Linux Netfilter discussions
* FORWARD chain and Interfaces
@ 2011-05-21  6:10 netfilter
  2011-05-21  7:37 ` Andrew Beverley
  2011-05-21 11:23 ` Pascal Hambourg
  0 siblings, 2 replies; 10+ messages in thread
From: netfilter @ 2011-05-21  6:10 UTC (permalink / raw)
  To: netfilter

I have a firewall router box that I'm trying to write a ruleset for that
accepts/blocks traffic from Network A to Network B.  I'm testing the
rules on 3 virtual machines and will eventually deploy to production
hardware:

Network A Machine Eth0 <-> Eth0 Firewall/Router Eth1 <-> Eth0 Network B Machine
      192.168.99.1     192.168.99.2   10.10.10.1     10.10.10.2


I have the following rules on the Firewall/Router as a test before I
write rules with http, ssh etc:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p icmp --icmp-type echo-request -s 192.168.99.0/24 -d 10.10.10.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m state --state NEW -j LOG --log-prefix "ICMP: "

When I ping from 192.168.99.1 to 10.10.10.2 it does not work.  The log
rule logs the packet as IN=ETH1 OUT=ETH1.  I may not understand how the
interfaces should be referenced in the FORWARD chain, but I would think
that the second rule above should allow and forward that icmp traffic.  

However, if I remove the -i eth0 and -o eth1 from the second rule above
the ping works fine, the log of course still says  IN=ETH1 OUT=ETH1.  

I guess I don't have to reference the interfaces in all my FORWARD
rules, but I'd like to.  I am confused why the -i and -o referenced in
the second rule do not allow and forward traffic, and why the log rule
logs the packets as IN=ETH1 and OUT=ETH1; I would expect IN=ETH0
OUT=ETH1.


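As an added example, not code from the thread: the complete FORWARD policy the post above is working towards, written the way it would be deployed on the router. Interface names (eth0 facing Network A, eth1 facing Network B) and the two subnets are taken from the diagram; the default DROP policy, the INVALID drop, the anti-spoofing rules and the rate-limited log-and-drop tail are additions of mine. IP forwarding (net.ipv4.ip_forward) still has to be enabled separately, and the rules keep the thread's "-m state" syntax although "-m conntrack --ctstate" is the current spelling. The script only prints the commands unless APPLY=1 is set, which is also what makes it checkable without iptables. Note that the anti-spoofing rules are exactly what the VM setup in this thread would trip over: a packet from 192.168.99.1 that arrives on eth1 instead of eth0 is dropped and logged rather than forwarded.

```shell
#!/bin/sh
# Added example (not from the thread): the full FORWARD policy the original
# post is building, as iptables commands. Assumes eth0 faces Network A
# (192.168.99.0/24) and eth1 faces Network B (10.10.10.0/24), per the
# diagram above. IP forwarding (net.ipv4.ip_forward) is enabled separately.
# Commands are only printed unless APPLY=1 is set.

IFACE_A="${IFACE_A:-eth0}"; NET_A="${NET_A:-192.168.99.0/24}"
IFACE_B="${IFACE_B:-eth1}"; NET_B="${NET_B:-10.10.10.0/24}"

# Emit the FORWARD ruleset, one iptables command per line, in the order
# it must be evaluated: conntrack shortcut, anti-spoofing, explicit
# allows for NEW flows in each direction, then log-and-drop the rest.
forward_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i $IFACE_A ! -s $NET_A -j DROP
iptables -A FORWARD -i $IFACE_B ! -s $NET_B -j DROP
iptables -A FORWARD -i $IFACE_A -o $IFACE_B -s $NET_A -d $NET_B -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $IFACE_B -o $IFACE_A -s $NET_B -d $NET_A -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
iptables -A FORWARD -j DROP
EOF
}

# Number of rules that pin both ingress and egress interface: a sanity
# check that every NEW-flow allow is tied to a direction.
count_pinned() {
    forward_rules | grep -c -E -- "-i $IFACE_A -o $IFACE_B|-i $IFACE_B -o $IFACE_A"
}

# Number of anti-spoofing rules (negated source match on an ingress interface).
count_antispoof() {
    forward_rules | grep -c -F -- '! -s'
}

if [ "${APPLY:-0}" = 1 ]; then
    forward_rules | sh -e
else
    forward_rules
fi
```

Run it as-is to review the ruleset, then "APPLY=1 sh forward.sh" on the router. The order matters: the anti-spoofing drops must come before the per-direction allows, otherwise a spoofed packet that also matches the allow's -s/-d would be accepted.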

* Re: FORWARD chain and Interfaces
  2011-05-21  6:10 FORWARD chain and Interfaces netfilter
@ 2011-05-21  7:37 ` Andrew Beverley
  2011-05-21 11:23 ` Pascal Hambourg
  1 sibling, 0 replies; 10+ messages in thread
From: Andrew Beverley @ 2011-05-21  7:37 UTC (permalink / raw)
  To: netfilter; +Cc: netfilter

On Sat, 2011-05-21 at 00:10 -0600, netfilter@buglecreek.com wrote:
> I have a firewall router box that I'm trying to write a ruleset for that
> accepts/blocks traffic from Network A to Network B.  I'm testing the
> rules on 3 virtual machines and will eventually deploy to production
> hardware:
> 
> Network A Machine Eth0 <-> Eth0 Firewall/Router Eth1 <-> Eth0 Network B Machine
>       192.168.99.1     192.168.99.2   10.10.10.1     10.10.10.2
> 
> 
> I have the following rules on the Firewall/Router as a test before I
> write rules with http, ssh etc:
> 
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -p icmp --icmp-type echo-request -s 192.168.99.0/24 -d 10.10.10.0/24 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p icmp --icmp-type echo-request -m state --state NEW -j LOG --log-prefix "ICMP: "
> 
> When I ping from 192.168.99.1 to 10.10.10.2 it does not work.  The log
> rule logs the packet as IN=ETH1 OUT=ETH1.  I may not understand how the
> interfaces should be referenced in the FORWARD chain, but I would think
> that the second rule above should allow and forward that icmp traffic.  
> 
> However, if I remove the -i eth0 and -o eth1 from the second rule above
> the ping works fine, the log of course still says  IN=ETH1 OUT=ETH1.  
> 
> I guess I don't have to reference the interfaces in all my FORWARD
> rules, but I'd like to.  I am confused why the -i and -o referenced in
> the second rule do not allow and forward traffic, and why the log rule
> logs the packets as IN=ETH1 and OUT=ETH1; I would expect IN=ETH0
> OUT=ETH1.

My only thought on this is that the virtual machines are affecting your
interface names. Have you tried any other rules with interface names to
see if you get the same effect?

I expect that if you did the same with separate hardware, that the rules
would work as expected; therefore, I suggest testing without the
interface names, and inserting them when you have the actual hardware up
and running.

Andy




* Re: FORWARD chain and Interfaces
  2011-05-21  6:10 FORWARD chain and Interfaces netfilter
  2011-05-21  7:37 ` Andrew Beverley
@ 2011-05-21 11:23 ` Pascal Hambourg
  2011-05-21 19:49   ` netfilter
  1 sibling, 1 reply; 10+ messages in thread
From: Pascal Hambourg @ 2011-05-21 11:23 UTC (permalink / raw)
  To: netfilter; +Cc: netfilter

Hello,

netfilter@buglecreek.com wrote:
> I have a firewall router box that I'm trying to write a ruleset for that
> accepts/blocks traffic from Network A to Network B.  I'm testing the
> rules on 3 virtual machines and will eventually deploy to production
> hardware:
> 
> Net A Machine Eth0 <-> Eth0 Firewall/Router Eth1 <-> Eth0 Net B Machine
>       192.168.99.1     192.168.99.2   10.10.10.1     10.10.10.2
> 
> I have the following rules on the Firewall/Router as a test before I
> write rules with http, ssh etc:
> 
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -p icmp --icmp-type echo-request -s 192.168.99.0/24 -d 10.10.10.0/24 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p icmp --icmp-type echo-request -m state --state NEW -j LOG --log-prefix "ICMP: "
> 
> When I ping from 192.168.99.1 to 10.10.10.2 it does not work.  The log
> rule logs the packet as IN=ETH1 OUT=ETH1.


Can you describe the virtual network architecture ?
Are all the three machines above virtual guests on a same physical host
or is one of them the physical host ?

Also, can you provide the routing table on the firewall/router as
reported by route -n or ip route ?


* Re: FORWARD chain and Interfaces
  2011-05-21 11:23 ` Pascal Hambourg
@ 2011-05-21 19:49   ` netfilter
  2011-05-21 20:51     ` Pascal Hambourg
  0 siblings, 1 reply; 10+ messages in thread
From: netfilter @ 2011-05-21 19:49 UTC (permalink / raw)
  To: netfilter


On Sat, 21 May 2011 13:23 +0200, "Pascal Hambourg"
<pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
> 
> netfilter@buglecreek.com wrote:
> > I have a firewall router box that I'm trying to write a ruleset for that
> > accepts/blocks traffic from Network A to Network B.  I'm testing the
> > rules on 3 virtual machines and will eventually deploy to production
> > hardware:
> > 
> > Net A Machine Eth0 <-> Eth0 Firewall/Router Eth1 <-> Eth0 Net B Machine
> >       192.168.99.1     192.168.99.2   10.10.10.1     10.10.10.2
> > 
> > I have the following rules on the Firewall/Router as a test before I
> > write rules with http, ssh etc:
> > 
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -i eth0 -o eth1 -p icmp --icmp-type echo-request -s 192.168.99.0/24 -d 10.10.10.0/24 -m state --state NEW -j ACCEPT
> > iptables -A FORWARD -p icmp --icmp-type echo-request -m state --state NEW -j LOG --log-prefix "ICMP: "
> > 
> > When I ping from 192.168.99.1 to 10.10.10.2 it does not work.  The log
> > rule logs the packet as IN=ETH1 OUT=ETH1.
> 
> 
> Can you describe the virtual network architecture ?
> Are all the three machines above virtual guests on a same physical host
> or is one of them the physical host ?
> 
> Also, can you provide the routing table on the firewall/router as
> reported by route -n or ip route ?
> 

Based on the comments left so far, it seems that my logic is correct in
the way I view the interfaces in the forward chain.  I guess unless
there is a reason I am missing I will assume that the issue has to do
with the way the virtual machines are set up.  As the other poster
suggested, I can develop the ruleset without the references to the
interfaces and add them when the real hardware is in place, and hopefully
it will behave as I think it should.  At least I'll be able to get a
start on the rules, since it will be a fast turnaround when the hardware
is in place.

As far as the virtual machines: all three test systems are virtual.
They run RH5 on a Mac using Parallels.  The routing tables are below.
Keep in mind that this was thrown together just to test the rules.  I
manually added the GW on the Net A and B machines and got ping to work
from A to B via the firewall/router with just forwarding enabled
(/proc/net/sys . . ).  Once ping worked with just forwarding enabled I
started writing the FORWARD rules as outlined above and got the
unexpected interface behavior as outlined in the original post.

Network A Machine:
Dest             Gateway          Genmask          Iface
192.168.99.0     0.0.0.0          255.255.255.0    eth1
0.0.0.0          198.168.99.2     0.0.0.0          eth1

Firewall/Router Machine:
Dest             Gateway          Genmask          Iface
10.10.10.0       0.0.0.0          255.255.255.0    eth1
192.168.99.0     0.0.0.0          255.255.255.0    eth0

Network B Machine:
Dest             Gateway          Genmask          Iface
10.10.10.0       0.0.0.0          255.255.255.0    eth0
0.0.0.0          10.10.10.1       0.0.0.0          eth0


* Re: FORWARD chain and Interfaces
  2011-05-21 19:49   ` netfilter
@ 2011-05-21 20:51     ` Pascal Hambourg
  2011-05-21 21:40       ` netfilter
  0 siblings, 1 reply; 10+ messages in thread
From: Pascal Hambourg @ 2011-05-21 20:51 UTC (permalink / raw)
  To: netfilter; +Cc: netfilter

netfilter@buglecreek.com wrote:
> 
> As far as the virtual machines.  All three test systems are virtual. 
> They run RH5 using Mac with parallels.  The routing tables are below. 

[Nothing unexpected in the routing tables]

How are the virtual machine network interfaces connected together ?
Did you create two separate virtual links ?
One explanation could be that all interfaces are connected to the same
virtual link, so traffic coming to the router could arrive at any of its
two interfaces.

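The hypothesis in the post above can be checked from the router's own LOG output before touching the VM configuration. The script below is an added example, not from the thread: it parses the KEY=VALUE fields of netfilter LOG lines and flags two symptoms. The first is a packet forwarded back out the interface it arrived on (IN equal to OUT), which never happens when the two networks are on separate links. The second is a packet whose source address belongs to one subnet but which arrived on the other subnet's interface; on properly separated links that is address spoofing, on a shared link it is what an ordinary ping from Network A produces once the sender has learned the wrong router MAC. The sample log lines are constructed to mirror the IN=eth1 OUT=eth1 entry reported in the original post and are not copied from a real log; the interface-to-subnet assignment (eth0 = 192.168.99.0/24, eth1 = 10.10.10.0/24) is the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): spot a shared-link problem in the
# router's own netfilter LOG output.
# Interface/subnet assignments are the thread's: eth0 = 192.168.99.0/24 (A),
# eth1 = 10.10.10.0/24 (B).

# Constructed sample log lines in the kernel's LOG format; not real logs.
# Line 1 is the symptom reported in the thread, line 2 is a healthy entry,
# line 3 is a Network B source arriving on Network A's interface.
SAMPLE_LOG='May 21 00:10:01 fw kernel: ICMP: IN=eth1 OUT=eth1 SRC=192.168.99.1 DST=10.10.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=1
May 21 00:10:02 fw kernel: ICMP: IN=eth0 OUT=eth1 SRC=192.168.99.1 DST=10.10.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=2
May 21 00:10:03 fw kernel: ICMP: IN=eth0 OUT=eth1 SRC=10.10.10.2 DST=192.168.99.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4712 SEQ=1'

# Print LOG lines where the packet left on the interface it arrived on.
# A packet routed between two separate links never does this.
hairpin_lines() {
    awk '{
        split("", kv)
        for (i = 1; i <= NF; i++) if (split($i, p, "=") == 2) kv[p[1]] = p[2]
        if (kv["IN"] != "" && kv["IN"] == kv["OUT"]) print
    }'
}

# Print LOG lines whose SRC is inside the given subnet but whose IN is not
# the interface that subnet should sit behind.
# Usage: wrong_ingress IFACE SUBNET/PREFIX
wrong_ingress() {
    awk -v iface="$1" -v cidr="$2" '
    function ip2int(s,    o) {
        split(s, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # Compare the network part by integer division instead of bit ops,
    # which plain POSIX awk lacks.
    function in_net(ip,    c, div) {
        split(cidr, c, "/")
        div = 2 ^ (32 - c[2])
        return int(ip2int(ip) / div) == int(ip2int(c[1]) / div)
    }
    {
        split("", kv)
        for (i = 1; i <= NF; i++) if (split($i, p, "=") == 2) kv[p[1]] = p[2]
        if (kv["SRC"] != "" && in_net(kv["SRC"]) && kv["IN"] != iface) print
    }'
}

# Helpers that return counts, so the checks can be scripted.
count_hairpin() {
    printf '%s\n' "$SAMPLE_LOG" | hairpin_lines | wc -l | tr -d ' '
}
count_wrong_ingress() {
    printf '%s\n' "$SAMPLE_LOG" | wrong_ingress "$1" "$2" | wc -l | tr -d ' '
}

echo "hairpin (IN == OUT):"
printf '%s\n' "$SAMPLE_LOG" | hairpin_lines
echo "192.168.99.0/24 sources not arriving on eth0:"
printf '%s\n' "$SAMPLE_LOG" | wrong_ingress eth0 192.168.99.0/24
echo "10.10.10.0/24 sources not arriving on eth1:"
printf '%s\n' "$SAMPLE_LOG" | wrong_ingress eth1 10.10.10.0/24
```

On a real router, feed the functions from the log instead of the sample, e.g. "grep 'ICMP: ' /var/log/messages | hairpin_lines". Hairpin hits on a box that is supposed to sit between two separate links mean either a shared segment, as in this thread, or a host that has been handed the wrong gateway MAC; both deserve a look.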

* Re: FORWARD chain and Interfaces
  2011-05-21 20:51     ` Pascal Hambourg
@ 2011-05-21 21:40       ` netfilter
  2011-05-21 22:05         ` Pascal Hambourg
  0 siblings, 1 reply; 10+ messages in thread
From: netfilter @ 2011-05-21 21:40 UTC (permalink / raw)
  To: Pascal Hambourg; +Cc: netfilter


On Sat, 21 May 2011 22:51 +0200, "Pascal Hambourg"
<pascal.mail@plouf.fr.eu.org> wrote:
> netfilter@buglecreek.com wrote:
> > 
> > As far as the virtual machines.  All three test systems are virtual. 
> > They run RH5 using Mac with parallels.  The routing tables are below. 
> 
> [Nothing unexpected in the routing tables]
> 
> How are the virtual machine network interfaces connected together ?
> Did you create two separate virtual links ?
> One explanation could be that all interfaces are connected to the same
> virtual link, so traffic coming to the router could arrive at any of its
> two interfaces.
> 

That's an interesting idea.  I'm not sure how Parallels sets up the
interfaces.  When I created the virtual machines I selected "Host Only"
networking so I could make distinct systems, and I didn't use shared
since I did not need the machines to connect to the Internet via the
physical host interface.   When I do an ifconfig on the firewall/router
it lists eth0 and eth1 like you see on a normal system.  I'm not sure
what is going on. I'll look into how the interfaces are created.

Right now I'm writing the FORWARD rules assuming that when the real
hardware is in place it will function as I expect.  I'm using -i eth0
and -o eth1 for new traffic originating from Network A going to B  and
-i eth1 and -o eth0 for new traffic originating from Network B to A.  
Based on my original diagram below.  Does that sound reasonable?

Network A Machine Eth0 <-------> Eth0 Firewall/Router Eth1 <------->
Eth0 Network B Machine


* Re: FORWARD chain and Interfaces
  2011-05-21 21:40       ` netfilter
@ 2011-05-21 22:05         ` Pascal Hambourg
  2011-05-21 22:31           ` netfilter
  0 siblings, 1 reply; 10+ messages in thread
From: Pascal Hambourg @ 2011-05-21 22:05 UTC (permalink / raw)
  To: netfilter; +Cc: netfilter

netfilter@buglecreek.com wrote:
> On Sat, 21 May 2011 22:51 +0200, "Pascal Hambourg"
>>
>> How are the virtual machine network interfaces connected together ?
>> Did you create two separate virtual links ?
>> One explanation could be that all interfaces are connected to the same
>> virtual link, so traffic coming to the router could arrive at any of its
>> two interfaces.
> 
> That's an interesting idea.  I'm not sure how Parallels sets up the
> interfaces.

How then do you know which interface of the router is connected to which
network ?

A quick test could be to send broadcast packets from A then B while
listening on all interfaces of the other machines with tcpdump or the
like. If you can see the broadcast packets on all interfaces then they
all are on the same network.

> Right now I'm writing the FORWARD rules assuming that when the real
> hardware is in place it will function as I expect.  I'm using -i eth0
> and -o eth1 for new traffic originating from Network A going to B  and
> -i eth1 and -o eth0 for new traffic originating from Network B to A.  
> Based on my original diagram below.  Does that sound reasonable?

Sure.


* Re: FORWARD chain and Interfaces
  2011-05-21 22:05         ` Pascal Hambourg
@ 2011-05-21 22:31           ` netfilter
  2011-05-22  8:48             ` Pascal Hambourg
  0 siblings, 1 reply; 10+ messages in thread
From: netfilter @ 2011-05-21 22:31 UTC (permalink / raw)
  To: Pascal Hambourg; +Cc: netfilter


On Sun, 22 May 2011 00:05 +0200, "Pascal Hambourg"
<pascal.mail@plouf.fr.eu.org> wrote:
> netfilter@buglecreek.com wrote:
> > On Sat, 21 May 2011 22:51 +0200, "Pascal Hambourg"
> >>
> >> How are the virtual machine network interfaces connected together ?
> >> Did you create two separate virtual links ?
> >> One explanation could be that all interfaces are connected to the same
> >> virtual link, so traffic coming to the router could arrive at any of its
> >> two interfaces.
> > 
> > That's an interesting idea.  I'm not sure how Parallels sets up the
> > interfaces.
> 
> How then do you know which interface of the router is connected to which
> network ?

I'm basing the router connections to the various networks on the IP
addresses and network addresses.  When I say I don't know how Parallels
sets up the interfaces I mean I do not know the underlying code that they
use.  Using standard tools (ifconfig, route, traceroute etc) all seems
normal.

Sending a broadcast packet (good idea) from network B I see the packet
show up at network A machine and on both interfaces of the firewall.  I
even see the packets show up on network A when the firewall/router is
turned off.  Both Net A and Net B are assigned IPs on two entirely
different networks.  Obviously, this is not the expected behavior.  I
assumed that when I created two virtual machines and assigned them
entirely different IPs on different networks they would be isolated from
each other and not be able to see traffic (broadcasts etc) from the
other net.   I will have to look at how the virtual machines are setup,
maybe there is something I missed.  It clearly does not function as I
expected.  My hope was to simulate real life different nets connected by
the firewall/router.  

> 
> A quick test could be to send broadcast packets from A then B while
> listening on all interfaces of the other machines with tcpdump or the
> like. If you can see the broadcast packets on all interfaces then they
> all are on the same network.
> 
> > Right now I'm writing the FORWARD rules assuming that when the real
> > hardware is in place it will function as I expect.  I'm using -i eth0
> > and -o eth1 for new traffic originating from Network A going to B  and
> > -i eth1 and -o eth0 for new traffic originating from Network B to A.  
> > Based on my original diagram below.  Does that sound reasonable?
> 
> Sure.
> 


* Re: FORWARD chain and Interfaces
  2011-05-21 22:31           ` netfilter
@ 2011-05-22  8:48             ` Pascal Hambourg
  2011-05-22 19:06               ` netfilter
  0 siblings, 1 reply; 10+ messages in thread
From: Pascal Hambourg @ 2011-05-22  8:48 UTC (permalink / raw)
  To: netfilter; +Cc: netfilter

netfilter@buglecreek.com wrote:
> On Sun, 22 May 2011 00:05 +0200, "Pascal Hambourg"
>>
>> How then do you know which interface of the router is connected to which
>> network ?
> 
> I'm basing the router connections to the various networks by the IP
> addresses and network Addresses.

That is not enough. The virtualization system (Parallels for you) deals
only with the link (ethernet) layer, not the IP layer. You can set up
multiple IP subnets on the same link but they are not isolated.

> Sending a broadcast packet (good idea) from network B I see the packet
> show up at network A machine and on both interfaces of the firewall.  I
> even see the packets show up on network A when the firewall/router is
> turned off.

So all interfaces are connected to the same link, just as I thought.

> Both Net A and Net B are assigned IPs on two entirely
> different networks.  Obviously, this is not the expected behavior.

It is expected behaviour when all interfaces are connected to the same
link. Think as if all interfaces are connected to the same switch and
you didn't define separate VLANs.

Ideally you need to set up two separate virtual links and define which
interface is connected to which link. Other options include :

a) Use tagged VLAN interfaces (see vconfig). This requires only one
ethernet interface on the router. E.g. :
VLAN 1 for network A, machines use eth0.1
VLAN 2 for network B, machines use eth0.2

b) Set /proc/sys/net/ipv4/all/arp_ignore to 1 on the router so each
interface replies only to ARP requests for its own address. This way the
other machines will send packets only to the correct interface.

Note that these options do not provide the same level of security as
separate links.

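The two fallback options from the post above, as an added example that is not part of the thread: commands for each machine that are printed by default and executed with APPLY=1. It uses iproute2's "ip link ... type vlan" instead of vconfig, which does the same job. VLAN ids 1 and 2, a trunk interface named eth0 on every VM, and the addresses are taken from the thread's layout; the role names (router, hostA, hostB) are mine. Two caveats a practitioner will want: the arp_ignore sysctl lives at net.ipv4.conf.all.arp_ignore, i.e. /proc/sys/net/ipv4/conf/all/arp_ignore, and VLAN 1 is the native, untagged VLAN on most physical switches, so pick other ids before carrying this outside a VM. The arp_announce=2 line is an addition of mine so that ARP requests the router itself sends carry the address of the interface they leave on; as the post says, neither option isolates the segments the way separate links do, because every VM still sees every frame.

```shell
#!/bin/sh
# Added example (not from the thread): the two fallbacks from the post above
# as commands, printed by default and executed with APPLY=1.
# Assumptions: trunk interface eth0 on every VM, VLAN 1 = Network A
# (192.168.99.0/24), VLAN 2 = Network B (10.10.10.0/24), router addresses
# 192.168.99.2 and 10.10.10.1, all as laid out in the thread.

TRUNK="${TRUNK:-eth0}"
VLAN_A="${VLAN_A:-1}"; VLAN_B="${VLAN_B:-2}"

# Option a) tagged VLAN sub-interfaces (iproute2 syntax; vconfig is the
# older tool for the same job). The argument picks which machine's
# commands to emit: router, hostA or hostB.
vlan_cmds() {
    case "$1" in
    router) cat <<EOF
ip link add link $TRUNK name $TRUNK.$VLAN_A type vlan id $VLAN_A
ip link add link $TRUNK name $TRUNK.$VLAN_B type vlan id $VLAN_B
ip addr add 192.168.99.2/24 dev $TRUNK.$VLAN_A
ip addr add 10.10.10.1/24 dev $TRUNK.$VLAN_B
ip link set $TRUNK.$VLAN_A up
ip link set $TRUNK.$VLAN_B up
sysctl -w net.ipv4.ip_forward=1
EOF
        ;;
    hostA) cat <<EOF
ip link add link $TRUNK name $TRUNK.$VLAN_A type vlan id $VLAN_A
ip addr add 192.168.99.1/24 dev $TRUNK.$VLAN_A
ip link set $TRUNK.$VLAN_A up
ip route add default via 192.168.99.2 dev $TRUNK.$VLAN_A
EOF
        ;;
    hostB) cat <<EOF
ip link add link $TRUNK name $TRUNK.$VLAN_B type vlan id $VLAN_B
ip addr add 10.10.10.2/24 dev $TRUNK.$VLAN_B
ip link set $TRUNK.$VLAN_B up
ip route add default via 10.10.10.1 dev $TRUNK.$VLAN_B
EOF
        ;;
    *) echo "vlan_cmds: unknown role '$1' (router|hostA|hostB)" >&2; return 1 ;;
    esac
}

# Option b) keep the shared link but make each router interface answer ARP
# only for its own address. The sysctl is net.ipv4.conf.all.arp_ignore,
# i.e. /proc/sys/net/ipv4/conf/all/arp_ignore. arp_announce=2 is added so
# the router's own ARP requests carry the address of the interface used.
arp_ignore_cmds() {
    cat <<EOF
sysctl -w net.ipv4.conf.all.arp_ignore=1
sysctl -w net.ipv4.conf.all.arp_announce=2
EOF
}

ROLE="${ROLE:-router}"
if [ "${APPLY:-0}" = 1 ]; then
    vlan_cmds "$ROLE" | sh -e
else
    echo "# option a) VLAN commands for role $ROLE:"
    vlan_cmds "$ROLE"
    echo "# option b) shared link with arp_ignore:"
    arp_ignore_cmds
fi
```

With option a) the router's FORWARD rules then match on eth0.1 and eth0.2 instead of eth0 and eth1 (or on the original names if TRUNK is changed per machine). With option b) the interface names stay as in the thread, but the hosts must flush any ARP entry they learned before the sysctl was set, otherwise they keep sending to the wrong router MAC.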

* Re: FORWARD chain and Interfaces
  2011-05-22  8:48             ` Pascal Hambourg
@ 2011-05-22 19:06               ` netfilter
  0 siblings, 0 replies; 10+ messages in thread
From: netfilter @ 2011-05-22 19:06 UTC (permalink / raw)
  To: Pascal Hambourg; +Cc: netfilter


On Sun, 22 May 2011 10:48 +0200, "Pascal Hambourg"
<pascal.mail@plouf.fr.eu.org> wrote:
> netfilter@buglecreek.com wrote:
> > On Sun, 22 May 2011 00:05 +0200, "Pascal Hambourg"
> >>
> >> How then do you know which interface of the router is connected to which
> >> network ?
> > 
> > I'm basing the router connections to the various networks by the IP
> > addresses and network Addresses.
> 
> That is not enough. The virtualization system (Parallels for you) deals
> only with the link (ethernet) layer, not the IP layer. You can set up
> multiple IP subnets on the same link but they are not isolated.
> 
> > Sending a broadcast packet (good idea) from network B I see the packet
> > show up at network A machine and on both interfaces of the firewall.  I
> > even see the packets show up on network A when the firewall/router is
> > turned off.
> 
> So all interfaces are connected to the same link, just as I thought.
> 
> > Both Net A and Net B are assigned IPs on two entirely
> > different networks.  Obviously, this is not the expected behavior.
> 
> It is expected behaviour when all interfaces are connected to the same
> link. Think as if all interfaces are connected to the same switch and
> you didn't define separate VLANs.
> 
> Ideally you need to set up two separate virtual links and define which
> interface is connected to which link. Other options include :
> 
> a) Use tagged VLAN interfaces (see vconfig). This requires only one
> ethernet interface on the router. E.g. :
> VLAN 1 for network A, machines use eth0.1
> VLAN 2 for network B, machines use eth0.2
> 
> b) Set /proc/sys/net/ipv4/all/arp_ignore to 1 on the router so each
> interface replies only to ARP requests for its own address. This way the
> other machines will send packets only to the correct interface.
> 
> Note that these options do not provide the same level of security as
> separate links.
> 

Good information.  I only use virtualization on an intermittent basis and
then only to test various things when I am not able to use other means.
Normally what you describe above is not a big issue since I'm usually
not trying to route packets between virtual machines.  I'll look at some
of the solutions you outline above for future test scenarios.
Appreciate the help figuring out why I was seeing the "strange"
behavior.

