Re: [CentOS] firewall help request

2020-06-17 Thread Tony Mountifield
In article ,
Paul Heinlein  wrote:
> On Tue, 16 Jun 2020, Leroy Tennison wrote:
> 
> > I have a gateway machine (currently Centos 7 with IPV4 only) with two
> > NICs.  One is connected to the internet, the other to an internal
> > network (10.0.0.0/24) of mixed hardware (windows7, android tablets,
> > android phones, linux boxes) using NAT.  I wish to block all outgoing
> > connects to any external IP address on port 22 (ssh) originating from
> > any internal machine except one (which has a known internal IP address).
> >
> > I've tried some commands using 'iptables' to accomplish this, but so
> > far have failed.  If anyone has a suggestion, I'd really appreciate
> > it.  In addition, a suitable version for 'firewalld' could be useful,
> > as an upgrade to Centos 8 is in plan.
> >
> > Examples of what I've tried, and then tested.  None of them stopped
> > an outgoing SSH from an internal system.
> >
> >   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
> >   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
> 
> I'm not sure it's your INPUT table that needs that rule. I don't have 
> any NAT machines for experimentation, but my initial hunch is that 
> you'd want OUTPUT rules, e.g.,
> 
> iptables -A OUTPUT -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 22 -s 10.0.0.0/24  -j REJECT

No, the OUTPUT chains apply to traffic originating within the machine
itself (the gateway machine).

But for traffic being forwarded by the gateway, it will use the FORWARD
chains rather than the INPUT chains. So probably something like this:

iptables -A FORWARD -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -s 10.0.0.0/24  -j REJECT

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] firewall help request (solved)

2020-06-16 Thread Simon Matter via CentOS
> At 03:47 PM 6/16/2020, Kenneth Porter wrote:
>>The rule is in the wrong chain. The INPUT chain affects packets that
>>terminate at the same machine. You want to block packets that will
>>be passed on to the Internet, so your rule needs to be in the
>>FORWARD chain. (The OUTPUT chain affects packets that originate at
>>your machine.)
>>
>>Here's a nice collection of diagrams showing how packets flow
>>through the system:
>>
>>
>
>
> Ah ... Caught it.  So here is the IPTABLES method to block output on
> port 22 from internal machines on a gateway:
>
>    iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j DROP
>
> So, for example, if your internal interface is, for example,
> /dev/enp2s0, you'd write
>
>iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP
>
> If you want to log such attempts, precede it with a log
> request.  Since I'm using the -I command (insert at top), it means
> the log request is entered second:
>
>    iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"
>
>
> If someone can suggest a firewall-cmd equivalent, it would be nice.

For that kind of firewalling, I suggest to use Shorewall instead:

https://shorewall.org/

IMHO it's the better tool for where you need more than a "personal" firewall.

Regards,
Simon



Re: [CentOS] firewall help request (solved)

2020-06-16 Thread Kenneth Porter

--On Tuesday, June 16, 2020 5:20 PM -0700 david  wrote:


If someone can suggest a firewall-cmd equivalent, it would be nice.


Alas, firewalld is targeted at end nodes and doesn't really provide much 
facility for routers. Its big advantage there is in setting up a reasonable 
default firewall for the gateway itself. The only real gateway support is 
to enable masquerade on the external interface.


I use firewalld direct rules for controlling the forwarded packets. They 
look like iptables rules and get injected into firewalld's own subchains. 
Use "iptables -L -v -n" to dump the whole mess into a file for examination.


In /etc/firewalld/direct.xml, you could add an XML passthrough node like 
this:


<passthrough ipv="ipv4">-I FWDI_internal_deny 1 -p tcp --dport 22 -j DROP</passthrough>


This assumes your internal zone is named internal. Change the chain name to 
match your zone name. You don't need to specify the interface name here 
because the FWDI_internal chain is only invoked if the inbound interface 
matches an interface in that zone.


Also note that the -I option takes a chain name and a number indicating 
where to insert a rule. I use 1 to put the rule at the start of any rules 
that firewalld has already inserted. So if you need a LOG rule, you'll want 
to put the nodes in reverse order in the XML file so they get inserted 
backwards, last rule first. I.e. insert the DROP rule, then the LOG rule.


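The rules this part of the thread converges on, collected into one script as an added example (not code posted by Tony Mountifield, Kenneth Porter or david): the FORWARD-chain policy with one allowed internal host, the same policy written with -I to show why the rules must then be given in reverse order, and the firewalld direct passthrough entered with firewall-cmd rather than by editing direct.xml. Everything is printed unless APPLY=1, so the ordering can be inspected first. Assumed values that are not in the thread: GOOD_IP (the one permitted host), EXT_IF (the internet-facing NIC) and the -o match that limits the rules to traffic leaving towards the internet; INT_IF reuses david's enp2s0 and the zone name internal is Kenneth Porter's assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the egress-SSH policy for a NAT
# gateway: one internal host may reach port 22 outside, the rest of
# 10.0.0.0/24 is logged and rejected. Commands are printed; they execute
# only when APPLY=1 (run as root on the gateway).
#
# Assumed values (not from the thread): GOOD_IP and EXT_IF. INT_IF reuses
# david's enp2s0; the zone name "internal" is Kenneth Porter's assumption.
GOOD_IP="${GOOD_IP:-10.0.0.50}"   # the one internal host allowed to ssh out
INT_IF="${INT_IF:-enp2s0}"        # internal NIC
EXT_IF="${EXT_IF:-enp1s0}"        # internet-facing NIC
LAN="10.0.0.0/24"
APPLY="${APPLY:-0}"

run() {
    # Echo the command so the ordering can be reviewed; execute only if APPLY=1.
    printf '%s\n' "$*"
    if [ "$APPLY" = 1 ]; then "$@"; fi
}

# Transit traffic crosses FORWARD, never INPUT or OUTPUT (Tony Mountifield's
# point). Matching -i/-o pins the rules to LAN-to-internet traffic, so SSH
# *to* the gateway itself (INPUT) is untouched, unlike the INPUT rule John
# Pierce warned about. -A appends, so the rules are listed in match order.
ssh_egress_rules_append() {
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 22 -s "$GOOD_IP/32" -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 22 -s "$LAN" \
        -m limit --limit 5/min -j LOG --log-prefix "FWD-SSH-BLOCK:"
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 22 -s "$LAN" -j REJECT --reject-with tcp-reset
}

# Same policy with -I (insert at position 1). Each rule lands at the top and
# pushes the earlier ones down, so they are given in reverse order to end up
# as ACCEPT, LOG, REJECT: the caveat both david and Kenneth Porter raise.
ssh_egress_rules_insert() {
    run iptables -I FORWARD 1 -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 22 -s "$LAN" -j REJECT --reject-with tcp-reset
    run iptables -I FORWARD 1 -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 22 -s "$LAN" \
        -m limit --limit 5/min -j LOG --log-prefix "FWD-SSH-BLOCK:"
    run iptables -I FORWARD 1 -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 22 -s "$GOOD_IP/32" -j ACCEPT
}

# firewalld counterpart of Kenneth Porter's direct.xml passthrough, entered
# with firewall-cmd. The same reverse order applies to -I 1. No -i is needed:
# FWDI_internal_* is only reached for interfaces in the internal zone. Assumes
# the iptables backend, where those chains exist; follow with
# firewall-cmd --reload and verify with iptables -L -v -n.
ssh_egress_rules_firewalld() {
    run firewall-cmd --permanent --direct --add-passthrough ipv4 -I FWDI_internal_deny 1 -p tcp --dport 22 -s "$LAN" -j DROP
    run firewall-cmd --permanent --direct --add-passthrough ipv4 -I FWDI_internal_deny 1 -p tcp --dport 22 -s "$LAN" \
        -m limit --limit 5/min -j LOG --log-prefix "FWD-SSH-BLOCK:"
    run firewall-cmd --permanent --direct --add-passthrough ipv4 -I FWDI_internal_deny 1 -p tcp --dport 22 -s "$GOOD_IP/32" -j ACCEPT
}

echo "# append form (match order)";        ssh_egress_rules_append
echo "# insert form (given in reverse)";   ssh_egress_rules_insert
echo "# firewalld direct passthrough";     ssh_egress_rules_firewalld
```

Run it once without APPLY to read the three listings, then `APPLY=1 sh script.sh` on the gateway. The LOG rule is rate-limited with `-m limit` so a scanning host on the LAN cannot flood the kernel log; the REJECT with a TCP reset makes the blocked client fail immediately instead of hanging until its connect timeout.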


Re: [CentOS] firewall help request (solved)

2020-06-16 Thread david

At 03:47 PM 6/16/2020, Kenneth Porter wrote:
The rule is in the wrong chain. The INPUT chain affects packets that 
terminate at the same machine. You want to block packets that will 
be passed on to the Internet, so your rule needs to be in the 
FORWARD chain. (The OUTPUT chain affects packets that originate at 
your machine.)


Here's a nice collection of diagrams showing how packets flow 
through the system:






Ah ... Caught it.  So here is the IPTABLES method to block output on 
port 22 from internal machines on a gateway:


  iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j DROP


So, for example, if your internal interface is, for example, 
/dev/enp2s0, you'd write


  iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP

If you want to log such attempts, precede it with a log 
request.  Since I'm using the -I command (insert at top), it means 
the log request is entered second:


  iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"



If someone can suggest a firewall-cmd equivalent, it would be nice.

David in SF



Re: [CentOS] firewall help request

2020-06-16 Thread Kenneth Porter
The rule is in the wrong chain. The INPUT chain affects packets that 
terminate at the same machine. You want to block packets that will be 
passed on to the Internet, so your rule needs to be in the FORWARD chain. 
(The OUTPUT chain affects packets that originate at your machine.)


Here's a nice collection of diagrams showing how packets flow through the 
system:






Re: [CentOS] firewall help request

2020-06-16 Thread Paul Heinlein

On Tue, 16 Jun 2020, Leroy Tennison wrote:


I have a gateway machine (currently Centos 7 with IPV4 only) with two
NICs.  One is connected to the internet, the other to an internal
network (10.0.0.0/24) of mixed hardware (windows7, android tablets,
android phones, linux boxes) using NAT.  I wish to block all outgoing
connects to any external IP address on port 22 (ssh) originating from
any internal machine except one (which has a known internal IP address).

I've tried some commands using 'iptables' to accomplish this, but so
far have failed.  If anyone has a suggestion, I'd really appreciate
it.  In addition, a suitable version for 'firewalld' could be useful,
as an upgrade to Centos 8 is in plan.

Examples of what I've tried, and then tested.  None of them stopped
an outgoing SSH from an internal system.

  iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
  iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP


I'm not sure it's your INPUT table that needs that rule. I don't have 
any NAT machines for experimentation, but my initial hunch is that 
you'd want OUTPUT rules, e.g.,


iptables -A OUTPUT -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -s 10.0.0.0/24  -j REJECT

--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W


Re: [CentOS] firewall help request

2020-06-16 Thread John Pierce
On Tue, Jun 16, 2020 at 1:26 PM david  wrote:

>
> ...  I'm assuming
> that your advice about LAN represents the internal network because on
> most routers, it is, and WAN is the internet connection.
>
>
>
yeah, LAN == Local Area Network,  WAN == Wide Area Network, generally
meaning the internet.


-- 
-john r pierce
  recycling used bits in santa cruz


Re: [CentOS] firewall help request

2020-06-16 Thread david

At 12:30 PM 6/16/2020, John Pierce wrote:

On Tue, Jun 16, 2020 at 12:26 PM david  wrote:

>
> Examples of what I've tried, and then tested.  None of them stopped
> an outgoing SSH from an internal system.
>
>iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>
>
>
which interface is that bound to?   I don't see a -i eth0 or whatever, but
you want that rule on your LAN interface.

note these rules will also prevent any host on 10.0.0.0/24 from ssh'ing to
the gateway machine itself.


At your suggestion, the command became

iptables -I INPUT -p tcp --dport 22 -i enp3s0 -s 10.0.0.0/24 -j DROP

where enp3s0 is the internal NIC with address 10.0.0.1.  I'm assuming 
that your advice about LAN represents the internal network because on 
most routers, it is, and WAN is the internet connection.


And ssh worked :-(
unfortunately

I know that many ISPs block outgoing port 25, so I know this is do-able.

David 




[CentOS] firewall help request

2020-06-16 Thread Leroy Tennison
Is your policy accept?  It is possible to trace the packet through the 
netfilter path by setting up raw table rules with TRACE as the target and 
logging turned on (search the web for details - probably too much to post here) 
but be aware that you need a very controlled test because the syslog entries 
will likely be an order of magnitude greater than the actual packet count.


From: CentOS  on behalf of david 
Sent: Tuesday, June 16, 2020 2:21 PM
To: CentOS mailing list 
Subject: [EXTERNAL] [CentOS] firewall help request



Folks

I'm struggling with my firewall settings, and would appreciate some help.

I have a gateway machine (currently Centos 7 with IPV4 only) with two
NICs.  One is connected to the internet, the other to an internal
network (10.0.0.0/24) of mixed hardware (windows7, android tablets,
android phones, linux boxes) using NAT.  I wish to block all outgoing
connects to any external IP address on port 22 (ssh) originating from
any internal machine except one (which has a known internal IP address).

I've tried some commands using 'iptables' to accomplish this, but so
far have failed.  If anyone has a suggestion, I'd really appreciate
it.  In addition, a suitable version for 'firewalld' could be useful,
as an upgrade to Centos 8 is in plan.

Examples of what I've tried, and then tested.  None of them stopped
an outgoing SSH from an internal system.

   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP

Much thanks

David


Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com

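Leroy Tennison's suggestion above, the raw-table TRACE target, written out as an added example (not code from his message or from the thread): the trace is narrowed to a single test host and port, which is the "very controlled test" he asks for, and a small awk filter collapses the many per-hop kernel-log lines into one path per packet, so the question of which chain a forwarded packet really traverses is answered by the log rather than by guessing. The sample log lines are constructed to follow the kernel's TRACE line format and are not real captured output; the modprobe/sysctl pair is what CentOS 7 kernels commonly need before TRACE logs anything and is an assumption to verify on the gateway.

```shell
#!/bin/sh
# Added example, not from the thread. Raw-table TRACE for one source host and
# port, plus a parser that turns the flood of TRACE lines into one path per
# packet. Commands print unless APPLY=1 (run as root on the gateway).
APPLY="${APPLY:-0}"

run() {
    printf '%s\n' "$*"
    if [ "$APPLY" = 1 ]; then "$@"; fi
}

# $1 = internal test host, $2 = destination port. raw:PREROUTING is the first
# hook a forwarded packet reaches, so the trace starts there. The modprobe and
# sysctl lines are commonly required on CentOS 7 before TRACE writes to the
# kernel log (assumption; check sysctl net.netfilter.nf_log.2 first).
trace_on() {
    run modprobe nf_log_ipv4
    run sysctl -w net.netfilter.nf_log.2=nf_log_ipv4
    run iptables -t raw -I PREROUTING 1 -p tcp -s "$1" --dport "$2" -j TRACE
}

# Remove the trace rule again once the test packet has been sent.
trace_off() {
    run iptables -t raw -D PREROUTING -p tcp -s "$1" --dport "$2" -j TRACE
}

# Reads kernel-log lines on stdin (journalctl -k or dmesg) and prints, for the
# packets matching SRC=$1 and DPT=$2, the hops table:chain:verdict:rulenum in
# the order they were logged. A packet that shows filter:FORWARD here never
# touched filter:INPUT, which is the point the thread turned on.
trace_path() {
    awk -v src="SRC=$1" -v dpt="DPT=$2" '
        /TRACE:/ {
            hop = ""; s = 0; d = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "TRACE:") hop = $(i + 1)
                else if ($i == src) s = 1
                else if ($i == dpt) d = 1
            }
            if (hop != "" && s && d) path = (path == "") ? hop : path " -> " hop
        }
        END { print path }'
}

# Constructed sample in the kernel TRACE line format (not real output).
# 10.0.0.23 is the test host; 10.0.0.50 and the DPT=443 line are noise that
# the filter must leave out.
SAMPLE_TRACE='Jun 16 15:47:01 gw kernel: TRACE: raw:PREROUTING:policy:2 IN=enp2s0 OUT= SRC=10.0.0.23 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=22 SYN
Jun 16 15:47:01 gw kernel: TRACE: nat:PREROUTING:policy:1 IN=enp2s0 OUT= SRC=10.0.0.23 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=22 SYN
Jun 16 15:47:01 gw kernel: TRACE: filter:FORWARD:rule:3 IN=enp2s0 OUT=enp1s0 SRC=10.0.0.23 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=22 SYN
Jun 16 15:47:01 gw kernel: TRACE: raw:PREROUTING:policy:2 IN=enp2s0 OUT= SRC=10.0.0.50 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=22 SYN
Jun 16 15:47:02 gw kernel: TRACE: filter:INPUT:rule:1 IN=enp2s0 OUT= SRC=10.0.0.23 DST=10.0.0.1 PROTO=TCP SPT=51300 DPT=443 SYN'

printf '%s\n' "$SAMPLE_TRACE" | trace_path 10.0.0.23 22
```

In use: `trace_on 10.0.0.23 22`, open one SSH connection from that host, `trace_off 10.0.0.23 22`, then `journalctl -k | trace_path 10.0.0.23 22`. The path ends at the table:chain:rule entry that decided the packet's fate, so a rule that sits in INPUT while the packet runs through FORWARD is visible at a glance.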


Re: [CentOS] firewall help request

2020-06-16 Thread John Pierce
On Tue, Jun 16, 2020 at 12:26 PM david  wrote:

>
> Examples of what I've tried, and then tested.  None of them stopped
> an outgoing SSH from an internal system.
>
>iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>
>
>
which interface is that bound to?   I don't see a -i eth0 or whatever, but
you want that rule on your LAN interface.

note these rules will also prevent any host on 10.0.0.0/24 from ssh'ing to
the gateway machine itself.


-- 
-john r pierce
  recycling used bits in santa cruz


[CentOS] firewall help request

2020-06-16 Thread david

Folks

I'm struggling with my firewall settings, and would appreciate some help.

I have a gateway machine (currently Centos 7 with IPV4 only) with two 
NICs.  One is connected to the internet, the other to an internal 
network (10.0.0.0/24) of mixed hardware (windows7, android tablets, 
android phones, linux boxes) using NAT.  I wish to block all outgoing 
connects to any external IP address on port 22 (ssh) originating from 
any internal machine except one (which has a known internal IP address).


I've tried some commands using 'iptables' to accomplish this, but so 
far have failed.  If anyone has a suggestion, I'd really appreciate 
it.  In addition, a suitable version for 'firewalld' could be useful, 
as an upgrade to Centos 8 is in plan.


Examples of what I've tried, and then tested.  None of them stopped 
an outgoing SSH from an internal system.


  iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
  iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP

Much thanks

David
