Old 05-23-2018, 03:57 PM   #1
cbomfim
LQ Newbie
 
Registered: May 2018
Posts: 2

Rep: Reputation: Disabled
iptables and conntrack - rules to set a stateful firewall


Hello everyone,
I am trying to set up a Raspberry Pi 2 to act as a stateful firewall, to demonstrate to my students how it works in an OPC (Windows DCOM, which is a nightmare to firewall since it requires dynamically allocated ports) conversation. The Raspberry uses an ARMv7 Processor rev 5 (v7l) processor running Raspbian GNU/Linux 9.4 (stretch). I have two virtual machines running Windows 7, connected to two different networks. I set static IPs for both Windows machines: the server machine, SVRM, 192.168.20.22, and the client machine, CLTM, 192.168.12.11. I use the Raspberry as a router and firewall to connect both networks. At first, I set the FORWARD policy to ACCEPT (in fact, I left the default setting), ran the client application in CLTM, and connected to the server application in SVRM. After that, I set the following rules in the FIREWALL (the Raspberry):

$ sudo iptables -P FORWARD DROP
$ sudo iptables -N LOGGING
$ sudo iptables -A FORWARD -j LOG --log-prefix "iptables_teste: "
$ sudo iptables -A FORWARD -s 192.168.12.11 -d 192.168.20.22 -p tcp --dport 135 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A FORWARD -s 192.168.12.11 -d 192.168.20.22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A FORWARD -s 192.168.20.22 -d 192.168.12.11 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A FORWARD -j LOGGING
$ sudo iptables -A LOGGING -j LOG --log-prefix "iptables_teste: {DROPPED}" --log-level 4
$ sudo iptables -A LOGGING -j DROP

And tested again. The firewall results from this test are:

May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.501838] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=480 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.503788] iptables_teste: IN=eth0 OUT=eth1 MAC=b8:27:eb:34:d7:f3:08:00:27:79:a4:a9:08:00:45:00:00:30:09:1a:40:00:7f:06:51:3c SRC=192.168.20.22 DST=192.168.12.11 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2330 DF PROTO=TCP SPT=135 DPT=49171 WINDOW=8192 RES=0x00 ACK SYN URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.509564] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=481 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=64240 RES=0x00 ACK URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.512563] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=204 TOS=0x00 PREC=0x00 TTL=127 ID=482 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=64240 RES=0x00 ACK PSH URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.514001] iptables_teste: IN=eth0 OUT=eth1 MAC=b8:27:eb:34:d7:f3:08:00:27:79:a4:a9:08:00:45:00:01:5e:09:1b:40:00:7f:06:50:0d SRC=192.168.20.22 DST=192.168.12.11 LEN=350 TOS=0x00 PREC=0x00 TTL=127 ID=2331 DF PROTO=TCP SPT=135 DPT=49171 WINDOW=64240 RES=0x00 ACK PSH URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.522560] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=574 TOS=0x00 PREC=0x00 TTL=127 ID=483 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=63930 RES=0x00 ACK PSH URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.525534] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=864 TOS=0x00 PREC=0x00 TTL=127 ID=484 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=63930 RES=0x00 ACK PSH URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.526717] iptables_teste: IN=eth0 OUT=eth1 MAC=b8:27:eb:34:d7:f3:08:00:27:79:a4:a9:08:00:45:00:00:28:09:1c:40:00:7f:06:51:42 SRC=192.168.20.22 DST=192.168.12.11 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=2332 DF PROTO=TCP SPT=135 DPT=49171 WINDOW=62882 RES=0x00 ACK URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.894142] iptables_teste: IN=eth0 OUT=eth1 MAC=b8:27:eb:34:d7:f3:08:00:27:79:a4:a9:08:00:45:00:05:68:09:1d:40:00:7f:06:4c:01 SRC=192.168.20.22 DST=192.168.12.11 LEN=1384 TOS=0x00 PREC=0x00 TTL=127 ID=2333 DF PROTO=TCP SPT=135 DPT=49171 WINDOW=62882 RES=0x00 ACK PSH URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.920852] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=485 DF PROTO=TCP SPT=49172 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.920942] iptables_teste: {DROPPED}IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=485 DF PROTO=TCP SPT=49172 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2885.111064] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=486 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=64240 RES=0x00 ACK URGP=0
May 22 10:09:49 raspberrypiCarlos kernel: [ 2887.931363] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=487 DF PROTO=TCP SPT=49172 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:09:49 raspberrypiCarlos kernel: [ 2887.931455] iptables_teste: {DROPPED}IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=487 DF PROTO=TCP SPT=49172 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:09:55 raspberrypiCarlos kernel: [ 2893.932204] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=488 DF PROTO=TCP SPT=49172 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:09:55 raspberrypiCarlos kernel: [ 2893.932299] iptables_teste: {DROPPED}IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=488 DF PROTO=TCP SPT=49172 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:10:01 raspberrypiCarlos kernel: [ 2899.489954] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=489 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=64240 RES=0x00 ACK FIN URGP=0
May 22 10:10:01 raspberrypiCarlos kernel: [ 2899.491084] iptables_teste: IN=eth0 OUT=eth1 MAC=b8:27:eb:34:d7:f3:08:00:27:79:a4:a9:08:00:45:00:00:28:09:31:40:00:7f:06:51:2d SRC=192.168.20.22 DST=192.168.12.11 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=2353 DF PROTO=TCP SPT=135 DPT=49171 WINDOW=62882 RES=0x00 ACK URGP=0
May 22 10:10:01 raspberrypiCarlos kernel: [ 2899.491307] iptables_teste: IN=eth0 OUT=eth1 MAC=b8:27:eb:34:d7:f3:08:00:27:79:a4:a9:08:00:45:00:00:28:09:32:40:00:7f:06:51:2c SRC=192.168.20.22 DST=192.168.12.11 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=2354 DF PROTO=TCP SPT=135 DPT=49171 WINDOW=62882 RES=0x00 ACK FIN URGP=0
May 22 10:10:01 raspberrypiCarlos kernel: [ 2899.495163] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=490 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=64240 RES=0x00 ACK URGP=0
May 22 10:10:07 raspberrypiCarlos kernel: [ 2905.935476] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=494 DF PROTO=TCP SPT=49173 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:10:07 raspberrypiCarlos kernel: [ 2905.935580] iptables_teste: {DROPPED}IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=494 DF PROTO=TCP SPT=49173 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:10:10 raspberrypiCarlos kernel: [ 2908.929478] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=496 DF PROTO=TCP SPT=49173 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:10:10 raspberrypiCarlos kernel: [ 2908.929572] iptables_teste: {DROPPED}IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=496 DF PROTO=TCP SPT=49173 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:10:16 raspberrypiCarlos kernel: [ 2914.931488] iptables_teste: IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=498 DF PROTO=TCP SPT=49173 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:10:16 raspberrypiCarlos kernel: [ 2914.931596] iptables_teste: {DROPPED}IN=eth1 OUT=eth0 MAC=00:e0:4c:53:44:58:00:03:1b:10:08:07:08:00:45:00 SRC=192.168.12.11 DST=192.168.20.22 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=498 DF PROTO=TCP SPT=49173 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0

Easier to see here:

Time      Timestamp        Prefix                     IN    OUT   SRC            SPT    DST            DPT
10:09:46  [ 2884.501838]   iptables_teste:            eth1  eth0  192.168.12.11  49171  192.168.20.22  135
10:09:46  [ 2884.503788]   iptables_teste:            eth0  eth1  192.168.20.22  135    192.168.12.11  49171
10:09:46  [ 2884.509564]   iptables_teste:            eth1  eth0  192.168.12.11  49171  192.168.20.22  135
10:09:46  [ 2884.512563]   iptables_teste:            eth1  eth0  192.168.12.11  49171  192.168.20.22  135
10:09:46  [ 2884.514001]   iptables_teste:            eth0  eth1  192.168.20.22  135    192.168.12.11  49171
10:09:46  [ 2884.522560]   iptables_teste:            eth1  eth0  192.168.12.11  49171  192.168.20.22  135
10:09:46  [ 2884.525534]   iptables_teste:            eth1  eth0  192.168.12.11  49171  192.168.20.22  135
10:09:46  [ 2884.526717]   iptables_teste:            eth0  eth1  192.168.20.22  135    192.168.12.11  49171
10:09:46  [ 2884.894142]   iptables_teste:            eth0  eth1  192.168.20.22  135    192.168.12.11  49171
10:09:46  [ 2884.920852]   iptables_teste:            eth1  eth0  192.168.12.11  49172  192.168.20.22  49468
10:09:46  [ 2884.920942]   iptables_teste: {DROPPED}  eth1  eth0  192.168.12.11  49172  192.168.20.22  49468
10:09:46  [ 2885.111064]   iptables_teste:            eth1  eth0  192.168.12.11  49171  192.168.20.22  135
10:09:49  [ 2887.931363]   iptables_teste:            eth1  eth0  192.168.12.11  49172  192.168.20.22  49468
10:09:49  [ 2887.931455]   iptables_teste: {DROPPED}  eth1  eth0  192.168.12.11  49172  192.168.20.22  49468
10:09:55  [ 2893.932204]   iptables_teste:            eth1  eth0  192.168.12.11  49172  192.168.20.22  49468
10:09:55  [ 2893.932299]   iptables_teste: {DROPPED}  eth1  eth0  192.168.12.11  49172  192.168.20.22  49468
10:10:01  [ 2899.489954]   iptables_teste:            eth1  eth0  192.168.12.11  49171  192.168.20.22  135
10:10:01  [ 2899.491084]   iptables_teste:            eth0  eth1  192.168.20.22  135    192.168.12.11  49171
10:10:01  [ 2899.491307]   iptables_teste:            eth0  eth1  192.168.20.22  135    192.168.12.11  49171
10:10:01  [ 2899.495163]   iptables_teste:            eth1  eth0  192.168.12.11  49171  192.168.20.22  135
10:10:07  [ 2905.935476]   iptables_teste:            eth1  eth0  192.168.12.11  49173  192.168.20.22  49468
10:10:07  [ 2905.935580]   iptables_teste: {DROPPED}  eth1  eth0  192.168.12.11  49173  192.168.20.22  49468
10:10:10  [ 2908.929478]   iptables_teste:            eth1  eth0  192.168.12.11  49173  192.168.20.22  49468
10:10:10  [ 2908.929572]   iptables_teste: {DROPPED}  eth1  eth0  192.168.12.11  49173  192.168.20.22  49468
10:10:16  [ 2914.931488]   iptables_teste:            eth1  eth0  192.168.12.11  49173  192.168.20.22  49468
10:10:16  [ 2914.931596]   iptables_teste: {DROPPED}  eth1  eth0  192.168.12.11  49173  192.168.20.22  49468

I had some messages dropped by the firewall. I thought conntrack would be able to dynamically open the newly needed port in the process, based on the RELATED flag. I can't find a way to correct the problem. Could someone help me? Needless to say, I am a newbie in this area.

Thanks a lot,

Carlos Bomfim
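As an added example (not code from the thread), a small sh/awk script that turns kernel LOG lines in the format shown above into a per-packet summary and then lists the flows whose dropped packet was a bare SYN, which conntrack classifies as NEW rather than RELATED. The embedded sample lines are trimmed copies of lines from this post (the MAC= field removed); function names are my own.

```shell
#!/bin/sh
# Summarise iptables LOG lines (the "iptables_teste:" format from the post)
# into "VERDICT PROTO SRC:SPT -> DST:DPT FLAGS", one line per logged packet.
# A packet that reached the LOGGING chain carries "{DROPPED}" in its prefix.
summarize_log() {
  awk '
    /iptables_teste: / {
      verdict = (index($0, "{DROPPED}") > 0) ? "DROPPED" : "LOGGED"
      src = dst = spt = dpt = proto = flags = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DST") dst = kv[2]
        else if (kv[1] == "SPT") spt = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
        else if ($i ~ /^(SYN|ACK|FIN|RST|PSH)$/) flags = flags $i ","
      }
      sub(/,$/, "", flags)
      printf "%s %s %s:%s -> %s:%s %s\n", verdict, proto, src, spt, dst, dpt, flags
    }'
}

# Dropped packets carrying only SYN are fresh connection attempts: conntrack
# saw them as NEW (no helper tied them to the tcp/135 session), so the
# ESTABLISHED,RELATED rules could never match them. Print each flow once.
dropped_new_flows() {
  summarize_log | awk '$1 == "DROPPED" && $NF == "SYN" && !seen[$3 $5]++ { print $3, "->", $5 }'
}

# Trimmed copies of lines from the post (MAC= removed), used as sample input.
SAMPLE_LOG=$(cat <<'EOF'
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.501838] iptables_teste: IN=eth1 OUT=eth0 SRC=192.168.12.11 DST=192.168.20.22 LEN=48 TTL=127 ID=480 DF PROTO=TCP SPT=49171 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.503788] iptables_teste: IN=eth0 OUT=eth1 SRC=192.168.20.22 DST=192.168.12.11 LEN=48 TTL=127 ID=2330 DF PROTO=TCP SPT=135 DPT=49171 WINDOW=8192 RES=0x00 ACK SYN URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.920852] iptables_teste: IN=eth1 OUT=eth0 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TTL=127 ID=485 DF PROTO=TCP SPT=49172 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:09:46 raspberrypiCarlos kernel: [ 2884.920942] iptables_teste: {DROPPED}IN=eth1 OUT=eth0 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TTL=127 ID=485 DF PROTO=TCP SPT=49172 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 10:09:49 raspberrypiCarlos kernel: [ 2887.931455] iptables_teste: {DROPPED}IN=eth1 OUT=eth0 SRC=192.168.12.11 DST=192.168.20.22 LEN=52 TTL=127 ID=487 DF PROTO=TCP SPT=49172 DPT=49468 WINDOW=8192 RES=0x00 SYN URGP=0
EOF
)

# Show the per-packet summary, then the flows the firewall refused.
printf '%s\n' "$SAMPLE_LOG" | summarize_log
printf '%s\n' "$SAMPLE_LOG" | dropped_new_flows
```

On the Raspberry the same functions can read the live log with `grep iptables_teste /var/log/kern.log | summarize_log`.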
 
Old 05-29-2018, 01:16 PM   #2
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Rep: Reputation: 1015
I think this would work
Code:
$ sudo iptables -A FORWARD -s 192.168.12.11 -d 192.168.20.22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
changed to
Code:
$ sudo iptables -A FORWARD -s 192.168.12.11 -d 192.168.20.22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
 
Old 05-29-2018, 04:34 PM   #3
cbomfim
LQ Newbie
 
Registered: May 2018
Posts: 2

Original Poster
Rep: Reputation: Disabled
AwesomeMachine,

I appreciate your help here.

Correct me please if I am wrong. If I use the rule as you suggested:

$ sudo iptables -A FORWARD -s 192.168.12.11 -d 192.168.20.22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

All messages from 192.168.12.11 will be routed to 192.168.20.22, no matter which protocol or port is used. In my problem, what I want is for the conversation to start only when 192.168.12.11 calls 192.168.20.22 on port 135. No other message can initiate the conversation, even from 192.168.12.11.

I did more tests, and now (meaning yesterday) I could establish communication with this rule:

sudo iptables -A FORWARD -s 192.168.12.11 -d 192.168.20.22 -p tcp --dport 135 -m conntrack --ctstate NEW -m recent --set --rdest --name CNX-OPC -j ACCEPT

As you can see, I used the recent module, which I did not know before, and I am not sure whether I really need it together with the conntrack module. The following rules will check whether the nodes have been in the list for less than 60 seconds. If so, communication on any port is allowed. After this time, which is tunable, conversation is allowed only through an established channel. I do not know if it is the best solution and need to perform more tests in different scenarios to make sure I am really protected.

I apologize for my English. Forgive my mistakes,

Carlos Bomfim
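A complete version of the approach Carlos describes in this post (a NEW connect to tcp/135 opens a timed window through the recent module), written as an added example rather than code from the thread. The reason the first post's RELATED rule never fired is that netfilter ships no DCE/RPC conntrack helper, so it cannot learn the port the endpoint mapper hands out; the script assumes the Windows default dynamic RPC range 49152-65535 (which the 49468 in the log falls into), a 60-second window, and it replaces the per-direction ESTABLISHED rules with one ESTABLISHED,RELATED rule plus a rate-limited log.

```shell
#!/bin/sh
# Stateful FORWARD ruleset for the OPC/DCOM lab in this thread (added example).
# Netfilter has no DCE/RPC conntrack helper, so it cannot learn the port the
# endpoint mapper (tcp/135) hands out and RELATED never matches the second
# connection. Instead, a NEW connect to tcp/135 records the client in a
# recent list; for WINDOW seconds that client may open further TCP
# connections, but only into the Windows dynamic RPC range. Everything else
# rides on ESTABLISHED. Run with IPT=echo to review the rules without loading.
IPT=${IPT:-iptables}
CLIENT=${CLIENT:-192.168.12.11}      # CLTM
SERVER=${SERVER:-192.168.20.22}      # SVRM
RPC_PORTS=${RPC_PORTS:-49152:65535}  # Windows Vista and later default range
WINDOW=${WINDOW:-60}                 # seconds after the tcp/135 connect
LIST=CNX-OPC                         # xt_recent list name used in the thread

opc_forward_rules() {
  $IPT -P FORWARD DROP
  $IPT -F FORWARD
  # Packets that fit no tracked connection (stray ACKs, bad sequence numbers).
  $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
  # Replies and continuation of accepted connections, in both directions.
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 1. Endpoint mapper connect: the only way to start a conversation.
  #    --set stores the source (client) address in the list.
  $IPT -A FORWARD -s "$CLIENT" -d "$SERVER" -p tcp --dport 135 \
       -m conntrack --ctstate NEW -m recent --name "$LIST" --set -j ACCEPT
  # 2. The dynamically assigned endpoint: a NEW TCP connection is accepted
  #    only while the client is in the list (seen on tcp/135 less than
  #    WINDOW seconds ago) and only into the RPC port range.
  $IPT -A FORWARD -s "$CLIENT" -d "$SERVER" -p tcp --dport "$RPC_PORTS" \
       -m conntrack --ctstate NEW \
       -m recent --name "$LIST" --rcheck --seconds "$WINDOW" -j ACCEPT
  # Everything else: log (rate limited so a burst cannot flood syslog), drop.
  $IPT -A FORWARD -m limit --limit 5/min -j LOG \
       --log-prefix "iptables_teste: {DROPPED}" --log-level 4
  $IPT -A FORWARD -j DROP
}

# Number of FORWARD rules the function emits (used to sanity-check a dry run).
opc_rule_count() { (IPT=echo; opc_forward_rules) | grep -c -- '-A FORWARD'; }

# Load the rules only when explicitly asked: sh opc-forward.sh apply
if [ "${1:-}" = "apply" ]; then opc_forward_rules; fi
```

Any client that is still in the list may open more than one dynamic connection inside the window, which is the same trade-off as the rule in the post; shortening WINDOW is the simplest way to tighten it.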