Can't figure out what's wrong with simple rules

dualarrow
2012-07-18
2013-03-05
  • dualarrow
    2012-07-18

    I'm having problems figuring out why a simple set of rules is failing. In total, there are 3 rules: one to allow everything on interface lo (1st rule), the last rule is a block everything, and the middle rule is as follows:
    Source: any
    Destination: network 10.250.0.0/16
    Service: any
    Interface: any
    Direction: both
    Action: allow
    Time: any
    Options: none

    When applied, I can't ssh to the box. If I add the box's IP (10.250.1.153) to the destination, it all works.

    Below is the result of iptables -L -n

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  -  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    DROP       all  -  0.0.0.0/0            0.0.0.0/0           state INVALID
    ACCEPT     all  -  0.0.0.0/0            0.0.0.0/0           state NEW
    RULE_10    all  -  0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  -  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    DROP       all  -  0.0.0.0/0            0.0.0.0/0           state INVALID
    ACCEPT     all  -  0.0.0.0/0            10.250.0.0/16       state NEW
    RULE_10    all  -  0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  -  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    DROP       all  -  0.0.0.0/0            0.0.0.0/0           state INVALID
    ACCEPT     all  -  0.0.0.0/0            0.0.0.0/0           state NEW
    ACCEPT     all  -  0.0.0.0/0            10.250.0.0/16       state NEW
    RULE_10    all  -  0.0.0.0/0            0.0.0.0/0

    Chain RULE_10 (3 references)
    target     prot opt source               destination
    ULOG       all  -  0.0.0.0/0            0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `RULE 10 - DENY ' queue_threshold 1
    DROP       all  -  0.0.0.0/0            0.0.0.0/0

    The logging indicates it always reaches the block rule even though the rules look like they should be letting it through.

    I'm sure I'm missing something obvious but I just can't see it.

    Any help would be appreciated.

    Thanks,
    Andrew

  • Vadim Kurland
    2012-07-18

    iptables -L -n -v would have been a better command because it shows the inbound and outbound interface.

    Anyway, check if the option "assume firewall is part of "any" and networks" is turned on in the firewall settings dialog. When it is off, the compiler assumes the firewall is _not_ part of the network 10.250.0.0/16 and so does not put a rule matching this network in destination in the INPUT chain.

  • dualarrow
    2012-07-18

    Thanks for the reply vkurland,

    Below is the iptables -L -n -v output:

    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination
        9   668 ACCEPT     all  -  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        0     0 DROP       all  -  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
        0     0 ACCEPT     all  -  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
       90  9433 RULE_10    all  -  *      *       0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  -  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
       54  8805 DROP       all  -  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
      261 24054 ACCEPT     all  -  *      *       0.0.0.0/0            10.250.0.0/16       state NEW
       96 11073 RULE_10    all  -  *      *       0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination
       12  1108 ACCEPT     all  -  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        0     0 DROP       all  -  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
        0     0 ACCEPT     all  -  *      lo      0.0.0.0/0            0.0.0.0/0           state NEW
        0     0 ACCEPT     all  -  *      *       0.0.0.0/0            10.250.0.0/16       state NEW
        0     0 RULE_10    all  -  *      *       0.0.0.0/0            0.0.0.0/0

    Chain RULE_10 (3 references)
    pkts bytes target     prot opt in     out     source               destination
      186 20506 ULOG       all  -  *      *       0.0.0.0/0            0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `RULE 10 - DENY ' queue_threshold 1
      186 20506 DROP       all  -  *      *       0.0.0.0/0            0.0.0.0/0

    I have been comparing another firewall I have generated (it's live and works fine and was also generated from FWB).

    What I have noticed is that the working one generates a few ACCEPT rules in the INPUT chain that don't seem to be getting generated in this simple rule set. With the -v option added, it looks like there's nothing to ACCEPT on the INPUT chain for the 10.250.0.0/16 network, which seems odd as I would have thought the middle rule would have generated an appropriate ACCEPT for it.

    If I remove the final RULE_10 from the INPUT chain and replace it with an ACCEPT it works (not really surprising).

    I just don't know why the 10.250.0.0/16 rule isn't generating any INPUT ACCEPTs.

    Andrew

  • dualarrow
    2012-07-18

    Sorry, I forgot to add that the "assume firewall is part of any" was checked.

  • dualarrow
    2012-07-18

    I found the problem.

    Near the "Assume firewall is part of any" is the option "Bridging Firewall". I had assumed this would have meant it turned forwarding on. Maybe it does, but it also seems to stop generating the INPUT ACCEPT rules.

    If anyone is able to briefly explain what it's for that would be helpful.

    Anyway, my firewall seems to be behaving as expected now.

    Regards,
    Andrew

  • Vadim Kurland
    2012-07-18

    That option indicates that your firewall is set up as a bridge rather than a router. iptables rules should be different in this case.

    If you wanted to turn IP forwarding on, there is a control for this in the first page of the "advanced host settings" in the firewall object.
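The mechanism behind both of Vadim's replies (the kernel's routing decision sends a packet addressed to the firewall itself through INPUT, not FORWARD, so a destination-network ACCEPT only helps SSH-to-the-box when the compiler also emits it in INPUT) can be seen in a small model. The following is an added example written for this thread, not Firewall Builder's code or output: it transcribes the INPUT, FORWARD and RULE_10 chains from Andrew's second `iptables -L -n -v` listing, then contrasts them with an assumed "firewall is a member of 10.250.0.0/16" variant that carries the extra INPUT ACCEPT. The interface name eth0, the peer addresses and the exact shape of the second ruleset are constructed assumptions; the ULOG line is modelled as a non-terminating target so the "RULE 10 - DENY" log line shows up the way Andrew saw it.

```python
"""Toy netfilter chain walk (added example, not Firewall Builder's own code).

Models just enough of iptables to show why a rule "dst 10.250.0.0/16 -> ACCEPT"
does not let SSH reach the firewall when it is compiled only into FORWARD/OUTPUT:
a packet addressed to the firewall itself traverses INPUT, where the posted
ruleset has no matching ACCEPT, so it falls into RULE_10 (ULOG, then DROP).
Addresses, interface names and the ROUTED_MODE ruleset below are constructed.
"""
from dataclasses import dataclass
import ipaddress

FIREWALL_ADDRS = {"10.250.1.153", "127.0.0.1"}   # box IP from the thread, plus loopback


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str      # interface the packet arrived on (assumed names)
    state: str         # conntrack state: NEW, ESTABLISHED, RELATED, INVALID


@dataclass(frozen=True)
class Rule:
    target: str                 # ACCEPT, DROP, ULOG, or a user-defined chain
    dst: str = "0.0.0.0/0"
    in_iface: str = "*"
    states: tuple = ()          # () means "no state match"
    prefix: str = ""            # log prefix for ULOG

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface != "*" and self.in_iface != pkt.in_iface:
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return not self.states or pkt.state in self.states


def walk(chains, chain, pkt, log):
    """Walk one chain; return ACCEPT/DROP, or None if the chain falls through."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "ULOG":             # non-terminating: log and keep going
            log.append(f"{rule.prefix}{pkt.src} -> {pkt.dst} {pkt.state}")
            continue
        verdict_ = walk(chains, rule.target, pkt, log)   # user chain; implicit RETURN
        if verdict_ is not None:
            return verdict_
    return None


def verdict(chains, pkt, policy="DROP"):
    """Routing decision, then chain walk: returns (chain, final verdict, log lines)."""
    chain = "INPUT" if pkt.dst in FIREWALL_ADDRS else "FORWARD"   # local dst -> INPUT
    log = []
    v = walk(chains, chain, pkt, log)
    return chain, (v if v is not None else policy), log


# Transcription of the posted `iptables -L -n -v` (INPUT, FORWARD, RULE_10 only).
RULE_10 = [Rule("ULOG", prefix="RULE 10 - DENY "), Rule("DROP")]
BRIDGE_MODE = {
    "INPUT": [Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
              Rule("DROP", states=("INVALID",)),
              Rule("ACCEPT", in_iface="lo", states=("NEW",)),
              Rule("RULE_10")],
    "FORWARD": [Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
                Rule("DROP", states=("INVALID",)),
                Rule("ACCEPT", dst="10.250.0.0/16", states=("NEW",)),
                Rule("RULE_10")],
    "RULE_10": RULE_10,
}
# Assumed shape of the ruleset once the firewall is treated as a member of
# 10.250.0.0/16: the same ACCEPT also appears in INPUT (a guess, not FWB output).
ROUTED_MODE = dict(BRIDGE_MODE)
ROUTED_MODE["INPUT"] = BRIDGE_MODE["INPUT"][:3] + [
    Rule("ACCEPT", dst="10.250.0.0/16", states=("NEW",)),
    Rule("RULE_10"),
]


def ssh_to_firewall(chains):
    """A new connection from a constructed LAN host to the firewall's own address."""
    return verdict(chains, Packet("10.250.1.10", "10.250.1.153", "eth0", "NEW"))


def transit_to_lan(chains):
    """A new connection through the firewall to another 10.250/16 host (constructed)."""
    return verdict(chains, Packet("192.0.2.7", "10.250.2.5", "eth0", "NEW"))


if __name__ == "__main__":
    for name, chains in (("bridge option on", BRIDGE_MODE), ("firewall in net", ROUTED_MODE)):
        chain, v, log = ssh_to_firewall(chains)
        print(f"{name:16s} ssh -> firewall: {chain} {v} {log}")
        chain, v, log = transit_to_lan(chains)
        print(f"{name:16s} transit -> LAN:  {chain} {v} {log}")
```

Running it shows the transit connection is accepted by FORWARD in both rulesets, while the SSH connection to the box is logged and dropped by RULE_10 in the transcribed ruleset and accepted only once INPUT carries the destination-network rule; this is the same asymmetry the counters in the thread show (hits on FORWARD's 10.250.0.0/16 ACCEPT, none on INPUT). The `iptables -L -n -v` counters, or a `-j LOG`/ULOG rule placed just before the deny, remain the quickest way to confirm which chain a real packet is reaching.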