From e08b8f04e8921b09261734c6f07fcf001d45eecb Mon Sep 17 00:00:00 2001
From: Sukchan Lee
Date: Sun, 25 Sep 2022 21:12:32 +0900
Subject: [PATCH] [DOC] iptable setting for security (#1768)

---
 docs/_docs/guide/01-quickstart.md             | 15 +++++++++++++++
 .../guide/02-building-open5gs-from-sources.md | 13 +++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/docs/_docs/guide/01-quickstart.md b/docs/_docs/guide/01-quickstart.md
index 4dfda5bcc..2546e2216 100644
--- a/docs/_docs/guide/01-quickstart.md
+++ b/docs/_docs/guide/01-quickstart.md
@@ -430,6 +430,21 @@ $ sudo iptables -t nat -A POSTROUTING -s 10.45.0.0/16 ! -o ogstun -j MASQUERADE
 $ sudo ip6tables -t nat -A POSTROUTING -s 2001:db8:cafe::/48 ! -o ogstun -j MASQUERADE
 ```
+Optionally, you may consider the settings below for security purposes.
+
+```bash
+### Prevent UE's from connecting to the host on which UPF is running
+$ sudo iptables -I INPUT -s 10.45.0.0/16 -j DROP
+$ sudo ip6tables -I INPUT -s 2001:db8:cafe::/48 -j DROP
+
+### If your core network runs over multiple hosts, you probably want to block
+### UE originating traffic from accessing other network functions.
+### Replace x.x.x.x/y with the VNFs IP/subnet
+$ sudo iptables -I FORWARD -s 10.45.0.0/16 -d x.x.x.x/y -j DROP
+```
+
+**Note:** The above assumes you do not have any existing rules in the filter and nat tables. If a program such as docker has already set up rules, you may need to add the Open5GS related rules differently.
+{: .notice--danger}
 
 ## 5. Turn on your eNB/gNB and UE
 
 ---
diff --git a/docs/_docs/guide/02-building-open5gs-from-sources.md b/docs/_docs/guide/02-building-open5gs-from-sources.md
index 360b2e963..897e387b7 100644
--- a/docs/_docs/guide/02-building-open5gs-from-sources.md
+++ b/docs/_docs/guide/02-building-open5gs-from-sources.md
@@ -468,6 +468,19 @@ $ sudo iptables -t nat -A POSTROUTING -s 10.45.0.0/16 ! -o ogstun -j MASQUERADE
 $ sudo ip6tables -t nat -A POSTROUTING -s 2001:db8:cafe::/48 ! -o ogstun -j MASQUERADE
 ```
+Optionally, you may consider the settings below for security purposes.
+
+```bash
+### Prevent UE's from connecting to the host on which UPF is running
+$ sudo iptables -I INPUT -s 10.45.0.0/16 -j DROP
+$ sudo ip6tables -I INPUT -s 2001:db8:cafe::/48 -j DROP
+
+### If your core network runs over multiple hosts, you probably want to block
+### UE originating traffic from accessing other network functions.
+### Replace x.x.x.x/y with the VNFs IP/subnet
+$ sudo iptables -I FORWARD -s 10.45.0.0/16 -d x.x.x.x/y -j DROP
+```
+
 **Note:** The above assumes you do not have any existing rules in the filter and nat tables. If a program such as docker has already set up rules, you may need to add the Open5GS related rules differently.
 {: .notice--danger}