Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
05-23-2018, 03:57 PM
#1
LQ Newbie
Registered: May 2018
Posts: 2
Rep:
iptables and conntrack - rules to set up a stateful firewall
Hello everyone,
I am trying to set up a Raspberry Pi 2 to act as a stateful firewall to demonstrate to my students how it works in an OPC (Windows DCOM, which is a nightmare to firewall since it requires dynamically allocated ports) conversation. The Raspberry uses an ARMv7 Processor rev 5 (v7l) processor running Raspbian GNU/Linux 9.4 (stretch). I have two virtual machines running Windows 7 and connected to two different networks. I set static IPs for both Windows machines, server machine - SVRM 192.168.20.22 and client machine - CLTM 192.168.12.11. I use the Raspberry as a router and firewall to connect both networks. At first, I set the FORWARD policy to ACCEPT (in fact, I left the default setting), ran the client application in CLTM, and connected with the server application in SVRM. After that, I set the following rules in the FIREWALL (Raspberry):
$ sudo iptables -P FORWARD DROP
$ sudo iptables -N LOGGING
$ sudo iptables -A FORWARD -j LOG --log-prefix "iptables_teste: "
$ sudo iptables -A FORWARD -s 192.168.12.11 -d 192.168.20.22 -p tcp --dport 135 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A FORWARD -s 192.168.12.11 -d 192.168.20.22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A FORWARD -s 192.168.20.22 -d 192.168.12.11 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A FORWARD -j LOGGING
$ sudo iptables -A LOGGING -j LOG --log-prefix "iptables_teste: {DROPPED}" --log-level 4
$ sudo iptables -A LOGGING -j DROP
And tested again. The firewall results from this test are:
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.501838] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=480 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.503788] iptables_teste: IN=eth0 OUT=eth1 MAC=b8:27:eb:34:d7:f3:08:00:27:79:a4:a9:08:00:45:00:00:30:09:1a:40:00:7f:06:51:3c SRC=192.168.20.22 DST=192.168.12.11 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2330 DF PROTO=TCP SPT=135 DPT=49171 WINDOW=8192 RES=0x00 ACK SYN URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.509564] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=481 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=64240 RES=0x00 ACK URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.512563] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=204 TOS=0x00 PREC=0x00 TTL=127 ID=482 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=64240 RES=0x00 ACK PSH URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.514001] iptables_teste: IN=eth0 OUT=eth1 MAC=b8:27:eb:34:d7:f3:08:00:27:79:a4:a9:08:00:45:00:01:5e:09:1b:40:00:7f:06:50:0d SRC=192.168.20.22 DST=192.168.12.11 LEN=350 TOS=0x00 PREC=0x00 TTL=127 ID=2331 DF PROTO=TCP SPT=135 DPT=49171 WINDOW=64240 RES=0x00 ACK PSH URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.522560] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=574 TOS=0x00 PREC=0x00 TTL=127 ID=483 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=63930 RES=0x00 ACK PSH URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.525534] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=864 TOS=0x00 PREC=0x00 TTL=127 ID=484 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=63930 RES=0x00 ACK PSH URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.526717] iptables_teste: IN=eth0 OUT=eth1 MAC=b8:27:eb:34:d7:f3:08:00:27:79:a4:a9:08:00:45:00:00:28:09:1c:40:00:7f:06:51:42 SRC=192.168.20.22 DST=192.168.12.11 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=2332 DF PROTO=TCP SPT=135 DPT=49171 WINDOW=62882 RES=0x00 ACK URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.894142] iptables_teste: IN=eth0 OUT=eth1 MAC=b8:27:eb:34:d7:f3:08:00:27:79:a4:a9:08:00:45:00:05:68:09:1d:40:00:7f:06:4c:01 SRC=192.168.20.22 DST=192.168.12.11 LEN=1384 TOS=0x00 PREC=0x00 TTL=127 ID=2333 DF PROTO=TCP SPT=135 DPT=49171 WINDOW=62882 RES=0x00 ACK PSH URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.920852] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=485 DF PROTO=TCP SPT=49172 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.920942] iptables_teste: {DROPPED}IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=485 DF PROTO=TCP SPT=49172 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2885.111064] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=486 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=64240 RES=0x00 ACK URGP=0
May 22 10:09:49 raspberrypiCarlos kernel: [ 2887.931363] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=487 DF PROTO=TCP SPT=49172 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:09:49 raspberrypiCarlos kernel: [ 2887.931455] iptables_teste: {DROPPED}IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=487 DF PROTO=TCP SPT=49172 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:09:55 raspberrypiCarlos kernel: [ 2893.932204] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=488 DF PROTO=TCP SPT=49172 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:09:55 raspberrypiCarlos kernel: [ 2893.932299] iptables_teste: {DROPPED}IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=488 DF PROTO=TCP SPT=49172 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:10:01 raspberrypiCarlos kernel: [ 2899.489954] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=489 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=64240 RES=0x00 ACK FIN URGP=0
May 22 10:10:01 raspberrypiCarlos kernel: [ 2899.491084] iptables_teste: IN=eth0 OUT=eth1 MAC=b8:27:eb:34:d7:f3:08:00:27:79:a4:a9:08:00:45:00:00:28:09:31:40:00:7f:06:51:2d SRC=192.168.20.22 DST=192.168.12.11 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=2353 DF PROTO=TCP SPT=135 DPT=49171 WINDOW=62882 RES=0x00 ACK URGP=0
May 22 10:10:01 raspberrypiCarlos kernel: [ 2899.491307] iptables_teste: IN=eth0 OUT=eth1 MAC=b8:27:eb:34:d7:f3:08:00:27:79:a4:a9:08:00:45:00:00:28:09:32:40:00:7f:06:51:2c SRC=192.168.20.22 DST=192.168.12.11 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=2354 DF PROTO=TCP SPT=135 DPT=49171 WINDOW=62882 RES=0x00 ACK FIN URGP=0
May 22 10:10:01 raspberrypiCarlos kernel: [ 2899.495163] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=490 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=64240 RES=0x00 ACK URGP=0
May 22 10:10:07 raspberrypiCarlos kernel: [ 2905.935476] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=494 DF PROTO=TCP SPT=49173 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:10:07 raspberrypiCarlos kernel: [ 2905.935580] iptables_teste: {DROPPED}IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=494 DF PROTO=TCP SPT=49173 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:10:10 raspberrypiCarlos kernel: [ 2908.929478] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=496 DF PROTO=TCP SPT=49173 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:10:10 raspberrypiCarlos kernel: [ 2908.929572] iptables_teste: {DROPPED}IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=496 DF PROTO=TCP SPT=49173 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:10:16 raspberrypiCarlos kernel: [ 2914.931488] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=498 DF PROTO=TCP SPT=49173 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:10:16 raspberrypiCarlos kernel: [ 2914.931596] iptables_teste: {DROPPED}IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=498 DF PROTO=TCP SPT=49173 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
Easier to see here:
TIME [UPTIME] PREFIX IN= OUT= SRC SPT DST DPT
10:09:46 [ 2884.501838] iptables_teste: eth1 eth0 192.168.12.11 49171 192.168.20.22 135
10:09:46 [ 2884.503788] iptables_teste: eth0 eth1 192.168.20.22 135 192.168.12.11 49171
10:09:46 [ 2884.509564] iptables_teste: eth1 eth0 192.168.12.11 49171 192.168.20.22 135
10:09:46 [ 2884.512563] iptables_teste: eth1 eth0 192.168.12.11 49171 192.168.20.22 135
10:09:46 [ 2884.514001] iptables_teste: eth0 eth1 192.168.20.22 135 192.168.12.11 49171
10:09:46 [ 2884.522560] iptables_teste: eth1 eth0 192.168.12.11 49171 192.168.20.22 135
10:09:46 [ 2884.525534] iptables_teste: eth1 eth0 192.168.12.11 49171 192.168.20.22 135
10:09:46 [ 2884.526717] iptables_teste: eth0 eth1 192.168.20.22 135 192.168.12.11 49171
10:09:46 [ 2884.894142] iptables_teste: eth0 eth1 192.168.20.22 135 192.168.12.11 49171
10:09:46 [ 2884.920852] iptables_teste: eth1 eth0 192.168.12.11 49172 192.168.20.22 49468
10:09:46 [ 2884.920942] iptables {DROPPED} eth1 eth0 192.168.12.11 49172 192.168.20.22 49468
10:09:46 [ 2885.111064] iptables_teste: eth1 eth0 192.168.12.11 49171 192.168.20.22 135
10:09:49 [ 2887.931363] iptables_teste: eth1 eth0 192.168.12.11 49172 192.168.20.22 49468
10:09:49 [ 2887.931455] iptables {DROPPED} eth1 eth0 192.168.12.11 49172 192.168.20.22 49468
10:09:55 [ 2893.932204] iptables_teste: eth1 eth0 192.168.12.11 49172 192.168.20.22 49468
10:09:55 [ 2893.932299] iptables {DROPPED} eth1 eth0 192.168.12.11 49172 192.168.20.22 49468
10:10:01 [ 2899.489954] iptables_teste: eth1 eth0 192.168.12.11 49171 192.168.20.22 135
10:10:01 [ 2899.491084] iptables_teste: eth0 eth1 192.168.20.22 135 192.168.12.11 49171
10:10:01 [ 2899.491307] iptables_teste: eth0 eth1 192.168.20.22 135 192.168.12.11 49171
10:10:01 [ 2899.495163] iptables_teste: eth1 eth0 192.168.12.11 49171 192.168.20.22 135
10:10:07 [ 2905.935476] iptables_teste: eth1 eth0 192.168.12.11 49173 192.168.20.22 49468
10:10:07 [ 2905.935580] iptables {DROPPED} eth1 eth0 192.168.12.11 49173 192.168.20.22 49468
10:10:10 [ 2908.929478] iptables_teste: eth1 eth0 192.168.12.11 49173 192.168.20.22 49468
10:10:10 [ 2908.929572] iptables {DROPPED} eth1 eth0 192.168.12.11 49173 192.168.20.22 49468
10:10:16 [ 2914.931488] iptables_teste: eth1 eth0 192.168.12.11 49173 192.168.20.22 49468
10:10:16 [ 2914.931596] iptables {DROPPED} eth1 eth0 192.168.12.11 49173 192.168.20.22 49468
I had some messages dropped by the firewall. I thought conntrack would be able to dynamically open the newly needed port in the process based on the RELATED flag. I can't find a way to correct the problem. Could someone help me? Needless to say, I am a newbie in this area.
Thanks a lot,
Carlos Bomfim
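As an added example (not part of the post), here is a small script that groups the kernel LOG lines above by TCP flow and reports which flows ended in the LOGGING chain; the sample lines are constructed to mirror the poster's format, with the port numbers taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: group the firewall's iptables LOG lines by
# TCP flow and report which flows ended in the LOGGING chain ({DROPPED} prefix).
# The sample lines are constructed to mirror the poster's log format; the
# endpoint-mapper port 135 and the dynamic port 49468 are the ones from the thread.
SAMPLE_LOG='May 22 10:09:46 pi kernel: [ 2884.501838] iptables_teste: IN=eth1 OUT=eth0 SRC=192.168.12.11 DST=192.168.20.22 PROTO=TCP SPT=49171 DPT=135 SYN URGP=0
May 22 10:09:46 pi kernel: [ 2884.503788] iptables_teste: IN=eth0 OUT=eth1 SRC=192.168.20.22 DST=192.168.12.11 PROTO=TCP SPT=135 DPT=49171 ACK SYN URGP=0
May 22 10:09:46 pi kernel: [ 2884.920852] iptables_teste: IN=eth1 OUT=eth0 SRC=192.168.12.11 DST=192.168.20.22 PROTO=TCP SPT=49172 DPT=49468 SYN URGP=0
May 22 10:09:46 pi kernel: [ 2884.920942] iptables_teste: {DROPPED}IN=eth1 OUT=eth0 SRC=192.168.12.11 DST=192.168.20.22 PROTO=TCP SPT=49172 DPT=49468 SYN URGP=0'

# flow_verdicts: reads log lines on stdin, prints one "SRC:SPT>DST:DPT VERDICT" per
# flow. Every forwarded packet is logged once by the first FORWARD rule; a packet
# that reaches the LOGGING chain is logged a second time with {DROPPED}, so any
# {DROPPED} hit marks the whole flow as DROPPED, otherwise it was ACCEPTED.
flow_verdicts() {
    awk '
    /iptables_teste/ {
        for (k in f) delete f[k]
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
        }
        key = f["SRC"] ":" f["SPT"] ">" f["DST"] ":" f["DPT"]
        if (index($0, "{DROPPED}") > 0) verdict[key] = "DROPPED"
        else if (!(key in verdict)) verdict[key] = "ACCEPTED"
    }
    END { for (k in verdict) print k, verdict[k] }' | sort
}

# dropped_flows: only the flows the firewall rejected (here: the SYN to the
# dynamically allocated DCOM port, which conntrack saw as NEW, not RELATED).
dropped_flows() {
    flow_verdicts | awk '$2 == "DROPPED" { print $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | flow_verdicts
```

Run it against the real log with `grep iptables_teste /var/log/kern.log | dropped_flows` to list only the rejected flows.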
05-29-2018, 01:16 PM
#2
LQ Guru
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524
I think this would work
Code:
$ sudo iptables -A FORWARD -s 192.168.12.11 -d 192.168.20.22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
changed to
Code:
$ sudo iptables -A FORWARD -s 192.168.12.11 -d 192.168.20.22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
05-29-2018, 04:34 PM
#3
LQ Newbie
Registered: May 2018
Posts: 2
Original Poster
Rep:
AwesomeMachine,
I appreciate your help here.
Correct me please if I am wrong. If I use the rule as you suggested:
$ sudo iptables -A FORWARD -s 192.168.12.11 -d 192.168.20.22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
All messages from 192.168.12.11 will be routed to 192.168.20.22, no matter which protocol or port is used. In my problem, what I want is for the conversation to be started only when 192.168.12.11 calls 192.168.20.22 on port 135. No other message can initiate the conversation, even from 192.168.12.11.
I did more tests and now, meaning yesterday, I could establish communication with this rule:
sudo iptables -A FORWARD -s 192.168.12.11 -d 192.168.20.22 -p tcp --dport 135 -m conntrack --ctstate NEW -m recent --set --rdest --name CNX-OPC -j ACCEPT
As you can see, I used the Recent module, which I didn't know before and I don't know for sure if I need it, together with the Conntrack module. The following rules will check if nodes are in the list for a time less than 60 seconds. If so, communication on any port is allowed. After this time, which is tunable, conversation is allowed only through an established channel. I do not know if it is the best solution and I need to perform more tests in different scenarios to make sure I am really protected.
I apologize for my English. Forgive my mistakes,
Carlos Bomfim
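As an added example (not the thread's own rules), the following script prints a complete iptables-restore ruleset built around the xt_recent approach in the post above: the dynamic port is admitted only for a short window after the same client has been accepted on TCP 135. Hosts, interfaces and the CNX-OPC list name come from the thread; the 60-second window and the 49152-65535 range (Windows' default dynamic port range) are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own rules: print an iptables-restore ruleset
# that admits the DCOM dynamic port only during a short window after the same
# client has been accepted on the endpoint mapper (TCP 135), using xt_recent
# as the poster did. Hosts, interfaces and the CNX-OPC list name come from the
# thread; WINDOW and the 49152-65535 range (Windows' default dynamic range) are assumptions.
CLIENT=192.168.12.11   # CLTM, behind eth1
SERVER=192.168.20.22   # SVRM, behind eth0
WINDOW=60              # seconds the dynamic range stays open after a 135 connect

gen_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
# Packets of flows conntrack already accepted, in both directions.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 1. Client opens the endpoint mapper: accept and record the client address
#    (default --rsource) in list CNX-OPC with the current timestamp.
-A FORWARD -i eth1 -o eth0 -s $CLIENT -d $SERVER -p tcp --dport 135 -m conntrack --ctstate NEW -m recent --set --name CNX-OPC -j ACCEPT
# 2. Only a client seen on 135 within the last $WINDOW s may open the dynamic port.
-A FORWARD -i eth1 -o eth0 -s $CLIENT -d $SERVER -p tcp --dport 49152:65535 -m conntrack --ctstate NEW -m recent --rcheck --seconds $WINDOW --name CNX-OPC -j ACCEPT
# Everything else, including NEW connections from the server side, is logged (rate-limited) and dropped.
-A FORWARD -j LOGGING
-A LOGGING -m limit --limit 5/min -j LOG --log-prefix "iptables_teste: {DROPPED}" --log-level 4
-A LOGGING -j DROP
COMMIT
EOF
}

gen_rules
```

Load it with `gen_rules | sudo iptables-restore` (this replaces the whole filter table). Conntrack only flags a connection RELATED when a protocol helper (FTP, SIP, and so on) has parsed it out of the control channel, and there is no such helper for DCOM, so the SYN to 49468 in the log was NEW; rule 2 is what admits it, and only within the window.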