTION is taken; if it doesn't match, the packet is checked against the next rule of the chain
Action: DROP | ACCEPT | REJECT; Default: ACCEPT
    The action taken when a packet meets the MATCH conditions:
      • ACCEPT – the packet continues to the next chain
      • DROP – the packet is stopped and discarded
      • REJECT – the packet is stopped and discarded and, unlike DROP, an ICMP packet containing a rejection message is sent back to the source of the dropped packet
Enable: yes | no; Default: yes
    Toggles the rule ON or OFF
Edit: - (interactive button)
    Opens the rule's editing page
Delete: - (interactive button)
    Deletes the rule

Open ports on router


The Open ports on router section is used to set firewall rules that open (allow traffic on) specified external ports on the device. The figure below is an example of the Open ports on router section and the table below provides information on the fields contained in that section:

[Figure: Trb14x webui network firewall traffic rules open ports on router v1.png]

Name: string; Default: none
    The name of the rule. This is used for easier management purposes. The NAME field is auto-filled when port numbers are specified, unless the NAME was specified beforehand by the user
Protocol: TCP+UDP | TCP | UDP | Other; Default: TCP+UDP
    Specifies to which protocols the rule should apply
External port: integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: none
    Specifies which port(s) should be opened

New forward rule


The New forward rule section is used to set firewall rules that forward traffic from one zone to another. The figure below is an example of the New forward rule section and the table below provides information on the fields contained in that section:

[Figure: Trb14x webui network firewall traffic rules new forward rule v1.png]

Name: string; Default: none
    The name of the rule. This is used for easier management purposes
Source zone: LAN | WAN; Default: WAN
    The zone from which traffic has originated
Destination zone: LAN | WAN; Default: LAN
    The zone to which traffic will be forwarded

Source NAT


Source NAT is a specific form of masquerading that allows fine-grained control over the source IP address used for outgoing traffic, for example to map multiple WAN addresses to internal subnets.

The figure below is an example of the Source NAT section with one added custom rule:

[Figure: Trb14x webui network firewall traffic rules source nat v1.png]

Name: string; Default: none
    The name of the rule. This is used for easier management purposes
Match: a set of firewall rule conditions
    A set of conditions against which data packets are compared. If a data packet matches the conditions of a rule, the specified ACTION is taken; if it doesn't match, the packet is checked against the next rule of the chain
Action: DROP | ACCEPT | REJECT; Default: ACCEPT
    The action taken when a packet meets the MATCH conditions:
      • ACCEPT – the packet continues to the next chain
      • DROP – the packet is stopped and discarded
      • REJECT – the packet is stopped and discarded and, unlike DROP, an ICMP packet containing a rejection message is sent back to the source of the dropped packet
Enable: yes | no; Default: yes
    Toggles the rule ON or OFF
Edit: - (interactive button)
    Opens the rule's editing page
Delete: - (interactive button)
    Deletes the rule

New Source NAT


The New Source NAT section is used to add custom source NAT rules. The figure below is an example of the New Source NAT section and the table below provides information on the fields contained in that section:

[Figure: Trb14x webui network firewall traffic rules source nat new source nat v1.png]

Name: string; Default: none
    The name of the rule. This is used for easier management purposes
Source zone: LAN | WAN; Default: LAN
    The zone from which traffic has originated
Destination zone: LAN | WAN; Default: WAN
    The zone to which traffic will be forwarded
To source IP: ip | do not rewrite; Default: Do not rewrite
    Changes the source IP address in the packet header
To source port: integer [0..65335] | do not rewrite; Default: Do not rewrite
    Changes the source port in the packet header
Add and edit: - (interactive button)
    Creates the rule and redirects you to the rule's edit page

Traffic Rules: editing a rule


If you click the EDIT button next to a rule, it will take you to that rule's configuration section, where you will be able to make more advanced changes to the rule's settings. The figure below is an example of a traffic rule's configuration section and the table below provides information on the fields contained in that section:

[Figure: Trb14x webui network firewall traffic rules editing a rule v1.png]

Enable: off | on; Default: on
    Turns the rule on or off.
Name: string; Default: none
    Name of the rule. This is used for easier management purposes.
Restrict to address family: IPv4 and IPv6 | IPv4 only | IPv6 only; Default: IPv4 only
    IP address family to which the rule applies.
Protocol: TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: TCP+UDP
    Specifies to which protocols the rule should apply.
Source zone: firewall zone name; Default: gre
    The zone from which the third party will be connecting.
Source MAC address: mac; Default: none
    MAC address(es) of connecting hosts. The rule will apply only to hosts that match the MAC addresses specified in this field. Leave empty to make the rule skip MAC address matching.
Source address: ip | ip/netmask; Default: any
    IP address or network segment used by connecting hosts. The rule will apply only to hosts that connect from the IP addresses specified in this field. To specify a network segment instead of one IP address, add a forward slash followed by the netmask length after the network address (for example, 10.0.0.0/8).
Source port: integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: none
    Port number(s) used by the connecting host. The rule will match the source port used by the connecting host against the port number(s) specified in this field. Leave empty to make the rule skip source port matching.
Destination zone: firewall zone; Default: Device (input)
    Target zone of the incoming connection.
Destination address: ip | ip/netmask; Default: any
    Target IP address or network segment of the incoming connection.
Destination port: integer [0..65535] | range of integers [0..65534] - [1..65535]; Default: none
    Target port or range of ports of the incoming connection.
Action: DROP | ACCEPT | REJECT; Default: ACCEPT
    Action taken when a packet meets the MATCH conditions:
      • ACCEPT – the packet continues to the next chain.
      • DROP – the packet is stopped and discarded.
      • REJECT – the packet is stopped and discarded and, unlike DROP, an ICMP packet containing a rejection message is sent back to the source of the dropped packet.
Extra arguments: string; Default: none
    Adds extra iptables options to the rule.
Week days: days of the week [Sunday..Saturday]; Default: none
    Specifies on which days of the week the rule is valid.
Month days: days of the month [1..31]; Default: none
    Specifies on which days of the month the rule is valid.
Start Time (hh:mm:ss): time [0..23:0..59:0..59]; Default: none
    Indicates the beginning of the time period during which the rule is valid.
Stop Time (hh:mm:ss): time [0..23:0..59:0..59]; Default: none
    Indicates the end of the time period during which the rule is valid.
Start Date (yyyy-mm-dd): date [0000..9999:1..12:1..31]; Default: none
    Indicates the first day of the date period during which the rule is valid.
Stop Date (yyyy-mm-dd): date [0000..9999:1..12:1..31]; Default: none
    Indicates the last day of the date period during which the rule is valid.
Time in UTC: yes | no; Default: no
    Specifies whether the device should use UTC time. If this is disabled, the time zone specified in the NTP section is used.
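A traffic rule edited here (and listed on the Traffic Rules tab) is stored by RutOS as a UCI "rule" section in /etc/config/firewall. The script below is an added example, not Teltonika's code: it checks the time-window fields in the hh:mm:ss and yyyy-mm-dd formats the page specifies, treats the "Device (input)" destination zone as a rule without a destination zone (i.e. one that filters traffic addressed to the device itself), and emits the section. It assumes the standard OpenWrt option names (src, dest, family, proto, src_ip, dest_port, target, weekdays, start_time, stop_time, start_date, stop_date, utc_time) and the weekday abbreviations Mon..Sun; the addresses in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not Teltonika's code): validate the time-window fields of a
# traffic rule as this page defines them and build the UCI 'rule' section.
# Standard OpenWrt firewall option names and Mon..Sun weekday names are assumed.

valid_hms() {   # hh:mm:ss with hours 0..23 and minutes/seconds 0..59
    case "$1" in [0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ;; *) return 1 ;; esac
    h=${1%%:*}; rest=${1#*:}; m=${rest%%:*}; s=${rest#*:}
    [ "$h" -le 23 ] && [ "$m" -le 59 ] && [ "$s" -le 59 ]
}

valid_ymd() {   # yyyy-mm-dd with month 1..12 and day 1..31, as the page states
    case "$1" in [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;; *) return 1 ;; esac
    mo=${1#*-}; mo=${mo%-*}; day=${1##*-}
    [ "$mo" -ge 1 ] && [ "$mo" -le 12 ] && [ "$day" -ge 1 ] && [ "$day" -le 31 ]
}

valid_weekdays() {   # space-separated list of Mon..Sun
    for wd in $1; do
        case "$wd" in Mon|Tue|Wed|Thu|Fri|Sat|Sun) ;; *) return 1 ;; esac
    done
}

# traffic_rule NAME SRC_ZONE DEST_ZONE PROTO SRC_IP DEST_PORT ACTION \
#              WEEKDAYS START_TIME STOP_TIME START_DATE STOP_DATE
# Pass '' for a restriction that should not apply. DEST_ZONE 'device' selects
# the device's own input chain, which the WebUI calls "Device (input)".
traffic_rule() {
    name=$1 src=$2 dest=$3 proto=$4 src_ip=$5 dport=$6 action=$7
    wdays=$8 start=$9 stop=${10} sdate=${11} edate=${12}
    case "$action" in ACCEPT|DROP|REJECT) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
    case "$dport" in *[!0-9-]*) echo "bad destination port: $dport" >&2; return 1 ;; esac
    if [ -n "$wdays" ] && ! valid_weekdays "$wdays"; then
        echo "bad week days: $wdays" >&2; return 1
    fi
    # A time or date window needs both of its ends in the documented format.
    if [ -n "$start$stop" ] && ! { valid_hms "$start" && valid_hms "$stop"; }; then
        echo "bad time window: $start - $stop" >&2; return 1
    fi
    if [ -n "$sdate$edate" ] && ! { valid_ymd "$sdate" && valid_ymd "$edate"; }; then
        echo "bad date window: $sdate - $edate" >&2; return 1
    fi
    echo "config rule"
    echo "    option name '$name'"
    echo "    option src '$src'"
    [ "$dest" = device ] || echo "    option dest '$dest'"
    echo "    option family 'ipv4'"      # Restrict to address family: IPv4 only
    echo "    option proto '$proto'"
    [ -z "$src_ip" ] || echo "    option src_ip '$src_ip'"
    [ -z "$dport" ]  || echo "    option dest_port '$dport'"
    echo "    option target '$action'"
    [ -z "$wdays" ]  || echo "    option weekdays '$wdays'"
    [ -z "$start" ]  || echo "    option start_time '$start'"
    [ -z "$stop" ]   || echo "    option stop_time '$stop'"
    [ -z "$sdate" ]  || echo "    option start_date '$sdate'"
    [ -z "$edate" ]  || echo "    option stop_date '$edate'"
    echo "    option utc_time '0'"       # Time in UTC: no, the NTP-section time zone applies
}

# Usage (constructed values): allow SSH to the device from the LAN on weekdays,
# working hours only.
# traffic_rule allow-ssh-lan lan device tcp 192.168.1.0/24 22 ACCEPT \
#     "Mon Tue Wed Thu Fri" 08:00:00 18:00:00 '' ''
```

Because the rule has no dest option, it lands in the device's input path rather than the forward path, which is the distinction between "Device (input)" and a named destination zone in the editing page.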

Custom Rules

The Custom Rules tab lets you enter iptables commands that are not otherwise covered by the device's firewall framework. The commands are executed after each firewall restart, right after the default rule set has been loaded.

The figure below is an example of the Custom Rules tab:

[Figure: Trb14x webui network firewall custom rules v2.png]

The rules added here are saved in the /etc/firewall.user file. If you don't have access to the device's WebUI, you can edit that file directly for the same effect.

The Restart Firewall button restarts the firewall service, which adds the custom rules specified in this section to the router's list of firewall rules.

The Reset button resets the custom rules field to its default state.
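The script below is an added example of what the Custom Rules tab, or the /etc/firewall.user file it writes, can hold; it is not Teltonika's code. It consists of plain iptables commands of the kind this section describes, run after the default rule set has been loaded: SSH to the device from the WAN side is allowed without limit from a management network, rate-limited from anywhere else, and dropped attempts are logged, while new connections that port forwards let in from the WAN are logged for an audit trail. It assumes the per-zone hook chains the OpenWrt firewall creates for user rules (input_wan_rule, forwarding_wan_rule); the management network is a constructed sample value. With DRY_RUN=1 (or wherever iptables is not installed) the commands are printed instead of executed, so the file can be checked on a workstation before it is deployed.

```shell
#!/bin/sh
# Added example (not Teltonika's code): a /etc/firewall.user as described in the
# Custom Rules section. Assumes the OpenWrt firewall's per-zone user hook chains
# input_wan_rule and forwarding_wan_rule; MGMT_NET is a constructed sample value.
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-0}
MGMT_NET=${MGMT_NET:-203.0.113.0/24}   # constructed: network allowed to manage the device

# ipt ARGS...: run iptables, or print the command when dry-running.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$IPT $*"; else "$IPT" "$@"; fi
}

custom_rules() {
    # The hook chains are emptied first so that running this file by hand does
    # not stack duplicate rules (a firewall restart flushes them anyway).
    ipt -F input_wan_rule
    ipt -F forwarding_wan_rule

    # SSH to the device from the WAN zone: unrestricted from the management
    # network, rate-limited from elsewhere, with the dropped attempts logged.
    ipt -A input_wan_rule -p tcp --dport 22 -s "$MGMT_NET" -j ACCEPT
    ipt -A input_wan_rule -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m limit --limit 3/min --limit-burst 3 -j ACCEPT
    ipt -A input_wan_rule -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m limit --limit 1/min -j LOG --log-prefix "fw-ssh-drop: "
    ipt -A input_wan_rule -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP

    # Audit trail: log new connections that port forwards let in from the WAN.
    ipt -A forwarding_wan_rule -m conntrack --ctstate NEW \
        -m limit --limit 10/min -j LOG --log-prefix "fw-fwd-new: "
}

# Without iptables on this host (e.g. a workstation), fall back to printing.
command -v "$IPT" >/dev/null 2>&1 || DRY_RUN=1
custom_rules
```

Saved as /etc/firewall.user on the device, the file runs on every firewall restart; the LOG lines show up in the system log with the fw-ssh-drop and fw-fwd-new prefixes, which is where to look when checking whether the rate limit is being hit.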