Folks
I'm struggling with my firewall settings, and would appreciate some help.
I have a gateway machine (currently Centos 7 with IPV4 only) with two NICs. One is connected to the internet, the other to an internal network (10.0.0.0/24) of mixed hardware (windows7, android tablets, android phones, linux boxes) using NAT. I wish to block all outgoing connects to any external IP address on port 22 (ssh) originating from any internal machine except one (which has a known internal IP address).
I've tried some commands using 'iptables' to accomplish this, but so far have failed. If anyone has a suggestion, I'd really appreciate it. In addition, a suitable version for 'firewalld' could be useful, as an upgrade to Centos 8 is in plan.
Examples of what I've tried, and then tested. None of them stopped an outgoing SSH from an internal system.
iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
Much thanks
David
On Tue, Jun 16, 2020 at 12:26 PM david david@daku.org wrote:
Examples of what I've tried, and then tested. None of them stopped an outgoing SSH from an internal system.
iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
which interface is that bound to? I don't see a -i eth0 or whatever, but you want that rule on your LAN interface.
note these rules will also prevent any host on 10.0.0.0/24 from ssh'ing to the gateway machine itself.
Is your policy accept? It is possible to trace the packet through the netfilter path by setting up raw table rules with TRACE as the target and logging turned on (search the web for details - probably too much to post here) but be aware that you need a very controlled test because the syslog entries will likely be an order of magnitude greater than the actual packet count.
From: CentOS centos-bounces@centos.org on behalf of david david@daku.org
Sent: Tuesday, June 16, 2020 2:21 PM
To: CentOS mailing list centos@centos.org
Subject: [CentOS] firewall help request
Leroy Tennison Network Information/Cyber Security Specialist E: leroy@datavoiceint.com
On Tue, 16 Jun 2020, Leroy Tennison wrote:
I have a gateway machine (currently Centos 7 with IPV4 only) with two NICs. One is connected to the internet, the other to an internal network (10.0.0.0/24) of mixed hardware (windows7, android tablets, android phones, linux boxes) using NAT. I wish to block all outgoing connects to any external IP address on port 22 (ssh) originating from any internal machine except one (which has a known internal IP address).
I've tried some commands using 'iptables' to accomplish this, but so far have failed. If anyone has a suggestion, I'd really appreciate it. In addition, a suitable version for 'firewalld' could be useful, as an upgrade to Centos 8 is in plan.
Examples of what I've tried, and then tested. None of them stopped an outgoing SSH from an internal system.
iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
I'm not sure it's your INPUT table that needs that rule. I don't have any NAT machines for experimentation, but my initial hunch is that you'd want OUTPUT rules, e.g.,
iptables -A OUTPUT -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -s 10.0.0.0/24 -j REJECT
In article alpine.OSX.2.22.432.2006161443010.72543@silver.local, Paul Heinlein heinlein@madboa.com wrote:
I'm not sure it's your INPUT table that needs that rule. I don't have any NAT machines for experimentation, but my initial hunch is that you'd want OUTPUT rules, e.g.,
iptables -A OUTPUT -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -s 10.0.0.0/24 -j REJECT
No, the OUTPUT chains apply to traffic originating within the machine itself (the gateway machine).
But for traffic being forwarded by the gateway, it will use the FORWARD chains rather than the INPUT chains. So probably something like this:
iptables -A FORWARD -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -s 10.0.0.0/24 -j REJECT
Cheers Tony
The rule is in the wrong chain. The INPUT chain affects packets that terminate at the same machine. You want to block packets that will be passed on to the Internet, so your rule needs to be in the FORWARD chain. (The OUTPUT chain affects packets that originate at your machine.)
Here's a nice collection of diagrams showing how packets flow through the system:
At 03:47 PM 6/16/2020, Kenneth Porter wrote:
The rule is in the wrong chain. The INPUT chain affects packets that terminate at the same machine. You want to block packets that will be passed on to the Internet, so your rule needs to be in the FORWARD chain. (The OUTPUT chain affects packets that originate at your machine.)
Here's a nice collection of diagrams showing how packets flow through the system:
Ah ... Caught it. So here is the IPTABLES method to block output on port 22 from internal machines on a gateway:
iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j DROP
So, for example, if your internal interface is /dev/enp2s0, you'd write
iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP
If you want to log such attempts, precede it with a log request. Since I'm using the -I command (insert at top), it means the log request is entered second:
iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"
If someone can suggest a firewall-cmd equivalent, it would be nice.
David in SF
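As an added illustration (not code from the thread), here is a small Python model of the chain choice Tony and Kenneth describe and of the top-down walk through David's "-I FORWARD" rules, extended with the ACCEPT exception for the one permitted host that the original question asked for. The gateway addresses, the interface name and the permitted host are constructed for the example.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
# Constructed topology (assumption): the gateway owns these two addresses, LAN hosts sit behind it.
GATEWAY_IPS = {"10.0.0.1", "203.0.113.5"}
LAN_IF, GOOD_IP = "enp2s0", "10.0.0.50"   # internal NIC and the one host allowed to use SSH
Pkt = namedtuple("Pkt", "src dst dport in_if")

@dataclass
class Rule:
    target: str          # ACCEPT, DROP, REJECT terminate the walk; LOG does not
    dport: int = None
    src: str = None      # CIDR, e.g. "10.0.0.0/24" or "10.0.0.50/32"
    in_if: str = None

    def matches(self, pkt):
        return ((self.dport is None or pkt.dport == self.dport)
                and (self.src is None or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src))
                and (self.in_if is None or pkt.in_if == self.in_if))

def chain_for(pkt):
    """The routing decision the thread turns on: which filter chain sees the packet."""
    if pkt.src in GATEWAY_IPS:
        return "OUTPUT"      # generated by the gateway itself
    if pkt.dst in GATEWAY_IPS:
        return "INPUT"       # terminates at the gateway
    return "FORWARD"         # NATed LAN traffic bound for the Internet

def verdict(chains, pkt, policy="ACCEPT"):
    """Walk the chosen chain top-down: LOG matches and continues, any other match is final."""
    logged = False
    for rule in chains.get(chain_for(pkt), []):
        if rule.matches(pkt):
            if rule.target == "LOG":
                logged = True
                continue
            return rule.target, logged
    return policy, logged    # no match: the chain's default policy decides

def first_attempt():
    # iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP  (only sees SSH *to* the gateway)
    return {"INPUT": [Rule("DROP", dport=22, src="10.0.0.0/24")]}

def working_ruleset():
    # Three "iptables -I FORWARD ..." inserts; each lands on top, so the last one issued is checked first.
    fwd = []
    fwd.insert(0, Rule("DROP", dport=22, in_if=LAN_IF))
    fwd.insert(0, Rule("LOG", dport=22, in_if=LAN_IF))
    fwd.insert(0, Rule("ACCEPT", dport=22, src=f"{GOOD_IP}/32", in_if=LAN_IF))
    return {"FORWARD": fwd}
```

Because -I prepends, the ACCEPT exception must be the last command issued so it sits above the LOG and DROP rules.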
--On Tuesday, June 16, 2020 5:20 PM -0700 david david@daku.org wrote:
If someone can suggest a firewall-cmd equivalent, it would be nice.
Alas, firewalld is targeted at end nodes and doesn't really provide much facility for routers. Its big advantage there is in setting up a reasonable default firewall for the gateway itself. The only real gateway support is to enable masquerade on the external interface.
I use firewalld direct rules for controlling the forwarded packets. They look like iptables rules and get injected into firewalld's own subchains. Use "iptables -L -v -n" to dump the whole mess into a file for examination.
In /etc/firewalld/direct.xml, you could add an XML passthrough node like this:
<passthrough ipv="ipv4">-I FWDI_internal_deny 1 -p tcp --dport 22 -j DROP</passthrough>
This assumes your internal zone is named internal. Change the chain name to match your zone name. You don't need to specify the interface name here because the FWDI_internal chain is only invoked if the inbound interface matches an interface in that zone.
Also note that the -I option takes a chain name and a number indicating where to insert a rule. I use 1 to put the rule at the start of any rules that firewalld has already inserted. So if you need a LOG rule, you'll want to put the nodes in reverse order in the XML file so they get inserted backwards, last rule first. I.e., insert the DROP rule, then the LOG rule.
At 03:47 PM 6/16/2020, Kenneth Porter wrote:
The rule is in the wrong chain. The INPUT chain affects packets that terminate at the same machine. You want to block packets that will be passed on to the Internet, so your rule needs to be in the FORWARD chain. (The OUTPUT chain affects packets that originate at your machine.)
Here's a nice collection of diagrams showing how packets flow through the system:
Ah ... Caught it. So here is the IPTABLES method to block output on port 22 from internal machines on a gateway:
iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j DROP
So, for example, if your internal interface is /dev/enp2s0, you'd write
iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP
If you want to log such attempts, precede it with a log request. Since I'm using the -I command (insert at top), it means the log request is entered second:
iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"
If someone can suggest a firewall-cmd equivalent, it would be nice.
For that kind of firewalling, I suggest using Shorewall instead:
IMHO it's the better tool for where you need more than a "personal" firewall.
Regards, Simon