LinuxQuestions.org
Old 05-03-2016, 10:05 AM   #1
ankit,garg
LQ Newbie
 
Registered: Jan 2012
Location: Noida,India
Posts: 20

Rep: Reputation: Disabled
iptables command gets executed successfully but its impact is not visible.


Hi!

I am facing a problem where I want to use iptables commands to drop incoming packets: I execute the iptables command and it gets executed, but its effect is not visible.

Details:

OS: CentOS 7 / Fedora 21
Kernel: 3.11.7

Network setup:

I have two Ethernet interfaces on my machine, eth0 and eth1, where eth0 is connected to the internet (say with IP 192.168.1.10) and eth1 is connected to an STB. I create a bridge with the commands below and bridge eth0 and eth1 so that the STB gets an IP and network connectivity through this bridge. The STB obtains IP 192.168.1.20.

brctl addbr test_stb
brctl addif test_stb eth0
brctl addif test_stb eth1

ifconfig test_stb up

Usage of this setup: from another machine with IP 192.168.1.5 I am multicasting an H264 UDP transport stream to IGMP group 233.0.0.248:1112. The STB joins this multicast group and plays the incoming transport stream.

So, my machine with the bridge between eth0 and eth1 is receiving the transport stream in the form of UDP packets on interface eth0, and they are redirected to interface eth1 through the bridge interface test_stb.

Requirement for iptables: I am using the iptables commands below to drop the incoming UDP packets so that the STB does not get the transport stream.

iptables -A FORWARD -i test_stb -d 233.0.0.248 -p udp --dport 1112 -j DROP

or

iptables -A FORWARD -i test_stb -d 233.0.0.0/24 -p udp -j DROP
iptables-save

The above commands get executed successfully, but their impact is not visible, i.e. the incoming UDP packets are not getting dropped.

I googled this problem and found that the newer versions of CentOS and Fedora include firewalld, which replaced iptables; it is still possible to use iptables by disabling the firewalld module on the machine. I tried the commands below to disable firewalld and use iptables, but it didn't help: the outcome of executing the iptables command is still the same as stated above.

systemctl mask firewalld

systemctl stop firewalld

yum -y install iptables-services

systemctl enable iptables

systemctl enable ip6tables

systemctl start iptables

systemctl start ip6tables

I even checked the running status of firewalld by command "firewall-cmd --state" and it returns status as "not running".

Please help me to troubleshoot this issue. The strange thing is that the above-mentioned iptables commands run and take effect perfectly fine on an older version (Fedora 18 / CentOS 5) which does not have the firewalld module.

TIA
Ankit
 
Old 05-03-2016, 11:12 AM   #2
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
Try using PREROUTING for this:

Code:
iptables -t mangle -A PREROUTING -i eth0 -d 233.0.0.248 -p udp --dport 1112 -j DROP
or
iptables -t mangle -A PREROUTING -i eth0 -d 233.0.0.0/24 -p udp -j DROP
The second is the better choice, as you don't always know.

I too am not a fan of firewalld so I also replaced it with iptables.
 
Old 05-04-2016, 02:37 AM   #3
ankit,garg (Original Poster)
Hi lazydog!

Thanks for your reply.

I tried the commands as suggested by you, but the result is still the same, i.e. the command got executed but its effect is not visible.

I even tried the commands below, which also work on an older version (Fedora 18 / CentOS 5) which does not have the firewalld module. But the commands below are also not working on CentOS 7.

iptables -t raw -A PREROUTING -i eth0 -d 233.0.0.0/24 -p udp -j DROP

or

iptables -t raw -A PREROUTING -i eth0 -d 233.0.0.248 -p udp --dport 1112 -j DROP

Is there any log file in which iptables writes its log, where we can check what could be happening?
 
Old 05-04-2016, 02:53 PM   #4
lazydog
Are you sure your system is using iptables? You should check.
 
Old 05-06-2016, 05:49 AM   #5
ankit,garg (Original Poster)
That is what I suspect: I am not sure whether my system is using iptables or not. How can I check that?
 
Old 05-06-2016, 10:38 AM   #6
lazydog
Quick way would be:

Code:
systemctl | grep firewall
 
Old 05-09-2016, 03:54 AM   #7
ankit,garg (Original Poster)
I have made sure that firewalld is not running. In my first post I verified this by running the command "firewall-cmd --state", and it returns the status "not running".

So, I am sure that firewalld is not running.
 
Old 05-09-2016, 07:04 AM   #8
lazydog
OK so what do you get with the following command?

Code:
iptables -nL
If everything here checks out the next step is going to be a capture of your traffic to see exactly what IP and port are being used.
 
Old 05-09-2016, 07:41 AM   #9
ankit,garg (Original Poster)
I ran the suggested commands and the results are below.

Code:
[root@localhost 6.1.1_1]# systemctl | grep firewall
ip6tables.service                                                                         loaded active exited    IPv6 firewall with ip6tables
iptables.service                                                                          loaded active exited    IPv4 firewall with iptables


[root@localhost 6.1.1_1]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       udp  --  0.0.0.0/0            224.0.251.1          udp dpt:8002

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      


[root@localhost 6.1.1_1]# iptables-save
# Generated by iptables-save v1.4.21 on Mon May  9 14:38:36 2016
*mangle
:PREROUTING ACCEPT [748:693151]
:INPUT ACCEPT [4:336]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:336]
:POSTROUTING ACCEPT [4:336]
-A PREROUTING -d 224.0.251.1/32 -i br_iface -p udp -j DROP
-A PREROUTING -d 224.0.251.0/24 -i br_iface -p udp -j DROP
COMMIT
# Completed on Mon May  9 14:38:36 2016
# Generated by iptables-save v1.4.21 on Mon May  9 14:38:36 2016
*filter
:INPUT ACCEPT [4:336]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:336]
-A FORWARD -d 224.0.251.1/32 -i br_iface -p udp -m udp --dport 8002 -j DROP
COMMIT
# Completed on Mon May  9 14:38:36 2016

Last edited by ankit,garg; 05-09-2016 at 08:46 AM.
 
Old 05-09-2016, 08:42 AM   #10
lazydog
Those "-d 224" should be "-s 224".
 
Old 05-09-2016, 08:52 AM   #11
ankit,garg (Original Poster)
I tried it, replacing the command

Code:
iptables -A FORWARD -i br_iface -d 224.0.251.1 -p udp --dport 8002 -j DROP
to

Code:
iptables -A FORWARD -i br_iface -s 224.0.251.1 -p udp --dport 8002 -j DROP
Code:
[root@localhost 6.1.1_1]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       udp  --  224.0.251.1          0.0.0.0/0          udp dpt:8002

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

But it did not have any effect on it. STB is still receiving the multicast stream. Please note that I am applying these rules on my bridge interface.

Last edited by ankit,garg; 05-09-2016 at 08:54 AM.
 
Old 05-09-2016, 09:23 AM   #12
lazydog
How about applying them to the internet interface eth1 or eth0?
 
Old 05-10-2016, 03:17 AM   #13
ankit,garg (Original Poster)
Hi Again,

I tried applying iptables rules on each interface. This time, to keep it very simple, I applied the rule in the INPUT chain to drop every type of packet, not specific packets like UDP. But iptables is still not having any effect. Below is a snapshot of what I did, starting from a reboot of the machine.

When the machine is rebooted, the interface configuration looks like below:

Code:
[root@localhost ~]# ifconfig
em1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::3e97:eff:fef0:cca8  prefixlen 64  scopeid 0x20<link>
        ether 3c:97:0e:f0:cc:a8  txqueuelen 1000  (Ethernet)
        RX packets 157  bytes 41818 (40.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 260  bytes 19128 (18.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf2500000-f2520000  

enp0s20u1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:50:b6:59:46:21  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 464  bytes 40432 (39.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 464  bytes 40432 (39.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
After that I created the bridge interface and added both Ethernet devices to it:

Code:
[root@localhost ~]# brctl addbr br_iface
[root@localhost ~]# brctl addif br_iface em1
[root@localhost ~]# brctl addif br_iface enp0s20u1
[root@localhost ~]# ifconfig br_iface up
[root@localhost ~]# ifconfig br_iface hw ether 3c:97:0e:f0:cc:a8

br_iface: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::250:b6ff:fe59:4621  prefixlen 64  scopeid 0x20<link>
        ether 3c:97:0e:f0:cc:a8  txqueuelen 0  (Ethernet)
        RX packets 626  bytes 840617 (820.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5  bytes 418 (418.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

em1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::3e97:eff:fef0:cca8  prefixlen 64  scopeid 0x20<link>
        ether 3c:97:0e:f0:cc:a8  txqueuelen 1000  (Ethernet)
        RX packets 10732  bytes 14403886 (13.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 270  bytes 19896 (19.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf2500000-f2520000  

enp0s20u1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:50:b6:59:46:21  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 464  bytes 40432 (39.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 464  bytes 40432 (39.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Checked whether the bridge was successfully created:

Code:
[root@localhost ~]# brctl show
bridge name	bridge id		STP enabled	interfaces
br_iface		8000.3c970ef0cca8	no		em1
							enp0s20u1
Checked whether the iptables service is running:

Code:
[root@localhost 6.1.1_1]# systemctl | grep firewall
ip6tables.service                                                    loaded active exited    IPv6 firewall with ip6tables
iptables.service                                                     loaded active exited    IPv4 firewall with iptables
Checked the iptables rules, if there are any:

Code:
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@localhost ~]#
Added iptables rules to the INPUT chain and then listed the rules:

Code:
[root@localhost ~]# iptables -A INPUT -i br_iface -j DROP
[root@localhost ~]# iptables -A INPUT -i em1 -j DROP
[root@localhost ~]# iptables -A INPUT -i enp0s20u1 -j DROP
[root@localhost ~]# 
[root@localhost ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@localhost ~]#
No effect of iptables is visible. I can access everything from the STB.
 
Old 05-10-2016, 04:25 AM   #14
ankit,garg (Original Poster)
One more thing I found during my investigation: the iptables rules are effective on an Ethernet interface that has not been added to the bridge interface, i.e. I rebooted the machine and applied the iptables rule below on em1

Code:
iptables -A INPUT -i em1 -p all -j DROP
and then I was not able to access anything from my machine. On applying the iptables rule below

Code:
iptables -A INPUT -i em1 -p tcp -j DROP
I was not able to browse websites from a web browser, but I was able to ping 8.8.8.8 and receive the ICMP packets. On applying the iptables rule below

Code:
iptables -A INPUT -i em1 -p icmp -j DROP
the ping stopped working and I was able to browse websites through the web browser.

It looks like these iptables rules do not take effect when I add both of my Ethernet interfaces to a bridge, and they are also not effective on the bridge interface itself.
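Two checks worth running when a rule is listed but never drops anything on a bridge, added here as example code that is not part of the thread: whether the kernel hands bridged IPv4 frames to iptables at all (the bridge-nf-call-iptables sysctl), and whether the rule's packet counter in `iptables -nvL` is stuck at zero (the rule sits in a chain the traffic never traverses, e.g. INPUT for forwarded STB traffic). The sysctl path and the listing are passed in as arguments, and the listing below is a constructed sample, so the functions can be exercised offline; on a live host pass the real values shown in the comments.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread). Live usage, assumed paths:
#   bridge_nf_enabled /proc/sys/net/bridge/bridge-nf-call-iptables
#   zero_hit_drops "$(iptables -nvL FORWARD)"

# Exit 0 when bridged IPv4 frames are handed to iptables, 1 otherwise.
# The file does not exist until the bridge module (or, on kernels >= 3.18,
# br_netfilter) is loaded; a value of 0 means bridged frames skip the
# FORWARD chain entirely, so every filter rule there is dead weight.
bridge_nf_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Print DROP rules from an `iptables -nvL` listing whose pkts counter is 0.
# Columns: pkts bytes target prot opt in out source destination ...
# A zero counter on a rule that should be busy is the thread's symptom:
# installed, listed, never matched.
zero_hit_drops() {
    printf '%s\n' "$1" | awk '$3 == "DROP" && $1 == 0 { print }'
}

# Constructed sample listing, modelled on the thread's multicast rule after
# the bridge was built (first rule never hit, second rule busy).
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in       out     source               destination
    0     0 DROP       udp  --  br_iface *       0.0.0.0/0            233.0.0.248          udp dpt:1112
 4200  6.3M ACCEPT     all  --  *        *       0.0.0.0/0            0.0.0.0/0'

if [ "$#" -gt 0 ]; then
    # Manual run: sh diag.sh /proc/sys/net/bridge/bridge-nf-call-iptables
    if bridge_nf_enabled "$1"; then
        echo "bridged traffic reaches iptables"
    else
        echo "bridged traffic BYPASSES iptables: sysctl -w net.bridge.bridge-nf-call-iptables=1"
    fi
    echo "DROP rules that have never matched:"
    zero_hit_drops "$SAMPLE_LISTING"
fi
```

If the sysctl is 0 and the filter is meant to stay at layer 2, the ebtables FORWARD chain sees bridged frames regardless of that setting.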
 
Old 05-10-2016, 08:20 AM   #15
lazydog
OK, so you have the following interfaces:
  1. em1
  2. enp0s20u1

Which one of these is the external interface?
In which direction are you trying to stop the flow?

Let's start with the basics and work our way up.
 