I'm having problems figuring out why a simple set of rules is failing. In total, there are 3 rules: one to allow everything on interface lo (1st rule), the last rule is a block-everything rule, and the middle rule is as follows:
Source: any
Destination: network 10.250.0.0/16
Service: any
Interface: any
Direction: both
Action: allow
Time: any
Options: none
When applied, I can't ssh to the box. If I add the box's IP (10.250.1.153) to the destination, it all works.
Below is the result of iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all - 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all - 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all - 0.0.0.0/0 0.0.0.0/0 state NEW
RULE_10 all - 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all - 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all - 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all - 0.0.0.0/0 10.250.0.0/16 state NEW
RULE_10 all - 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all - 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all - 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all - 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT all - 0.0.0.0/0 10.250.0.0/16 state NEW
RULE_10 all - 0.0.0.0/0 0.0.0.0/0
Chain RULE_10 (3 references)
target prot opt source destination
ULOG all - 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `RULE 10 - DENY ' queue_threshold 1
DROP all - 0.0.0.0/0 0.0.0.0/0
The logging indicates it always reaches the block rule even though the rules look like they should be letting it through.
I'm sure I'm missing something obvious but I just can't see it.
Any help would be appreciated.
Thanks,
Andrew
iptables -L -n -v would have been a better command because it shows the inbound and outbound interface.
Anyway, check if the option "assume firewall is part of 'any' and networks" is turned on in the firewall settings dialog. When it is off, the compiler assumes the firewall is _not_ part of the network 10.250.0.0/16 and so does not put a rule matching this network in the destination in the INPUT chain.
Thanks for the reply vkurland,
Below is the iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9 668 ACCEPT all - * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all - * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all - lo * 0.0.0.0/0 0.0.0.0/0 state NEW
90 9433 RULE_10 all - * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all - * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
54 8805 DROP all - * * 0.0.0.0/0 0.0.0.0/0 state INVALID
261 24054 ACCEPT all - * * 0.0.0.0/0 10.250.0.0/16 state NEW
96 11073 RULE_10 all - * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12 1108 ACCEPT all - * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all - * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all - * lo 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all - * * 0.0.0.0/0 10.250.0.0/16 state NEW
0 0 RULE_10 all - * * 0.0.0.0/0 0.0.0.0/0
Chain RULE_10 (3 references)
pkts bytes target prot opt in out source destination
186 20506 ULOG all - * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `RULE 10 - DENY ' queue_threshold 1
186 20506 DROP all - * * 0.0.0.0/0 0.0.0.0/0
I have been comparing another firewall I have generated (it's live and works fine and was also generated from FWB).
What I have noticed is that the working one generates a few ACCEPT rules in the INPUT chain that don't seem to be getting generated in this simple rule set. With the -v option added, it looks like there's nothing to ACCEPT on the INPUT chain for the 10.250.0.0/16 network, which seems odd as I would have thought the middle rule would have generated an appropriate ACCEPT for it.
If I remove the final RULE_10 from the INPUT chain and replace it with an ACCEPT it works (not really surprising).
I just don't know why the 10.250.0.0/16 rule isn't generating any INPUT ACCEPTs.
Andrew
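The -v listing above shows the diagnosis directly: the only NEW-state ACCEPT in INPUT is bound to `in lo`, so a fresh SSH connection arriving on a physical interface falls through to RULE_10, while the same traffic crossing the box is accepted by FORWARD. The following script is an added example, not from this thread or from Firewall Builder, that parses an `iptables -L -n -v` listing and traces a single NEW packet through it. The first listing is the INPUT, FORWARD and RULE_10 chains copied from the post; the second (`FIXED_INPUT`) is an assumed INPUT chain that additionally carries the ACCEPT for 10.250.0.0/16, to show what a router-mode compile would have to emit for the SSH session to succeed. The client address 10.250.1.10 and the interface names eth0/eth1 are constructed; the firewall address 10.250.1.153 is the one from the post.

```python
import ipaddress
import re

# Constructed sample: INPUT, FORWARD and RULE_10 as posted in the thread.
ORIGINAL_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9 668 ACCEPT all - * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all - * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all - lo * 0.0.0.0/0 0.0.0.0/0 state NEW
90 9433 RULE_10 all - * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all - * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
54 8805 DROP all - * * 0.0.0.0/0 0.0.0.0/0 state INVALID
261 24054 ACCEPT all - * * 0.0.0.0/0 10.250.0.0/16 state NEW
96 11073 RULE_10 all - * * 0.0.0.0/0 0.0.0.0/0
Chain RULE_10 (3 references)
pkts bytes target prot opt in out source destination
186 20506 ULOG all - * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `RULE 10 - DENY ' queue_threshold 1
186 20506 DROP all - * * 0.0.0.0/0 0.0.0.0/0
"""

# Assumed (not from the thread): the same INPUT chain plus the ACCEPT for
# 10.250.0.0/16 that the compiler emits when the firewall counts as part of
# the destination network.
FIXED_INPUT = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all - * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all - * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all - lo * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all - * * 0.0.0.0/0 10.250.0.0/16 state NEW
0 0 RULE_10 all - * * 0.0.0.0/0 0.0.0.0/0
Chain RULE_10 (1 references)
pkts bytes target prot opt in out source destination
0 0 ULOG all - * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `RULE 10 - DENY ' queue_threshold 1
0 0 DROP all - * * 0.0.0.0/0 0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_listing(text):
    """Parse `iptables -L -n -v` output into {chain: {"policy": ..., "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:                      # "Chain NAME (policy X ...)" or "(N references)"
            current = m.group(1)   # policy is None for user-defined chains
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if not line.strip() or line.startswith("pkts") or current is None:
            continue
        f = line.split()           # pkts bytes target prot opt in out source destination [matches]
        _, _, target, _, _, in_if, out_if, src, dst = f[:9]
        sm = re.search(r"\bstate (\S+)", " ".join(f[9:]))
        chains[current]["rules"].append({
            "target": target, "in": in_if, "out": out_if,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "states": set(sm.group(1).split(",")) if sm else None,
        })
    return chains


def rule_matches(rule, pkt):
    """Interface, address and conntrack-state match; '*' and no state clause mean any."""
    if rule["in"] != "*" and rule["in"] != pkt["in"]:
        return False
    if rule["out"] != "*" and rule["out"] != pkt["out"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    return rule["states"] is None or pkt["state"] in rule["states"]


def trace(chains, chain, pkt, path=None):
    """Walk a chain; return (verdict, path) where path lists each matched 'CHAIN:TARGET'."""
    path = [] if path is None else path
    for rule in chains[chain]["rules"]:
        if not rule_matches(rule, pkt):
            continue
        path.append(f"{chain}:{rule['target']}")
        if rule["target"] in TERMINAL:
            return rule["target"], path
        if rule["target"] in chains:              # jump to a user chain
            verdict, path = trace(chains, rule["target"], pkt, path)
            if verdict is not None:
                return verdict, path
        # ULOG/LOG are non-terminating: keep evaluating the chain
    return chains[chain]["policy"], path          # builtin policy, or None for a user chain


def new_ssh_to_firewall(in_if="eth0"):
    """Constructed packet: first SYN of an SSH session to the firewall's own address."""
    return {"in": in_if, "out": "", "src": "10.250.1.10", "dst": "10.250.1.153", "state": "NEW"}


if __name__ == "__main__":
    orig = parse_listing(ORIGINAL_LISTING)
    print("INPUT, eth0:", trace(orig, "INPUT", new_ssh_to_firewall()))
    print("INPUT, lo:  ", trace(orig, "INPUT", new_ssh_to_firewall("lo")))
    transit = {"in": "eth0", "out": "eth1", "src": "10.250.1.10", "dst": "10.250.2.5", "state": "NEW"}
    print("FORWARD:    ", trace(orig, "FORWARD", transit))
    print("fixed INPUT:", trace(parse_listing(FIXED_INPUT), "INPUT", new_ssh_to_firewall()))
```

Run against the posted listing, the SSH SYN arriving on eth0 is dropped via `INPUT:RULE_10 -> RULE_10:ULOG -> RULE_10:DROP` (matching the "RULE 10 - DENY" log lines), the same SYN on lo is accepted, and transit traffic to 10.250.0.0/16 is accepted in FORWARD; only the assumed INPUT chain with the extra ACCEPT lets the SSH session through. The counters in the listing tell the same story without any tooling: 90 packets hit RULE_10 from INPUT while the `lo` ACCEPT has zero.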
Sorry, I forgot to add that the "assume firewall is part of any" was checked.
I found the problem
Near the "Assume firewall is part of any" is the option "Bridging Firewall". I had assumed this would have meant it turned forwarding on. Maybe it does, but it also seems to stop generating the INPUT ACCEPT rules.
If anyone is able to briefly explain what it's for that would be helpful.
Anyway, my firewall seems to be behaving as expected now.
Regards,
Andrew
That option indicates that your firewall is set up as a bridge rather than a router. Iptables rules should be different in this case.
If you wanted to turn IP forwarding on, there is a control for this in the first page of the "advanced host settings" in the firewall object.