LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 03-18-2018, 02:28 PM   #16
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 2,719

Rep: Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118

#1 have you tried unsetting the default route on that node? If that works (as it should) then blocking at the router should also work. If that does not work, then we are looking at a whole different issue that it appears.

#2 check traceroute to an external address or site. If the first hop is your gateway, then it is not blocking and your node network is routing to it.

We need a bigger and more detailed picture showing what is really going on to make sense of it, and this should help.
 
Old 03-18-2018, 03:15 PM   #17
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,792

Original Poster
Rep: Reputation: 125Reputation: 125
2) with blocking rule in place on the firewall
Code:
[ken@localhost Desktop]$ traceroute www.centos.org
traceroute to www.centos.org (85.12.30.226), 30 hops max, 60 byte packets
 1  10.42.0.1 (10.42.0.1)  0.802 ms  0.575 ms  0.404 ms
 2  10.8.8.1 (10.8.8.1)  47.276 ms  49.618 ms  51.196 ms
 3  192.168.0.1 (192.168.0.1)  52.898 ms  55.127 ms  55.847 ms
 4  ip1.23-29-136.static.steadfastdns.net (23.29.136.1)  58.552 ms  60.488 ms  62.106 ms
 5  ae1.core1.edi03.steadfast.net (67.202.117.10)  63.654 ms  67.229 ms  67.191 ms
 6  ae0.core2.edi03.steadfast.net (67.202.117.9)  69.056 ms  44.888 ms  46.534 ms
 7  te0-0-1-7.rcr21.ewr06.atlas.cogentco.com (38.122.244.129)  48.704 ms  45.176 ms  45.804 ms
 8  be3118.rcr21.ewr02.atlas.cogentco.com (154.24.11.85)  49.146 ms 154.24.56.153 (154.24.56.153)  51.648 ms be3118.rcr21.ewr02.atlas.cogentco.com (154.24.11.85)  52.272 ms
 9  be2601.rcr24.jfk01.atlas.cogentco.com (154.54.40.49)  55.006 ms be2600.rcr23.jfk01.atlas.cogentco.com (154.54.40.29)  57.304 ms be2601.rcr24.jfk01.atlas.cogentco.com (154.54.40.49)  58.690 ms
10  be2896.ccr41.jfk02.atlas.cogentco.com (154.54.84.201)  60.407 ms  62.183 ms  63.601 ms
11  be2490.ccr42.lon13.atlas.cogentco.com (154.54.42.86)  131.883 ms be2317.ccr41.lon13.atlas.cogentco.com (154.54.30.186)  141.343 ms  118.894 ms
12  be12488.ccr42.ams03.atlas.cogentco.com (130.117.51.42)  128.774 ms  126.681 ms  127.664 ms
13  be2434.agr21.ams03.atlas.cogentco.com (130.117.2.241)  124.823 ms be2440.agr21.ams03.atlas.cogentco.com (130.117.50.6)  124.600 ms be2434.agr21.ams03.atlas.cogentco.com (130.117.2.241)  127.159 ms
14  xe-7-2.rt1.ams3.baseip.com (149.6.128.198)  136.997 ms  139.004 ms  136.943 ms
15  xe-1-1.rt1.ams1.baseip.com (91.148.255.65)  132.321 ms  143.028 ms  141.323 ms
16  85.12.30.226 (85.12.30.226)  138.060 ms !X  139.448 ms !X  141.401 ms !X
1)
Code:
[root@localhost Desktop]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.42.0.0       *               255.255.255.0   U     1      0        0 eth0
default         10.42.0.1       0.0.0.0         UG    0      0        0 eth0

[root@localhost Desktop]# ip route delete default

[root@localhost Desktop]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.42.0.0       *               255.255.255.0   U     1      0        0 eth0

[root@localhost Desktop]# traceroute www.centos.org
traceroute to www.centos.org (85.12.30.226), 30 hops max, 60 byte packets
connect: Network is unreachable
And now after a reboot of the node computer
Code:
[root@localhost Desktop]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.42.0.0       *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     1002   0        0 eth0
default         10.42.0.1       0.0.0.0         UG    0      0        0 eth0

[root@localhost Desktop]# ip route delete default

[root@localhost Desktop]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.42.0.0       *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     1002   0        0 eth0

[root@localhost Desktop]# traceroute www.centos.org
traceroute to www.centos.org (85.12.30.226), 30 hops max, 60 byte packets
connect: Network is unreachable
The only difference I see is that after the rich rule is removed from the firewall computer the "link local" entry appears in the route table on the node computer.

Ken
 
Old 03-19-2018, 06:00 AM   #18
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 2,719

Rep: Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118
If the firewall blocking at the gateway were really working then that traceroute output would not obtain. In other works, the result "network unreachable" or something similar would result for the external address in either case. Since it only results when the default is removed, we know that the block at the gate is NOT working.

Conclusions:
#1 removing the default gate ON the node DOES work as intended. It is suitable as a "first cut" solution. Since it may be reversed ON the node additional research on the gateway blocking is indicated.

#2 the command you are using at the gateway is clearly NOT adequate. Additional research is indicated.

As an aside, I seem to recall blocking some WIFI devices by MAC address. If you can do that it adds a slightly greater layer of security. Changing the MAC is less obvious and less likely to occur, though still doable if you have root access.
 
Old 03-19-2018, 07:58 AM   #19
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,792

Original Poster
Rep: Reputation: 125Reputation: 125
Good morning wpeckham and thank you again for your assistance.

Stopping Internet access at the node is certainly a viable approach for this situation. Just for completeness I will explain in a moment what is behind this whole experiment.

Fundamentally dropping all packets at the incoming interface to the firewall should, it seems to me, DROP ALL PACKETS. Unless DNS packets are carried on neutrinos or are made of anti-matter or something, this issue seems absurd. When I was testing my firewall for the Internet facing side I had setup a test environment and used some penetration testing software, the name of which escapes me until I have some coffee. Let me find my notes and perhaps I can do some testing from the LAN side.

As to controlling access by MAC address, I do that routinely with WiFi connections using the software on the WiFi router/access point. I had wondered about specifying that in the firewall but have not come across a command to do that. I will do some more looking.

Why I am doing this... I purchased an Osborne Executive suitcase computer in 1983. About two weeks before Osborne went bankrupt The dealer then had a closeout sale on Osborne software. I picked up a copy of dBase II for $100 (list price was about $800.) I have done considerable programming in the xBase language over the years - dBase II, dBase III+, FoxBase+, FoxPro and Visual FoxPro. I have data files going back 35 years which I occasionally need to access.

Visual FoxPro 6 was last supported on Windows XP. It will run under Wine on Linux. However, on CentOS 7 and recent Ubuntu versions I get occasional strange errors when running a pseudo compile - which FoxPro does when one executes a .prg (program) file. I though had this fixed by installing Wine 2.x on Ubuntu but that has quit working and I received these errors last time I tried to run on Wine 2.x. So...

I built a CentOS 6 virtual machine in VMWare with the appropriate version of Wine and Visual FoxPro. I use an nfs mount to my data files on the host and have this mount point called drive D: in Wine. Works great. When support for CentOS 6 ends in November 2020 I would plan to keep the CentOS 6 virtual machine in use. Provided it cannot play on the Internet I am not too concerned that it is no longer receiving updates. Unless I figure out a fix for VFP/Wine/newer Linux in the mean time, this is my long term fallback.

Ken
 
Old 03-19-2018, 10:46 AM   #20
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,792

Original Poster
Rep: Reputation: 125Reputation: 125
Had my fill of coffee and determined that the scanning tool I had used was nmap (zenmap gui). I installed same on the node virtual machine. With no blocking rule installed in the firewall I found
Code:
Discovered open port 53/tcp on 10.42.0.1
Discovered open port 22/tcp on 10.42.0.1
Discovered open port 5901/tcp on 10.42.0.1
I added my blocking rule and ran the scan again. This time I found
Code:
Discovered open port 53/tcp on 10.42.0.1
These ports correspond to:

53 - DNS
22 - SSH
5901 - VNC

I have the second and third ports open to my LAN so I can manage the firewall machine as it runs headless. It seems that the first port is opened by dnsmasq. If I kill the dnsmasq process the port is closed and thennode cannot access the Internet. Of course neither can any other machine on my LAN.

It looks like the issue boils down to... why is dnsmasq overriding the blocking rule or why is the blocking rule ignoring port 53?

Ken
 
Old 03-19-2018, 08:31 PM   #21
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 2,719

Rep: Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118
Here is a thought: if your node is a virtual machine then any traffic from it appears at some layers to come from the host node.

Check for rules in your firewall software that specifically allow the DNSMASQ application or port 53 (tcp or udp or both).

I see no major security issue with CentOS-6 running WINE having limited access to the internet. As long as you are not doing things like browsing for porn from it, the odds of an exploit are minimal.
 
Old 03-20-2018, 07:54 AM   #22
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,792

Original Poster
Rep: Reputation: 125Reputation: 125
Thanks again wpeckham,

That was an excellent thought. However, the firewall seems to have a mind of its own and it does not agree. I changed my rule to block the address of a physical machine on my LAN and again ran Zenmap. Before adding the rule I found
Code:
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 2048 a1:d9:a2:87:72:e8:93:06:d1:2b:ae:7d:41:0e:af:1e (RSA)
|_256 c9:9b:b7:c7:92:82:50:8b:fe:fb:7b:9f:53:a9:67:e3 (ECDSA)
53/tcp   open   domain  dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
and after enabling the rule
Code:
PORT   STATE SERVICE VERSION
53/tcp open  domain  dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
I cannot ping the firewall computer from the blocked computer. However, I can ping other computers on the LAN (desired result) and also computers on the Internet (not the desired result).

The firewall is VERY simplistic. The Internet facing interface is in the Drop zone. NOTHING is allowed in unless it is asked for from behind the firewall. The LAN facing interface is in the Public zone. The only services allowed are SSH and vnc-server. dns is NOT checked in the configuration gui. Ports 5901 and 5905 (tcp) are open for vnc. dns is shown to use port 53 tcp and udp. ssh is shown to use port 22 tcp and vnc-server 5900-5903 tcp. I have poked around in the gui and do not see anything else.

Ken

p.s. Browsing for porn - that is best done from a VM installed on an encrypted partition with a vpn and/or Tor - I didn't say that
 
Old 03-22-2018, 02:42 PM   #23
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,792

Original Poster
Rep: Reputation: 125Reputation: 125
I asked this question over on the CentOS forum https://centos.org/forums/viewtopic.php?f=50&t=66466

I was told that I had made my change to the INPUT chain and they need to be made to the FORWARD chain. I have not found out how to do this with firewall-cmd. I have tried but not succeeded in doing this with iptables. Does the FORWARD chain prompt any suggestions?

TIA,

Ken
 
Old 03-25-2018, 08:58 AM   #24
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 2,719

Rep: Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118
Quote:
Originally Posted by taylorkh View Post
I asked this question over on the CentOS forum https://centos.org/forums/viewtopic.php?f=50&t=66466

I was told that I had made my change to the INPUT chain and they need to be made to the FORWARD chain. I have not found out how to do this with firewall-cmd. I have tried but not succeeded in doing this with iptables. Does the FORWARD chain prompt any suggestions?

TIA,

Ken
I see what the thought is there. The behavior indicates that your rule is blocking your isolation nodes access to the CentOS device, but it is still forwarding packets as a gateway for that node. Block forwarding for that node and see if that has the intended effect.

Just curious, why use CentOS instead of a distribution specifically designed as a security gateway?
 
Old 03-25-2018, 09:49 AM   #25
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,792

Original Poster
Rep: Reputation: 125Reputation: 125
Good morning wpeckham,

Perhaps it was the wrong thing to do but I broke this problem into some smaller pieces and started a couple of bite sized threads. I felt that this thread was not well focused. I have managed to block the node computer from using the FORWARD chain and it does stop the node from accessing the Internet (almost). I did not do this "correctly" as I used the iptables command instead of the firewall-cmd --direct command and I added my rule to the main FORWARD chain. firewalld creates a whole lot of subordinate chains under the main 3 (INPUT, FORWRED, OUTPUT) dependent on which zone they apply to etc. I have managed to figure out some of them. I asked a specific questoin about translating iptables speak to firewall-cmd --direct speak here https://www.linuxquestions.org/quest...nd-4175626310/

By "almost" I mean that the node cannot ping an Internet resource by IP address nor by web address. However, it CAN resolve a web address meaning it is somehow talking to DNS on/via the firewall computer even though it is blocked on the INPUT and FORWARD chains. I explained this in detail here https://www.linuxquestions.org/quest...-a-4175626268/

As to why I am using CentOS rather than a router specific product... This fiasco started when I replaced my OLD DSL Modem and OLDER stand alone router with a DSL modem/router combination provided by my ISP. I was tired of arguing with the (in most cases) morons at the ISP tech support every time THEIR system went down and it was the fault of MY old modem. In examining the new box I found that TELNET was open and I could not close it! The Linux kernel on the device was ancient. The version of dnsmasq on the thing had a list of vulnerabilities on it as long as my arm. etc. AND the ISP tech support folks had no clue how to update it. One swore that it did not run Linux and it actually had NO OPERATING SYSTEM! Obviously it needed to run in transparent bridged mode.

I looked at a product called Untangle. They offered a "light weight" free version for home use. A day after I registered and downloaded the product I got an email from their support folks offering to have one of their specialists call me to help. I replied that I was just trying to setup a SIMPLE firewall for a home network. My only questions related to running OpenVPN on the Untangle box. In reply I got an email pointing to a bunch of FOR SALE packages. I could not figure out most of the FREE features much less why I would want them. So...

I have used CentOS and the old RedHat 5.x - 9 distros (with Ubuntu in the middle) for a long time. I started researching how to configure my own firewall/router. This did not make too much progress. I remembered that Windoze XP had a feature in the network setup to "share Internet connection with other computers" or something like that. Low and behold the NetworkManager gui offers the same thing. A couple of clicks and I had a router.

I tweaked the firewall to place the Internet facing interface in the drop zone and the lAN interface in the public zone. I allowed ssh and vnc on the public zone and installed dhcpd as I wished to have some reserved/static IP addresses on the LAN. I am not sure dnsmasq can do that, in fact I did not realize initially that NetworkManager enabled dnsmasq. I did some port scanning and verified that everything Internet facing was stealthed so I went "production."

I can certainly configure the network connection on the node virtual machine manually and leave off the gateway. This will accomplish the original objective. I am simply using this as a learning exercise.

Ken
 
Old 03-25-2018, 04:27 PM   #26
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 2,719

Rep: Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118Reputation: 1118
I see. DNS traffic can be UDP, so if your rules only affect TCP then it will not block the UDP traffic.

I have always used a dumb device for the ISP connection with a server I loaded (generally Debian) running as a DNS/DHCP and firewall server. Until Comcast/Xfinity with their "special" devices: don't get me started.

ISPs who are not terribly bright and assume you know even less are the bane of the country, and perhaps the world.

That said, the value of a device specifically designed or loaded for the tasks is significant. I would not recommend backing our and loading something else now, but if you ever have to start over you should have a look through distrowatch at some of the firewall/router distributions.

Since SOPHOS purchased them, I am not sure if a download of the Astaro Security Gateway software is still available, but that was once (2004-2007 or so at least) about the best in the world.
 
Old 03-25-2018, 05:11 PM   #27
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 1,792

Original Poster
Rep: Reputation: 125Reputation: 125
Thanks again wpeckham,

Let me look at my rules and see if I can block UDP if I am not already. As to the distro... I will have a look around. My description of how this machine came to be was only half the story and sort of backwards.

The hardware in question is a Dell Inspiron 3050 Micro. Dual core Celeron processor (I have two others with Dual core Pentium chips), 4 GB RAM and a 128 GB M.2 SSD. About the size of a small Intel NUC. Super little machines (toys). Initially this was my Usenet leacher machine as it only used about 7 watts compared to 160 for my desktop. I could leave it on 7x24 without worrying about power usage. Handy when I had only a 1.5 Mb/s DSL connection.

Then my Usenet provider added a "free" VPN service to the package if I paid annually. Cool. I tried running the VPN on a small LinkSys router with DD-WRT. Worked OK but heavy downloads overloaded the router cpu and dragged down the throughput. I ran the VNP on the Dell for Usenet and played with another instance on my desktop.

More recently, now with an "up to 10 Mb/s DSL service" I subscribed to ProtonVPN (from the ProtonMail folks). I wanted to share this with my whole LAN. I purchased a more powerful router but before even opening the package I reviewed the documentation for setting up DD-WRT and ... I can't believe I had done it on the little router. The new router went back to the store and I embarked on setting up a VPN sharing box.

The architecture at that point was [DSL modem] <--> [Netgear router] <--> [Dell with VPN] <--> [Switch] <--> LAN.

For my next trick I replaced the DSL modem and Netgear router with the new ISP provided device and eventually moved the whole router/firewall/DHCP functionality to the Dell machine.

That is sort of where I am now. I documented my setup and how I dealt with DNS leakage on the VPN here https://www.linuxquestions.org/quest...ch-4175618851/

The most recent addition to my home data center is a Raspberry Pi 3 running Ubuntu Mate 16.04. It serves as my Bit Torrent machine as it only draws 4 or 5 watts (I must download a lot of Linux ISOs.)

Ken
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Easy way to find bots/spiders and block them from Nginx access.log ASTRAPI Linux - Newbie 5 03-24-2015 10:19 AM
squid block internet on computer Ammad Linux - General 0 03-27-2009 09:46 PM
how to block internet access? E_l_d_o Linux - Networking 2 05-03-2007 12:39 PM
i need help... how to block internet access... E_l_d_o Linux - General 3 05-03-2007 12:00 PM
Easy access to the Internet drabkin Linux - Newbie 10 11-26-2002 08:03 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 08:48 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration