LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 06-09-2015, 10:57 PM   #1
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,637

iptables to implement access control list


This may be simple ... or not.

I'd like to set up an iptables rule(s) to only permit connection by one or two specific IP addresses on eth0 and route valid connections to eth1. Assuming my public IP is 1.2.3.4, would that be something like:

iptables -A INPUT -i eth0 \! -s 1.2.3.4 -j DROP

and how about routing the traffic to eth1? Would that be:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

iptables --append FORWARD --in-interface eth1 -j ACCEPT

I'd like some advice before experimenting.
 
Old 06-10-2015, 06:39 AM   #2
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Snap an image before you start.
Once you've hosed the firewall, getting access to unhose it can be... problematic.

Also, back up early, back up often.

Other than that, the only thing I'd ask is report back with what you found out because this is kind of an interesting question. Seems like you should be able to do it, I might try using the routing table instead of the firewall subsystem for segregating the traffic over the adapters (seems like it would be easier), but it definitely seems doable.
 
Old 06-10-2015, 03:39 PM   #3
joec@home
Member
 
Registered: Sep 2009
Location: Galveston Tx
Posts: 291

Theoretical reply only, not intended for use beyond experimentation.

I once gave thought to this with overlapping sub-netting, which of course does not work in IP-4 because of how broadcast and anycast network IP addressing works on a subnet. But for the sake of a theoretical example:

10.0.0.0/24 - 10.0.0.1 gateway - being the parent subnet.
10.0.0.64/26 - 10.0.0.27 gateway - being the child subnet within the parent subnet

So for example 10.0.0.20/24 and 10.0.0.30/26 could reside on the same network but not be able to access one another. However, if both were set to promiscuous mode like routers, they could in theory communicate so long as they were on the same local network. Considering the differences in node network drivers (Workstations / Servers) versus router network drivers (Cisco, Juniper, etc.), it probably would not work in practice.

I am not up to date on the exact details of the differences of the broadcast / anycast in IP-6. Many of the original RFCs for IP6 have been lost in translation since its actual implementation. But I do know there are subtle differences between this on IP-4 versus IP-6. So, I wonder if what you are asking can be done on an IP6 network through how the subnets are set?

As well, I once set up a secure network by implementing TCP/IP for internet access and Novell's IPX for internal secure connections. That might be more useful for what you are doing. Though I am curious about the changes in IP-6.
 
Old 06-10-2015, 11:50 PM   #4
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,637

Original Poster
I think I need to clarify the intended application a bit. Desired configuration:

Internet -- 1.2.3.4 --> [future firewall] ---> 1.2.3.4 [Samsung phone system]

Only voice mail is emailed from the Samsung which is currently connected directly to the Internet at 1.2.3.4. We've been DoS'd and need a firewall, but your typical off-the-shelf routers don't restrict incoming IPs (no access lists). The IP(s) I want to let through belong to the phone service company for their remote access support. Nobody else needs to access the Samsung.

I'm hoping my rules:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

iptables -A INPUT -i eth0 \! -s 4.3.2.1 -j DROP

will drop any source not equal to 4.3.2.1 (the Phone Company) and route all packets for all ports from 4.3.2.1 to eth1 (the Samsung with IP 1.2.3.4). As you can see, I'm not in a position to experiment with IP-6 as the Samsung doesn't support it, nor can I alter the Samsung's IP address to something other than its (public) IP 1.2.3.4. I'm no iptables guru, so I have no idea about this working. I'm trying a home-grown solution versus buying a $300+ Sonicwall that supposedly can do this. Need advice.

Last edited by mfoley; 06-10-2015 at 11:52 PM.
 
Old 06-11-2015, 01:48 PM   #5
joec@home
Member
 
Registered: Sep 2009
Location: Galveston Tx
Posts: 291

If this is a firewall dedicated to the phone system, then you need a simple deny all, allow access.

# Deny Everything
iptables -I INPUT -s 0.0.0.0 -j DROP

# Allow 1.2.3.4
iptables -I INPUT -s 1.2.3.4 -j ACCEPT
 
Old 06-11-2015, 11:56 PM   #6
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,637

Original Poster
joec: OK, looks simple enough. I've put together a test setup I'll try tomorrow. Question: Assuming the Internet public IP is 4.3.2.1 and the Internet Connection is on eth0 of the firewall and the Samsung is on eth1, how do I route traffic from src 1.2.3.4 arriving at eth0 to the Samsung on eth1? Do I use the POSTROUTING, FORWARD rules I've shown or something else?
 
Old 06-12-2015, 03:51 AM   #7
wildwizard
Member
 
Registered: Apr 2009
Location: Oz
Distribution: slackware64-14.0
Posts: 875

Quote:
Originally Posted by joec@home
If this is a firewall dedicated to the phone system, then you need a simple deny all, allow access.

# Deny Everything
iptables -I INPUT -s 0.0.0.0 -j DROP

# Allow 1.2.3.4
iptables -I INPUT -s 1.2.3.4 -j ACCEPT
Bad idea.

If you can't see why, try typing those commands in, in that order, and see what happens.

If you really want a deny all with specific allows you should set the policy to drop/reject and only have rules to do the specific allows.
 
1 members found this post helpful.
Old 06-12-2015, 09:36 PM   #8
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,637

Original Poster
wildwizard:
Quote:
If you really want a deny all with specific allows you should set the policy to drop/reject and only have rules to do the specific allows.
How would that look different (can you post example)? It looks like joec's 1st rule is dropping all, and 2nd rule is accepting the specific IP. Are you suggesting:

iptables -P INPUT DROP
iptables -A INPUT -s 1.2.3.4 -j ACCEPT

In any case, still not sure how the packets get routed to the Samsung at eth1.

(btw - how did you insert the "originally posted by ..." bit at the beginning of your quote?)

Last edited by mfoley; 06-12-2015 at 09:39 PM.
 
Old 06-14-2015, 07:54 AM   #9
wildwizard
Member
 
Registered: Apr 2009
Location: Oz
Distribution: slackware64-14.0
Posts: 875

Quote:
Originally Posted by mfoley
wildwizard:
How would that look different (can you post example)? It looks like joec's 1st rule is dropping all, and 2nd rule is accepting the specific IP.
When a rule matches a packet, that rule is triggered and checking of any further rules is stopped; one bad rule insert and your network access is gone.

A policy is only ever the last resort, i.e. you would need to wipe the chain clean to break all access.

The mere fact that you couldn't see the danger with the order of those two rules only adds to the level of danger you would place yourself in if you went down that path.

Quote:
Originally Posted by mfoley
(btw - how did you insert the "originally posted by ..." bit at the beginning of your quote?)
Hit the quote button under someone's post and you get their entire post as a quote with a special quote block that includes the poster/post link.

Just edit it down to the content you want but keep the quote tags it gives you.

Last edited by wildwizard; 06-14-2015 at 07:56 AM.
 
Old 06-14-2015, 12:46 PM   #10
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,637

Original Poster
I was referred to an excellent link: http://www.sjdjweis.com/linux/bridging/. Seems what I'm looking for is an "invisible firewall". That link got me most of the way there. Given the following setup:

Internet ---> [router 192.168.0.1] ---> eth0 [br0 192.168.0.104] eth1 -----> eth0 [host 192.168.0.111]

Here is what I've got working:
Code:
    brctl addbr br0
    brctl addif br0 eth0
    brctl addif br0 eth1
    ifconfig br0 up
    ifconfig eth0 up
    ifconfig eth1 up

    ip addr add 192.168.0.104/24 brd + dev br0  # give my bridge an IP address to access firewall host

    modprobe ip_conntrack
    modprobe ip_conntrack_ftp

    iptables -I FORWARD -m state --state INVALID -j DROP
    iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    iptables -A FORWARD --in-interface eth1 --out-interface eth0 -j ACCEPT
    iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d 192.168.0.111 --destination-port ssh -j ACCEPT

    iptables -A FORWARD --in-interface eth0 --out-interface eth1 \! -d 192.168.0.111 -j REJECT
The script listed above lets me ssh from any computer on the LAN to 192.168.0.111. Great! Now to tune for my needs. First of all, I can really get to any port on 192.168.0.111, not just 22; for example, I can get the default "It Works!" webpage. To shut down all but ssh I tried the following:
Code:
    iptables -P INPUT DROP
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i eth1 -p tcp -j ACCEPT

    iptables -I FORWARD -m state --state INVALID -j DROP
    iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    iptables -A FORWARD --in-interface eth1 --out-interface eth0 -j ACCEPT
    iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d 192.168.0.111 --destination-port ssh -j ACCEPT
Note that I removed the ! -d 192.168.0.111 because I figured the INPUT DROP policy would take care of that. This might go along with your (wildwizard's) cautions about the policy (though you never did actually post an example).

That didn't work. I can still ssh to ...111, but can also still access port 80. And I've lost the ability to ssh to the firewall/bridge at ...104. Two steps back!

Not sure how to fix this. I would have thought that the initial ACCEPT for port 22 on eth0 would accept all port 22 connections, and the FORWARD of port 22 for ...111 would forward requests specific to that IP (which it does), and any other port 22 requests would end up directed to the local host, but no.

Ideas how to fix that?

Last edited by mfoley; 06-14-2015 at 01:02 PM.
 
Old 06-14-2015, 10:45 PM   #11
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,637

Original Poster
OK, this should be simple for some of you iptables gurus. My latest attempt is posted below. To reprint my diagram:

Internet ---> [router 192.168.0.1] ---> eth0 [br0 192.168.0.104] eth1 -----> eth0 [host 192.168.0.111]

Meaning I have a bridge/firewall connected at eth0 to the LAN at address 104. My test device is connected to the bridge's eth1 and has address 192.168.0.111.

What I think I'm doing is dropping everything by default (line 1). I'm then allowing input only from IP 192.168.0.146 destined for 192.168.0.111 only to port 22 (line 4). I'm allowing anything to connect to the firewall at 192.168.0.104 (line 5). I'm forwarding only port 22 requests destined for 192.168.0.111 to eth1 (line 12) and rejecting everything else going to 192.168.0.111 (line 13).

I am able to connect to 192.168.0.111 from 192.168.0.146, but otherwise none of this works.

Now, I cannot connect to the firewall 192.168.0.104 at all.

Any host can get to 192.168.0.111 on any port -- not being restricted by IP, not being restricted to port 22.

HELP! Stuck!

Code:
 1  iptables -P INPUT DROP
 2  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 3  iptables -A INPUT -i lo -j ACCEPT
 4  iptables -A INPUT -i eth0 -s 192.168.0.146 -p tcp -d 192.168.0.111 --dport 22 -j ACCEPT
 5  iptables -A INPUT -i eth0 -d 192.168.0.104 -j ACCEPT
 6  iptables -A INPUT -i eth1 -p tcp -j ACCEPT
 7
 8  iptables -I FORWARD -m state --state INVALID -j DROP
 9  iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
10
11  iptables -A FORWARD --in-interface eth1 --out-interface eth0 -j ACCEPT
12  iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d 192.168.0.111 --destination-port ssh -j ACCEPT
13  iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d 192.168.0.111 -j REJECT
14
15  iptables -A FORWARD --in-interface eth0 --out-interface eth1 \! -d 192.168.0.111 -j REJECT

Last edited by mfoley; 06-14-2015 at 10:52 PM.
 
Old 06-14-2015, 11:58 PM   #12
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,637

Original Poster
More information ...

OK, we need to drop back to fundamentals. I've never done bridge stuff before, so I know nothing. Following the link at http://www.sjdjweis.com/linux/bridging, I set up the bridge as:

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 up
ifconfig eth0 up
ifconfig eth1 up

ip addr add 192.168.0.104/24 brd + dev br0

As it turns out, all the iptables FORWARD rules in Mr. Weis' link are unnecessary. Just the above, with no iptables rules forwards every request not for 192.168.0.104 to the test host connected to 192.168.0.104's eth1. I've tried this with no iptables rules at all.

It appears that all the rules I've tried restricting IP and port are simply ignored. Nor do I have any FORWARD rules. Yet, I can log into 192.168.0.111 via ssh and get web pages from that host.

As it stands, this bridge setup is pretty useless unless I can impose some restriction rules. I could get the same effect by just plugging the test host into the LAN and have no bridge/firewall host at all.

SO ...

Can I do what I want? Maybe the bridge is a bad idea?
 
Old 06-15-2015, 06:56 AM   #13
wildwizard
Member
 
Registered: Apr 2009
Location: Oz
Distribution: slackware64-14.0
Posts: 875

A network bridge operates at layer 2.
iptables operates at layer 3 and simply won't see the layer 2 traffic until the layer 2 system sends it up the food chain (i.e. the traffic is for the bridge itself).

See :-
https://en.wikipedia.org/wiki/OSI_model

There does appear to be code in the Linux kernel to push bridged traffic into iptables :-
http://shorewall.net/bridge-Shorewall-perl.html

I'll say it now, I've never even looked at that sort of thing.
 
Old 06-15-2015, 08:20 PM   #14
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,637

Original Poster
Quote:
Originally Posted by wildwizard
A network bridge operates at layer 2
iptables operates at layer 3 and simply wont see the layer 2 traffic until the layer 2 system sends it up the food chain (ie the traffic is for the bridge itself)
Yes, I've finally figured that out. I've determined by talking with the Samsung tech that what I want to do is not really possible with a bridge setup, nor can the Samsung keep the same IP as the firewall. The Samsung has to be on a LAN subnet. Therefore, I can accomplish this with more straightforward iptables rules.

I've almost got what I want. I can redirect to the desired ports on the Samsung with access restricted to a specific external IP. However, I want to be able to access the firewall itself, but I'm having trouble doing that unless I am connecting from the same restricted IP, even though I don't think I've restricted access to the firewall host by IP. Here's my semi-working iptables script:

Code:
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

iptables -P INPUT DROP

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 20028,8084 -j ACCEPT
iptables -A INPUT -i eth0 -s 98.102.63.106 -p tcp --syn -m multiport --dports 22,80,443 -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20028 -j REDIRECT --to-port 22

iptables -t nat -A PREROUTING -i eth0 -s 98.102.63.106 -p tcp --dport 22 -j DNAT --to-destination 192.168.168.10:22
Assuming the firewall is at xx.xx.xx.110, ssh'ing to xx.xx.xx.110 from 98.102.63.106 works and gets me to 192.168.168.10 (the Samsung).

ssh'ing to port 20028 on xx.xx.xx.110 from 98.102.63.106 works and gets me to xx.xx.xx.110 (the firewall).

ssh'ing to port 20028 on xx.xx.xx.110 from any IP other than 98.102.63.106 does not work, no connection. It's as if the iptables rule is paying attention to the -s parameter of the other rule.

This last thing is what I want to solve. Basically, I want to ssh from any computer whatsoever to xx.xx.xx.110:20028 and get to the firewall itself:

ssh -p 20028 user@xx.xx.xx.110

How do I keep the source restriction and IP redirection for port 22, but let any computer ssh to port 20028 and end up on the firewall?

Last edited by mfoley; 06-15-2015 at 08:23 PM.
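The following is an added example, not mfoley's script or an answer from the thread: it shows why the redirected port inherited the source restriction (the nat PREROUTING REDIRECT rewrites the destination port to 22 before the filter INPUT chain is consulted, so INPUT only ever saw a port-22 packet) and one way to keep the management port reachable without a bare port-22 accept. It assumes eth0, 98.102.63.106 and 192.168.168.10 as used in the post.

```shell
#!/bin/sh
# Added example, not mfoley's script. nat PREROUTING runs before filter INPUT,
# so a packet that arrived on port 20028 reaches INPUT with destination port 22,
# where only the source-restricted port-22 rule could match it. The conntrack
# match can still test the ORIGINAL destination port, so the management rule
# keys on that instead of on --dport alone.
# Assumed names from the thread: eth0 = Internet side, 98.102.63.106 = the
# permitted support IP, 192.168.168.10 = the phone system.
SUPPORT_IP=98.102.63.106
PHONE=192.168.168.10
MGMT_PORT=20028

# Print the rules so they can be reviewed first; apply with:  mgmt_rules | sh
mgmt_rules() {
    # Management port to the local sshd (destination port becomes 22 here).
    echo "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $MGMT_PORT -j REDIRECT --to-ports 22"
    # Support IP on the real port 22 still lands on the phone system.
    echo "iptables -t nat -A PREROUTING -i eth0 -s $SUPPORT_IP -p tcp --dport 22 -j DNAT --to-destination $PHONE:22"
    # INPUT sees dport 22 for the redirected flow; accept only when the client
    # originally asked for the management port, so bare port-22 attempts from
    # other sources still fall through to the INPUT DROP policy.
    echo "iptables -A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctorigdstport $MGMT_PORT -j ACCEPT"
}

# Check helper: the management ACCEPT must carry the original-port condition
# rather than being a bare --dport 22 accept.
mgmt_accept_is_scoped() {
    mgmt_rules | grep -- '-j ACCEPT' | grep -q -- "--ctorigdstport $MGMT_PORT"
}

mgmt_rules
```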
 
Old 06-15-2015, 11:40 PM   #15
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,637

Original Poster
I think the fundamental problem is that redirecting to port 22 apparently does reprocess the rule for that port, and since that port is not opened except from the source 98.102.63.106, you'll get no connection from any other source. Maybe it simply can't be done.

To solve the problem, I just put "Listen 8084" in httpd.conf and "port 20028" in sshd_config. Then, no redirection is needed at all in iptables. I've tried that and it works. Here's what I end up with:

Code:
iptables -P INPUT DROP

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 20028,8084 -j ACCEPT
iptables -A INPUT -i eth0 -s 98.102.63.106 -p tcp --syn -m multiport --dports 22,80,443 -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -s 98.102.63.106 -p tcp --dport 22 -j DNAT --to-destination 192.168.168.10:22
iptables -t nat -A PREROUTING -i eth0 -s 98.102.63.106 -p tcp --dport 80 -j DNAT --to-destination 192.168.168.10:80
iptables -t nat -A PREROUTING -i eth0 -s 98.102.63.106 -p tcp --dport 443 -j DNAT --to-destination 192.168.168.10:443
When all is said and done, I'll need 2 permitted IPs, not just the one. That, times 3 ports (22,80,443) will give me 6 rules like the last 3 shown. Any ideas on how to consolidate that? Otherwise, I'll consider this question solved and keep my eye open for some iptables posting somewhere that lets me do what I wanted originally ... if such is possible.

Last edited by mfoley; 06-17-2015 at 05:39 PM.
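An added example, not mfoley's script, for the consolidation question above: a user-defined chain plus multiport reduces the per-IP, per-port DNAT rules to one rule per permitted source, with the matching FORWARD restriction kept alongside it. The second support address 203.0.113.7 is a placeholder; eth0/eth1, 98.102.63.106 and 192.168.168.10 are the post's values.

```shell
#!/bin/sh
# Added example, not mfoley's script: answers the "2 IPs x 3 ports = 6 rules"
# question by keeping one DNAT rule per permitted source. Assumed values:
# eth0/eth1 = Internet/LAN side, 192.168.168.10 = the phone system and
# 98.102.63.106 = the first support IP (all from the thread); 203.0.113.7 is
# a placeholder for the second support IP.
PHONE=192.168.168.10
PORTS=22,80,443
ALLOWED="98.102.63.106 203.0.113.7"

# Print the rules so they can be reviewed first; apply with:  phone_rules | sh
phone_rules() {
    # nat table: one jump for the three ports, then per-source DNATs. Omitting
    # :port in --to-destination keeps whichever of 22/80/443 was requested.
    echo "iptables -t nat -N PHONE_NAT"
    echo "iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports $PORTS -j PHONE_NAT"
    # filter table: DNATed packets are forwarded, not delivered locally, so the
    # source restriction is enforced in FORWARD (INPUT never sees them).
    echo "iptables -N PHONE_FWD"
    echo "iptables -A FORWARD -i eth0 -o eth1 -d $PHONE -p tcp -m multiport --dports $PORTS -j PHONE_FWD"
    for src in $ALLOWED; do
        echo "iptables -t nat -A PHONE_NAT -s $src -j DNAT --to-destination $PHONE"
        echo "iptables -A PHONE_FWD -s $src -j ACCEPT"
    done
    # Anything else aimed at those ports on the phone system is dropped.
    echo "iptables -A PHONE_FWD -j DROP"
}

# Check helper: number of DNAT rules emitted (one per permitted source).
dnat_rule_count() {
    phone_rules | grep -c -- '-j DNAT'
}

phone_rules
```

A third support address is one more entry in ALLOWED rather than three more rules, and unpermitted sources are never DNATed, so they still land on the firewall's own INPUT chain where the existing DROP policy applies.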
 
  

