Linux Netfilter discussions
* -i interface filter not working for firewall
From: victor oliveira @ 2006-11-30 17:08 UTC
  To: netfilter

I have 4 network interfaces, eth0, eth1 (external) and eth2, eth3 (internal).
I have started to add rules for the iptables.
These are the interfaces:
# External 1
ifconfig eth0   5.5.5.1 netmask 255.255.255.0
# External 2
ifconfig eth1   6.6.6.1 netmask 255.255.255.0
# Internal 1
ifconfig eth2   10.10.1.9 netmask 255.255.255.0
# Internal 2
ifconfig eth3   10.10.1.8 netmask 255.255.255.0

My intent is to only allow connection with the firewall for ssh by the
eth2 interface, so the following are my rules:

#1 SSH to the firewall via eth2
iptables -A INPUT -i eth2 -p tcp -m tcp --dport 22 -s 10.10.1.0/24 -d 10.10.1.0/24 -j ACCEPT
iptables -A OUTPUT -o eth2 -p tcp -s 10.10.1.0/24 -d 10.10.1.0/24 -j ACCEPT
#21 mark packets from eth2 for the route in table 3
iptables -t mangle -A PREROUTING -i eth2 -s 10.10.1.0/24 -j MARK --set-mark 3
#22 mark packets from eth2 for the route in table 4
iptables -t mangle -A PREROUTING -i eth3 -s 10.10.1.0/24 -j MARK --set-mark 4
#3 NAT
iptables -t nat -A POSTROUTING -o eth1 -s 10.10.1.0/24 -j SNAT --to-source 5.5.5.1
iptables -t nat -A POSTROUTING -o eth0 -s 10.10.1.0/24 -j SNAT --to-source 5.5.5.2
#4 forward from eth2 (internal) to eth0
/sbin/iptables -A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
#7 forward from eth2 (internal) to eth1
/sbin/iptables -A FORWARD -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
#7 forward from eth3 (internal) to eth0
/sbin/iptables -A FORWARD -i eth0 -o eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth3 -o eth0 -j ACCEPT
#8 deny all other packets
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
iptables -Z

My problem is the following: I am able to connect from my machine to
the firewall using both eth2 and eth3. However, note that the INPUT
default is DROP, and the only rule on the INPUT SHOULD be filtering
and only allowing connections to the eth2 and not the eth3
interface...

Any thoughts?

Regards,
Victor



* Re: -i interface filter not working for firewall
From: Martijn Lievaart @ 2006-12-03 16:08 UTC
  To: victor oliveira; +Cc: netfilter

victor oliveira wrote:

> My problem is the following: I am able to connect from my machine to
> the firewall using both eth2 and eth3. However, note that the INPUT
> default is DROP, and the only rule on the INPUT SHOULD be filtering
> and only allowing connections to the eth2 and not the eth3
> interface...


Your rules are a bit messy, but it should probably work. Are you sure you 
connect through eth3? You do say it is from the same machine; if you are 
connected to eth2 and address the IP address of eth3, you still come in 
through eth2.

HTH,
M4




* Re: -i interface filter not working for firewall
From: victor oliveira @ 2006-12-04 13:41 UTC
  To: Martijn Lievaart; +Cc: netfilter

eth2 and eth3 are both connected to the same switch, and are not
virtual. Each with a different IP.
eth2 has the IP 10.10.1.8 and eth3 has the ip 10.10.1.9.
I'm using for testing a PuTTY application from another machine, also
connected to the same switch.
I know it should be working but it is not.
Furthermore, I tested the mangle rules for multiple tables and it only
works without the -i option.
My "solution" was to change to different subdomains and just not use
the -i restriction...
Any thoughts?

On 12/3/06, Martijn Lievaart <m@rtij.nl> wrote:
> victor oliveira wrote:
>
> > My problem is the following: I am able to connect from my machine to
> > the firewall using both eth2 and eth3. However, note that the INPUT
> > default is DROP, and the only rule on the INPUT SHOULD be filtering
> > and only allowing connections to the eth2 and not the eth3
> > interface...
>
>
> Your rules are a bit messy, but it should probably work. Are you sure you
> connect through eth3? You do say it is from the same machine; if you are
> connected to eth2 and address the IP address of eth3, you still come in
> through eth2.
>
> HTH,
> M4
>
>



-- 
Victor Hugo de Oliveira

Concrete Solutions
+55 21 22402030
R. São José 90, 2121
20010-020
Rio de Janeiro, RJ, Brasil



* Re: -i interface filter not working for firewall
From: Pascal Hambourg @ 2006-12-04 14:20 UTC
  To: netfilter

Hello,

victor oliveira wrote:
> eth2 and eth3 are both connected to the same switch, and are not
> virtual. Each with a different IP.

And I suppose they are not in separate VLANs. Don't search further.
By default, the Linux kernel will accept IP traffic and reply to ARP 
requests for any local address on any interface. Since eth2 and eth3 are 
on the same link, both interfaces receive ARP requests, and by default 
both reply with their own MAC address to ARP requests for the IP address 
of eth2, so IP traffic for that IP address may be sent to eth3 instead 
of eth2. If you want to change the default behaviour so that an 
interface replies to ARP requests only for its own IP address, check the 
following kernel parameters in /proc/sys/net/ipv4/conf/<interface>/ :

arp_filter - BOOLEAN
     1 - Allows you to have multiple network interfaces on the same
     subnet, and have the ARPs for each interface be answered
     based on whether or not the kernel would route a packet from
     the ARP'd IP out that interface (therefore you must use source
     based routing for this to work). In other words it allows control
     of which cards (usually 1) will respond to an arp request.

     0 - (default) The kernel can respond to arp requests with addresses
     from other interfaces. This may seem wrong but it usually makes
     sense, because it increases the chance of successful communication.
     IP addresses are owned by the complete host on Linux, not by
     particular interfaces. Only for more complex setups like load-
     balancing, does this behaviour cause problems.

     arp_filter for the interface will be enabled if at least one of
     conf/{all,interface}/arp_filter is set to TRUE,
     it will be disabled otherwise

arp_ignore - INTEGER
     Define different modes for sending replies in response to
     received ARP requests that resolve local target IP addresses:
     0 - (default): reply for any local target IP address, configured
     on any interface
     1 - reply only if the target IP address is local address
     configured on the incoming interface
     2 - reply only if the target IP address is local address
     configured on the incoming interface and both with the
     sender's IP address are part from same subnet on this interface
     3 - do not reply for local addresses configured with scope host,
     only resolutions for global and link addresses are replied
     4-7 - reserved
     8 - do not reply for all local addresses

     The max value from conf/{all,interface}/arp_ignore is used
     when ARP request is received on the {interface}

Try this:
echo 1 > /proc/sys/net/ipv4/conf/eth2/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/eth3/arp_ignore


However, my opinion is that having two interfaces on the same logical 
link (link-layer broadcast domain) is not a good idea, and having two 
interfaces in the same IP subnet is not a good idea either. Besides, 
what is the use of filtering traffic incoming on interfaces that are on 
the same network differently ?


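To see what the two sysctls above change for the poster's setup, here is a small model of the arp_ignore decision (modes 0, 1, 2 and 8) and of the max(conf/all, conf/<interface>) rule, run over a constructed host with the thread's eth2/eth3 on one /24. This is an added example, not code from the thread or from the kernel; HOST_IFACES and the sysctl dictionary are stand-ins for the real interfaces and /proc/sys values.

```python
import ipaddress

# Constructed host model: the thread's eth2 and eth3, both on 10.10.1.0/24 and on
# the same link, so both receive every broadcast ARP request.
HOST_IFACES = {
    "eth2": ["10.10.1.8/24"],
    "eth3": ["10.10.1.9/24"],
}

def effective_arp_ignore(sysctl, iface):
    """The kernel applies max(conf/all/arp_ignore, conf/<iface>/arp_ignore)."""
    return max(sysctl.get("all", 0), sysctl.get(iface, 0))

def replies_to_arp(host, sysctl, in_iface, target_ip, sender_ip):
    """Does an ARP request for target_ip, received on in_iface, get a reply?"""
    mode = effective_arp_ignore(sysctl, in_iface)
    target = ipaddress.ip_address(target_ip)
    sender = ipaddress.ip_address(sender_ip)
    local_all = {ipaddress.ip_interface(a).ip for addrs in host.values() for a in addrs}
    if target not in local_all or mode == 8:
        return False                 # not a local address, or mode 8: never reply
    if mode == 0:
        return True                  # default: any local address, on any interface
    local_here = [ipaddress.ip_interface(a) for a in host[in_iface]]
    if mode == 1:
        return any(i.ip == target for i in local_here)
    if mode == 2:
        # target on this interface AND sender in that interface's subnet
        return any(i.ip == target and sender in i.network for i in local_here)
    # mode 3 depends on address scope, which this model does not track; 4-7 are reserved
    raise ValueError(f"arp_ignore mode {mode} not modelled")

def interfaces_that_reply(host, sysctl, target_ip, sender_ip):
    """Every interface on the link sees the request; return those that answer it."""
    return sorted(i for i in host
                  if replies_to_arp(host, sysctl, i, target_ip, sender_ip))

if __name__ == "__main__":
    # Default: both interfaces answer for eth2's address, so traffic may land on eth3.
    print(interfaces_that_reply(HOST_IFACES, {}, "10.10.1.8", "10.10.1.50"))
    # After "echo 1 > .../eth2/arp_ignore" and the same for eth3: only eth2 answers.
    print(interfaces_that_reply(HOST_IFACES, {"eth2": 1, "eth3": 1}, "10.10.1.8", "10.10.1.50"))
```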

* Re: -i interface filter not working for firewall
From: victor oliveira @ 2006-12-04 16:21 UTC
  To: Pascal Hambourg; +Cc: netfilter

Now it's working, thanks.

The reason for it is the multiple routing tables I'm using. One
interface will route with load balance, and the other is routing on a
fixed route.
To isolate the problem with the mangle (also not working) I was
testing using the telnet filter. And now I have fixed it.
eth2 is load balancing to 2 outside connections eth0 and eth1, and eth3
only uses eth2.
Do you suggest another way to do it? It took me a long time to
resolve the problem this way...

Regards,
Victor

On 12/4/06, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
>
> victor oliveira wrote:
> > eth2 and eth3 are both connected to the same switch, and are not
> > virtual. Each with a different IP.
>
> And I suppose they are not in separate VLANs. Don't search further.
> By default, the Linux kernel will accept IP traffic and reply to ARP
> requests for any local address on any interface. Since eth2 and eth3 are
> on the same link, both interfaces receive ARP requests, and by default
> both reply with their own MAC address to ARP requests for the IP address
> of eth2, so IP traffic for that IP address may be sent to eth3 instead
> of eth2. If you want to change the default behaviour so that an
> interface replies to ARP requests only for its own IP address, check the
> following kernel parameters in /proc/sys/net/ipv4/conf/<interface>/ :
>
> arp_filter - BOOLEAN
>     1 - Allows you to have multiple network interfaces on the same
>     subnet, and have the ARPs for each interface be answered
>     based on whether or not the kernel would route a packet from
>     the ARP'd IP out that interface (therefore you must use source
>     based routing for this to work). In other words it allows control
>     of which cards (usually 1) will respond to an arp request.
>
>     0 - (default) The kernel can respond to arp requests with addresses
>     from other interfaces. This may seem wrong but it usually makes
>     sense, because it increases the chance of successful communication.
>     IP addresses are owned by the complete host on Linux, not by
>     particular interfaces. Only for more complex setups like load-
>     balancing, does this behaviour cause problems.
>
>     arp_filter for the interface will be enabled if at least one of
>     conf/{all,interface}/arp_filter is set to TRUE,
>     it will be disabled otherwise
>
> arp_ignore - INTEGER
>     Define different modes for sending replies in response to
>     received ARP requests that resolve local target IP addresses:
>     0 - (default): reply for any local target IP address, configured
>     on any interface
>     1 - reply only if the target IP address is local address
>     configured on the incoming interface
>     2 - reply only if the target IP address is local address
>     configured on the incoming interface and both with the
>     sender's IP address are part from same subnet on this interface
>     3 - do not reply for local addresses configured with scope host,
>     only resolutions for global and link addresses are replied
>     4-7 - reserved
>     8 - do not reply for all local addresses
>
>     The max value from conf/{all,interface}/arp_ignore is used
>     when ARP request is received on the {interface}
>
> Try this:
> echo 1 > /proc/sys/net/ipv4/conf/eth2/arp_ignore
> echo 1 > /proc/sys/net/ipv4/conf/eth3/arp_ignore
>
>
> However, my opinion is that having two interfaces on the same logical
> link (link-layer broadcast domain) is not a good idea, and having two
> interfaces in the same IP subnet is not a good idea either. Besides,
> what is the use of filtering traffic incoming on interfaces that are on
> the same network differently ?
>
>



* Re: -i interface filter not working for firewall
From: Martijn Lievaart @ 2006-12-04 18:58 UTC
  To: victor oliveira; +Cc: netfilter

victor oliveira wrote:

>
> On 12/3/06, Martijn Lievaart <m@rtij.nl> wrote:
>
>     victor oliveira wrote:
>
>     > My problem is the following: I am able to connect from my machine to
>     > the firewall using both eth2 and eth3. However, note that the INPUT
>     > default is DROP, and the only rule on the INPUT SHOULD be filtering
>     > and only allowing connections to the eth2 and not the eth3
>     > interface...
>
>
>     Your rules are a bit messy, but it should probably work. Are you
>     sure you
>     connect through eth3? You do say it is from the same machine; if
>     you are
>     connected to eth2 and address the IP address of eth3, you still
>     come in
>     through eth2.
>
> eth2 and eth3 are both connected to the same switch, and are not
> virtual. Each with a different IP.
> eth2 has the IP 10.10.1.8 and eth3 has the ip
> 10.10.1.9.
> I'm using for testing a PuTTY application from another machine, also
> connected to the same switch.
> I know it should be working but it is not.
> Furthermore, I tested the mangle rules for multiple tables and it only
> works without the -i option.
> My "solution" was to change to different subdomains and just not use
> the -i restriction...
> Any thoughts?
>


[ Please don't toppost]

Aha, but Linux answers ARP requests on any interface. So in this setup,
an ARP request for the address of eth3 can very well be answered by
eth2. In fact it probably was, given your results. Try to turn off
proxy_arp on the firewall or disconnect eth2 for the test. You'll
probably see very different results then.

HTH
M4


