sub interface filtering

sub interface filtering

[Mike]

Hi guys I have the following setup and rules. And I cant seem to get the
filtering to work.



Interfaces:



eth0

<internetIP>

eth1

<privateIP>

eth2

<routeable internetIP/28>

eth2:0

<routeable internetIP/28>

eth2:1

<routeable internetIP/28>



I have the following rules



iptables -P FORWARD DROP

iptables -I FORWARD -i eth0 -o eth2 -p tcp -m state --state
NEW,ESTABLISHED,RELATED --dport 80 -j ACCEPT

iptables -I FORWARD -i eth0 -o eth2 -p tcp -m state --state
NEW,ESTABLISHED,RELATED --dport 443 -j ACCEPT

iptables -A FORWARD -i eth0 -o eth2 -p tcp -m state --state
NEW,ESTABLISHED,RELATED,INVALID -j DROP



iptables -t nat -A PREROUTING -p tcp <routeable internetIP/28> --dport 80 -j
DNAT --to 192.168.1.197

iptables -t nat -A PREROUTING -p tcp <routeable internetIP/28> --dport
443 -j DNAT --to 192.168.1.197
iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.197 -j SNAT --to
<routeable internetIP/28

ifconfig eth2:0 <routeable internetIP/28> broadcast <routeable
internetIP/28> netmask 255.255.255.240


iptables -t nat -A PREROUTING -p tcp -d <routeable internetIP/28 --dport
80 -j DNAT --to 192.168.1.198

iptables -t nat -A PREROUTING -p tcp <routeable internetIP/28> --dport
443 -j DNAT --to 192.168.1.198
iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.198 -j SNAT --to
<routeable internetIP/28

ifconfig eth2:1 <routeable internetIP/28> broadcast <routeable
internetIP/28> netmask 255.255.255.240






but when I scan eth2:1 or eth2:2 from an outside machine I can see ALL the
local services (ssh, ptptp,dns etc..) Is connection not passing the
forwading chain?

Re: sub interface filtering

[Martijn Lievaart]

Mike wrote:

>but when I scan eth2:1 or eth2:2 from an outside machine I can see ALL the
>local services (ssh, ptptp,dns etc..) Is connection not passing the
>forwading chain?
>
>  
>

You obviously have the INPUT chain set to a policy of ACCEPT. All 
locally destined packets go through the INPUT chain, all forwarded 
packets go through the FORWARD chain. Add apropriate rules for the INPUT 
chain.

HTH,
Martijn Lievaart

RE: sub interface filtering

[Rob Sterenborg]

> Hi guys I have the following setup and rules. And I cant seem to get
the filtering to work.
> eth2:0
> 
> <routeable internetIP/28>
> 
> eth2:1
> 
> <routeable internetIP/28>

AFAIK it is because you cannot filter eth<x>:y (but you can filter the
IP address of course).


Rob

Re: sub interface filtering

[Joel Newkirk]

On Wednesday 02 April 2003 01:45 pm, Mike wrote:
> Hi guys I have the following setup and rules. And I cant seem to get
> the filtering to work.

> iptables -t nat -A PREROUTING -p tcp <routeable internetIP/28> --dport
> 80 -j DNAT --to 192.168.1.197
>
> iptables -t nat -A PREROUTING -p tcp <routeable internetIP/28> --dport
> 443 -j DNAT --to 192.168.1.197
> iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.197 -j SNAT --to
> <routeable internetIP/28

> but when I scan eth2:1 or eth2:2 from an outside machine I can see ALL
> the local services (ssh, ptptp,dns etc..) Is connection not passing
> the forwading chain?

You are DNATting dport 80 and dport 443, but the remainder of the ports 
are not being DNATted, so they still target the firewall box.  You'd 
need to DNAT all connections to the specified IP, then DROP all except 
ports 80 and 443 in FORWARD to avoid this.

Of course, this also shows that you are letting lots of (all?!?) ports 
through the INPUT chain to the box itself from outside, which you should 
lock down as well...  A DROP policy on INPUT is called for, then ACCEPT 
required ports from eth2 for externally-accessed services (if any) and 
ACCEPT required (or all if desired) ports from the LAN machines.

j

Re: sub interface filtering

[Mike]

Joel,
        I tried forwarding ALL connections  and then filtering by the
forward chain but no luck. Once it reaches the PREROUTING chain and makes
its descision does it pass anymore chains? Or is that it. I have always read
you don't want to filter in the NAT table and PREROUTING doesn't have a
filter table just a NAT & MANGLE. Any ideas?

-Mike
----- Original Message -----
From: "Joel Newkirk" <netfilter@newkirk.us>
To: "Mike" <mikeeo@msn.com>; <netfilter@lists.netfilter.org>
Sent: Wednesday, April 02, 2003 3:56 PM
Subject: Re: sub interface filtering


On Wednesday 02 April 2003 01:45 pm, Mike wrote:
> Hi guys I have the following setup and rules. And I cant seem to get
> the filtering to work.

> iptables -t nat -A PREROUTING -p tcp <routeable internetIP/28> --dport
> 80 -j DNAT --to 192.168.1.197
>
> iptables -t nat -A PREROUTING -p tcp <routeable internetIP/28> --dport
> 443 -j DNAT --to 192.168.1.197
> iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.197 -j SNAT --to
> <routeable internetIP/28

> but when I scan eth2:1 or eth2:2 from an outside machine I can see ALL
> the local services (ssh, ptptp,dns etc..) Is connection not passing
> the forwading chain?

You are DNATting dport 80 and dport 443, but the remainder of the ports
are not being DNATted, so they still target the firewall box.  You'd
need to DNAT all connections to the specified IP, then DROP all except
ports 80 and 443 in FORWARD to avoid this.

Of course, this also shows that you are letting lots of (all?!?) ports
through the INPUT chain to the box itself from outside, which you should
lock down as well...  A DROP policy on INPUT is called for, then ACCEPT
required ports from eth2 for externally-accessed services (if any) and
ACCEPT required (or all if desired) ports from the LAN machines.

j

Re: sub interface filtering

[Joel Newkirk]

On Thursday 03 April 2003 10:49 am, Mike wrote:
> Joel,
>         I tried forwarding ALL connections  and then filtering by the
> forward chain but no luck. Once it reaches the PREROUTING chain and
> makes its descision does it pass anymore chains? Or is that it. I have

It still passes the filter table chains, either INPUT or FORWARD.

> always read you don't want to filter in the NAT table and PREROUTING

That's right.  In some circumstances traffic will bypass those chains.  
(IE, you have an established connection that is being NATted, it's 
traffic will usually not appear in NAT PREROUTING, just the first 
packet)  Normally you should only have ACCEPT, DNAT, or REDIRECT targets 
in that chain, and an ACCEPT policy.  (The MIRROR target would be valid 
there as well, and any traffic MIRRORed would NOT appear in any 
subsequent chains... MIRROR should only be used if you really understand 
what it is doing, really need it, and are really careful with it)

> doesn't have a filter table just a NAT & MANGLE. Any ideas?

Two.  One is to try:
iptables -I FORWARD 1 -j LOG --log-prefix "FWDLOGALL:"
which will log every packet passing through FORWARD chain, with 
"FWDLOGALL" prepended to each entry.  This will let you see precisely 
what traffic is going through, and what it looks like (re IPs, ports, 
etc).  It can also potentially generate a huge number of log entries, so 
don't leave it in any longer than necessary!  You can of course do the 
same thing with "-t nat -I PREROUTING 1" to see ALL traffic that is 
presenting to the box, and narrow down either LOG rule by matching IPs, 
ports, interface, etc.  (although "-i" will only match the physical 
interface)

I've just tested here and it works. (actually I already knew it would, 
but wanted to generate the log entries :^)  I set PREROUTING rules on my 
gateway to LOG then DNAT all connections inbound on ppp0 to my desktop 
machine, and LOG all traffic in FORWARD, then ssh'd back to myself from 
a remote SSH session I had open.  The ssh connection was DNATted 
properly and it was LOGged in FORWARD.  Then it was subsequently DROPped 
since I only accept SSH connections in FORWARD that originate on my 
desktop machine, and always LOG any DROPs in FORWARD.

Apr  3 11:43:32 janus kernel: DNATTEST:IN=ppp0 OUT= MAC= SRC= {elided} 
DST=141.150.211.149 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=62380 DF 
PROTO=TCP SPT=35792 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

Apr  3 11:43:32 janus kernel: FWDLOG:IN=ppp0 OUT=eth1 SRC= {elided} 
DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=62380 DF PROTO=TCP 
SPT=35792 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

Apr  3 11:43:32 janus kernel: IPT:FORWARDdrop:IN=ppp0 OUT=eth1 SRC= 
{elided} DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=62380 DF 
PROTO=TCP SPT=35792 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0


The other approach is to just DNAT the ports you need, and make sure you 
DROP everything on INPUT.  Since your scenario here is multiple IPs on a 
single interface, each forwarding to a different local machine, the 
first approach makes more sense - if you need to open/close ports to a 
given local machine later then everything is already set up, you just 
filter in the FORWARD chain as usual.

j


> -Mike
> ----- Original Message -----
> From: "Joel Newkirk" <netfilter@newkirk.us>
> To: "Mike" <mikeeo@msn.com>; <netfilter@lists.netfilter.org>
> Sent: Wednesday, April 02, 2003 3:56 PM
> Subject: Re: sub interface filtering
>
> On Wednesday 02 April 2003 01:45 pm, Mike wrote:
> > Hi guys I have the following setup and rules. And I cant seem to get
> > the filtering to work.
> >
> > iptables -t nat -A PREROUTING -p tcp <routeable internetIP/28>
> > --dport 80 -j DNAT --to 192.168.1.197
> >
> > iptables -t nat -A PREROUTING -p tcp <routeable internetIP/28>
> > --dport 443 -j DNAT --to 192.168.1.197
> > iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.197 -j SNAT --to
> > <routeable internetIP/28
> >
> > but when I scan eth2:1 or eth2:2 from an outside machine I can see
> > ALL the local services (ssh, ptptp,dns etc..) Is connection not
> > passing the forwading chain?
>
> You are DNATting dport 80 and dport 443, but the remainder of the
> ports are not being DNATted, so they still target the firewall box. 
> You'd need to DNAT all connections to the specified IP, then DROP all
> except ports 80 and 443 in FORWARD to avoid this.
>
> Of course, this also shows that you are letting lots of (all?!?) ports
> through the INPUT chain to the box itself from outside, which you
> should lock down as well...  A DROP policy on INPUT is called for,
> then ACCEPT required ports from eth2 for externally-accessed services
> (if any) and ACCEPT required (or all if desired) ports from the LAN
> machines.
>
> j

RE: sub interface filtering

[Daniel Chemko]

Correct. Aliases are obsolete from what I can see. IProute2 adds IP
addresses directly to interfaces, so eth0 could have 10 IP addresses
instead of the awkward eth0:0 eth0:1, etc. mechanism. In this system,
you filter based on IP address instead of interface alias.

-----Original Message-----
From: Rob Sterenborg [mailto:rob@sterenborg.info] 
Sent: Wednesday, April 02, 2003 11:39 AM
To: netfilter@lists.netfilter.org
Subject: RE: sub interface filtering

> Hi guys I have the following setup and rules. And I cant seem to get
the filtering to work.
> eth2:0
> 
> <routeable internetIP/28>
> 
> eth2:1
> 
> <routeable internetIP/28>

AFAIK it is because you cannot filter eth<x>:y (but you can filter the
IP address of course).


Rob

Re: sub interface filtering

[Mike]

I hate to ask but do you have and example of using iproute2 for IP address
aliases?

Thanks,
Mike
----- Original Message -----
From: "Daniel Chemko" <dchemko@smgtec.com>
To: "Rob Sterenborg" <rob@sterenborg.info>; <netfilter@lists.netfilter.org>
Sent: Wednesday, April 02, 2003 2:53 PM
Subject: RE: sub interface filtering


Correct. Aliases are obsolete from what I can see. IProute2 adds IP
addresses directly to interfaces, so eth0 could have 10 IP addresses
instead of the awkward eth0:0 eth0:1, etc. mechanism. In this system,
you filter based on IP address instead of interface alias.

-----Original Message-----
From: Rob Sterenborg [mailto:rob@sterenborg.info]
Sent: Wednesday, April 02, 2003 11:39 AM
To: netfilter@lists.netfilter.org
Subject: RE: sub interface filtering

> Hi guys I have the following setup and rules. And I cant seem to get
the filtering to work.
> eth2:0
>
> <routeable internetIP/28>
>
> eth2:1
>
> <routeable internetIP/28>

AFAIK it is because you cannot filter eth<x>:y (but you can filter the
IP address of course).


Rob

Re: sub interface filtering

[Kelly Setzer]

On Wed, Apr 02, 2003 at 03:34:11PM -0500, Mike wrote:
> I hate to ask but do you have and example of using iproute2 for IP address
> aliases?

Then don't ask, check out the fine manual:

http://www.linuxguruz.org/iptables/howto/2.4routing.html

Specifically:
http://www.linuxguruz.org/iptables/howto/2.4routing-10.html
http://www.linuxguruz.org/iptables/howto/2.4routing-15.html



http://www.google.com/search?q=iproute+howto&sourceid=mozilla-search&start=0&start=0
Results 1 - 10 of about 7,550. Search took 0.16 seconds.


Kelly
--
Kelly Setzer, System Administrator/Architect - Placemark Investments
14180 Dallas Pkwy, Suite 200, Dallas, TX 75240
kelly.setzer@placemark.com  http://www.placemark.com
(972)404-8100x41 (work)       (214) 287-3464 (cell)

Re: sub interface filtering

[Ralf Spenneberg]

Am Mit, 2003-04-02 um 22.34 schrieb Mike:
> I hate to ask but do you have and example of using iproute2 for IP address
> aliases?
ip addr add 192.168.7.55 dev eth0
ip addr add 192.168.7.56 dev eth0

But these are no aliases anymore. The notion of aliases has been
dropped. But both addresses are bound to the interface.

Cheers,

Ralf
> 
> Thanks,
> Mike
> ----- Original Message -----
> From: "Daniel Chemko" <dchemko@smgtec.com>
> To: "Rob Sterenborg" <rob@sterenborg.info>; <netfilter@lists.netfilter.org>
> Sent: Wednesday, April 02, 2003 2:53 PM
> Subject: RE: sub interface filtering
> 
> 
> Correct. Aliases are obsolete from what I can see. IProute2 adds IP
> addresses directly to interfaces, so eth0 could have 10 IP addresses
> instead of the awkward eth0:0 eth0:1, etc. mechanism. In this system,
> you filter based on IP address instead of interface alias.
> 
> -----Original Message-----
> From: Rob Sterenborg [mailto:rob@sterenborg.info]
> Sent: Wednesday, April 02, 2003 11:39 AM
> To: netfilter@lists.netfilter.org
> Subject: RE: sub interface filtering
> 
> > Hi guys I have the following setup and rules. And I cant seem to get
> the filtering to work.
> > eth2:0
> >
> > <routeable internetIP/28>
> >
> > eth2:1
> >
> > <routeable internetIP/28>
> 
> AFAIK it is because you cannot filter eth<x>:y (but you can filter the
> IP address of course).
> 
> 
> Rob
> 
> 
> 
> 
-- 
Ralf Spenneberg
RHCE, RHCX

IPsec/PPTP Kernels for Red Hat Linux:  
http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror:                http://honeynet.spenneberg.org
Snort Mirror:                           http://snort.spenneberg.org

RE: sub interface filtering

[Daniel Chemko]

The Advanced Traffic and Routing Howto had everything I needed. It can
show you how to setup its IP settings etc.. If you want to integrate
into IPTables, the following example shows how simply this can be
accomplished.

$ ip address list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 11:11:11:11:11:11 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
    inet 192.168.1.111/32 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 11:11:11:11:11:11 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.1.255 scope global eth1

You notice that there are 2 addresses on the same interface eth0. I want
to forward each IP address to a separate machine on a different subnet
in this case, so I would do the following:

iptables -t nat -A PREROUTING -j DNAT --destination 192.168.1.2 --to-
destination 192.168.2.2

iptables -t nat -A PREROUTING -j DNAT --destination 192.168.1.111 --to-
destination 192.168.2.111

You could have included "-i eth0" if you really wanted to, but unless
you have the same IP address bolted to different interfaces, I don't see
that mattering much. 


-----Original Message-----
From: Mike [mailto:mikeeo@msn.com] 
Sent: Wednesday, April 02, 2003 12:34 PM
To: Daniel Chemko; netfilter@lists.netfilter.org
Subject: Re: sub interface filtering

I hate to ask but do you have and example of using iproute2 for IP
address aliases?

Thanks,
Mike

Re: sub interface filtering

[Qunwei Chen]

I tried the google for "Advanced Traffic and Routing Howto" but failed 
to find it. Does anyone have the location of this document?

Thanks in advance,

Qunwei

Daniel Chemko wrote:

>The Advanced Traffic and Routing Howto had everything I needed. It can
>show you how to setup its IP settings etc.. If you want to integrate
>into IPTables, the following example shows how simply this can be
>accomplished.
>
>$ ip address list
>1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
>    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>    link/ether 11:11:11:11:11:11 brd ff:ff:ff:ff:ff:ff
>    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
>    inet 192.168.1.111/32 scope global eth0
>3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>    link/ether 11:11:11:11:11:11 brd ff:ff:ff:ff:ff:ff
>    inet 192.168.2.1/24 brd 192.168.1.255 scope global eth1
>
>You notice that there are 2 addresses on the same interface eth0. I want
>to forward each IP address to a separate machine on a different subnet
>in this case, so I would do the following:
>
>iptables -t nat -A PREROUTING -j DNAT --destination 192.168.1.2 --to-
>destination 192.168.2.2
>
>iptables -t nat -A PREROUTING -j DNAT --destination 192.168.1.111 --to-
>destination 192.168.2.111
>
>You could have included "-i eth0" if you really wanted to, but unless
>you have the same IP address bolted to different interfaces, I don't see
>that mattering much. 
>
>
>-----Original Message-----
>From: Mike [mailto:mikeeo@msn.com] 
>Sent: Wednesday, April 02, 2003 12:34 PM
>To: Daniel Chemko; netfilter@lists.netfilter.org
>Subject: Re: sub interface filtering
>
>I hate to ask but do you have and example of using iproute2 for IP
>address aliases?
>
>Thanks,
>Mike
>
>
>  
>

RE: sub interface filtering

[Daniel Chemko]

http://lartc.org/

-----Original Message-----
From: Qunwei Chen [mailto:chenqunwei@yahoo.com] 
Sent: Friday, April 04, 2003 5:31 PM
To: netfilter@lists.netfilter.org
Subject: Re: sub interface filtering

I tried the google for "Advanced Traffic and Routing Howto" but failed 
to find it. Does anyone have the location of this document?

Thanks in advance,

Qunwei

Daniel Chemko wrote:

>The Advanced Traffic and Routing Howto had everything I needed. It can
>show you how to setup its IP settings etc.. If you want to integrate
>into IPTables, the following example shows how simply this can be
>accomplished.
>
>$ ip address list
>1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
>    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>    link/ether 11:11:11:11:11:11 brd ff:ff:ff:ff:ff:ff
>    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
>    inet 192.168.1.111/32 scope global eth0
>3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>    link/ether 11:11:11:11:11:11 brd ff:ff:ff:ff:ff:ff
>    inet 192.168.2.1/24 brd 192.168.1.255 scope global eth1
>
>You notice that there are 2 addresses on the same interface eth0. I
want
>to forward each IP address to a separate machine on a different subnet
>in this case, so I would do the following:
>
>iptables -t nat -A PREROUTING -j DNAT --destination 192.168.1.2 --to-
>destination 192.168.2.2
>
>iptables -t nat -A PREROUTING -j DNAT --destination 192.168.1.111 --to-
>destination 192.168.2.111
>
>You could have included "-i eth0" if you really wanted to, but unless
>you have the same IP address bolted to different interfaces, I don't
see
>that mattering much. 
>
>
>-----Original Message-----
>From: Mike [mailto:mikeeo@msn.com] 
>Sent: Wednesday, April 02, 2003 12:34 PM
>To: Daniel Chemko; netfilter@lists.netfilter.org
>Subject: Re: sub interface filtering
>
>I hate to ask but do you have and example of using iproute2 for IP
>address aliases?
>
>Thanks,
>Mike
>
>
>  
>