* Bridge/VPN question.
From: Anthony R. Vallario @ 2004-06-22 14:32 UTC (permalink / raw)
To: netfilter
I hope you all can help. Ok, here's the setup
Internet: eth0
Lan: eth1
Tunnel: tap0
Bridge: br0 (tap0<->eth1)
I have the firewall set up to be a gateway/router to the internet, and to the private offsite LAN through the tunnel. Everything works great, minus one thing.
I have FORWARD/OUTPUT rules for not letting certain traffic out to the internet. Mainly virus traffic and use of other mail servers. The only problem is they aren't working. Here are the rules:
iptables -A FORWARD -o eth0 -p tcp -m tcp -d <approved mail server> --dport 25 -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp -m tcp --dport 25 -j DROP
iptables -A OUTPUT -o eth0 -p tcp -m tcp -d <approved mail server> --dport 25 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -j DROP
iptables -A FORWARD -o eth0 -p tcp -m tcp --dport 445 -j DROP
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 445 -j DROP
iptables -A FORWARD -o eth0 -p udp -m udp --dport 445 -j DROP
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 445 -j DROP
Now if I take the tunnel and bridge down (only having eth1 NAT'd to eth0), everything works fine. I've read that iptables works at layer 3 and will not filter bridged interfaces. Well, tap0 and eth1 are the bridged interfaces, not eth0. So why isn't the firewall stopping these packets? I can telnet to port 25 all day long on non-approved mail servers.
Anthony R. Vallario
* Re: Bridge/VPN question.
From: Dharmendra T. @ 2004-06-23 8:42 UTC (permalink / raw)
To: Anthony R. Vallario; +Cc: netfilter
Hi,
Are there any other rules you have defined? If no, this may work:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A FORWARD -o eth0 -p tcp -m tcp -d <approved mail server> --dport 25 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp -d <approved mail server> --dport 25 -j ACCEPT
Dharmendra T.
Linux Security and Admin,
www.nsecure.net
This message is intended for the addressee only. It may contain
privileged or confidential information. If you have received
this message in error, please notify the sender and destroy the message
immediately. Unauthorised use or reproduction of
this message is strictly prohibited.
On Tue, 2004-06-22 at 20:02, Anthony R. Vallario wrote:
> I hope you all can help. Ok, here's the setup
>
>
> Internet: eth0
> Lan: eth1
> Tunnel: tap0
> Bridge: br0 (tap0<->eth1)
>
>
> I have the firewall set up to be a gateway/router to the internet, and to the private offsite LAN through the tunnel. Everything works great, minus one thing.
>
> I have FORWARD/OUTPUT rules for not letting certain traffic out to the internet. Mainly virus traffic and use of other mail servers. Only problem is they aren't working. Here are the rules:
>
>
> iptables -A FORWARD -o eth0 -p tcp -m tcp -d <approved mail server> --dport 25 -j ACCEPT
> iptables -A FORWARD -o eth0 -p tcp -m tcp --dport 25 -j DROP
> iptables -A OUTPUT -o eth0 -p tcp -m tcp -d <approved mail server> --dport 25 -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -j DROP
> iptables -A FORWARD -o eth0 -p tcp -m tcp --dport 445 -j DROP
> iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 445 -j DROP
> iptables -A FORWARD -o eth0 -p udp -m udp --dport 445 -j DROP
> iptables -A OUTPUT -o eth0 -p udp -m udp --dport 445 -j DROP
>
> Now if I take the tunnel and bridge down (only having eth1 NAT'd to eth0), everything works fine. I've read that iptables works at layer 3 and will not filter bridged interfaces. Well, tap0 and eth1 are the bridged interfaces, not eth0. So why isn't the firewall stopping these packets? I can telnet to port 25 all day long on non-approved mail servers.
>
>
> Anthony R. Vallario
* Re: Bridge/VPN question.
From: Antony Stone @ 2004-06-23 9:08 UTC (permalink / raw)
To: netfilter
On Wednesday 23 June 2004 9:42 am, Dharmendra T. wrote:
> Hi,
>
> Are there any other rules you have defined? If no, this may work:
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> iptables -A FORWARD -o eth0 -p tcp -m tcp -d <approved mail server> --dport 25 -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp -m tcp -d <approved mail server> --dport 25 -j ACCEPT
The above rules (if you are proposing them as a complete ruleset) are a highly
secure system - nothing will get through it, and nothing will get to
communicate with the box itself.
Why?
1. You have a default DROP policy on FORWARD (good idea), and a rule allowing
packets to TCP port 25 on a specific server, but no rule allowing replies
back again. Therefore no traffic gets *through* the machine.
2. You have a default DROP policy on INPUT, and no rules in the INPUT chain
allowing anything at all, therefore no packets can get in (which makes the
rule in the OUTPUT chain allowing some packets out somewhat pointless).
Regards,
Antony.
--
"Black holes are where God divided by zero."
- Steven Wright
Please reply to the list;
please don't CC me.
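To make the two points above concrete, here is a small first-match model of the iptables filter chains with a minimal connection tracker. It is an added example, not code from anyone in this thread. reply_ruleset() encodes the rules proposed in the reply (DROP policy on all three chains, one SMTP ACCEPT each in FORWARD and OUTPUT); stateful_ruleset() is the original poster's SMTP and port 445 filters made workable by accepting ESTABLISHED traffic before anything else, with a LAN-side SSH rule added so the administrator is not locked out. Everything beyond the posted rules is an assumption: the addresses (198.51.100.25 stands in for <approved mail server>, 203.0.113.9 for any other SMTP server, 192.168.1.10 for a LAN host, 192.168.1.1 for the firewall itself), the SSH and catch-all LAN-to-internet rules, and the simplification that only ESTABLISHED, not RELATED, is modelled.

```python
"""First-match model of the iptables filter chains with a minimal conntrack.

Added example, not code from the thread. reply_ruleset() encodes the rules
proposed in the reply (DROP policies, one SMTP ACCEPT each in FORWARD and
OUTPUT); stateful_ruleset() is the original poster's SMTP/445 filters made
workable by accepting ESTABLISHED traffic first. Addresses are made up:
198.51.100.25 stands in for <approved mail server>, 203.0.113.9 for any
other SMTP server, 192.168.1.10 for a LAN host, 192.168.1.1 for the box.
"""
from dataclasses import dataclass
from typing import Optional

APPROVED_MX, OTHER_MX = "198.51.100.25", "203.0.113.9"
LAN_HOST, BOX = "192.168.1.10", "192.168.1.1"
NEW, ESTABLISHED = "NEW", "ESTABLISHED"


@dataclass(frozen=True)
class Packet:
    in_if: Optional[str]   # None: generated by the box itself (OUTPUT chain)
    out_if: Optional[str]  # None: addressed to the box itself (INPUT chain)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    target: str                        # -j ACCEPT / -j DROP
    in_if: Optional[str] = None        # -i
    out_if: Optional[str] = None       # -o
    proto: Optional[str] = None        # -p
    dst: Optional[str] = None          # -d
    dport: Optional[int] = None        # --dport
    state: Optional[frozenset] = None  # -m state --state ... (RELATED not modelled)

    def matches(self, p: Packet, ct_state: str) -> bool:
        wanted = [(self.in_if, p.in_if), (self.out_if, p.out_if), (self.proto, p.proto),
                  (self.dst, p.dst), (self.dport, p.dport)]
        if any(w is not None and w != have for w, have in wanted):
            return False
        return self.state is None or ct_state in self.state


class Firewall:
    def __init__(self, policy: str):
        self.policy = policy                                  # same -P for all three chains
        self.chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
        self.flows = set()                                    # conntrack: 5-tuples of accepted NEW packets

    def append(self, chain: str, rule: Rule) -> "Firewall":  # iptables -A <chain> ...
        self.chains[chain].append(rule)
        return self

    def verdict(self, p: Packet) -> str:
        chain = "OUTPUT" if p.in_if is None else "INPUT" if p.out_if is None else "FORWARD"
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        state = ESTABLISHED if reverse in self.flows else NEW
        verdict = self.policy
        for rule in self.chains[chain]:                       # first matching rule decides
            if rule.matches(p, state):
                verdict = rule.target
                break
        if verdict == "ACCEPT" and state == NEW:              # conntrack keeps only accepted entries
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict


def reply_ruleset() -> Firewall:
    """The reply's proposal: DROP everywhere plus one SMTP ACCEPT in FORWARD and OUTPUT."""
    smtp = dict(out_if="eth0", proto="tcp", dst=APPROVED_MX, dport=25)
    fw = Firewall("DROP")
    return fw.append("FORWARD", Rule("ACCEPT", **smtp)).append("OUTPUT", Rule("ACCEPT", **smtp))


def stateful_ruleset() -> Firewall:
    """Poster's filters with reply traffic accepted first, other LAN traffic allowed out,
    and LAN-side SSH to the box kept open so the administrator is not locked out (assumed)."""
    est = Rule("ACCEPT", state=frozenset({ESTABLISHED}))
    fw = Firewall("DROP")
    fw.append("INPUT", est).append("INPUT", Rule("ACCEPT", in_if="eth1", proto="tcp", dport=22))
    fw.append("OUTPUT", est).append("OUTPUT", Rule("ACCEPT", out_if="eth0", proto="tcp", dst=APPROVED_MX, dport=25))
    fw.append("FORWARD", est)
    fw.append("FORWARD", Rule("ACCEPT", out_if="eth0", proto="tcp", dst=APPROVED_MX, dport=25))
    fw.append("FORWARD", Rule("DROP", out_if="eth0", proto="tcp", dport=25))
    fw.append("FORWARD", Rule("DROP", out_if="eth0", proto="tcp", dport=445))
    fw.append("FORWARD", Rule("DROP", out_if="eth0", proto="udp", dport=445))
    return fw.append("FORWARD", Rule("ACCEPT", in_if="eth1", out_if="eth0"))


def walk(fw: Firewall) -> dict:
    """Push the same packets through a firewall and return the verdict per scenario."""
    return {
        "smtp_to_approved": fw.verdict(Packet("eth1", "eth0", "tcp", LAN_HOST, 40001, APPROVED_MX, 25)),
        "reply_from_approved": fw.verdict(Packet("eth0", "eth1", "tcp", APPROVED_MX, 25, LAN_HOST, 40001)),
        "smtp_to_other": fw.verdict(Packet("eth1", "eth0", "tcp", LAN_HOST, 40002, OTHER_MX, 25)),
        "smb_to_internet": fw.verdict(Packet("eth1", "eth0", "tcp", LAN_HOST, 40003, OTHER_MX, 445)),
        "http_to_internet": fw.verdict(Packet("eth1", "eth0", "tcp", LAN_HOST, 40004, OTHER_MX, 80)),
        "ssh_to_box": fw.verdict(Packet("eth1", None, "tcp", LAN_HOST, 40005, BOX, 22)),
    }


if __name__ == "__main__":
    for name, build in (("reply's ruleset", reply_ruleset), ("stateful ruleset", stateful_ruleset)):
        print(f"{name}: {walk(build())}")
```

Running it shows the SYN to the approved server passing the reply's ruleset while the SYN/ACK coming back on eth1 hits the FORWARD policy and is dropped, and the SSH packet to the box dying on the INPUT policy; with the ESTABLISHED rule at the top of each chain the same connection completes, port 25 to other servers and 445 outbound stay blocked, and SSH from the LAN still reaches the box.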
* Re: Bridge/VPN question.
From: Dharmendra T. @ 2004-06-23 9:30 UTC (permalink / raw)
To: netfilter
On Wed, 2004-06-23 at 14:38, Antony Stone wrote:
> On Wednesday 23 June 2004 9:42 am, Dharmendra T. wrote:
>
> > Hi,
> >
> > Are there any other rules you have defined? If no, this may work:
> >
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> >
> > iptables -A FORWARD -o eth0 -p tcp -m tcp -d <approved mail server> --dport 25 -j ACCEPT
> > iptables -A OUTPUT -o eth0 -p tcp -m tcp -d <approved mail server> --dport 25 -j ACCEPT
>
> The above rules (if you are proposing them as a complete ruleset) are a highly
> secure system - nothing will get through it, and nothing will get to
> communicate with the box itself.
>
> Why?
>
> 1. You have a default DROP policy on FORWARD (good idea), and a rule allowing
> packets to TCP port 25 on a specific server, but no rule allowing replies
> back again. Therefore no traffic gets *through* the machine.
>
> 2. You have a default DROP policy on INPUT, and no rules in the INPUT chain
> allowing anything at all, therefore no packets can get in (which makes the
> rule in the OUTPUT chain allowing some packets out somewhat pointless).
>
> Regards,
>
> Antony.
>
> --
> "Black holes are where God divided by zero."
>
> - Steven Wright
>
> Please reply to the list;
> please don't CC me.
>
>
Yes, I agree. But these rules were given assuming that the user has given the
required rulesets (assuming means that the user can connect to the
approved mail server; please check the last mail to which I replied).
Regards,
--
Dharmendra T.
Linux Security and Admin,
www.nsecure.net
* Re: Bridge/VPN question.
From: Antony Stone @ 2004-06-23 9:40 UTC (permalink / raw)
To: netfilter
On Wednesday 23 June 2004 10:30 am, Dharmendra T. wrote:
> On Wed, 2004-06-23 at 14:38, Antony Stone wrote:
>
> > 1. You have a default DROP policy on FORWARD (good idea), and a rule
> > allowing packets to TCP port 25 on a specific server, but no rule
> > allowing replies back again. Therefore no traffic gets *through* the
> > machine.
> >
> > 2. You have a default DROP policy on INPUT, and no rules in the INPUT
> > chain allowing anything at all, therefore no packets can get in (which
> > makes the rule in the OUTPUT chain allowing some packets out somewhat
> > pointless).
>
> Yes, I agree. But these rules were given assuming that the user has given the
> required rulesets (assuming means that the user can connect to the
> approved mail server; please check the last mail to which I replied).
You said "Are there any other rules you have defined? If no, this may work:"
To me, that means that if the user does not have any other rules, then he
should try these (the ones you posted).
I just wanted to avoid the original poster trying out a ruleset which could
not possibly work (and if they were connected to the machine by SSH, would
cut them off permanently, too).
Regards,
Antony.
--
You can spend the whole of your life trying to be popular,
but at the end of the day the size of the crowd at your funeral
will be largely dictated by the weather.
- Frank Skinner
Please reply to the list;
please don't CC me.