UCS firewall: restricting access to SSH and UMC by source IPs

Translated your request as we prefer English here:

Hi. I would like to limit access to certain ports on UCS servers.

I would like to restrict access to certain ports to certain IP addresses on UCS servers. In particular, this concerns access to SSH and the UMC. The UCS servers should serve purely as Active Directory and/or Windows file servers, so access to SSH and UMC is not necessary for non-admins.

As far as I have understood so far, there is no possibility to create firewall rules via UCR that are limited to source IP addresses. However, according to UCS documentation, you can include your own firewall rules via the file /etc/security/packetfilter.d/50_local.sh, so I took this approach first. But here I have the following problem:

Since ports 22 and 443 are enabled by default in the file /etc/security/packetfilter.d/10_univention-firewall_start.sh, filter rules for these ports which I append to the iptables chains via 50_local.sh are never reached by the corresponding network packets, since they have already been accepted before. However, I cannot set up my own rules before 10_univention-firewall_start.sh executes, because 10_univention-firewall_start.sh initially flushes the rule chains, so all rules inserted before it are deleted again.

Is there any other way to filter the two ports with UCS means according to source IP addresses that I might have overlooked?

Greetings,
Frank


I am just a little bit unsure about your motivation. You say “access for non-admins is not needed for UMC nor SSH”. Right, but these are user restrictions, not IP range restrictions. To prevent users from using them you will not need packet filter rules.

Anyways, for restrictions to UMC have a look at this article.

Regarding SSH, have you checked the documentation or did you try it? I read:

Local rules have a higher priority and overwrite rules provided by packages.

This should be enough to define your own rules and use an IP range as limit.

/CV
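A concrete 50_local.sh that does what the question and the reply above discuss, as an added example and not Univention's or either poster's code: it restricts 22/tcp and 443/tcp to admin source networks by inserting rules at the head of the INPUT chain (-I INPUT 1), so they take effect ahead of the ACCEPT rules from 10_univention-firewall_start.sh instead of being appended behind them. The admin networks, the loopback exemption and the dry-run behaviour outside /etc/security/packetfilter.d are my assumptions.

```shell
#!/bin/sh
# Example /etc/security/packetfilter.d/50_local.sh (added example, not Univention code).
# 10_univention-firewall_start.sh already ACCEPTs 22/tcp and 443/tcp, so rules
# appended here with -A are never reached. Inserting at position 1 (-I INPUT 1)
# places these rules ahead of the package rules.

# Source networks allowed to reach SSH and UMC (constructed values; adjust to your admin LAN).
ADMIN_NETS="10.0.0.0/24 192.168.100.10/32"
# Ports to restrict: SSH and UMC (HTTPS).
ADMIN_PORTS="22 443"

# Emit the iptables commands for one port. Emission order matters: every
# command inserts at position 1, so the DROP goes in first and is pushed down
# by each ACCEPT inserted after it. Final chain order for the port:
#   ACCEPT net_n ... ACCEPT net_1, DROP (non-loopback), <package rules>
rules_for_port() {
    port=$1
    # Loopback is exempt so local tools and UMC's own local calls keep working.
    echo "iptables -I INPUT 1 ! -i lo -p tcp --dport $port -j DROP"
    for net in $ADMIN_NETS; do
        echo "iptables -I INPUT 1 -p tcp --dport $port -s $net -j ACCEPT"
    done
}

# Emit the full rule set for all restricted ports.
generate_rules() {
    for port in $ADMIN_PORTS; do
        rules_for_port "$port"
    done
}

# Number of rules that would be installed (quick sanity check before applying).
rule_count() {
    generate_rules | wc -l | tr -d ' '
}

# Apply only when executed from the packetfilter directory (i.e. by the
# Univention firewall start-up); anywhere else just print the commands (dry run).
case "$0" in
    */packetfilter.d/*) generate_rules | sh -e ;;
    *) generate_rules ;;
esac
```

On a dual-stack host the same restriction has to be installed with ip6tables as well, since these rules only cover IPv4 traffic.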