
                    -= Arno's Iptables Firewall(AIF) =-
         Single- & multi-homed firewall script with DSL/ADSL support

                      ~ In memory of my dear parents ~

(C) Copyright 2001-2024 by Arno van Amersfoort & Lonnie Abelbeck
Web        : https://github.com/arno-iptables-firewall/aif
Email      : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
             (note: you must remove all spaces and substitute the @ and the .
             at the proper locations!)
-------------------------------------------------------------------------------
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
version 2 as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
-------------------------------------------------------------------------------

A MESSAGE FROM THE AUTHOR:
--------------------------
Almost *all* my work is distributed under the terms of the GNU GPL License,
which means it's free (open-source) software. If you like my work or you want
me to implement a certain feature, you are encouraged to donate money. You can
(preferably) donate directly to me through my bank account (mail me for my IBAN
number (International Bank Account Number). My favourite charity organisations are:
- foundations for cancer research (in The Netherlands: "KWF Kanker Bestrijding");
- foundations for brain disease research (in The Netherlands: "De Hersenstichting");
- foundations for the welfare of animals ("IFAW" or in the Netherlands: "De Dierenbescherming")

Note that *ALL* donations I receive go to one of the above foundations.

IMPORTANT NOTE:
---------------
I don't provide enduser support by email, I'm simply too busy to help everybody
out with every (trivial) issue. Bugs may be reported on Github. Please ask any
other questions on Stackexchange/Stackoverflow/Reddit/etc. Also consult the FAQs
before reporting a problem/question. Furthermore read the information in the
troubleshooting section below!

An explanation of the files in the package:
-------------------------------------------
/bin/arno-iptables-firewall :
        The actual firewall script, core of Arno's Iptables Firewall(AIF).
        You should put this file in eg. /usr/local/sbin/ . You should make
        sure it's executable (use "chmod 700" or "chmod +x").

/bin/arno-fwfilter :
        A pipe filter script to make the firewall log more readable. It can
        be used for example in conjunction with a tail to log your firewall to
        local tty10 (-12). It can be used for both /var/log/messages and
        /var/log/firewall (or whatever name you configured syslogd), depending
        on the log-level specified in the configuration file. An example on how
        to use it can be found at the beginning of the fwfilter script. Any
        options for fwfilter can be configured within the script itself. You
        should put this file in eg. /usr/local/bin/.

/etc/arno-iptables-firewall/firewall.conf :
        The configuration file used for Arno's Iptables Firewall(AIF).
        Normally you should put it in /etc/arno-iptables-firewall/. Make sure
        root is owner/group (with "chown 0:0").

/etc/arno-iptables-firewall/plugins/ :
        Any plugin config files  (.conf files) are stored here.

/etc/arno-iptables-firewall/conf.d/ :
        Put any (override) configuration files in this directory. Any files here
        with a .conf extension(!) will be sourced AFTER the main firewall.conf
        file has been read, so settings in them override firewall.conf.

/etc/arno-iptables-firewall/custom-rules :
        Put any (iptables) custom rules in this file. This file
        should be put in /etc/arno-iptables-firewall/ . Make sure root
        is owner/group (with "chown 0:0").

/lib/systemd/system/arno-iptables-firewall.service :
        The systemd service file. Depending on your system it should be
        put in either /usr/lib/systemd/system, /lib/systemd/system or
        /etc/systemd/system

/etc/init.d/arno-iptables-firewall :
        The init.d script (for older systems still using init.d). On some (older)
        distributions you may need to put it in /etc/rc.d/ (instead of
        /etc/init.d). You should make sure it's executable (use "chmod 700" or
        "chmod +x"). Inside this script you can also enable VERBOSE(=1) logging
        for eg. debugging purposes.

/share/arno-iptables-firewall/environment :
        This is the environment-file required by the firewall and plugins.
        It contains several global functions. It should normally be put in
        /usr/local/share/.

/share/arno-iptables-firewall/plugins/ :
        Put any plugin binaries (.plugin files) for my firewall in this
        directory. It should normally be put in /usr/local/share/.

/share/man/man8/arno-iptables-firewall.8 :
        A man page for the arno-iptables-firewall script.

/share/man/man1/arno-fwfilter.1 :
        A man page for the arno-fwfilter script.

/CHANGELOG :
        The version changelog of my firewall.

/README :
        "This" file.

/configure.sh :
        Script to setup a basic configuration.

/install.sh :
        Install script to deploy my firewall on your system.

/uninstall.sh :
        Uninstall script to remove my firewall from your system.

/contrib/ :
        Directory contains any misc. (user contributed) files (scripts etc.) It
        also contains examples on how to modify your syslogger to log your
        firewall stuff into a separate file.

-----------------------------------------
| Some IMPORTANT (security) information |
-----------------------------------------
1) If possible try to start the firewall before you enable your (ADSL) internet
   connection. For a ppp interface that doesn't exist yet
   you can use the wildcard device called "ppp+" (but you can only use
   ppp+ if there aren't any other ppp interfaces!).

2) Don't change any (security) settings ('EXPERT SETTINGS') if you don't
   really understand what they mean. Changing them anyway could have a big
   impact on the security of your machine.

3) I get a lot of emails from people complaining that their webserver etc.
   stopped working after installing my firewall. This is the CORRECT
   behaviour for a firewall: BLOCKING ALL incoming traffic by default!
   Configure your eg. OPEN_TCP accordingly!


-----------------
| General hints |
-----------------
1) For IPv4 addresses you can use IP ranges in all variables by specifying them as
   eg. "192.168.1.10-50" (which would make the range start at 192.168.1.10
   and end at 192.168.1.50). Note that this shorthand only varies the last
   octet, i.e. it only works within a single Class-C(/24) network, so
   specifying eg. 192.168.1.1-192.168.2.1 does NOT work!

2) My firewall has mixed IPv4/IPv6 support. You can switch from IPv4-only to
   IPv4/IPv6 support by simply setting "IPV6_SUPPORT=1" in the config file.

3) You can use the $ANYPORT and $ANYHOST macros to specify "ALL ports" or
   "ALL hosts" in the configuration variables/rules.

4) The configuration variables use several "special" (separator) characters:
   ' ' (space): Used to separate rules (eg. 'rule1 rule2')
   ','        : Used for lists of ports, hosts or protocols (eg. '21,22,23')
   '~'        : Used for host-port separation (eg. '192.168.1.1~22')
   '>'        : Used for source-to-target separation (eg. '192.168.1.1>10.0.0.3')
   '#'        : Used for external interface(-IP) restrictions (eg. 'eth0#rule')
                Also see 5)

   You may want to have a look at the configuration file in
   /etc/arno-iptables-firewall/ for additional information (and examples)

5) For configuration variables/rules which are related to the external
   (internet) interface, the interface(s) to which a rule applies can be
   restricted by prefixing the rule with either "{interface1,interface2,...}#"
   or "{interface_ip1,interface_ip2}#". The latter is especially handy for
   aliased interfaces.
   Example 1: OPEN_TCP="eth0#22", would only open TCP port 22 (SSH) for
              interface eth0
   Example 2: OPEN_TCP="1.2.3.4#22", would only open TCP port 22 (SSH) for
              interface which has the IP 1.2.3.4

   This feature can also be used to enable NAT port forwarding for certain
   (external) interfaces. Examples:
   Example 1: NAT_FORWARD_TCP="eth0#0/0~22>{internal_host}" means:
              - Forwards TCP port 22;
              - Forward is available for the whole world (0/0);
              - Forward is applied to eth0 only;
              - {internal_host} is the host the port should be forwarded to.
   Example 2: NAT_FORWARD_TCP="1.2.3.4#0/0~80>{internal_host}" means:
              - Forwards TCP port 80;
              - Forward is available for the whole world (0/0);
              - Forward is applied to the (external) (aliased) interface with
                IP 1.2.3.4;
              - {internal_host} is the host the port should be forwarded to.

6) Port ranges should be written as port_start:port_end, eg. "137:139" would
   select ports 137,138 and 139.
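As an added worked example (not code from AIF itself) of how the separators in
hints 1), 4), 5) and 6) combine, the POSIX sh script below splits a rule token
into its interface restriction, source host(s), port(s) and forward target and
renders the iptables match options such a token implies. The '-m iprange',
'-m multiport' and DNAT forms are this example's own rendering, not a claim
about how the firewall script builds its rules internally, and the three-dots
test for "is this an IP or an interface name" is a simplification.

```shell
#!/bin/sh
# Added example, not code from AIF itself: split an AIF-style rule token into its
# parts using the README's separators and render the iptables match options such
# a token implies. The iprange/multiport/DNAT forms are this example's choice.
#
# Token grammar taken from the README:  [iface_or_ip#][host~]ports     (OPEN_TCP/UDP)
#                                       [iface_or_ip#]host~port>target (NAT_FORWARD_*)

# "192.168.1.10-50" -> "192.168.1.10-192.168.1.50" (shorthand is only valid inside
# one /24); full ranges, single hosts and CIDR prefixes are returned unchanged.
expand_range() {
  case $1 in
    *-*.*) printf '%s\n' "$1" ;;                                   # already a.b.c.d-e.f.g.h
    *-*)   start=${1%%-*}; printf '%s-%s.%s\n' "$start" "${start%.*}" "${1#*-}" ;;
    *)     printf '%s\n' "$1" ;;
  esac
}

# Split one token into "iface|src|ports|dst" (empty field = not given).
split_rule() {
  r=$1 iface='' src='' ports='' dst=''
  case $r in *'#'*) iface=${r%%'#'*}; r=${r#*'#'} ;; esac
  case $r in *'>'*) dst=${r##*'>'};   r=${r%'>'*} ;; esac
  case $r in *'~'*) ports=${r#*'~'};  src=${r%%'~'*} ;; *) src=$r ;; esac
  printf '%s|%s|%s|%s\n' "$iface" "$src" "$ports" "$dst"
}

# Interface / interface-IP restriction in front of '#': three dots = an IPv4
# address of the external interface (matched as destination), else a device name.
restrict_args() {
  case $1 in
    '')      ;;
    *.*.*.*) printf '%s %s ' -d "$1" ;;
    *)       printf '%s %s ' -i "$1" ;;
  esac
}

# Source host part: nothing for "any", iprange for the a.b.c.d-e shorthand, -s otherwise.
src_args() {
  case $1 in
    ''|0/0|0.0.0.0/0) ;;
    *-*) printf '%s %s %s %s ' -m iprange --src-range "$(expand_range "$1")" ;;
    *)   printf '%s %s ' -s "$1" ;;
  esac
}

# OPEN_TCP / OPEN_UDP token -> match options; a token without '~' is just a port list.
open_args() {
  f=$(split_rule "$2")
  iface=${f%%'|'*}; f=${f#*'|'}; src=${f%%'|'*}; f=${f#*'|'}; ports=${f%%'|'*}
  [ -n "$ports" ] || { ports=$src; src=''; }
  printf '%s\n' "$(restrict_args "$iface")$(src_args "$src")-p $1 -m multiport --dports $ports"
}

# NAT_FORWARD_TCP / _UDP token -> a DNAT rule in the nat table; '>target' is mandatory.
nat_forward_args() {
  f=$(split_rule "$2")
  iface=${f%%'|'*}; f=${f#*'|'}; src=${f%%'|'*}; f=${f#*'|'}; ports=${f%%'|'*}; dst=${f#*'|'}
  if [ -z "$dst" ] || [ -z "$ports" ]; then
    printf 'malformed forward token (need host~port>target): %s\n' "$2" >&2
    return 1
  fi
  printf '%s\n' "-t nat -A PREROUTING $(restrict_args "$iface")$(src_args "$src")-p $1 --dport $ports -j DNAT --to-destination $dst"
}

# Demo on the README's own example tokens (constructed input, nothing is applied):
for t in 'eth0#22' '1.2.3.4#22' '21,22,80' '192.168.1.10-50~22'; do
  printf 'OPEN_TCP         %-24s => %s\n' "$t" "$(open_args tcp "$t")"
done
printf 'OPEN_UDP         %-24s => %s\n' 'eth0#137:139' "$(open_args udp 'eth0#137:139')"
printf 'NAT_FORWARD_TCP  %-24s => %s\n' 'eth0#0/0~22>10.0.0.3' "$(nat_forward_args tcp 'eth0#0/0~22>10.0.0.3')"
```

Run it with 'sh' to see the tokens rendered. An interface IP in front of '#'
becomes a '-d' match on that address, which is what makes the aliased-interface
form select one alias of a parent interface.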

---------------
| Quick setup |
---------------
If you want to have it running ASAP or are a novice user, then this is the part
that's important. Remember that my firewall has a lot of other useful features
which will NOT be used in this way. On the other hand, various security
features are enabled by default to protect you from hostile attacks.

1) First we have to check whether your Linux setup is OK in order to make the
   script work correctly:
        - It needs iptables and iproute(2) to be installed (probably come 
          as packages with your distro).
        - It requires a POSIX compliant /bin/sh (should live on any UNIX system
          by default)
        - My scripts need the following binaries (in your path): 
          iptables (obviously), ip (from the iproute package), sysctl, modprobe,
          logger, uname, date, awk, tr, grep, sed, cut, head, tail, wc, which,
          & cat.
        - If you plan to use DNS resolving (eg. for certain plugins) then the
          binary 'dig' (from the dnsutils package) or as a fall-back 'nslookup'
          should also be available.

2) Now we need to determine whether you have a single- or dual-homed machine.
   Single means you ONLY have one network interface, which is the one connected
   to the outside "evil" world (internet). Dual-homed machines also have a local
   subnet connected to an additional network interface.

3) Run the install script and follow the instructions: ./install.sh

   a) Configure your external network interface(s), EXT_IF. For a
      dual(multi)-homed machine it's the interface which is connected to the
      internet; for a single-homed machine on a LAN it's the one connected to
      your network. If you have multiple (non-aliased) external interfaces, you
      should specify them ALL here (space separated). Note that for aliased
      interfaces you should only specify the "parent" interface in EXT_IF. So if
      you have eth0, eth0:1 and eth0:2, you should make EXT_IF="eth0" (only).

   b) When your public IP is assigned to you by your ISP (through DHCP) you
      should enable support for an externally DHCP-assigned IP by setting
      "EXT_IF_DHCP_IP=1"; otherwise leave it off (0, default).

   c) Now we configure what ports should be open for the outside world. If you
      eg. are running an HTTP-server(port 80), an SSH-server(port 22), and/or
      an FTP-server (port 21) which should be accessible from the internet you
      should configure the OPEN_TCP / OPEN_UDP variables like this:
      OPEN_TCP="21 22 80"
      OPEN_UDP=""

   d) For dual-homed machines you should also configure INT_IF, the interface
      used for the local network, and you should set your local subnet range in
      "INTERNAL_NET=". If you want your internal network to be able to access
      the internet (aka. internet-sharing), you should also enable NAT
      (masquerading) by setting "NAT=1". For single-homed machines (part of a
      LAN), you shouldn't touch INT_IF (leave it disabled) and just stick to
      using EXT_IF.


4) Now your firewall is ready but I'd suggest to review this additional info:

   a) In case you use an (A)DSL modem (which works with a PPTP or PPPoE/PPPoA
      connection to your machine) you should enable the dsl-ppp-modem plugin
      (you can verify this with 'ifconfig' or 'ip addr': if a ppp device with
      your public IP exists, you need this).

      Enable/configure the dsl-ppp-modem plugin via
      /etc/arno-iptables-firewall/plugins/dsl-ppp-modem.conf by setting ENABLED=1.
      Now we must configure the network interface (ethX) to which your modem is
      physically connected (=MODEM_IF, which is commented(#) out by default),
      and this is NOT ppp+, ppp0 etc.! Here are some examples on how to do it
      for some providers (it's assumed that the modem is connected to eth0):

      PPPoE connection with a static public IP (eg. MxStream in the Netherlands)
      (setup with the ADSL4Linux package from http://www.adsl4linux.nl):
      - MODEM_IF="eth0"
      - MODEM_IF_IP="10.0.0.150"
      - MODEM_IP="10.0.0.138"              # Make sure this IP corresponds to
                                             the one used by your modem!

      T-DSL (Germany) with a dynamic public IP:
      - MODEM_IF="eth0"
      - MODEM_IF_IP="192.168.99.1"
      - MODEM_IP=""

      PPPoA connection with a dynamic public IP:
      - MODEM_IF="eth0"
      - MODEM_IF_IP=""                     # This MUST be unset("") (default)
      - MODEM_IP="10.0.0.138"              # Make sure this IP corresponds to
                                             the one used by your modem!

      NOTE 1: For extra security you *can* set the IP of your modem (MODEM_IP),
              but it's not necessary (anymore). If you don't know its IP or
              believe it doesn't have an IP, you can leave MODEM_IP="".
              The same applies for the IP of the modem network interface
              (MODEM_IF_IP).

      NOTE 2: If both your modem AND your network interface don't have an IP
              you probably don't have to configure your modem settings (at all).

      NOTE 3: In case of a PPPoA (PPP-over-ATM) you MUST leave MODEM_IF_IP
              empty(="")!

      NOTE 4: Don't forget to set EXT_IF_DHCP_IP=1 in firewall.conf too, in
              case your ISP uses DHCP.

   b) In case you're on a corporate network which uses public IPs I'd suggest
      adding your local subnet (range) to "FULL_ACCESS_HOSTS".

   c) Some people mentioned that protocols like IRC or some (older)
      FTP/POP3/SMTP servers don't work (properly) if port 113(Identd) is
      filtered (firewalled). I really hate the fact that these type of
      protocols still depend on the "not-so-secure" IDENT-protocol. But if you
      really need it, you can do 2 things to make them work properly:
      1) If you don't want to run an IDENT-daemon, simply add port 113 to the
         REJECT_TCP-variable (Recommended).
      2) Or if you really want to run an IDENT-daemon, you should add port 113
         to the OPEN_TCP-variable. (Not recommended)

5)  You're now ready to start the firewall by issuing:
    "/etc/init.d/arno-iptables-firewall start"
    (or "systemctl start arno-iptables-firewall" on a systemd system).
    Everything should be working OK now; if it doesn't, carefully review all
    steps and your configuration. For troubleshooting you can first consult
    the FAQs on my webpage.

    NOTE 1: When you use NAT, make sure you properly configure the
            clients' "default gateway" and the (public) DNS server(s) they
            should use! Note that you don't have to set up any proxy settings
            in eg. your client's browser.

    NOTE 2: Additional (more advanced) options are (also) explained in the
            configuration-file comments and in the QA's on my webpage (eg.
            IPSec VPN support).
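The quick-setup steps above, as one added example (not part of AIF): a
pre-flight script that writes a constructed firewall.conf plus a conf.d
override for a dual-homed NAT gateway, loads them in the order AIF does
(firewall.conf first, then conf.d/*.conf), and runs the checks the
troubleshooting section below asks for before you ever type "start": all
required binaries in PATH, EXT_IF/INT_IF/MODEM_IF disjoint, nothing from
loopback space in INTERNAL_NET, and every OPEN_TCP/OPEN_UDP token ending in a
real port list. The check functions are this example's own, and the sample
configuration is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of AIF: pre-flight checks for an AIF configuration.
# Covers the quick-setup variables and the troubleshooting tips (binaries in
# PATH, EXT_IF/INT_IF/MODEM_IF disjoint, no loopback in INTERNAL_NET, OPEN_*
# tokens that really end in ports). Sample config below is constructed.

REQUIRED_BINS="iptables ip sysctl modprobe logger uname date awk tr grep sed cut head tail wc which cat"

# Space-separated names of required binaries not found in PATH (empty = all present).
missing_bins() {
  missing=''
  for b in $REQUIRED_BINS; do
    command -v "$b" >/dev/null 2>&1 || missing="$missing $b"
  done
  printf '%s\n' "${missing# }"
}

# Source firewall.conf, then every conf.d/*.conf override (the order AIF uses; files
# without the .conf extension are ignored), then the dsl-ppp-modem plugin config
# if present so MODEM_IF can be checked. Unset variables default to "".
load_conf() {
  EXT_IF='' INT_IF='' MODEM_IF='' INTERNAL_NET='' OPEN_TCP='' OPEN_UDP=''
  . "$1/firewall.conf"
  for f in "$1"/conf.d/*.conf; do
    if [ -f "$f" ]; then . "$f"; fi
  done
  if [ -f "$1/plugins/dsl-ppp-modem.conf" ]; then . "$1/plugins/dsl-ppp-modem.conf"; fi
}

# Print the first interface that appears in more than one of EXT_IF, INT_IF, MODEM_IF.
iface_overlap() {
  for a in $EXT_IF; do
    for b in $INT_IF $MODEM_IF; do
      if [ "$a" = "$b" ]; then echo "$a"; return 0; fi
    done
  done
  for a in $INT_IF; do
    for b in $MODEM_IF; do
      if [ "$a" = "$b" ]; then echo "$a"; return 0; fi
    done
  done
  return 0
}

# INTERNAL_NET entries inside loopback space (127.0.0.0/8 must never be there).
bad_internal_net() {
  for n in $INTERNAL_NET; do case $n in 127.*) echo "$n" ;; esac; done
}

# OPEN_TCP/OPEN_UDP tokens whose port part (after an optional iface# and host~)
# is not a port number, an a:b range or a comma list of those.
bad_port_tokens() {
  for t in $OPEN_TCP $OPEN_UDP; do
    p=${t#*'#'}; p=${p#*'~'}
    case $p in ''|*[!0-9:,]*) echo "$t" ;; esac
  done
}

# Run every check against a config directory; prints findings, returns 1 on any.
validate_conf() {
  load_conf "$1"
  rc=0
  m=$(missing_bins);     [ -z "$m" ] || { echo "missing binaries        : $m"; rc=1; }
  o=$(iface_overlap);    [ -z "$o" ] || { echo "interface in two roles  : $o"; rc=1; }
  l=$(bad_internal_net); [ -z "$l" ] || { echo "loopback in INTERNAL_NET: $l"; rc=1; }
  p=$(bad_port_tokens);  [ -z "$p" ] || { echo "bad OPEN_* token(s)     : $p"; rc=1; }
  return $rc
}

# Constructed sample: dual-homed NAT gateway, DHCP on the outside, SSH and HTTP
# opened on the external interface only via a conf.d override.
make_sample_conf() {
  mkdir -p "$1/conf.d"
  cat >"$1/firewall.conf" <<'EOF'
EXT_IF="eth0"
EXT_IF_DHCP_IP=1
INT_IF="eth1"
INTERNAL_NET="192.168.1.0/24"
NAT=1
OPEN_TCP=""
OPEN_UDP=""
EOF
  cat >"$1/conf.d/10-services.conf" <<'EOF'
OPEN_TCP="eth0#22 eth0#80"
EOF
}

tmp=$(mktemp -d)
make_sample_conf "$tmp"
validate_conf "$tmp" || echo "=> fix the findings above before starting the firewall"
rm -rf "$tmp"
```

Point validate_conf at /etc/arno-iptables-firewall to check a real
installation; the binary check is the one most likely to fire on a freshly
installed minimal system.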


Troubleshooting: What if it doesn't work?:
------------------------------------------------------------------------------
1)  Check your settings (.conf) at least 10 times. It's quite common for a
    human being to make mistakes.
    TIPS / Common errors:
    - Make sure that EXT_IF, MODEM_IF and/or INT_IF are not the same. If they
      are, YOU made a mistake, as they can never EVER be the same!
    - Another error I once saw was someone that used something like
      "127.0.0.0/24" for his local subnet. The whole 127.0.0.0/8 range is the
      local loopback network and therefore should never ever appear in the
      configuration file!
2)  Obtain the latest version of your (distribution) kernel & iptables.
3)  Make sure your (self-built) kernel supports all required options.
4)  Carefully inspect the output generated when issuing
    "arno-iptables-firewall start"
5)  Read the README file at least 3 times
6)  Download the latest (beta) version of my script and check whether this
    fixes your problem.
7)  Read the README file one more time and review your .conf-file also one more
    time, just in case ;-)
8)  Do NOT send enduser requests to my personal email address; instead report
    bugs on Github and ask questions on a public Q&A site (see the IMPORTANT
    NOTE above). Provide us with:
    - your (firewall) *.conf files
    - the screen output of "/usr/local/sbin/arno-iptables-firewall start"
      (or wherever it is located)
    - the output of 'ifconfig' (or 'ip addr')
    - (firewall) logs
    - the version of my script you're using (or date if you use the development
      script)
    - detailed explanation of your setup
    - and anything else that might help
    Remember that people that don't obey these rules, get a low, very low
    priority, or won't get any reaction at all!


Plugin support
------------------------------------------------------------------------------
As of version 1.8.7-RC2 my firewall also supports plugins -> little scripts
that implement specific functionality.

Notes on plugins:
-----------------
1) Plugin config files can be found in /etc/arno-iptables-firewall/plugins/
2) All plugins have an option called "ENABLED" (in their config file) which is
   set to 0 by default, meaning it is disabled. So if you actually want to use
   a plugin, you have to make ENABLED=1
3) Plugins can have their own additional set of configuration variables, don't
   forget to set/review those too.

Everyone is invited to write their own plugins to implement other things, and
to submit them to us.

Notes on writing your own plugins
---------------------------------
1)  When you write your own plugins, make sure you know what you're doing. You
    can severely compromise security or break things with buggy plugins.
2)  Submit plugins to me, if you think they can be of use to others, but note
    that I always reserve the right to decline the plugin (because it was eg.
    poorly written). Submitted plugins must be (at least) compatible with the
    GPLv2 license.
3)  The plugin should have/use these variables:
    - PLUGIN_NAME (Plugin name/description)
    - PLUGIN_VERSION (Plugin version)
    - PLUGIN_CONF_FILE (Location of the plugin config file)

    Furthermore it should honour the ENABLED variable from the config-file to
    enable/disable the plugin.

    Use one of my plugins as a template(skeleton) for writing your own plugins
    (I recommend to have a look at the "SSH Brute-Force protection"-plugin),
    in this way it's easier to understand it for me and for others.
4)  Plugins should have a separate config file (.conf) with all user
    variables(settings). It should at least contain the "ENABLED="-variable
    to enable/disable the plugin.
5)  Plugins should also have a separate file with their CHANGELOG (.changelog)
6)  Plugins should preferably be POSIX shell compatible (eg. work with "Dash")
7)  Plugins can use all variables/functions/chains from the main-script and
    main configuration file. Plugin specific configuration variables should be
    put inside the plugin's configuration file (.conf).
8)  Make sure that when you create new iptables-chains, they don't conflict
    with the main script or other plugins. The same goes for the iptables
    MARK-module, make sure that you use an unique MARK-number that doesn't
    conflict with other plugins.
9)  Plugins should in principle always clean up their own chains (and
    possibly other stuff) they created at start when stopping.
10) A list of available chains created by AIF's main script can be found below.
    Note that I strongly recommend NOT using any builtin iptables chains like
    INPUT/OUTPUT/FORWARD/PREROUTING/POSTROUTING directly. Only do this when
    it's absolutely necessary!


Available iptables chains created by Arno's Iptables Firewall
-------------------------------------------------------------
BASE_INPUT_CHAIN            - Base input chain. For internal use by AIF only!
BASE_OUTPUT_CHAIN           - Base output chain. For internal use by AIF only!
BASE_FORWARD_CHAIN          - Base forward chain. For internal use by AIF only!
INPUT_CHAIN                 - AIF's main INPUT chain. Use this if you want to
                              insert rules in the INPUT chain
OUTPUT_CHAIN                - AIF's main OUTPUT chain. Use this if you want to
                              insert rules in the OUTPUT chain
FORWARD_CHAIN               - AIF's main FORWARD chain. Use this if you want to
                              insert rules in the FORWARD chain
EXT_INPUT_CHAIN             - External-net INPUT chain
EXT_OUTPUT_CHAIN            - External-net OUTPUT chain
EXT_BROADCAST_CHAIN         - External-net chain for broadcast traffic
EXT_MULTICAST_CHAIN         - External-net chain for multicast traffic
EXT_FORWARD_IN_CHAIN        - External-net FORWARD chain for INcoming traffic
EXT_FORWARD_OUT_CHAIN       - External-net FORWARD chain for OUTgoing traffic
EXT_ICMP_FLOOD_CHAIN        - External-net chain where ICMP packets go which
                              are considered a "flood"
DMZ_FORWARD_IN_CHAIN        - DMZ FORWARD chain for INcoming traffic
DMZ_FORWARD_OUT_CHAIN       - DMZ FORWARD chain for OUTgoing traffic
DMZ_INET_FORWARD_CHAIN      - DMZ to internet/external-net forward chain
DMZ_INPUT_CHAIN             - DMZ INPUT chain
DMZ_LAN_FORWARD_CHAIN       - DMZ to LAN/internal-net forward chain
DMZ_OUTPUT_CHAIN            - DMZ output chain
INET_DMZ_FORWARD_CHAIN      - External-net(internet) to DMZ forward chain
HOST_BLOCK_SRC              - Chain containing the list of inbound blocked hosts
HOST_BLOCK_DST              - Chain containing the list of outbound blocked hosts
HOST_BLOCK_SRC_DROP         - Chain where packets from dropped inbound blocked hosts go
HOST_BLOCK_DST_DROP         - Chain where packets from dropped outbound blocked hosts go
INT_INPUT_CHAIN             - Internal-net INPUT chain
INT_OUTPUT_CHAIN            - Internal-net OUTPUT chain
LAN_LAN_FORWARD_CHAIN       - LAN to LAN (Inter-LAN) forward chain (AIF private use only)
LAN_INET_FORWARD_CHAIN      - LAN to internet (external net) forward chain
POST_INPUT_CHAIN            - This chain is always processed last(post) in the
                              INPUT chain
POST_OUTPUT_CHAIN           - This chain is always processed last(post) in the
                              OUTPUT chain
POST_FORWARD_CHAIN          - This chain is always processed last(post) in the
                              FORWARD chain
POST_INPUT_DROP_CHAIN       - Packets dropped at the end of the INPUT chain end
                              up in this chain (Used for eg. IDS)
RESERVED_NET_CHK            - This chain holds the list of reserved nets to
                              check against
SPOOF_CHK                   - This chain contains rules for spoof checking
VALID_CHK                   - This chain contains rules for checking whether a
                              packet is valid
NAT_POSTROUTING_CHAIN       - NAT (-t nat) POSTROUTING chain
NAT_PREROUTING_CHAIN        - NAT (-t nat) PREROUTING chain
POST_NAT_POSTROUTING_CHAIN  - This chain is always processed last(post) in the
                              NAT (-t nat) POSTROUTING chain
POST_NAT_PREROUTING_CHAIN   - This chain is always processed last(post) in the
                              NAT (-t nat) PREROUTING chain
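An added example plugin skeleton (written for this README, not one of the
plugins shipped with AIF) that follows the notes on writing your own plugins:
it carries the PLUGIN_* variables, only acts when its .conf sets ENABLED=1,
keeps everything in a chain of its own, hooks that chain from EXT_INPUT_CHAIN
rather than from the builtin INPUT chain, and tears down in reverse order on
stop. The entry points example_plugin_start/_stop and the IPTABLES variable
are this example's own naming (use a shipped plugin such as the SSH
brute-force protection plugin for the real entry points); the SYN rate limit
it installs is only there to have something non-trivial in the chain.

```shell
#!/bin/sh
# Added example, not one of AIF's shipped plugins: a minimal plugin body that
# follows the "writing your own plugins" notes. example_plugin_start/_stop and
# the IPTABLES variable are this example's own naming; the rate limit is
# illustrative (limit new SYNs to the listed ports, log and drop the excess).

PLUGIN_NAME="Example SYN rate-limit plugin"
PLUGIN_VERSION="0.1"
PLUGIN_CONF_FILE="example-ratelimit.conf"

# Chain name must be unique across AIF and other plugins (same rule for MARK values).
EXAMPLE_CHAIN="EXAMPLE_RATELIMIT_CHAIN"
IPTABLES=${IPTABLES:-iptables}

# Read the plugin config; return 0 only when it sets ENABLED=1.
example_plugin_enabled() {
  ENABLED=0
  if [ -r "$1" ]; then . "$1"; fi
  [ "$ENABLED" = "1" ]
}

# Start: create our chain, fill it, then jump to it from AIF's EXT_INPUT_CHAIN.
# Within the rate new connections RETURN to the caller (AIF decides); beyond it
# they are logged (throttled to 1/min) and dropped.
example_plugin_start() {
  ports=${EXAMPLE_PORTS:-22}
  rate=${EXAMPLE_RATE:-10/min}
  burst=${EXAMPLE_BURST:-20}
  $IPTABLES -N "$EXAMPLE_CHAIN"
  $IPTABLES -A "$EXAMPLE_CHAIN" -m limit --limit "$rate" --limit-burst "$burst" -j RETURN
  $IPTABLES -A "$EXAMPLE_CHAIN" -m limit --limit 1/min -j LOG --log-prefix "AIF:Example SYN limit: "
  $IPTABLES -A "$EXAMPLE_CHAIN" -j DROP
  $IPTABLES -I EXT_INPUT_CHAIN -p tcp --syn -m multiport --dports "$ports" -j "$EXAMPLE_CHAIN"
}

# Stop: remove the jump first, then flush and delete the chain we created.
example_plugin_stop() {
  ports=${EXAMPLE_PORTS:-22}
  $IPTABLES -D EXT_INPUT_CHAIN -p tcp --syn -m multiport --dports "$ports" -j "$EXAMPLE_CHAIN" 2>/dev/null || :
  $IPTABLES -F "$EXAMPLE_CHAIN" 2>/dev/null || :
  $IPTABLES -X "$EXAMPLE_CHAIN" 2>/dev/null || :
}

# Dry run for reading the generated commands:  sh example-ratelimit.plugin dry-run
if [ "${1:-}" = "dry-run" ]; then
  IPTABLES="echo iptables"
  example_plugin_start
  example_plugin_stop
fi
```

The order in stop matters: deleting the jump before flushing means no packet
is ever routed into a half-emptied chain, and '-X' only succeeds once the
chain is empty and unreferenced.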


Loadbalancing/multirouting (with multiroute masquerade/SNAT)
------------------------------------------------------------
My firewall also supports multirouting (loadbalancing), optionally in
conjunction with NAT. Although this works with both conventional masquerading
and SNAT, it's strongly recommended to use SNAT, because the latter is known
to have a much lower chance of causing problems. Also note that I haven't
found a way (yet) to make this work with dynamic external (internet) IPs,
meaning you need static IPs from your ISP.

First of all, if you want to use multirouting, make sure that your
(vanilla)-kernel has the following network features enabled (eg. when
building from source):
- CONFIG_IP_ADVANCED_ROUTER=y
- CONFIG_IP_MULTIPLE_TABLES=y
- CONFIG_IP_ROUTE_MULTIPATH=y

Second, you should configure/enable the multiroute-plugin. And last but not
least, you should setup the firewall: adding (all) the used external
interfaces to EXT_IF. And when SNAT is used, add the corresponding
external IPs to NAT_STATIC_IP. That's it!

NOTE: Redundant connections are (currently) not supported! This is a limitation
of the (current) Linux kernel (not of my firewall).


Info when building your own kernel (2.4 & 2.6) through "make menuconfig":
-------------------------------------------------------------------------------
For the firewall to work properly you need the following options enabled (as
modules or compiled in your kernel):
- "Loadable module support"
        - "Enable loadable module support" (If you want to build iptables as
           modules)
        - "Automatic kernel module loading" (Strongly recommended if you build
           iptables as modules) (Only available in newer 2.6 kernels)
- "Networking", "Networking Support", "Networking Options" :
        - "Packet socket" (If you want to use dhcp client and/or server)
        - "TCP/IP networking"
                - "IP: Multicasting"
                - "IP: advanced router"
                        - "IP: policy routing" (If you want to use load
                           balancing, eg. multiroute masquerading)
                        - "IP: equal cost multipath" (If you want to use load
                           balancing, eg. multiroute masquerading)
                - "IP: TCP syncookie support"
        - ("Network packet filtering")
                - "Core Netfilter Configuration" (For kernel =>2.6.16)
                        - "Netfilter Xtables support (Required for ip_tables)"
                                - "MARK" target support (Only required for
                                   special purposes like eg. traffic shaping
                                   & kernel 2.6 VPN support)
                                - "conntrack" connection tracking match support
                                - "limit" match support
                                - "mac" address match support (If you want to
                                   use MAC filtering)
                                - "state" match support
                                - "tcpmss" match support (If you want to use
                                   tcpmss clamping)
                - "IP: Netfilter Configuration":
                        - "Connection tracking"
                                - "Connection tracking flow accounting" (If you
                                   want to do accounting on your network traffic.
                                   (kernel 2.6 only)
                                - "FTP protocol support"
                        - "IP tables support" (NOTE: The order of sub-options can
                           differ between kernel versions):
                                - "Multiple port match support"
                                - "TOS match support" (If you want to use TOS
                                   mangling)
                                - "recent match support" (required for IDS
                                   & SSH brute-force protection)
                                - "TTL match support" (If you want to use TTL
                                   manipulation)
                                - "limit match support" (kernel <2.6.16)
                                - "MAC address match support" (If you want to
                                   use MAC filtering) (kernel <2.6.16)
                                - "Multiple port match support" (kernel <2.6.16)
                                - "tcpmss match support" (If you use tcpmss
                                   clamping) (kernel <2.6.16)
                                - "Connection state match support"
                                   (Kernel <2.6.16)
                                - "Packet filtering" (kernel <2.6.16)
                                        - "REJECT target support"
                                - "LOG target support"
                                - "TCPMSS target support (If you want to use
                                   tcpmss-clamping)
                                - "Full NAT" (If you use NAT/masquerading aka
                                   internet-sharing or transparent proxies)
                                        - "MASQUERADE target" (If you want to
                                           use masquerading)
                                        - "REDIRECT target support" (If you
                                           want to use port- forwarding,
                                           -redirection or transparent proxies)
                                - "Packet mangling"
                                        - "TOS target support" (If you want to
                                           use TOS mangling)
                                        - "MARK target support" (Only required
                                           for special purposes like eg. traffic
                                           shaping & kernel 2.6 VPN support)
                                           (kernel <2.6.16)
                                        - "TTL target support" (if you want to
                                           use TTL manipulation
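The kernel feature list above, as an added check script (not part of AIF):
it compares the matches and targets the running kernel exposes in
/proc/net/ip_tables_matches and /proc/net/ip_tables_targets (written by the
legacy ip_tables/x_tables code once the ip_tables module is loaded; absent
with an iptables-nft backend) with the required and optional ones from the
list, and greps the kernel config (/proc/config.gz or /boot/config-$(uname -r))
for the base options plus the three the multirouting section requires. Caveat:
the /proc files only list match/target modules that are currently loaded, so a
"missing" entry on a modular kernel may just mean "not yet modprobed", which
automatic module loading takes care of on first use. The required/optional
split is this example's reading of the "(If you want to ...)" notes.

```shell
#!/bin/sh
# Added example, not part of AIF: check a running kernel against the README's
# netfilter feature list. Sources: /proc/net/ip_tables_matches and
# /proc/net/ip_tables_targets (legacy ip_tables backend, loaded modules only)
# and the kernel config (/proc/config.gz or /boot/config-$(uname -r)).

REQ_MATCHES="conntrack limit state multiport"
OPT_MATCHES="mac tcpmss recent tos ttl"
REQ_TARGETS="REJECT LOG"
OPT_TARGETS="MASQUERADE REDIRECT DNAT TCPMSS MARK TOS TTL"
# Kernel options: the base set plus the three the multirouting section needs.
REQ_KCONFIG="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_IP_NF_IPTABLES CONFIG_IP_MULTICAST CONFIG_SYN_COOKIES"
MULTIROUTE_KCONFIG="CONFIG_IP_ADVANCED_ROUTER CONFIG_IP_MULTIPLE_TABLES CONFIG_IP_ROUTE_MULTIPATH"

# missing_from FILE NAME...  -> prints each NAME that is not a whole line of FILE
# (an unreadable FILE counts as "everything missing").
missing_from() {
  file=$1; shift
  for name in "$@"; do
    grep -qx "$name" "$file" 2>/dev/null || printf '%s\n' "$name"
  done
}

# Kernel config text on stdout, empty if neither source exists.
kernel_config() {
  if [ -r /proc/config.gz ]; then zcat /proc/config.gz
  elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
  fi
}

# kconfig_missing OPTION... < config  -> prints options that are neither =y nor =m.
kconfig_missing() {
  cfg=$(cat)
  for opt in "$@"; do
    printf '%s\n' "$cfg" | grep -q "^$opt=[ym]$" || printf '%s\n' "$opt"
  done
}

# Report for the running system (an empty list after the colon = nothing missing).
report() {
  m=/proc/net/ip_tables_matches; t=/proc/net/ip_tables_targets
  if [ -r "$m" ] && [ -r "$t" ]; then
    echo "required matches missing : $(missing_from "$m" $REQ_MATCHES | tr '\n' ' ')"
    echo "optional matches missing : $(missing_from "$m" $OPT_MATCHES | tr '\n' ' ')"
    echo "required targets missing : $(missing_from "$t" $REQ_TARGETS | tr '\n' ' ')"
    echo "optional targets missing : $(missing_from "$t" $OPT_TARGETS | tr '\n' ' ')"
  else
    echo "$m / $t not readable: run 'modprobe ip_tables' first, or this is an nft backend"
  fi
  cfg=$(kernel_config)
  if [ -n "$cfg" ]; then
    echo "base kernel options missing  : $(printf '%s\n' "$cfg" | kconfig_missing $REQ_KCONFIG | tr '\n' ' ')"
    echo "multirouting options missing : $(printf '%s\n' "$cfg" | kconfig_missing $MULTIROUTE_KCONFIG | tr '\n' ' ')"
  else
    echo "no kernel config found (needs CONFIG_IKCONFIG_PROC or /boot/config-$(uname -r))"
  fi
}

report
```

On a modular kernel, run the report once after 'arno-iptables-firewall start'
as well: by then the matches the firewall actually uses have been autoloaded
and the first list should be empty.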


Kernel configuration - Special issues
-------------------------------------
Some kernel versions, or series of versions, may have unique issues, below are
topics related to the scope of this firewall script.

1) Starting with kernel version 2.6.27, CONFIG_NF_CT_ACCT is deprecated, the
   result when the "nf_conntrack" module is loaded and the kernel has
   CONFIG_NF_CT_ACCT=y set, the following message is displayed:

     "CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
     nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
     sysctl net.netfilter.nf_conntrack_acct=1 to enable it."

   The message is harmless, and can be safely ignored. The main script also
   sets net.netfilter.nf_conntrack_acct=1 in the case CONFIG_NF_CT_ACCT is not
   set.

   Though, if you find this message annoying, it can be silenced via
   "make menuconfig":

       -- Core Netfilter Configuration --
     <M> Netfilter connection tracking support
     [ ]   Connection tracking flow accounting

   if "Connection tracking flow accounting" can't be disabled, then disabling

     < >   "connbytes" per-connection counter match support

   may be required because of dependencies.  The resulting configuration
   settings are:

     CONFIG_NF_CONNTRACK=m
     # CONFIG_NF_CT_ACCT is not set
     # CONFIG_NETFILTER_XT_MATCH_CONNBYTES is not set

   CONFIG_NF_CT_ACCT was scheduled to be removed in 2.6.29, but has not yet
   been removed, as of writing.

aif's People

Contributors: abelbeck, arnova, ferki

aif's Issues

Add EXT_IF_DHCPV6_IPV6 variable

My business internet connection finally got native IPv6 using DHCPv6-PD and ran across an AIF configuration issue.

In my case, IPv4 is statically assigned, so EXT_IF_DHCP_IP=0 .

But, in order to receive the return "dhcp6 advertise" in response to my "dhcp6 solicit", AIF needs to allow -p udp --sport 547 --dport 546.

Currently the code is:

  # Here we add support for DHCP assigned IP
  ##########################################
  if [ "$EXT_IF_DHCP_IP" = "1" ]; then
    echo " Enabling support for DHCP-assigned-IP (DHCP client)"
    # Allow this host to be an DHCP client:
    ip4tables -A EXT_INPUT_CHAIN -p udp --sport 67 --dport 68 -j ACCEPT
    if [ "$IPV6_SUPPORT" = "1" ]; then
      # Allow this host to be an DHCPv6 client:
      ip6tables -A EXT_INPUT_CHAIN -p udp --sport 547 --dport 546 -j ACCEPT
    fi
  fi

It is not ideal to set EXT_IF_DHCP_IP=1 in this case.

I propose we add a EXT_IF_DHCPV6_IPV6 variable, as such:

  # Here we add support for DHCP assigned IP
  ##########################################
  if [ "$EXT_IF_DHCP_IP" = "1" ]; then
    echo " Enabling support for DHCP-assigned-IP (DHCP client)"
    # Allow this host to be an DHCP client:
    ip4tables -A EXT_INPUT_CHAIN -p udp --sport 67 --dport 68 -j ACCEPT
    if [ "$IPV6_SUPPORT" = "1" ]; then
      # Allow this host to be an DHCPv6 client:
      ip6tables -A EXT_INPUT_CHAIN -p udp --sport 547 --dport 546 -j ACCEPT
    fi
+  elif [ "$EXT_IF_DHCPV6_IPV6" = "1" ]; then
+    if [ "$IPV6_SUPPORT" = "1" ]; then
+      # Allow this host to be an DHCPv6 client via Link-Local:
+      ip6tables -A EXT_INPUT_CHAIN -s fe80::/10 -p udp --sport 547 --dport 546 -j ACCEPT
+    fi
  fi
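Review bot: because the new branch is an `elif`, a host that sets both EXT_IF_DHCP_IP=1 and EXT_IF_DHCPV6_IPV6=1 never reaches it and keeps the unrestricted `--sport 547 --dport 546` rule, so the `-s fe80::/10` limit only protects users of the new variable; either fold the DHCPv6 rule into one block guarded by `[ "$EXT_IF_DHCP_IP" = "1" ] || [ "$EXT_IF_DHCPV6_IPV6" = "1" ]` with the source restriction applied in both cases (the question raised below), or keep two independent `if`s. The new variable also needs a default and a comment in firewall.conf so it is documented next to EXT_IF_DHCP_IP.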

While it would be a change, do we want to also limit EXT_IF_DHCP_IP=1 DHCPv6 client to Link-Local only as well? If so we could combine them in one test.

Thoughts @arnova ?

Opening ports

I have an issue while setting it up

Which TCP ports do you want to allow from the internet? (eg. 22=SSH, 80=HTTP, etc.) (comma separate multiple ports)? 20,21,22,80,443,1935,8080,10000,10051,10050

then I get

Allowing ANYHOST for TCP port(s): 20,21,22,80,443,1935,8080.10000,10050,10051 /sbin/iptables -A EXT_INPUT_CHAIN -i + -d 0/0 -p tcp --dport 8080.10000 -j ACCEPT ERROR (2): iptables v1.6.0: invalid port/service 8080.10000' specified
Try iptables -h' or 'iptables --help' for more information. /sbin/ip6tables -A EXT_INPUT_CHAIN -i + -d 0/0 -p tcp --dport 8080.10000 -j ACCEPT ERROR (2): ip6tables v1.6.0: invalid port/service 8080.10000' specified
Try ip6tables -h' or 'ip6tables --help' for more information.

I don't know why the comma is translated to a point. As a result I cannot access webmin


IPv6 NAT table is not flushed

Starting with Linux kernel 3.7 ip6tables gained support for IPv6 NAT, iptables added support with v1.4.17 in 2012-Dec-25.

Regardless of the good/bad of IPv6 NAT, AIF should be flushing and deleting all ip6tables -t nat rules as we do for ip4tables -t nat.

BTW, the NETMAP target is very useful for IPv6 unique local address (ULA) routing. A work in progress NPTv6 AIF plugin is here:
https://sourceforge.net/p/astlinux/code/HEAD/tree/branches/1.0/package/arnofw/net-prefix-translation/

So, what is the best way to handle this, do we test for IPv6 NAT support and if/then in various places, or simply use try_ip6tables so any errors are ignored. These actions only occur when AIF is started/stopped/restarted.

I'm suggesting using try_ip6tables, ex.

try_ip6tables -t nat -F
try_ip6tables -t nat -X

@arnova agree?

Problem with ICMP request

Hi,

This issue is probably due to my fault, but I suppose that my configuration is right.
ICMP requests do not work at all.

Here is my configuration file in case of a mistake:

EXT_IF="eth0"
EXT_IF_DHCP_IP=0
INT_IF="lxcbr0"
INTERNAL_NET="172.4.1.0/24"
OPEN_ICMP=1
ECHO_IGNORE=0
ICMP_REDIRECT=1
OPEN_TCP="80, 443, 587, 143, 5000, 22, 9001"
OPEN_UDP="80, 443, 587, 143, 5000, 22, 9001"
NAT=1
NAT_INTERNAL_NET="172.24.1.0/24"
NAT_TCP_FORWARD="143,587>172.24.1.3 80,443>172.24.1.2"
NAT_UDP_FORWARD="143,587>172.24.1.3 80,443>172.24.1.2"

If it's my fault, it could be interesting to add a section for ICMP configuration, because with monitoring in front of a server it's very useful to allow it, especially without iptables skills.

Tell me if you need more info about this problem.

Great work, thanx.
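The two reports above ("Opening ports", where a malformed port list reached iptables as "8080.10000", and this one, where NAT forward targets and subnets are typed by hand) both come down to firewall.conf values that nothing checked before they became rules. The following is an added example, not AIF's own code: a POSIX sh pre-flight check for port lists and for NAT_*_FORWARD entries against NAT_INTERNAL_NET. Function names are mine, the entry format "[srcip~]ports>host[~port]" follows the settings quoted on this page, and the inputs at the bottom are constructed from the two reports.

```shell
#!/bin/sh
# Added example (not AIF's own code): sanity-check firewall.conf values before
# they reach iptables. Inputs at the bottom are constructed from the reports.

# validate_port_list LIST
# Accept a comma/space separated list of ports (1-65535) and ranges "lo:hi";
# print the first offending element and return 1 on any error.
validate_port_list() {
  for _p in $(printf '%s' "$1" | tr ',' ' '); do
    case "$_p" in
      *:*) _lo=${_p%%:*}; _hi=${_p#*:} ;;
      *)   _lo=$_p;       _hi=$_p ;;
    esac
    for _n in "$_lo" "$_hi"; do
      case "$_n" in
        ''|*[!0-9]*) echo "bad port spec: $_p"; return 1 ;;   # catches "8080.10000"
      esac
      if [ "$_n" -lt 1 ] || [ "$_n" -gt 65535 ]; then
        echo "port out of range: $_p"; return 1
      fi
    done
    if [ "$_lo" -gt "$_hi" ]; then echo "inverted range: $_p"; return 1; fi
  done
  return 0
}

# ip4_to_int A.B.C.D -> prints the address as a 32-bit integer, fails on junk.
ip4_to_int() {
  _save=$IFS; IFS=.; set -- $1; IFS=$_save
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    case "$_o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip4_in_net ADDR NET/BITS -> 0 when ADDR lies inside the network.
ip4_in_net() {
  _net=${2%/*}; _bits=${2#*/}
  if [ "$_bits" = "$2" ]; then _bits=32; fi          # bare address means /32
  case "$_bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$_bits" -le 32 ] || return 1
  _a=$(ip4_to_int "$1") || return 1
  _n=$(ip4_to_int "$_net") || return 1
  _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
  [ $(( _a & _mask )) -eq $(( _n & _mask )) ]
}

# check_nat_forwards "FWD_LIST" NAT_INTERNAL_NET
# Each entry is "[srcip~]ports>host[~dstport]"; every port list must be valid
# and every target host must be inside NAT_INTERNAL_NET.
check_nat_forwards() {
  _rc=0
  for _e in $1; do
    _lhs=${_e%%>*}; _rhs=${_e#*>}
    if [ "$_lhs" = "$_e" ]; then echo "missing '>' in: $_e"; _rc=1; continue; fi
    _ports=${_lhs#*~}                  # drop optional "srcip~"
    _host=${_rhs%%~*}                  # drop optional "~dstport"
    validate_port_list "$_ports" || _rc=1
    case "$_rhs" in *~*) validate_port_list "${_rhs#*~}" || _rc=1 ;; esac
    if ! ip4_in_net "$_host" "$2"; then
      echo "forward target $_host is outside NAT_INTERNAL_NET $2"; _rc=1
    fi
  done
  return $_rc
}

# Constructed inputs (dry run, no iptables is called).
validate_port_list "20,21,22,80,443,1935,8080.10000,10050,10051" || echo "  -> OPEN_TCP rejected"
check_nat_forwards "143,587>172.24.1.3 80,443>172.24.1.2" "172.24.1.0/24" && echo "NAT forwards consistent"
```

Run the checks from a wrapper before calling the firewall script, or source the file and call `check_nat_forwards "$NAT_TCP_FORWARD" "$NAT_INTERNAL_NET"` after reading firewall.conf; a non-zero return means a rule would either be rejected by iptables or forward to a host the NAT rules cannot reach.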

Drop environment/plugin bin path setting from config file

Currently we set the environment & plugin bin path from firewall.conf. This causes problems when eg. switching between deb & tar.gz versions. I can't recall why we ever had this as an option but I think it's safe to assume we can autodetect where to find those files?

ebtables addition

Not an issue, more of a request, if you think possible.
My PC that I use as my gateway server, with arno firewall installed also acts as my dhcp server. I use mac address filtering, so I know what devices can go through the firewall on the clean side. However I can't stop anyone not in the mac-address list from getting an IP address in the first place. Apparently dhcp is at a lower level than ip, so the firewall doesn't block the request for an ip address. But I think ebtables could solve that issue, e.g. ebtables -A INPUT -s xx:xx:xx:xx:xx:xx -j DROP

Is this something you could think about adding?

AIF must be started after network is up causing a host to be exposed temporarily

I just committed some stuff which changes AIF's behavior at start. Previously we would start before network was up which caused all kinds of problems with eg. plugins which need to setup routes or try to resolve names etc. I've now changed the service file so that AIF is started right after network is up, but this leaves the host exposed temporarily. This window of opportunity is very small but we may want to fix this by eg. adding a helper service which simply inits all builtin iptables chains to DROP.

Opening ports on specific IP

Is there any config options to open for example 80,443 to the world, but only on a specific interface?
In the case where you have eth0 eth0:1 eth0:2 with 3 different IPs, I'd like only eth0:2 and its IP to be exposed to the world, not the two other IPs.

So basically have an OPEN_TCP="21,22,1919,6363,7777,19922" as usual with an addition of:
OPEN_TCP_INT="80,443-local.ip2 1200-local.ip0"

Or any other current way of doing this?

-Osi

IGMP packets get caught by the SPOOF_CHK chain

An AstLinux integrator reported a German customer moved from ADSL to VDSL and is now logging every 30 secs the following:

May 23 10:27:18 router user.info kernel: AIF:Spoofed packet: IN=eth0 OUT= MAC=01:00:5e:00:xx:xx:xx:80:df:43:cf:xx:xx:xx SRC=192.168.4.2 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=2733 PROTO=2

A solution is to add this to custom-rules:

echo "[CUSTOM RULE] Disable antispoof checking for IGMP packets"
ip4tables -I SPOOF_CHK -p 2 -j RETURN

and that stops the spoof logging.

@arnova is this something we should add by default to the SPOOF_CHK chain?

Service active while process dead

I installed arno-iptables-firewall & answered the questions during setup, but its status says it's dead. Is there more I need to do?

$ sudo service arno-iptables-firewall status
● arno-iptables-firewall.service - Arno's Iptables Firewall
   Loaded: loaded (/lib/systemd/system/arno-iptables-firewall.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

Connection Tracking Helpers

As of Kernel 4.7, AIF users are seeing this message:

nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.

Ref: https://askubuntu.com/questions/906197/weird-iptables-log-messages-after-upgraded-to-server-zesty-17-04

It appears by default the only nf_conntrack_<helper> AIF enables is "ftp". "irc" is a firewall.conf option and "sip" is in an optional plugin.

An excellent reference is here:

"Secure use of iptables and connection tracking helpers"
https://home.regit.org/netfilter-en/secure-use-of-helpers/

BTW, this should not be confused with the nf_nat_* helpers, AFAIK.

I don't have any commit ideas at this point, but we need to get a handle on this.

Error: /usr/sbin/iptables: (4) Another app is currently holding the xtables lock.

In AstLinux we recently updated iptables to version 1.4.21, and very rarely, usually a background plugin can generate either error below:

/usr/sbin/iptables: (4) Another app is currently holding the xtables lock.
Perhaps you want to use the -w option?

or

/usr/sbin/ip6tables: (4) Another app is currently holding the xtables lock.
Perhaps you want to use the -w option?

Digging deeper, this change occurred with iptables 1.4.20, from Changelog...
ip[6]tables: Add locking to prevent concurrent instances

Discussion and preliminary patch:
http://patchwork.ozlabs.org/patch/246619/

In my limited testing, I can forcibly generate the error, and adding -w seems to gracefully work.

We need to automatically handle this in AIF since it could mean a rule does not get applied while the firewall is being built.

Fortunately, adding a -w is only needed in 4 lines in environment.

grep 'IP[46]TABLES ' /usr/share/arno-iptables-firewall/environment

  result=`$IP4TABLES "$@" 2>&1`
  result=`$IP6TABLES "$@" 2>&1`
  $IP4TABLES "$@" >/dev/null 2>&1
  $IP6TABLES "$@" >/dev/null 2>&1

Checking for iptables-1.4.20+ is probably the most work :-)

And much testing...

IPv6 sysctl sets accept_ra=0 when forwarding=1, breaks DHCPv6-client WAN configuration

Unlike DHCPv4, DHCPv6 does not provision the default gateway for a client. Devices running DHCPv6 on the WAN need to be learning and installing a default gateway based on router advertisements.

Currently AIF sets accept_ra=0 when forwarding=1, which is not needed since with forwarding=1 the kernel ignores RAs when accept_ra=0 or accept_ra=1.

After Linux kernel 2.6.35, accept_ra=2 was supported to override this behavior when forwarding=1 to selectively allow a DHCPv6 client on a WAN interface.

I propose we simply remove the line where accept_ra is set to 0 when forwarding=1, this would allow external agents to set accept_ra=2 as needed for DHCPv6-client. Sysctl accept_ra=2 should only be done for interfaces that require it (not all EXT_IF's) and is often needed before AIF is called, this should be left to an outside agent, and AIF should simply leave accept_ra alone for the forwarding=1 case.

Ref: http://www.mattb.net.nz/blog/2011/05/12/linux-ignores-ipv6-router-advertisements-when-forwarding-is-enabled/
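The report above rests on one kernel rule: with forwarding=1 an interface only honours router advertisements when accept_ra=2. The following is an added example, not AIF's own code, that audits exactly that across the per-interface IPv6 sysctls. It reads the same /proc files sysctl does, under a root prefix of my choosing so it can be run against a constructed tree, prints one line per interface, and returns non-zero only when an interface you name (the DHCPv6-client WAN, typically EXT_IF) would have its RAs ignored. Function names are mine.

```shell
#!/bin/sh
# Added example, not AIF code: audit forwarding/accept_ra per IPv6 interface.

# in_list WORD LIST -> 0 when WORD is in the comma/space separated LIST.
in_list() {
  for _w in $(printf '%s' "$2" | tr ',' ' '); do
    if [ "$_w" = "$1" ]; then return 0; fi
  done
  return 1
}

# audit_accept_ra ROOT WANT_RA_IFS
# ROOT is "" on a live system (or a test tree); WANT_RA_IFS lists interfaces
# that must learn their default route from RAs. Prints
#   iface forwarding=F accept_ra=R verdict
# for every interface except "all" and "default"; verdict is "RAs-ignored"
# whenever forwarding=1 and accept_ra!=2 (the kernel rule the report cites).
# Returns 1 if any interface in WANT_RA_IFS got that verdict.
audit_accept_ra() {
  _root=$1; _want=$2; _rc=0
  for _d in "$_root"/proc/sys/net/ipv6/conf/*; do
    [ -d "$_d" ] || continue
    _if=${_d##*/}
    case "$_if" in all|default) continue ;; esac
    read -r _fwd 2>/dev/null < "$_d/forwarding" || _fwd='?'
    read -r _ra  2>/dev/null < "$_d/accept_ra"  || _ra='?'
    _v=ok
    if [ "$_fwd" = 1 ] && [ "$_ra" != 2 ]; then
      _v=RAs-ignored
      if in_list "$_if" "$_want"; then _rc=1; fi   # a WAN that needs RAs
    fi
    echo "$_if forwarding=$_fwd accept_ra=$_ra $_v"
  done
  return $_rc
}

# Live use (EXT_IF taken from firewall.conf):  audit_accept_ra "" "$EXT_IF"
```

The script only reports; the fix it points at is the one the report proposes, setting accept_ra=2 on the WAN interface by whatever agent configures it, and leaving accept_ra alone for the other forwarding interfaces.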

Any way to prevent all logging?

It seems my server is visited by a Korean guy with a port scanner. The scanner goes at a very low pace (like 2 seconds/connection), but it is still annoying to see the packets logged in journald. These are the packets:

Oct 23 23:54:17 host kernel: AIF:UNPRIV TCP packet: IN=vmbr0 OUT= MAC=52:ec:95:9f:fc:28:18:55:0f:b3:ce:71:08:00 SRC=112.175.124.2 DST=192.168.178.4 LEN=40 TOS=0x08 PREC=0x20 TTL=67 ID=47713 DF PROTO=TCP SPT=45986 DPT=3000 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 23 23:54:21 host kernel: AIF:PRIV TCP packet: IN=vmbr0 OUT= MAC=52:ec:95:9f:fc:28:18:55:0f:b3:ce:71:08:00 SRC=112.175.124.2 DST=192.168.178.4 LEN=40 TOS=0x08 PREC=0x20 TTL=63 ID=64892 DF PROTO=TCP SPT=49086 DPT=53 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 23 23:54:22 host kernel: AIF:UNPRIV TCP packet: IN=vmbr0 OUT= MAC=52:ec:95:9f:fc:28:18:55:0f:b3:ce:71:08:00 SRC=112.175.124.2 DST=192.168.178.4 LEN=40 TOS=0x08 PREC=0x20 TTL=60 ID=29017 DF PROTO=TCP SPT=40306 DPT=3000 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 23 23:54:30 host kernel: AIF:PRIV TCP packet: IN=vmbr0 OUT= MAC=52:ec:95:9f:fc:28:18:55:0f:b3:ce:71:08:00 SRC=112.175.127.189 DST=192.168.178.4 LEN=40 TOS=0x08 PREC=0x20 TTL=59 ID=28435 DF PROTO=TCP SPT=37831 DPT=53 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 23 23:54:37 host kernel: AIF:UNPRIV TCP packet: IN=vmbr0 OUT= MAC=52:ec:95:9f:fc:28:18:55:0f:b3:ce:71:08:00 SRC=112.175.127.189 DST=192.168.178.4 LEN=40 TOS=0x08 PREC=0x20 TTL=55 ID=8847 DF PROTO=TCP SPT=37568 DPT=3000 WINDOW=29200 RES=0x00 SYN URGP=0

Is there any way to prevent those packets from being logged? I have already set to zero all LOG settings, but I am still getting them.
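Before deciding which LOG_* setting to turn down or which custom rule to add (the IGMP report above added a SPOOF_CHK bypass; this one wants the port-scan entries gone), it helps to see what AIF is actually logging and how often. The following is an added example, not AIF's own code: an awk summary of AIF kernel log lines grouped by log prefix, source, protocol and destination port, plus a per-prefix counter. The sample lines are constructed with documentation addresses and mirror the two formats quoted on this page; function names are mine.

```shell
#!/bin/sh
# Added example, not AIF code: summarise "AIF:<prefix>: IN=... SRC=... PROTO=..."
# kernel log lines. SAMPLE_LOG is constructed (documentation addresses).

SAMPLE_LOG='Oct 23 23:54:17 host kernel: AIF:UNPRIV TCP packet: IN=vmbr0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.4 LEN=40 TOS=0x08 PREC=0x20 TTL=67 ID=47713 DF PROTO=TCP SPT=45986 DPT=3000 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 23 23:54:21 host kernel: AIF:PRIV TCP packet: IN=vmbr0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.4 LEN=40 TOS=0x08 PREC=0x20 TTL=63 ID=64892 DF PROTO=TCP SPT=49086 DPT=53 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 23 23:54:22 host kernel: AIF:UNPRIV TCP packet: IN=vmbr0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.4 LEN=40 TOS=0x08 PREC=0x20 TTL=60 ID=29017 DF PROTO=TCP SPT=40306 DPT=3000 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 23 23:54:37 host kernel: AIF:UNPRIV TCP packet: IN=vmbr0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.4 LEN=40 TOS=0x08 PREC=0x20 TTL=55 ID=8847 DF PROTO=TCP SPT=37568 DPT=3000 WINDOW=29200 RES=0x00 SYN URGP=0
May 23 10:27:18 router user.info kernel: AIF:Spoofed packet: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:00:5e:00:53:03:08:00 SRC=192.168.4.2 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=2733 PROTO=2'

# aif_log_summary FILE
# One line per (prefix, SRC, PROTO, DPT) group, most frequent first:
#   COUNT<TAB>PREFIX<TAB>SRC<TAB>PROTO<TAB>DPT   (DPT is "-" for non-TCP/UDP)
aif_log_summary() {
  awk '
    /kernel: AIF:/ {
      pre = $0
      sub(/^.*kernel: AIF:/, "", pre)     # text after the AIF: tag ...
      sub(/: .*$/, "", pre)               # ... up to the first ": " = the prefix
      src = "-"; proto = "-"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      }
      n[pre "\t" src "\t" proto "\t" dpt]++
    }
    END { for (k in n) printf "%d\t%s\n", n[k], k }
  ' "$1" | sort -rn
}

# aif_log_prefix_count FILE PREFIX -> number of lines with that AIF prefix.
aif_log_prefix_count() {
  grep -c "kernel: AIF:$2: " "$1" || true    # grep -c prints 0 and exits 1 on no match
}

# Demo on the constructed sample (on a live host point it at the kernel log,
# e.g. a file produced by: journalctl -k --no-pager > aif-kernel.log).
_tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$_tmp"
aif_log_summary "$_tmp"
echo "IGMP spoof entries: $(aif_log_prefix_count "$_tmp" 'Spoofed packet')"
rm -f "$_tmp"
```

The grouping key is deliberately the prefix rather than the raw message, because each prefix maps to one of AIF's LOG_* switches or one rule family (the Spoofed lines to SPOOF_CHK, the PRIV/UNPRIV lines to the external INPUT policy), so the top of the summary tells you which setting a log line comes from before you change it.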

Add LAN to LAN filtering rules

By default, LAN's are isolated from each other, a good thing for example for a guest WiFi VLAN.

But in special situations it may be desirable to allow certain LAN's access to specific network resources, such as network printers, possibly advertised using mDNS using avahi and 'enable-reflector=yes'.

The problem is currently AIF only supports TRUSTED_IF and IF_TRUSTS beyond the isolated default. All or nothing.

I propose an additional chain LAN_LAN_FORWARD_CHAIN and set of rules LAN_LAN_HOST_OPEN_xxx, modeled after DMZ_LAN_HOST_OPEN_xxx to selectively allow LAN to LAN traffic by src, dst and port.

I propose a new function setup_lan_lan_forward_chain() implementing the new rules which would be called...

    # Setup helper chain for the LAN:
    setup_lan_inet_forward_chain;
    setup_lan_lan_forward_chain;  <<< added <<<

    IFS=' ,'
    for iif in $INT_IF; do
      echo "Applying internal(LAN) FORWARD policy to interface: $iif"

      # Always make subnets on the SAME interface trust each other
      iptables -A FORWARD -i $iif -o $iif -j ACCEPT

      for eif in $EXT_IF; do
        iptables -A FORWARD -i $iif -o $eif -j LAN_INET_FORWARD_CHAIN
      done

    <<< hook in LAN_LAN_FORWARD_CHAIN using INT_IF permutations >>>
    done

@arnova do you agree?

Add LAN to DMZ forwarding policy

Currently all LAN traffic (INT_IF interfaces) is allowed to the DMZ network(s)

# Apply policy for LAN->DMZ (allow all)
iptables -A FORWARD -i $iif -o $dif -j ACCEPT

There are situations where a particular LAN should not have access to the DMZ.

One solution is with interface granularity, add a DMZ_DENY_INT_IF variable that contains INT_IF interfaces that should not be allowed to the DMZ, example pseudo-code:

# Apply policy for LAN->DMZ
if $iif is in $DMZ_DENY_INT_IF
iptables -A FORWARD -i $iif -o $dif -j DROP
else
iptables -A FORWARD -i $iif -o $dif -j ACCEPT

Another approach is general filtering granularity, add a LAN_DMZ_FORWARD_CHAIN which defaults to one rule of ACCEPT

# Apply policy for LAN->DMZ (default to allow)
iptables -A FORWARD -i $iif -o $dif -j LAN_DMZ_FORWARD_CHAIN

then add support for the following rules:

LAN_DMZ_HOST_DENY_TCP=""
LAN_DMZ_HOST_DENY_UDP=""
LAN_DMZ_HOST_DENY_IP=""

which would be applied with a new function setup_lan_dmz_forward_chain() adding defined DROP rules before the default ACCEPT in the new LAN_DMZ_FORWARD_CHAIN.

@arnova Thoughts?
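The two proposals above leave two pieces open: the "hook in LAN_LAN_FORWARD_CHAIN using INT_IF permutations" placeholder, and the pseudo-code "if $iif is in $DMZ_DENY_INT_IF" plus the deny-list chain. The following is an added example, not AIF's own code, that fills both as dry-run helpers which print the iptables commands instead of running them, so the pair generation and the deny logic can be read and tested off-box. Chain and variable names follow the proposals; the "host>port" entry format for the LAN_DMZ_HOST_DENY_* lists is my assumption, since the proposal does not define it.

```shell
#!/bin/sh
# Added example, not AIF code: dry-run helpers for the LAN->LAN and LAN->DMZ
# FORWARD-policy proposals. Nothing here calls iptables.

# in_list WORD LIST -> 0 when WORD is in the comma/space separated LIST.
in_list() {
  for _w in $(printf '%s' "$2" | tr ',' ' '); do
    if [ "$_w" = "$1" ]; then return 0; fi
  done
  return 1
}

# lan_lan_forward_rules INT_IF
# Hook LAN_LAN_FORWARD_CHAIN for every ordered pair of *different* internal
# interfaces; same-interface traffic is already ACCEPTed by the existing loop.
lan_lan_forward_rules() {
  _ifs=$(printf '%s' "$1" | tr ',' ' ')
  for _iif in $_ifs; do
    for _oif in $_ifs; do
      if [ "$_iif" != "$_oif" ]; then
        echo "iptables -A FORWARD -i $_iif -o $_oif -j LAN_LAN_FORWARD_CHAIN"
      fi
    done
  done
}

# lan_dmz_forward_rule IIF DIF DMZ_DENY_INT_IF
# Interface-granular LAN->DMZ policy: DROP for listed interfaces, else ACCEPT.
lan_dmz_forward_rule() {
  if in_list "$1" "$3"; then
    echo "iptables -A FORWARD -i $1 -o $2 -j DROP"
  else
    echo "iptables -A FORWARD -i $1 -o $2 -j ACCEPT"
  fi
}

# lan_dmz_chain_rules "TCP_DENY" "UDP_DENY" "IP_DENY"
# Chain-granular alternative: DROP rules built from the LAN_DMZ_HOST_DENY_*
# lists (assumed format "host>port" for TCP/UDP, "host>proto" for IP), then
# the default ACCEPT that terminates LAN_DMZ_FORWARD_CHAIN.
lan_dmz_chain_rules() {
  for _e in $1; do
    echo "iptables -A LAN_DMZ_FORWARD_CHAIN -s ${_e%%>*} -p tcp --dport ${_e#*>} -j DROP"
  done
  for _e in $2; do
    echo "iptables -A LAN_DMZ_FORWARD_CHAIN -s ${_e%%>*} -p udp --dport ${_e#*>} -j DROP"
  done
  for _e in $3; do
    echo "iptables -A LAN_DMZ_FORWARD_CHAIN -s ${_e%%>*} -p ${_e#*>} -j DROP"
  done
  echo "iptables -A LAN_DMZ_FORWARD_CHAIN -j ACCEPT"
}

# Demo with constructed interface names.
lan_lan_forward_rules "eth1,eth2"
lan_dmz_forward_rule eth1 eth3 "eth2"
lan_dmz_chain_rules "192.168.1.5>22" "" "192.168.1.0/24>icmp"
```

Because DROP rules are appended before the final ACCEPT, the order inside the chain carries the policy: a deny list that is empty degenerates to the single ACCEPT the proposal describes as the default.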

configure.sh and systemd

Just wanted to point out that the guided configuration script fails on my system. It seems to look for /etc/init.d/arno-iptables-firewall and reports aif "is not installed on this system".

My system is an Arch Linux using systemd, so I have no init.d. To bypass the sanity_check() function I have to fake the directory like this: mkdir -p /etc/init.d/arno-iptables-firewall

FTP - can't retrieve directory

Hello

setting up a new server and after I installed aif, I can't connect via ftp anymore. it says Error: Failed to retrieve directory listing

I opened port 21 though, what is the cause of this?

thanks
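The "Connection Tracking Helpers" issue above quotes the kernel 4.7 message asking for helpers to be attached with the CT target, and this FTP report is the symptom that message predicts when only port 21 is opened: without the ftp helper tracking the control connection, the data connection of a directory listing is never seen as RELATED. The following is an added example, not AIF's own code, of the explicit-helper pattern from the referenced "Secure use of iptables and connection tracking helpers" article applied to FTP: automatic assignment stays off, the helper is bound only to traffic for the control port, and the data connections it expects are accepted as RELATED. The commands are printed rather than applied; the state-check function reads the sysctl under a root prefix of my choosing so it can be exercised against a constructed tree. Function names are mine.

```shell
#!/bin/sh
# Added example, not AIF code: explicit conntrack-helper assignment for FTP.

# ct_helper_rules TOOL IIF [PORT]
# TOOL is iptables or ip6tables, IIF the external interface ("+" = any),
# PORT the FTP control port (default 21). Prints the rules, does not apply them.
ct_helper_rules() {
  _t=$1; _iif=$2; _port=${3:-21}
  cat <<EOF
[ -e /proc/sys/net/netfilter/nf_conntrack_helper ] && sysctl -w net.netfilter.nf_conntrack_helper=0
$_t -t raw -A PREROUTING -i $_iif -p tcp --dport $_port -j CT --helper ftp
$_t -A INPUT -i $_iif -p tcp --dport $_port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$_t -A INPUT -i $_iif -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
EOF
}

# helper_autoassign_state [ROOT] -> off | on | unknown | absent
# "absent" means the kernel has no nf_conntrack_helper sysctl: Linux 6.0 and
# later removed automatic assignment altogether, so there is nothing to turn off.
helper_autoassign_state() {
  _f="$1/proc/sys/net/netfilter/nf_conntrack_helper"
  if [ ! -e "$_f" ]; then echo absent; return 0; fi
  read -r _v 2>/dev/null < "$_f" || _v=''
  case "$_v" in 0) echo off ;; 1) echo on ;; *) echo unknown ;; esac
}

# Demo (constructed interface name; nothing is applied).
echo "automatic helper assignment: $(helper_autoassign_state "")"
ct_helper_rules iptables eth0
```

The `-m helper --helper ftp` match on the RELATED rule is what keeps this tighter than a blanket `--ctstate RELATED` accept: only expectations created by the ftp helper for that control connection get through. It needs the nf_conntrack_ftp module, which the helpers issue says AIF already loads by default; for IPv6 call the same function with `ip6tables`.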

AIF 2.0.3 on Red Hat EL 8 beta

Just thought I'd drop a note to say there seem to be some issues with AIF and Red Hat EL 8. For example, when an IP from the FULL_ACCESS_HOSTS list is processed the call to "get_ifs" results in "interfaces" being set to "+". On CentOS 7 (basically Red Hat EL 7) the following rule is set:

iptables -A EXT_INPUT_CHAIN -i + -s -d 0/0 -j ACCEPT

and "iptables -S" shows the following so that is allowed through:

-A EXT_INPUT_CHAIN -s /32 -j ACCEPT

In this case the version of iptables is 1.4.21.

On Red Hat EL 8 (iptables 1.8.0) the same procedure as above results in "iptables -S" showing the following:

-A EXT_INPUT_CHAIN -s /32 -i + -j ACCEPT

where is just some non-ASCII jumble which does not allow through. This was tested using AIF 2.0.3.

It appears that AIF is relying on the fact that "-i +" used to behave as "any interface", but it seems this is no longer the case. Indeed, the documentation for iptables is ambiguous in this respect:

[!] -i, --in-interface name
Name of an interface via which a packet was received (only
for packets entering the INPUT, FORWARD and PREROUTING chains).
When the "!" argument is used before the interface name, the
sense is inverted. If the interface name ends in a "+", then
any interface which begins with this name will match. If this
option is omitted, any interface name will match.

so it's not clear what should happen if the interface name is null (the man page hasn't changed in this regard between 1.4.21 and 1.8.0).

It's true that Red Hat EL 8 is still in beta, but this seems to be more of an issue with how iptables is now parsing the "-i" setting, and might be worth looking into.
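Two of the reports above are about the same class of problem, a script that assumes one iptables release's command-line behaviour: the xtables lock (`-w`, new in 1.4.20, quoted from the changelog in the "Another app is currently holding the xtables lock" issue) and the bare "-i +" on 1.8.0 in this one. The following is an added example, not AIF's own code, of small shims for both: a version comparison driven by the `iptables --version` string, a function that yields the lock flag only when the binary knows it, and an interface-argument builder that simply omits `-i` for "" and "+", relying on the man page text quoted above ("If this option is omitted, any interface name will match") instead of on how a given release parses a bare "+". Function names are mine and no iptables binary is run.

```shell
#!/bin/sh
# Added example, not AIF code: iptables command-line compatibility shims.

# version_ge A B -> 0 when dotted version A >= B (missing components count as 0).
version_ge() {
  _a=$1; _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*}; _y=${_b%%.*}
    _x=${_x:-0};  _y=${_y:-0}
    if [ "$_x" -gt "$_y" ]; then return 0; fi
    if [ "$_x" -lt "$_y" ]; then return 1; fi
    case "$_a" in *.*) _a=${_a#*.} ;; *) _a='' ;; esac
    case "$_b" in *.*) _b=${_b#*.} ;; *) _b='' ;; esac
  done
  return 0
}

# iptables_version_of "iptables v1.8.7 (nf_tables)" -> 1.8.7
# Feed it the first line of `iptables --version`; prints nothing on junk.
iptables_version_of() {
  printf '%s\n' "$1" | sed -n 's/^[^v]*v\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# xt_wait_flag VERSION_STRING -> "-w" when the binary takes the lock flag,
# empty otherwise. Prepend it to every ip[46]tables call so a concurrent
# plugin waits for the xtables lock instead of silently losing its rule.
xt_wait_flag() {
  if version_ge "$(iptables_version_of "$1")" 1.4.20; then echo "-w"; fi
}

# xt_in_if_arg IFACE -> "-i IFACE", or nothing for "" and "+" (any interface).
xt_in_if_arg() {
  case "$1" in ''|+) ;; *) echo "-i $1" ;; esac
}

# Demo with constructed version strings.
for _v in 'iptables v1.4.19' 'iptables v1.4.21' 'iptables v1.8.7 (nf_tables)'; do
  echo "$_v -> wait flag: '$(xt_wait_flag "$_v")'"
done
echo "iptables $(xt_wait_flag 'iptables v1.8.7') $(xt_in_if_arg +) -A EXT_INPUT_CHAIN -p tcp --dport 22 -j ACCEPT"
echo "iptables $(xt_wait_flag 'iptables v1.8.7') $(xt_in_if_arg eth0) -A EXT_INPUT_CHAIN -p tcp --dport 22 -j ACCEPT"
```

On a live host the version string comes from `"$IP4TABLES" --version | head -n 1`, evaluated once at start-up and cached, so the four wrapper lines in `environment` that the lock report lists can all read one variable.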

Please add more IPv6 examples.

For example, the OPEN_TCP setting allows settings like 1.2.3.4,5.6.7.8#80 to open port 80 on the local IPs 1.2.3.4 and 5.6.7.8.
However, the equivalent for IPv6 (eg. fe80::1:1#80, ignore that this is a link-local, I was using real public addresses when trying this) doesn't appear to work and generates commands like /sbin/ip6tables -A EXT_INPUT_CHAIN -i fe80::1:1 -d 0/0 -p tcp --dport 80 -j ACCEPT, where it seems to be confused about what the interface and destination IPs are.

More examples to make the format of IPv6 settings clear would be great.

Thanks.

Plugin loopback_nat not loading properly?

Hi guys, I've recently purchased a Netgear Nighthawk D7000v2 modem/router, and it's fantastic. I've logged into it via telnet and added the following:

/etc/arno-iptables-firewall/plugins/nat_loopback.conf, and configured it with ENABLED=1, set the proper IPv4 internal net.

I added the binary for the nat_loopback to the binary_dir set in firewall.conf:

PLUGIN_BIN_PATH="/usr/local/share/arno-iptables-firewall/plugins" << here
PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins" (here is where the .conf is)

I restart the firewall, and it flushes everything. It says Unloaded 0 user plugins, even after it states that it has loaded it:

Checking for (user) plugins in /usr/local/share/arno-iptables-firewall/plugins...
NAT Loopback plugin v1.02
NAT Loopback default IPv4: 169.254.25.54
NAT Loopback internal net(s): 192.168.1.0/24
NAT Loopback local forwards are enabled.
Loaded 1 plugin(s)...

Every time I restart the firewall, it says Unloaded 0 user plugins. However, every time it starts, it states the above message saying the Plugin has been loaded.

status-plugins doesn't show the plugin status. It just shows:

/etc/arno-iptables-firewall # arno-iptables-firewall status-plugins
Arno's Iptables Firewall Script v2.0.1f

Showing status of (user) plugins:

/etc/arno-iptables-firewall #

And consequently, the loopback-nat functionality isn't working. When I try to open the URL that links to my externally forwarded server, it is still trying to connect to the router (because it says connection refused, and this specific port isn't a port that would be used by my router).

Could you please give me some pointers as to where I'm going wrong? thank you so very much.
Kindest regards, Anthony

Firewall Not Starting With System

I am using a Debian 4.9 based virtual machine and arno does not start with the system. It was installed with apt.

I have it set up to use an OpenVPN tunnel interface for its upstream port and the second ethernet device as the downstream port.

Is there an issue with the tunnel not being setup by the time the firewall goes up so it fails?

ipv6 routing not working with 2 interfaces.

ip6 prefixes delegated by dhcpcd to two internal networks do not appear to function correctly.

ETH1,ETH0 = Internal
ETH2=external.

only one interface can properly route ipv6 through the firewall. ipv4 traffic functions as expected.

Disable mangle TOS for DNS

I was doing the EDNS Compliance Tester today (https://ednscomp.isc.org/ednscomp). While the IPv4 part was doing fine with TOS mangling on or off, IPv6 was failing until I turned it off. The error was in the PREROUTING chain. Also I notice the PREROUTING and OUTPUT chains are using different set-tos options, not sure if it's intentional or not, but anyway if I set ANY kind of ToS mangling for IPv6 on the PREROUTING chain for udp 53 it fails the last test with large options.

This is output with TOS mangling disabled:

domain.net. @84.255.xxx.xxx (ns.domain.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok,cookie edns512tcp=ok optlist=ok,expire,cookie,subnet
domain.net. @2a01:260:xxxx:xxxx::x (ns.domain.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok,cookie edns512tcp=ok optlist=ok,expire,cookie,subnet

While with TOS mangling enabled for DNS i get following:

domain.net. @84.255.xxx.xxx (ns.domain.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok,cookie edns512tcp=ok optlist=ok,expire,cookie,subnet
domain.net. @2a01:260:xxxx:xxxx::x (ns.domain.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok,cookie edns512tcp=ok optlist=timeout

load nf_nat_pptp module

Is it possible to add nf_nat_pptp module in load_modules function of main arno-iptables-firewall? Because without this module, users behind the FW could not connect to MS VPN server with MS VPN Client 😞.

better with ipset

this program is in need of ipset intervention in addition to iptables. Loading and saving times will be dramatically faster as you can load and save all sets with 1 command. ipset save -f something.txt
ipset restore -f something.txt

You could probably eliminate some of the for-next loops. Also, the way you're doing things, a list of 20000 IPs (I have 88000+) would cause the CPU to run at 100% and be slow. You add 1 iptables rule for every IP, and with ipset you only need 1 iptables entry for any number of IPs.

ipset -! -N ban_ip hash:net counters
iptables -A INPUT -m set --set ban_ip src -j DROP
OR
ipset -N ban_ip hash:net counters timeout 300 comment
300 is just the default

ipset add ban_ip 1.1.1.1 adds to the list
OR
ipset add ban_ip 1.1.1.1 timeout 60
OR
ipset add ban_ip 1.1.1.1 timeout 60 comment "evil doers r us"

iptables -A ban_ip -j SET --add-set banned_hosts src

Blocked Hosts File

Hello,

I'm running some VPS with Ubuntu 14.04. I've installed this firewall with a script to fill the blocked-hosts file. Everything runs perfectly.

So now I have tried it on Ubuntu 15.10 and 16.04 64-bit Server.
Everything runs perfectly, until I filled up the blocked-hosts file. I grep many sites like blocklist.de, all IPs or ranges, so the file has 30K IPs. On Ubuntu 14.04 a restart takes under a minute. On 15.10 or 16.04, the newest, the start/restart takes 15 minutes after reading the blocked-hosts file. It takes a lot of time to start; the system is at 100% CPU.

I hope someone understands me and can help.

Forwarding TCP port using NAT + VPN: Dropped FORWARD packet

I have managed to get OpenVPN working with AIF by setting INT_IF to tun+ as below. The AIF machine is sitting in the DMZ of consumer router. I also want to forward port 55538 (for incoming connection from host 1.2.3.4) to port 22 on a LAN host (10.0.0.14), which I thought I'd be able to do using NAT_FORWARD_TCP as below:

EXT_IF="eth0"
EXT_IF_DHCP_IP="0"
INT_IF="tun+"
INTERNAL_NET="10.8.0.0/24"
NAT=1
NAT_INTERNAL_NET="10.8.0.0/24"
NAT_LOCAL_REDIRECT=1
NAT_FORWARD_TCP="1.2.3.4~55538>10.0.0.14~22"
IF_TRUSTS="tun+"
FULL_ACCESS_HOSTS="10.0.0.0/24,1.2.3.4"
OPEN_UDP="1194"

However, I'm getting Dropped FORWARD packet in the logs:
AIF:Dropped FORWARD packet: IN=eth0 OUT=eth0 MAC=themacaddress SRC=1.2.3.4 DST=10.0.0.14 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=15573 DF PROTO=TCP SPT=35616 DPT=55538 WINDOW=29200 RES=0x00 SYN URGP=0.

Please can anyone offer any advice about getting this to work?

Thanks

Nick

AIF drops all traffic on force-reload

Due to the implementation of our current blocked-hosts batch loader, we drop all firewall traffic on force-reload because we temporarily set the fw policy to drop while reloading. Especially with large lists of blocked hosts this is undesirable. Perhaps we should fix this by using a passive and an active chain?
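Three of the issues above point at the same mechanism: the "better with ipset" suggestion (one set, one rule, one load command), the "Blocked Hosts File" report (15-minute restarts and 100% CPU for a 30K-entry list loaded one iptables rule at a time), and this one (a DROP-everything window while the list is rebuilt). The following is an added example, not AIF's own code, that turns a blocked-hosts file into an `ipset restore` script which loads the whole list in one call and then swaps it in atomically, so the set the live DROP rule points at is replaced in one step and no reload passes through an open or closed window. The set name and the file format (one IPv4 address or CIDR per line, "#" comments) are my assumptions, not AIF's; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not AIF code: batch-load a blocked-hosts list into an ipset
# and swap it in atomically. Nothing here runs ipset or iptables.

# ipset_restore_script FILE [SETNAME] -> prints an "ipset restore" script.
# The live set is SETNAME; the list is built in SETNAME_new, then swapped.
ipset_restore_script() {
  _file=$1; _set=${2:-aif_blocked}; _tmp="${_set}_new"
  echo "create $_set hash:net family inet"
  echo "create $_tmp hash:net family inet"
  echo "flush $_tmp"
  # Drop comments and blanks, keep only IPv4 or IPv4/CIDR tokens, de-duplicate.
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$_file" \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
    | sort -u \
    | sed "s/^/add $_tmp /"
  echo "swap $_tmp $_set"       # atomic: the DROP rule now consults the new list
  echo "destroy $_tmp"
}

# ipset_block_rule [SETNAME] -> the single iptables rule that consults the set.
ipset_block_rule() {
  echo "iptables -I INPUT -m set --match-set ${1:-aif_blocked} src -j DROP"
}

# Demo on a constructed file. On a live system the input would be
# /etc/arno-iptables-firewall/blocked-hosts and the output piped into
#   ipset -exist restore
# (-exist makes the two "create" lines harmless on every reload).
_f=$(mktemp)
cat > "$_f" <<'EOF'
# constructed sample
203.0.113.0/24
198.51.100.7
198.51.100.7      # duplicate, dropped by sort -u
not-an-address
EOF
ipset_restore_script "$_f"
ipset_block_rule
rm -f "$_f"
```

The DROP rule is installed once and never touched on reload; only the set contents change, and `swap` exchanges the two sets in a single kernel operation, which is what removes both the per-address iptables cost and the temporary DROP policy.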

No default install

I try to make openSUSE RPM for Arno's iptables firewall script

But the nemysis user for the openSUSE Build Service can't make the RPM; that works only as root. This is not usual.

Please make one Makefile for installation and configure when needed.

Detection of systemd fails in install.sh

I'm running Raspbian Jessie with systemd on board, and I noticed that install.sh fails to install arno-iptables-firewall.service into /etc/systemd/system.

Shouldn't

  # Install service file if systemd directory is available
  if [ -d "/usr/lib/systemd/system/" ]; then
    copy_ask_if_exist ./lib/systemd/system/arno-iptables-firewall.service /usr/lib/systemd/system/
  fi

be

  # Install service file if systemd directory is available
  if [ -d "/etc/systemd/system/" ]; then
    copy_ask_if_exist ./lib/systemd/system/arno-iptables-firewall.service /etc/systemd/system/
  fi

(at least for Raspbian)

Thanks, otherwise works marvellously. A way out of CSF...

Nick
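This report and the earlier "AIF must be started after network is up" issue touch the same installer question from two sides: which systemd unit directory exists on a given distribution, and what unit should run before the network so the host is never exposed while the firewall script waits for interfaces. The following is an added example, not part of AIF or its install.sh: a directory probe over the two candidates quoted above plus /lib/systemd/system, and an installer for a small pre-network unit that sets the builtin chains to DROP before network-pre.target, which is systemd's hook for exactly this ordering. Both take a root prefix of my choosing so they can be exercised against a constructed tree; unit and script names are mine, and iptables is only referenced in the generated script, never run here.

```shell
#!/bin/sh
# Added example, not AIF code: find the systemd unit directory and install a
# pre-network unit that closes the host until the firewall script has run.

# systemd_unit_dir [ROOT] -> first existing candidate under ROOT ("" = live).
systemd_unit_dir() {
  for _d in /etc/systemd/system /usr/lib/systemd/system /lib/systemd/system; do
    if [ -d "$1$_d" ]; then echo "$1$_d"; return 0; fi
  done
  return 1
}

# install_preinit_unit [ROOT] -> writes the script and unit, prints unit path.
install_preinit_unit() {
  _root=$1
  _dir=$(systemd_unit_dir "$_root") || return 1
  mkdir -p "$_root/usr/local/sbin"
  cat > "$_root/usr/local/sbin/aif-preinit.sh" <<'EOF'
#!/bin/sh
# Close the host until the real firewall script has built its rules;
# AIF replaces these policies when it starts.
for t in iptables ip6tables; do
  command -v "$t" >/dev/null 2>&1 || continue
  "$t" -P INPUT DROP
  "$t" -P FORWARD DROP
  "$t" -A INPUT -i lo -j ACCEPT
  "$t" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
done
EOF
  chmod 755 "$_root/usr/local/sbin/aif-preinit.sh"
  cat > "$_dir/aif-preinit.service" <<'EOF'
[Unit]
Description=Default DROP policies before the network comes up
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/aif-preinit.sh

[Install]
WantedBy=multi-user.target
EOF
  echo "$_dir/aif-preinit.service"
}

# Live use:  install_preinit_unit "" && systemctl enable aif-preinit.service
```

`DefaultDependencies=no` is required, since network-pre.target runs before the default dependencies would be satisfied, and `RemainAfterExit=yes` keeps the oneshot unit counted as active so it is not re-run. If the host must obtain a DHCP lease before AIF starts, add the DHCP client rule from the main script to the generated file as well; otherwise the policies stay as written until AIF replaces them.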

Local_port_range

I was reading the description for this commit where Eric Dumazet explains why /proc/sys/net/ipv4/ip_local_port_range was changed to 32768-60999 instead of 32768-61000.

LOCAL_PORT_RANGE in AIF's .conf file still defaults to 61000 for the last local port number, should we change it accordingly?

AIF fails with iptables 1.8.1

Hi,

yesterday the iptables update 1.8.1 came into Debian buster. With the new iptables version, something in the rule behaviour seems to have changed.

All outgoing packets fall into the DROP policy and never reach the EXT_OUTPUT_CHAIN (like before).
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
15 1221 BASE_OUTPUT_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
1 60 TCPMSS tcp -- * wlp3s0 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
15 1221 OUTPUT_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
15 1221 HOST_BLOCK_DST all -- * * 0.0.0.0/0 0.0.0.0/0
5 389 LOG all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix "AIF:Fragment packet: "
13 1117 DROP all -f * * 0.0.0.0/0 0.0.0.0/0
0 0 EXT_OUTPUT_CHAIN all -- * wlp3s0 0.0.0.0/0 0.0.0.0/0

Reverting back to iptables 1.6.2-1.1, everything worked fine again.

Affects the debian stock package for arno-iptables-firewall, as well as the git master of this repository.

unable to perform unattended install on Ubuntu

I am trying to perform an unattended install (i.e. without user interaction) of arno-iptables-firewall.
I have set up predefined answers using debconf-set-selections before running apt-get install -q -y arno-iptables-firewall, but the debconf answers are ignored.
Is it on purpose? What is the supported way to perform an unattended setup on Ubuntu?

"interfaces not started (yet?)" not true

I started getting an error when starting my firewall.

Arno's Iptables Firewall Script v2.0.0c
-------------------------------------------------------------------------------
Platform: Linux 3.8.0-32-generic i686
WARNING: External interface eth0 does NOT exist (yet?)
WARNING: External interface tun0 does NOT exist (yet?)

My interfaces are up and running.

When I isolate the check_interfaces and run a simple test it returns 1 not 0.

When I check

sudo bash -x /usr/sbin/arno-iptables-firewall restart 2>&1 |grep check_interface

it shows

+ check_interface eth0
+ check_interface tun0

here is my full verbose output of a restart:

Arno's Iptables Firewall Script v2.0.0c
-------------------------------------------------------------------------------
Platform: Linux 3.8.0-32-generic i686
WARNING: External interface tun0 does NOT exist (yet?)
Stopping (user) plugins...
 SSH Brute-Force Protection plugin v1.1a
Checking/probing Iptables modules:
 Loaded kernel module ip_tables. 
 Loaded kernel module nf_conntrack. 
 Loaded kernel module nf_conntrack_ftp. 
 Loaded kernel module xt_conntrack. 
 Loaded kernel module xt_limit. 
 Loaded kernel module xt_state. 
 Loaded kernel module xt_multiport. 
 Loaded kernel module iptable_filter. 
 Loaded kernel module iptable_mangle. 
 Loaded kernel module ipt_REJECT. 
 Loaded kernel module ipt_LOG. 
 Loaded kernel module xt_TCPMSS. 
 Loaded kernel module xt_DSCP. 
 Loaded kernel module iptable_nat. 
 Module check done...
Setting the kernel ring buffer to only log panic messages to the console
Configuring general kernel parameters:
 Setting the max. amount of simultaneous connections to 16384
Configuring kernel parameters:
 Disabling send redirects
 Enabling protection against source routed packets
 Enabling packet forwarding
 Setting some kernel performance options
 Enabling reduction of the DoS'ing ability
 Enabling anti-spoof with rp_filter
 Enabling SYN-flood protection via SYN-cookies
 Disabling the logging of martians
 Disabling the acception of ICMP-redirect messages
 Setting default TTL=64
 Disabling ECN (Explicit Congestion Notification)
 Enabling kernel support for dynamic IPs
 Enabling PMTU discovery
 Flushing route table
 Kernel setup done...
Initializing firewall chains
 Setting all default policies to DROP while "setting up firewall rules"
IPv4 mode selected but IPv6 available, DROP all IPv6 packets
Using loglevel "info" for syslogd

Setting up firewall rules:
-------------------------------------------------------------------------------
Enabling setting the maximum packet size via MSS
Enabling mangling TOS
Logging of stealth scans (nmap probes etc.) enabled
Logging of packets with bad TCP-flags enabled
Logging of INVALID TCP packets disabled
Logging of INVALID UDP packets disabled
Logging of INVALID ICMP packets disabled
Logging of fragmented packets enabled
Logging of access from reserved addresses enabled
Reading custom rules from /etc/arno-iptables-firewall/custom-rules
Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
 SSH Brute-Force Protection plugin v1.1a
  Loaded kernel module xt_recent. 
  Allowing bypass of SSH protection checks for: malevich
  Protecting TCP port(s): 22
 Loaded 1 plugin(s)...
Setting up external(INET) INPUT policy
 Logging of ICMP flooding enabled
 Enabling support for DHCP-assigned-IP (DHCP client)
 Logging of explicitly blocked hosts enabled
 Logging of denied local output connections enabled
 Packets will NOT be checked for private source addresses
 Allowing ANYHOST for TCP port(s): 80
 Allowing ANYHOST for TCP port(s): 21
 Allowing ANYHOST for TCP port(s): 22
 Allowing ANYHOST for TCP port(s): 1194
 Allowing ANYHOST for TCP port(s): 8112
 Allowing ANYHOST for TCP port(s): 4040
 Allowing ANYHOST for TCP port(s): 10000
 Allowing ANYHOST for TCP port(s): 53
 Allowing ANYHOST for TCP port(s): 137
 Allowing ANYHOST for TCP port(s): 138
 Allowing ANYHOST for TCP port(s): 139
 Allowing ANYHOST for TCP port(s): 443
 Allowing ANYHOST for TCP port(s): 445
 Allowing ANYHOST for TCP port(s): 631
 Allowing ANYHOST for TCP port(s): 58846
 Allowing ANYHOST for TCP port(s): 873
 Allowing ANYHOST for TCP port(s): 17500
 Allowing ANYHOST for TCP port(s): 6566
 Allowing ANYHOST for TCP port(s): 50000:50200
 Allowing ANYHOST for TCP port(s): 8094
 Allowing ANYHOST for TCP port(s): 4444
 Allowing ANYHOST for TCP port(s): 23423
 Allowing ANYHOST for TCP port(s): 8895
 Allowing ANYHOST for TCP port(s): 8228
 Allowing ANYHOST for UDP port(s): 80
 Allowing ANYHOST for UDP port(s): 21
 Allowing ANYHOST for UDP port(s): 22
 Allowing ANYHOST for UDP port(s): 1194
 Allowing ANYHOST for UDP port(s): 8112
 Allowing ANYHOST for UDP port(s): 4040
 Allowing ANYHOST for UDP port(s): 10000
 Allowing ANYHOST for UDP port(s): 53
 Allowing ANYHOST for UDP port(s): 137
 Allowing ANYHOST for UDP port(s): 138
 Allowing ANYHOST for UDP port(s): 139
 Allowing ANYHOST for UDP port(s): 443
 Allowing ANYHOST for UDP port(s): 445
 Allowing ANYHOST for UDP port(s): 631
 Allowing ANYHOST for UDP port(s): 58846
 Allowing ANYHOST for UDP port(s): 873
 Allowing ANYHOST for UDP port(s): 17500
 Allowing ANYHOST for UDP port(s): 6566
 Allowing ANYHOST for UDP port(s): 50000:50200
 Allowing ANYHOST for UDP port(s): 8094
 Allowing ANYHOST for UDP port(s): 4444
 Allowing ANYHOST for UDP port(s): 1900
 Allowing ANYHOST for UDP port(s): 8228
 Allowing ANYHOST to send IPv4 ICMP-requests (ping)
 Logging of possible stealth scans enabled
 Logging of (other) packets to PRIVILEGED TCP ports enabled
 Logging of (other) packets to PRIVILEGED UDP ports enabled
 Logging of (other) packets to UNPRIVILEGED TCP ports enabled
 Logging of (other) packets to UNPRIVILEGED UDP ports enabled
 Logging of IGMP packets enabled
 Logging of dropped ICMP-request(ping) packets enabled
 Logging of dropped other ICMP packets enabled
 Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets enabled
Setting up external(INET) OUTPUT policy
Applying external(INET) policy to interface: eth0 (without an external subnet specified)
Applying external(INET) policy to interface: tun0 (without an external subnet specified)
Security is LOOSENED for external interface(s) in the FORWARD chain!
 Logging of dropped FORWARD packets enabled

Dec 01 15:03:04 All firewall rules applied.

ipv6nd_sendadvertisement not permitted

Using dhcpcd with prefix delegation set for internal interfaces causes an "ipv6nd_sendadvertisement: Operation not permitted" error.

example: (enp3s0 is the public interface)

interface enp3s0
ipv6rs # enable routing solicitation get the
ia_na 0 # request an IPv6 address
ia_pd 1 enp3s0/1
ia_pd 2 enp2s0/2 wlx9cefd5febaca/3

private interfaces enp2s0 and wlx9cefd5febaca do NOT receive a pd.

One of the firewall rules fails to start

Here is the dump:

[root@rees log]# service arno-iptables-firewall start
Starting Arno's Iptables Firewall...
/sbin/iptables -A HOST_BLOCK_DST_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Blocked host(s) Outbound:
ERROR (2): iptables v1.4.7: Maximum prefix length 29 for --log-prefix
Try `iptables -h' or 'iptables --help' for more information.
Nov 23 17:26:11 WARNING: 1 firewall rules failed to apply!

Cannot start aif

Hello

I can't start aif, either from the package or from the git I get from here. I tried my dedicated as well as a small VPS; it's just not working.

Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of stealth scans (nmap probes etc.) enabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of INVALID TCP packets disabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of INVALID UDP packets disabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of INVALID ICMP packets disabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Dropping and logging of IPv4 fragmented packets disabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of access from reserved nets disabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Reading custom rules from /etc/arno-iptables-firewall/custom-rules
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Checking for (user) plugins in /usr/local/share/arno-iptables-firewall/plugins...
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Loaded 0 plugin(s)...
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Setting up external(INET) INPUT policy
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of ICMP flooding enabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Enabling support for DHCP-assigned-IP (DHCP client)
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of explicitly blocked hosts inbound/outbound enabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of denied local output connections enabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Packets will NOT be checked for reserved source addresses
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Allowing ANYHOST for TCP port(s): 20,21,22,25,53,80,110,143,443,465,587,993,995,1935,3306,5901,8080,8081,8082,,8112,10000,10050,10051,58846
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: /sbin/iptables -A EXT_INPUT_CHAIN -d 0/0 -p tcp --dport -j ACCEPT
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: ERROR (2): iptables v1.6.1: invalid port/service `-j' specified
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Try `iptables -h' or 'iptables --help' for more information.
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Allowing ANYHOST for UDP port(s): 53
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Allowing ANYHOST to send IPv4 ICMP-requests (ping)
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of possible stealth scans enabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of (other) packets to PRIVILEGED TCP ports enabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of (other) packets to PRIVILEGED UDP ports enabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of (other) packets to UNPRIVILEGED TCP ports enabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of (other) packets to UNPRIVILEGED UDP ports enabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of IGMP packets enabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of dropped ICMP-request(ping) packets enabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of dropped other ICMP packets enabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets enabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Setting up external(INET) OUTPUT policy
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Applying external(INET) policy to interface: ens3
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Security is ENFORCED for external interface(s) in the FORWARD chain
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Logging of dropped FORWARD packets enabled
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]: Apr 21 00:47:37 WARNING: 1 firewall rules failed to apply!
Apr 21 00:47:37 vps665030 firewall[13881]: ** WARNING: 1 firewall rules failed to apply! **
Apr 21 00:47:37 vps665030 arno-iptables-firewall[13368]:
Apr 21 00:47:37 vps665030 systemd[1]: arno-iptables-firewall.service: Main process exited, code=exited, status=1/FAILURE
Apr 21 00:47:37 vps665030 systemd[1]: arno-iptables-firewall.service: Failed with result 'exit-code'.
Apr 21 00:47:37 vps665030 systemd[1]: Failed to start Arno's Iptables Firewall(AIF).
-- Subject: Unit arno-iptables-firewall.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support

-- Unit arno-iptables-firewall.service has failed.

-- The result is RESULT.
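
The failing rule above comes from a doubled comma in the port list (`8082,,8112`), which leaves an empty port and produces `--dport -j ACCEPT`. The following is an added example, not AIF's own code: a POSIX sh validator that rejects such lists (empty elements, out-of-range ports, inverted ranges) before anything is handed to iptables.

```shell
#!/bin/sh
# Added example (not part of AIF): validate a comma-separated port list
# such as OPEN_TCP before it reaches iptables. Accepts single ports
# (1-65535) and ranges "low:high". Returns 0 if valid, 1 otherwise,
# naming the first bad element on stderr.

valid_port() {
  # Digits only, at most 5 of them, and within 1..65535
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ ${#1} -le 5 ] || return 1
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

validate_port_list() {
  list="$1"
  # A leading, trailing or doubled comma means an empty element; IFS splitting
  # silently drops a trailing empty field, so catch all three up front.
  case "$list" in
    ''|,*|*,|*,,*) echo "empty port element in list: '$list'" >&2; return 1 ;;
  esac
  old_ifs="$IFS"; IFS=','
  for item in $list; do
    case "$item" in
      *:*)
        lo="${item%%:*}"; hi="${item#*:}"
        if ! valid_port "$lo" || ! valid_port "$hi" || [ "$lo" -gt "$hi" ]; then
          IFS="$old_ifs"; echo "bad port range: '$item'" >&2; return 1
        fi ;;
      *)
        if ! valid_port "$item"; then
          IFS="$old_ifs"; echo "bad port: '$item'" >&2; return 1
        fi ;;
    esac
  done
  IFS="$old_ifs"
  return 0
}

# The list from the log above (constructed from the page's own value) fails:
validate_port_list "20,21,22,25,53,80,8082,,8112,10000,58846" || echo "rejected"
```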

NAT_LOCAL_REDIRECT should be applied before LOG's

@arnova A confusing issue came up with an AstLinux user, using AIF as a router:

It was desired to NAT port TCP 8443 to port 443 on the "Local" router, so the destination address was set to 192.168.0.1, a LAN gateway interface ...

NAT_LOCAL_REDIRECT=1
NAT_FORWARD_TCP="1.2.3.4~8443>192.168.0.1~443"

This worked as expected, but this LOG was always generated:

Jul 25 10:06:35 pbx3 user.info kernel: AIF:PRIV TCP packet: IN=eth0 OUT= MAC=00:30:18:... SRC=1.2.3.4 DST=192.168.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=16302 DF PROTO=TCP SPT=58305 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

Normally NAT_FORWARD rewrites the packets to pass through the FORWARD chain, but in this case the IPv4 address "192.168.0.1" is associated with "Local" so it is passed via the INPUT chain. A rule added to the EXT_FORWARD_IN_CHAIN chain to normally allow this rewritten packet is not used.

After some headscratching, the NAT_LOCAL_REDIRECT=1 adds this to the EXT_INPUT_CHAIN chain:

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate DNAT

which allows DNAT'ed packets to be allowed in the INPUT chain, but this rule is added after the 'AIF:PRIV TCP packet' log (and others) so even if the DNAT'ed packet is allowed the log is generated.

I'm proposing to move the NAT_LOCAL_REDIRECT=1 conditional up, after "# Handle multicast traffic" and before "# Log packets to privileged TCP ports?"

Seem reasonable?

BETTER THAN CSF FIREWALL

Is this firewall better than CSF firewall? If so, in what ways? Could someone please explain. Also, does it totally block DrDoS attacks?

Rare: Invalid conntrack state when AIF first starts

For many years I have had an annoying, but hard to reproduce issue with a SIP ATA (Analog Terminal Adapter) behind NAT.

The ATA is a Grandstream (not my choice) specifically configured for my home alarm system for remote monitoring. The alarm provider automatically provisions it.

The problem is the ATA loses its register when AstLinux using AIF reboots, but only 1 (or 2) out of 10 times. This has been an issue for many years, across various AIF versions and iptables versions.

The problem seems to be an outbound UDP packet is generated by the ATA before the firewall is completely built, causing a stuck inappropriate conntrack state.

Normally the connection state should look like this with a 3:00 TTL

10.10.22.40  5060  184.73.xxx.xxx  5060  UDP  2:47

When it fails the state only has a 1:00 TTL

10.10.22.40  5060  184.73.xxx.xxx  5060  UDP  0:57

My hunch is this occurs when the UDP packet is allowed into the INPUT chain but before the NAT POSTROUTING rules are applied.

With the incorrect state, fixing it is a pain: either unplugging the ATA for 1 minute (waiting for the conntrack state to expire) or playing iptables games to block 10.10.22.40 UDP, reboot the ATA, wait 1 minute, then allow 10.10.22.40 UDP in.

I suspect this issue is only noticed for devices that force a fixed source and destination port, so any retries always hit the same conntrack state.

Anyone see this?

IPv6 bridged networking to use multiple IPs in an externally assigned /64

It's now reasonably common for machines (e.g. managed servers, virtual servers etc.) to get allocated a single IPv6 /64. Running containers on these servers is typically done with IPv4 NAT with port-forwarding, and IPv6 (with firewalling but without port forwarding). Ideally, the ISP would allocate larger than a /64, but unfortunately many don't.

A relatively straightforward way around this issue for IPv6 is to use a bridge to the physical network to pass IPv6 traffic. Loading the br_netfilter module then allows this bridged traffic to be firewalled. Arno currently doesn't support this configuration, and I use the following workaround in custom-rules, but it would be great to have some support in aif. If there's interest I can look into developing a plugin?

# Allow all icmpv6 to allow IPv6 neighbour discovery to the machine behind the firewalled bridge (this should be improved on).
/sbin/ip6tables -A FORWARD -i br0 -o br0 -p icmpv6 -j ACCEPT
# Treat other traffic appropriately
/sbin/ip6tables -m physdev -A FORWARD -i br0  --physdev-in 'veth+' -j INT_FORWARD_OUT_CHAIN
/sbin/ip6tables -m physdev -A FORWARD -i br0  --physdev-out eth0 -j INT_FORWARD_IN_CHAIN
#  Stateful related will catch inbound replies...
/sbin/ip6tables -m physdev -A FORWARD -i br0  --physdev-in 'veth+' -j LAN_INET_FORWARD_CHAIN

Using local interface aliases instead of local network addresses

I have a multi-interface firewall for which I use a .conf file to configure the rules. I'm trying to set up something like this:

Instead of using 10.10.10.0/24>192.168.1.0/27~3389

I'd like to use eth0>eth1~3389. Is that possible? How would I go about setting this up to use interface aliases instead of network addresses?
