forked from acouzens/open5gs
[DOC] iptable setting for security (#1768)
This commit is contained in:
parent
87bc82b245
commit
e08b8f04e8
|
@ -430,6 +430,21 @@ $ sudo iptables -t nat -A POSTROUTING -s 10.45.0.0/16 ! -o ogstun -j MASQUERADE
|
||||||
$ sudo ip6tables -t nat -A POSTROUTING -s 2001:db8:cafe::/48 ! -o ogstun -j MASQUERADE
|
$ sudo ip6tables -t nat -A POSTROUTING -s 2001:db8:cafe::/48 ! -o ogstun -j MASQUERADE
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Optionally, you may consider the settings below for security purposes.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
### Prevent UE's from connecting to the host on which UPF is running
|
||||||
|
$ sudo iptables -I INPUT -s 10.45.0.0/16 -j DROP
|
||||||
|
$ sudo ip6tables -I INPUT -s 2001:db8:cafe::/48 -j DROP
|
||||||
|
|
||||||
|
### If your core network runs over multiple hosts, you probably want to block
|
||||||
|
### UE originating traffic from accessing other network functions.
|
||||||
|
### Replace x.x.x.x/y with the VNFs IP/subnet
|
||||||
|
$ sudo iptables -I FORWARD -s 10.45.0.0/16 -d x.x.x.x/y -j DROP
|
||||||
|
```
|
||||||
|
|
||||||
|
**Note:** The above assumes you do not have any existing rules in the filter and nat tables. If a program such as docker has already set up rules, you may need to add the Open5GS related rules differently.
|
||||||
|
{: .notice--danger}
|
||||||
|
|
||||||
## 5. Turn on your eNB/gNB and UE
|
## 5. Turn on your eNB/gNB and UE
|
||||||
---
|
---
|
||||||
|
|
|
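Review bot: the INPUT rule `$ sudo iptables -I INPUT -s 10.45.0.0/16 -j DROP` (and its ip6tables twin) matches on source address only, so it is not restricted to packets that actually arrive over the UE tunnel, and because `-I` puts it at position 1 it also sits ahead of any existing `ESTABLISHED,RELATED` accept rule, so replies to connections the UPF host itself opens towards a UE are dropped too. Suggest scoping it with `-i ogstun` and adding a sentence to the text saying the rule must come after any conntrack accept rule if host-to-UE connections are expected. Minor wording: `UE's` should be `UEs`, and `the VNFs IP/subnet` should be `the VNF's IP/subnet`.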
@ -468,6 +468,19 @@ $ sudo iptables -t nat -A POSTROUTING -s 10.45.0.0/16 ! -o ogstun -j MASQUERADE
|
||||||
$ sudo ip6tables -t nat -A POSTROUTING -s 2001:db8:cafe::/48 ! -o ogstun -j MASQUERADE
|
$ sudo ip6tables -t nat -A POSTROUTING -s 2001:db8:cafe::/48 ! -o ogstun -j MASQUERADE
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Optionally, you may consider the settings below for security purposes.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
### Prevent UE's from connecting to the host on which UPF is running
|
||||||
|
$ sudo iptables -I INPUT -s 10.45.0.0/16 -j DROP
|
||||||
|
$ sudo ip6tables -I INPUT -s 2001:db8:cafe::/48 -j DROP
|
||||||
|
|
||||||
|
### If your core network runs over multiple hosts, you probably want to block
|
||||||
|
### UE originating traffic from accessing other network functions.
|
||||||
|
### Replace x.x.x.x/y with the VNFs IP/subnet
|
||||||
|
$ sudo iptables -I FORWARD -s 10.45.0.0/16 -d x.x.x.x/y -j DROP
|
||||||
|
```
|
||||||
|
|
||||||
**Note:** The above assumes you do not have any existing rules in the filter and nat tables. If a program such as docker has already set up rules, you may need to add the Open5GS related rules differently.
|
**Note:** The above assumes you do not have any existing rules in the filter and nat tables. If a program such as docker has already set up rules, you may need to add the Open5GS related rules differently.
|
||||||
{: .notice--danger}
|
{: .notice--danger}
|
||||||
|
|
||||||
|
|
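Review bot: the FORWARD rule is IPv4 only (`$ sudo iptables -I FORWARD -s 10.45.0.0/16 -d x.x.x.x/y -j DROP`) while every other rule in this block comes with an ip6tables counterpart, so UEs in 2001:db8:cafe::/48 can still reach the IPv6 addresses of the other network functions. Suggest adding `$ sudo ip6tables -I FORWARD -s 2001:db8:cafe::/48 -d x:x::/y -j DROP` together with a matching placeholder note. The INPUT rules in this block have the same issue as the identical block in the first hunk: they are not limited to `-i ogstun` and are inserted ahead of any existing accept rule.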