Gentoo Forums :: Networking & Security
A Firewalled Internet Access to Internal Subnet

miroR (l33t; joined 05 Mar 2008; 815 posts)
Posted: Mon Mar 21, 2016 2:27 pm    Post subject: A Firewalled Internet Access to Internal Subnet

title: A Firewalled Internet Access to Internal Subnet
---
My old iptables rules I put in a separate ADDENDUM post to this post:

https://forums.gentoo.org/viewtopic-t-1041028.html#7895454
(or simply just the very next post)

That script is based on this article:

Configuring iptables firewall on Gentoo
http://gentoovps.net/configuring-iptables-firewall/

I keep it in /root . And when I change things in it, I simply run it:
Code:

# ./rules.sh

and the changes are taken into the system.

I'm trying to mix filtering (the above linked rules is that) and NAT. First time doing NAT.

After lots of other tries, I decided to start as simple as possible.

By the book:

Linux 2.4 NAT HOWTO
(section: I just want masquerading! Help!)
http://netfilter.org/documentation/HOWTO//NAT-HOWTO-4.html#ss4.1
which refers to:

Linux 2.4 Packet Filtering HOWTO
(section: Mixing NAT and Packet Filtering)
http://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-9.html

A note: those books are still the main references from http://netfilter.org ;-) . (No newer wisdom has replaced those in the way of complete replacement tutorials.)

On host by the name of g0n I have eth0 (not used here), eth1, and eth2.

eth1
====
some 7 yrs old aDSL router, with disabled DHCP server, working (I hope) as
simply static network local router, set to:

Code:

192.168.2.0/24
192.168.2.1   the router itself (interface is there on http://192.168.2.1/ to deal with it, and I hope it's not getting in the way ;-) )
192.168.2.2 g0n's IP on it
192.168.2.3 a Devuan-to-be host (currently 1 yr old Debian machine there)


All pingable, all working before the simple by-the-book NAT deployed.

eth2
====
newer aDSL router, with regular settings as providers ship it to users in Croatia, sure, with DHCP
Code:

192.168.1.0/24
192.168.1.1 the router itself (with the interface similar to the one on eth1 above)
192.168.1.X the host g0n gets an IP dynamically, usually 192.168.1.2, or 192.168.1.3


I want to be able to go to the internet with my future Devuan machine.

I want to do it through my Gentoo host.

Why?

Because I want to be able to dumpcap all and anything that happens when I go online, since the environment is still very censored/intruded upon/hostile in Croatia from the old regime that hasn't been routed yet at all, and if I don't keep track of what happens, I could be rigged again
(
that claim is far from being without substance, have a look:

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
( the post about my provider, who out of thin air, accuses me for spamming and blocks my emailing)
https://forums.gentoo.org/viewtopic-t-999436.html#7682770
or:
( the post where Schmoog and Yooch try to clickjack me )
https://forums.gentoo.org/viewtopic-t-999436.html#7685200
among others ;-)
).


I also want to be able to attach M$ Windows machines and go to the internet with it, to check pages when I work them, how they look, and stuff, and only ignorants and fools trust M$...

So I read a lot, and made quite a few attempts to little to no avail.

And eventually I decided to start as simple as possible.

My kernel is grsecurity-hardened, but I have temporarily disabled the Role Based Access Control, and will keep it disabled during these tries, to have fewer suspects for why it doesn't work.

Combining the info from Rusty's books aforementioned with just the minimal entries from my formerly used script, I put together my new rules.sh in /root:
Code:

#!/bin/bash

# vars
ipt=/sbin/iptables

# Flush old rules, old custom tables
echo " * flushing old rules"
$ipt --flush
$ipt --delete-chain

# Masquerade out eth2
$ipt -t nat -A POSTROUTING -o eth2 -j MASQUERADE

# Disallow NEW and INVALID incoming or forwarded packets from eth2.
$ipt -A INPUT -i eth2 -m state --state NEW,INVALID -j DROP
$ipt -A FORWARD -i eth2 -m state --state NEW,INVALID -j DROP

#
# Save settings #
echo " * saving settings"
/etc/init.d/iptables save


And I ran it (from the /root where I keep it):
Code:

# ./rules.sh


And now the rules look like this, and right there I might have some clue why it works half-way only, have a look:

Code:

# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i eth2 -m state --state INVALID,NEW -j DROP
-A FORWARD -i eth2 -m state --state INVALID,NEW -j DROP
#

The clue could be that the simple example from the 14 to 16 yrs old "books" (tutorials) cannot be applied, because the rules that show to have been set, the:
Code:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT

have not been set by my script, but are either Gentoo's defaults, or iptables upstream package defaults, maybe since who knows how many yrs ago, but surely not since Rusty coded the iptables and wrote those books. Or they are some malfunction of something in my machine...

What got in those "-P INPUT DROP" and "-P FORWARD DROP"? Not the rules that I applied as above!

Anyway, how do I modify the advice from the books to get the NAT, along with the filtering, working... ?

Those could not be Gentoo's defaults. I looked up /etc/init.d/iptables, and while I only partly understand it, that still doesn't look to be the case for me...

Here is how it (doesn't) work, in full technical detail:

Take the dumpcap and verify it from here:
http://www.croatiafidelis.hr/foss/cap/cap-160321-NAT/
or the solo link:
http://www.croatiafidelis.hr/foss/cap/cap-160321-NAT/dump_160321_0112_g0n_SOLO.pcap

And now I noticed something in the logs that complicates this issue even more.
Even more, so I'll post it separately on its own, in the next post, id est after the ADDENDUM post with the rules.sh.
_________________
Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)


Last edited by miroR on Mon Mar 21, 2016 4:43 pm; edited 1 time in total
miroR
Posted: Mon Mar 21, 2016 2:28 pm

This is the /root/rules.sh script that has worked fine for me (or at least I believe so) for longer than a year.

It is based on:

Configuring iptables firewall on Gentoo
http://gentoovps.net/configuring-iptables-firewall/
[*]

and surely, the lines with " -s 192.168.3.0/24" are mostly unused in my online Gentoo clone, but may be good to have them for my Air-Gapped (
Air-Gapped Gentoo Install, Tentative
https://forums.gentoo.org/viewtopic-t-987268.html
)
, which this online clone, that I browse online and post with, is cloned from (
how I clone my system is in the PART 2 of
Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
https://forums.gentoo.org/viewtopic-t-999436.html#7613044
).

Code:

#!/bin/bash

# vars
ipt=/sbin/iptables

# Flush old rules, old custom tables
echo " * flushing old rules"
$ipt --flush
$ipt --delete-chain

# Set default policies for all three default chains
echo " * setting default policies"
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-level error --log-prefix mrfw_no_syn
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established (NOT: and related) packets
#$ipt -A INPUT -m state --state ESTABLISHED -j LOG --log-level error --log-prefix mrfw_est
$ipt -A INPUT -m state --state ESTABLISHED -j ACCEPT

# Open the following ports, gXn
echo " * allowing ssh on eth0 on port 22"
$ipt -A INPUT -i eth0 -s 192.168.3.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-level error --log-prefix mrfw_soho_ssh
$ipt -A INPUT -i eth0 -s 192.168.3.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo " * allowing http in from SOHO"
$ipt -A INPUT -i eth0 -s 192.168.3.0/24 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-level error --log-prefix mrfw_soho_tcp
$ipt -A INPUT -i eth0 -s 192.168.3.0/24 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo " * allowing udp in from SOHO"
$ipt -A INPUT -i eth0 -s 192.168.3.0/24 -p udp -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-level error --log-prefix mrfw_soho_udp
$ipt -A INPUT -i eth0 -s 192.168.3.0/24 -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo " * allowing dns on port 53"
$ipt -A INPUT -p udp -m udp --dport 53 -j LOG --log-level error --log-prefix mrfw_dns
$ipt -A INPUT -p udp -m udp --dport 53 -j ACCEPT

echo " * allowing http on port 80"
$ipt -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED -j LOG --log-level error --log-prefix mrfw_http_80
$ipt -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT

echo " * allowing https on port 443"
$ipt -A INPUT -p tcp --dport 443 -m state --state ESTABLISHED -j LOG --log-level error --log-prefix mrfw_https_443
$ipt -A INPUT -p tcp --dport 443 -m state --state ESTABLISHED -j ACCEPT

echo " * allowing ping sendmsg"
$ipt -A OUTPUT -p ICMP --icmp-type 8 -j LOG --log-level error --log-prefix mrfw_ping
$ipt -A OUTPUT -p ICMP --icmp-type 8 -j ACCEPT

echo " * allowing ping responses"
$ipt -A INPUT -p ICMP --icmp-type 8 -j LOG --log-level error --log-prefix mrfw_ping
$ipt -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

# DROP everything else and Log it
$ipt -A INPUT -j LOG --log-level error --log-prefix mrfw_drop
$ipt -A INPUT -j DROP

#
# Save settings #
echo " * saving settings"
/etc/init.d/iptables save

---
[*] Somewhat related to the above iptables but possibly more related to VPN, I couldn't open anything from that http://gentoovps.net today, and the logs (from my /var/log/messages) were:
Code:

Mar 21 10:23:33 g0n kernel: [33400.060236] mrfw_dropIN=eth2 OUT= MAC=00:0e:2e:ec:10:5b:2c:95:7f:14:4e:c6:08:00 SRC=72.11.150.106 DST=192.168.1.2 LEN=88 TOS=0x00 PREC=0x00 TTL=55 ID=47196 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.2 DST=206.253.165.112 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=27534 DF PROTO=TCP SPT=39310 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 ]

..[10 very similar lines --but for the ID=XXXXX and little if any else-- cut out here]...

Mar 21 10:24:03 g0n kernel: [33430.109303] mrfw_dropIN=eth2 OUT= MAC=00:0e:2e:ec:10:5b:2c:95:7f:14:4e:c6:08:00 SRC=72.11.150.106 DST=192.168.1.2 LEN=88 TOS=0x00 PREC=0x00 TTL=55 ID=47207 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.2 DST=206.253.165.112 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=54489 DF PROTO=TCP SPT=39312 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 ]

Tell that to the Gentooer who owns that site. I believe he'll want to know about it! And he'll want to fix it. Or tell me if anything in my iptables is to blame ;-) , but the former is more likely ;-) .
Why am I almost confident it's not my iptables to blame? Not just because I can open anything else as soon as I plug into the aDSL router, but also because I have:
206.253.165.112
Code:

$ grep 206.253.165.112  dump_160321_1012_g0n_SOLO.hosts
206.253.165.112   gentoovps.net

but I don't have:
Code:

$ grep 72.11.150.106  dump_160321_1012_g0n_SOLO.hosts
$

( and the hosts file in question I got like this:
Code:

# tshark -r dump_160321_1012_g0n_SOLO.pcap -qz hosts > dump_160321_1012_g0n_SOLO.hosts


where dump_160321_1012_g0n_SOLO.pcap was at the time of the online bout, when I also tried to open pages from gentoovps.net , taken simply with this script:

Code:

#!/bin/bash
# capture file name: dump_YYMMDD_HHMM_<hostname>_SOLO.pcap
dumpcap=dump_$(date +%y%m%d_%H%M)_$(hostname)_SOLO.pcap
echo "$dumpcap"
sudo touch "$dumpcap"
# capture on all interfaces, in the background
sudo dumpcap -i any -w "$dumpcap" &

)
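An added example (not from the post) that summarises netfilter LOG lines of the shape shown above: the logged packets are ICMP destination-unreachable messages (type 3, code 1) quoting the header of the host's own outgoing SYN, which conntrack classifies as RELATED, a state the posted INPUT rules never accept (they accept ESTABLISHED only), so they fall through to the final `mrfw_drop`. The first sample is copied from the post's own excerpt; the second is constructed (documentation address 203.0.113.5) to exercise the TCP branch; note also that `--log-prefix mrfw_drop` without a trailing space makes the prefix run straight into `IN=`.

```shell
#!/bin/sh
# Summarise netfilter LOG lines of the form produced by the mrfw_* rules.
# Sample 1 is from the post's excerpt; sample 2 is constructed.
SAMPLE_ICMP='Mar 21 10:23:33 g0n kernel: [33400.060236] mrfw_dropIN=eth2 OUT= MAC=00:0e:2e:ec:10:5b:2c:95:7f:14:4e:c6:08:00 SRC=72.11.150.106 DST=192.168.1.2 LEN=88 TOS=0x00 PREC=0x00 TTL=55 ID=47196 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.2 DST=206.253.165.112 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=27534 DF PROTO=TCP SPT=39310 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 ]'
SAMPLE_TCP='Mar 21 10:30:00 g0n kernel: [33800.000000] mrfw_no_synIN=eth2 OUT= MAC=00:0e:2e:ec:10:5b:2c:95:7f:14:4e:c6:08:00 SRC=203.0.113.5 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0'

# nf_get "KEY=val KEY2=val2 ..." KEY -> val (empty if KEY is absent)
nf_get() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# nf_summary LINE -> one line saying what was logged and how conntrack sees it
nf_summary() {
    # drop the syslog part up to and including "kernel: [<uptime>] "
    body=$(printf '%s\n' "$1" | sed 's/^.*kernel: \[[^]]*\] //')
    outer=$(printf '%s\n' "$body" | sed 's/ \[.*//')
    # the [...] part is the header of the original packet an ICMP error quotes
    inner=$(printf '%s\n' "$body" | sed -n 's/.*\[\(.*\)\].*/\1/p')
    # --log-prefix without a trailing space runs into IN=, so split the
    # first token at "IN=" instead of trusting the spacing
    prefix=$(printf '%s\n' "$outer" | sed 's/IN=.*//; s/ *$//')
    outer=$(printf '%s\n' "$outer" | sed 's/^[^ ]*IN=/IN=/')
    iface=$(nf_get "$outer" IN)
    proto=$(nf_get "$outer" PROTO)
    src=$(nf_get "$outer" SRC)
    dst=$(nf_get "$outer" DST)
    case "$proto" in
    ICMP)
        itype=$(nf_get "$outer" TYPE)
        icode=$(nf_get "$outer" CODE)
        if [ "$itype" = 3 ] && [ -n "$inner" ]; then
            # destination unreachable about one of our own flows: RELATED
            printf '%s in=%s ICMP dest-unreachable code=%s from %s about our %s %s -> %s:%s (conntrack: RELATED)\n' \
                "$prefix" "$iface" "$icode" "$src" \
                "$(nf_get "$inner" PROTO)" "$(nf_get "$inner" SRC)" \
                "$(nf_get "$inner" DST)" "$(nf_get "$inner" DPT)"
        else
            printf '%s in=%s ICMP type=%s code=%s %s -> %s\n' \
                "$prefix" "$iface" "$itype" "$icode" "$src" "$dst"
        fi
        ;;
    TCP|UDP)
        printf '%s in=%s %s %s:%s -> %s:%s\n' "$prefix" "$iface" "$proto" \
            "$src" "$(nf_get "$outer" SPT)" "$dst" "$(nf_get "$outer" DPT)"
        ;;
    *)
        printf '%s in=%s %s %s -> %s\n' "$prefix" "$iface" "$proto" "$src" "$dst"
        ;;
    esac
}

# Stand-alone: "./nflog.sh --stdin < /var/log/messages" summarises every
# mrfw_ line; without that argument it summarises the two embedded samples.
if [ "${1:-}" = "--stdin" ]; then
    grep 'kernel: .*mrfw_' | while IFS= read -r line; do nf_summary "$line"; done
else
    nf_summary "$SAMPLE_ICMP"
    nf_summary "$SAMPLE_TCP"
fi
```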
miroR
Posted: Mon Mar 21, 2016 2:31 pm

From my /var/log/rc.log (
into which iptables logs, because there is
the line:
Code:

rc_use="logger"

in /etc/conf.d/iptables (which is by default commented out)
):
Code:

rc default logging started at Mon Mar 21 01:07:08 2016
...
 * Loading iptables state and starting firewall ...
Warning: weird character in interface `192.168.1.0/24' ('/' and ' ' are not allowed by the kernel).
Warning: weird character in interface `192.168.1.0/24' ('/' and ' ' are not allowed by the kernel).
 [ ok ]

But there is nothing in the iptables rules in the previous post with 192.168.1.0/24 string, except that that is my eth2 interface.
(
But I never specified it in any conf files. It just gets recognized and gives my online connected host its 192.168.1.X as explained in the first post, when I simply run:
Code:

# /etc/init.d/net.eth2 start

where:
Code:

# ls -l /etc/init.d/net.eth2
lrwxrwxrwx 1 root root 6 2016-03-18 13:08 /etc/init.d/net.eth2 -> net.lo
#

(I didn't add it to rc.)
)

Here's the listing of the iptables:
Code:

# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state
INVALID,NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state
INVALID,NEW

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
#

and the:
Code:

# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i eth2 -m state --state INVALID,NEW -j DROP
-A FORWARD -i eth2 -m state --state INVALID,NEW -j DROP
#

just as already given in the first post.

From /usr/portage/profiles/use.local.desc:
Code:

net-firewall/iptables:conntrack - Build against net-libs/libnetfilter_conntrack when enables the connlabel matcher
net-firewall/iptables:netlink - Build against libnfnetlink which enables the nfnl_osf util
net-firewall/iptables:nftables - Support nftables kernel interface
net-firewall/iptables:pcap - Build against net-libs/libpcap which enables the nfbpf_compile util

And I have it:
Code:

# emerge -p iptables

These are the packages that would be merged, in order:

Calculating dependencies                   ... done!     
[ebuild   R    ] net-firewall/iptables-1.6.0:0/11::gentoo  USE="ipv6 -conntrack -netlink -nftables -pcap -static-libs" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB
#


That doesn't seem to be wrong, that I built it without those, as:
Code:

net-firewall/iptables:conntrack - Build against net-libs/libnetfilter_conntrack when enables the connlabel matcher

seems to be about some advanced labeling of connections as I partly understood
from 'man iptables-extensions', and having:
Code:

# equery l conntrack-tools
 * Searching for conntrack-tools ...
[IP-] [  ] net-firewall/conntrack-tools-1.4.3:0
#

the conntrack-tools installed, my /var/log/conntrackd-stats.log writes
down all the connections fine, I check that log from time to time...

And also the " -netlink -nftables -pcap" are for some advanced stuff.

So what causes the error at the top of this post, and why the:
Code:

# iptables -S
-P INPUT DROP
-P FORWARD DROP

which appears to invalidate the
Code:

-A INPUT -i eth2 -m state --state INVALID,NEW -j DROP
-A FORWARD -i eth2 -m state --state INVALID,NEW -j DROP
#

which rules I gave by the Rusty's books?

Namely, if all is dropped anyway with "-P INPUT DROP" and "-P FORWARD DROP", what's the use of the two
lines:
Code:

$ipt -A INPUT -i eth2 -m state --state NEW,INVALID -j DROP
$ipt -A FORWARD -i eth2 -m state --state NEW,INVALID -j DROP

that I put in my /root/rules.sh script?

There, the issue that I have. Surely now I have to go back to my for-longer-than-a-year by now used set of rules.sh, and enable the grsec RBAC, and connect online to post this.

I have to do that because I can't connect with these settings above described.
miroR
Posted: Mon Mar 21, 2016 11:49 pm

In short, my error is not because of my system malfunctioning, but my lack of knowledge.

When I introduced a new table, actually two, the NAT and MANGLE tables, I ought to have inserted the commands to flush those tables too [*], because this command:

[from my /root/rules.sh which I explained in the first two or three posts:]
Code:

# Flush old rules, old custom tables
echo " * flushing old rules"
$ipt --flush
$ipt --delete-chain

only flushes the FILTER table.

And here's how flushing it does it
Code:

g0n ~ # iptables -t nat --flush
g0n ~ # iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
g0n ~ # iptables -t nat -S^C
g0n ~ # /etc/init.d/iptables status
 * status: started
g0n ~ # /etc/init.d/iptables restart
 * Saving iptables state ...                                              [ ok ]
 * Stopping firewall ...                                                  [ ok ]
 * Loading iptables state and starting firewall ...                       [ ok ]
g0n ~ #


And here's when all is flushed:
Code:

g0n ~ # iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
g0n ~ # iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
g0n ~ # iptables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
g0n ~ #


So, in the rules.sh, at the top (and I like better the short -F and -X instead of --flush and --delete-chain), I should have inserted after these lines:
Code:

# Flush old rules, old custom tables
echo " * flushing old rules"
$ipt -F
$ipt -X

other lines for NAT and MANGLE:
Code:

echo " * flushing old rules in nat table"
$ipt -t nat -F
$ipt -t nat -X

echo " * flushing old rules in mangle table"
$ipt -t mangle -F
$ipt -t mangle -X


But there is more missing for the firewall and access to internal network to work. I still have issue, and wasn't able to deploy it.

But I think I'll be moving to nftables as it appears to be gaining more and more acceptance over iptables and there already is ample documentation and there should be more and more examples and tutorials to benefit from worldwide, as iptables is removed keeping for its developers an honorable place in history.
---
[*] Here's how it looked without the flushing of the mangle and nat tables, upon trying to deploy new rules that didn't have the below:

Code:

# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  all  --  192.168.2.0/24       0.0.0.0/0           
MASQUERADE  all  --  192.168.2.0/24       0.0.0.0/0           
MASQUERADE  all  --  192.168.2.0/24       0.0.0.0/0           
MASQUERADE  all  --  192.168.2.0/24       0.0.0.0/0           
MASQUERADE  all  --  192.168.2.0/24       0.0.0.0/0           
MASQUERADE  all  --  192.168.2.0/24       0.0.0.0/0           
MASQUERADE  all  --  192.168.2.3          0.0.0.0/0           
MASQUERADE  all  --  192.168.2.3          0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
#

Last edited by miroR on Wed Mar 23, 2016 3:23 pm; edited 2 times in total
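A rules.sh for the topology described in this thread (eth1 = 192.168.2.0/24 LAN, eth2 = uplink), added here as an example and not the poster's own script: it sets the chain policies explicitly every run (policies survive -F, which is why the old -P INPUT DROP / -P FORWARD DROP were still there after the minimal script ran), flushes nat and mangle as worked out above, and adds the FORWARD rules and ip_forward setting without which MASQUERADE alone forwards nothing. The ssh rule, the log prefixes and the RUN=echo dry-run convention are assumptions.

```shell
#!/bin/sh
# Assumed topology (from the first post): eth1 = LAN 192.168.2.0/24 behind g0n,
# eth2 = uplink router. Run as "./rules.sh apply" to load; any other
# invocation prints the commands it would run (dry run).
LAN_IF=eth1
LAN_NET=192.168.2.0/24
WAN_IF=eth2
RUN=${RUN:-}                 # RUN=echo prints every command instead of running it

ipt() { $RUN /sbin/iptables "$@"; }

flush_all() {
    # -F/-X without -t act on the filter table only; nat and mangle keep
    # their rules across runs (hence the pile of MASQUERADE entries above).
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
}

apply_rules() {
    # Policies first: -F never resets them, so set them explicitly each run.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    flush_all

    ipt -A INPUT -i lo -j ACCEPT
    # RELATED covers ICMP errors (e.g. type 3) about our own connections;
    # ESTABLISHED alone drops them.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Management from the LAN only; nothing NEW is accepted from the uplink.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -j LOG --log-prefix "mrfw_drop "   # trailing space keeps IN= separate
    ipt -A INPUT -j DROP

    # Forwarding: LAN -> uplink, and only replies back. With policy DROP and
    # no ACCEPT here nothing is forwarded, whatever the nat table says.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -j LOG --log-prefix "mrfw_fwd_drop "
    ipt -A FORWARD -j DROP

    # Source NAT for the LAN only, not a catch-all MASQUERADE.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # Routing between interfaces is off by default; NAT does nothing without it.
    $RUN sysctl -w net.ipv4.ip_forward=1
}

# dry_run -> the full command list, for review without touching the kernel
dry_run() { ( RUN=echo; apply_rules ); }

case "${1:-}" in
    apply) apply_rules && $RUN /etc/init.d/iptables save ;;
    *)     dry_run ;;
esac
```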
miroR
Posted: Tue Mar 22, 2016 2:50 pm

Let's see how to learn about nftables...

These pieces of correspondence by true FOSS people to me feel like important events in history. I mean it.

http://marc.info/?l=netfilter&m=144615512521885&w=2
the author of the Nftables Arch Wiki that I think I'll have to be studying

http://marc.info/?l=netfilter&m=144615614622429&w=2
> Happy to add to the wiki -- but how do I get an account?
Just contacted you in private to pass you the account information.

That was the main developer of Nftables, Pablo Neira Ayuso, to Johannes Ernst.

And I got there from Gentoo Forums, from this topic:

from iptables to nftables: I need serious guidance.
https://forums.gentoo.org/viewtopic-t-987148.html

where SirRobin2318's posts are at:
https://forums.gentoo.org/viewtopic-t-987148.html#7523282
and
https://forums.gentoo.org/viewtopic-t-987148.html#7524106
both worth reading carefully.

I think the above connects in the way that it means that I'll probably thank him if I manage to learn it. If I manage. It doesn't look easy at all...

Both for the Arch Linux Nftables wiki page:
https://wiki.archlinux.org/index.php/Nftables#Limit_rate_and_tcp_flags_IP.2FIPv6_Firewall

, and for the contributions at:

http://people.netfilter.org/wiki-nftables/index.php/Main_Page

And surely I'll study the Gentoo Nftables Wiki pages:
https://wiki.gentoo.org/wiki/Nftables
and
https://wiki.gentoo.org/wiki/Nftables/Examples

--

Oh, I'm sorry for this post being a little upside down. Kind readers, forgive
me, I'm overwhelmed with this work. I mean it. It feels so interesting, but it
also feels so hard to understand...

What I should have said first, in this post, is that:

It's probably time to embrace Nftables and leave Iptables.

The issue that I have could be buggy behavior by Iptables, since you can read
similarly here:

http://wiki.nftables.org/wiki-nftables/index.php/Main_differences_with_iptables

where you find:

Note that iptables comes with tables with a predefined number of base chains, you get them in an all or nothing fashion. Thus, all chains are registered even if you only need one of them. We got reports in the past that unused base chains are harming performance, even if you add no rules at all.

But I'm only guessing, I don't know the why of my issue with Iptables described in the previous post.
NOTE 2016-03-23 15h+01:00: I figured out some of what I was doing wrong, and I posted it, in the post previous to this.

Currently still not many users of Nftables... Just a handful of topics found on Gentoo Forums with the search word "nftables".
miroR
Posted: Wed Mar 23, 2016 10:11 pm

I need to move to using persistent ethers.

As per the Gentoo Install Handbook,

Code:

# rm /etc/udev/rules.d/80-net-name-slot.rules
# rmdir /etc/udev/rules.d


removed. And a little more work close to trivial for even me. So, what
previously were, are now:

Code:

eth0 -->  enp5s0
eth1 -->  enp6s0
eth2 -->  enp4s6


And the nftables install, which has been, since only fairly recently, available in all the testing branches (but is not yet available for users of stable), is fresh:
Code:

# equery k nftables
* Checking net-firewall/nftables-0.5-r2 ...
   32 out of 32 files passed

g0n ~ #

;-)

Won't be unchanged for long!

Code:

# bzcat /usr/share/doc/nftables-0.5-r2/TODO.bz2
...
- kill mangle table, make rerouting a configurable table/chain property
- kill nat table? harder because of more special handling
...


means I may be trying to test incomplete features...


Had already done this:

Code:

rc-update delete iptables default


and now:
Code:

# rc-update add nftables default
 * service nftables added to runlevel default
#


In quick terms, I followed the guides. It cleared out to work with the tips from Nftables Gentoo Wiki, main, and Examples pages, but the links were useful too.

For my detailed use, I'll be making the backups like this (this is expanded from the main Nftables page on Gentoo Wiki):
Code:

# nft_bak=nft_$(date +%y%m%d_%H%M).nft
# echo "nft flush ruleset" > $nft_bak
# nft list ruleset >> $nft_bak

With the use of this method, I have currently only:
Code:

# ls -l nft*.nft
-rw-r--r-- 1 root root  384 2016-03-23 19:28 nft_160323_1927.nft
-rw-r--r-- 1 root root 3099 2016-03-23 21:40 nft_160323_2140.nft
g0n ~ #

but I'll likely have'em galore in some time and be going back to reuse my backups in painstaking attempts to get the NAT working for my interior subnet... Aaaarghhh!! I already feel the headache killing me...

Otherwise, all the instructions are there, some of them the nft binary tells you, e.g. when there is no /var/lib/nftables/rules-save from any previous runs, it will instruct you like this:

Code:

g0n ~ # /etc/init.d/nftables start
 * Caching service dependencies ...                                        [ ok ]
 * Not starting nftables.  First create some rules then run:
 * rc-service nftables save
 * ERROR: nftables failed to start
g0n ~ #


I think I can try and go online, with this protection for my machine (sure I also have I believe properly deployed grsec RBAC policies and generally care to keep to true *nix programs only: no systemd, no dbus and affiliates, but that does not have to be the reader's way).

I'll be having more questions or solutions.

Because I've only yet, hopefully successfully (first time going online with it) deployed Nftables, and I want so much more, as the title of this topic says...
miroR
Posted: Fri Mar 25, 2016 10:06 am

Studying:

( the main Nftables Wiki)
http://people.netfilter.org/wiki-nftables/index.php/Main_Page

where after you look for title "Performing Network Address Translation (NAT)",
and use that link:
http://people.netfilter.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29

in bottom it reads:
Quote:

Incompatibilities

You cannot use iptables and nft to perform NAT at the same time. So make sure
that the iptable_nat module is unloaded:

Code:

% rmmod iptable_nat



First of all, I don't use modules. Instead I put in "=y" where some guides tell to put "=m". I suppose that doesn't make much of a difference. (As it hasn't made any for, say, installing my TV-cards.)

I looked it up in my:
Code:

# ls -l /usr/src/linux
lrwxrwxrwx 1 root root 20 2016-03-08 13:45 /usr/src/linux -> linux-4.4.4-hardened
#

kernel, and there is no such conf option to be found (I've already done some
reconfiguration, but I'm left perplexed just a little; I'm showing you, and
grep'ing on, the previous configuration):
Code:

g0n linux # pwd
/usr/src/linux
g0n linux # grep -i iptable .config.old
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP6_NF_IPTABLES=y
# iptables trigger is under Netfilter config (LED target)
g0n linux #


Implicitly that tells you there is no "iptable_nat" module. But conflicts, incompatibilities, may be there, just under different names...

Here's what I've done, can be seen from the two different kernel .config files, the old, .config.old, and the new, .config:
Code:

g0n linux # ls -l .config*
-rw-r--r-- 1 root root 111106 2016-03-25 08:26 .config
-rw-r--r-- 1 root root 112446 2016-03-22 16:58 .config.old
g0n linux #

Here:
Code:

g0n linux # diff .config*
53c53
< CONFIG_LOCALVERSION="-160325"
---
> CONFIG_LOCALVERSION="-160322"
786a787
> # CONFIG_NF_CONNTRACK_ZONES is not set
819a821
> CONFIG_NETFILTER_SYNPROXY=y
849a852
> # CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
852a856,858
> CONFIG_NETFILTER_XT_TARGET_CT=y
> CONFIG_NETFILTER_XT_TARGET_DSCP=y
> CONFIG_NETFILTER_XT_TARGET_HL=y
861a868
> # CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
864a872,873
> # CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
> # CONFIG_NETFILTER_XT_TARGET_TRACE is not set
866a876
> # CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
957,958c967,986
< # CONFIG_IP_NF_IPTABLES is not set
< # CONFIG_IP_NF_ARPTABLES is not set
---
> CONFIG_IP_NF_IPTABLES=y
> CONFIG_IP_NF_MATCH_AH=y
> CONFIG_IP_NF_MATCH_ECN=y
> CONFIG_IP_NF_MATCH_RPFILTER=y
> CONFIG_IP_NF_MATCH_TTL=y
> CONFIG_IP_NF_FILTER=y
> CONFIG_IP_NF_TARGET_REJECT=y
> # CONFIG_IP_NF_TARGET_SYNPROXY is not set
> CONFIG_IP_NF_NAT=y
> CONFIG_IP_NF_TARGET_MASQUERADE=y
> CONFIG_IP_NF_TARGET_NETMAP=y
> CONFIG_IP_NF_TARGET_REDIRECT=y
> CONFIG_IP_NF_MANGLE=y
> CONFIG_IP_NF_TARGET_CLUSTERIP=y
> CONFIG_IP_NF_TARGET_ECN=y
> CONFIG_IP_NF_TARGET_TTL=y
> CONFIG_IP_NF_RAW=y
> CONFIG_IP_NF_ARPTABLES=y
> CONFIG_IP_NF_ARPFILTER=y
> CONFIG_IP_NF_ARP_MANGLE=y
977c1005,1023
< # CONFIG_IP6_NF_IPTABLES is not set
---
> CONFIG_IP6_NF_IPTABLES=y
> CONFIG_IP6_NF_MATCH_AH=y
> CONFIG_IP6_NF_MATCH_EUI64=y
> CONFIG_IP6_NF_MATCH_FRAG=y
> CONFIG_IP6_NF_MATCH_OPTS=y
> CONFIG_IP6_NF_MATCH_HL=y
> CONFIG_IP6_NF_MATCH_IPV6HEADER=y
> CONFIG_IP6_NF_MATCH_MH=y
> CONFIG_IP6_NF_MATCH_RPFILTER=y
> CONFIG_IP6_NF_MATCH_RT=y
> CONFIG_IP6_NF_TARGET_HL=y
> CONFIG_IP6_NF_FILTER=y
> CONFIG_IP6_NF_TARGET_REJECT=y
> CONFIG_IP6_NF_TARGET_SYNPROXY=y
> CONFIG_IP6_NF_MANGLE=y
> CONFIG_IP6_NF_RAW=y
> CONFIG_IP6_NF_NAT=y
> CONFIG_IP6_NF_TARGET_MASQUERADE=y
> CONFIG_IP6_NF_TARGET_NPT=y
g0n linux #

I achieved it actually all by disabling only three options that were previously enabled, these:
Code:

g0n linux # diff .config .config.old  | grep '< '
< CONFIG_LOCALVERSION="-160325"
< # CONFIG_IP_NF_IPTABLES is not set
< # CONFIG_IP_NF_ARPTABLES is not set
< # CONFIG_IP6_NF_IPTABLES is not set
g0n linux #

And, maybe for more clarity, here's how they look in the menuconfig:
Code:

 → Networking support → Networking options → Network packet filtering framework (Netfilter) → IP: Netfilter Configuration
    < > IP tables support (required for filtering/masq/NAT)
   < > ARP tables support

and:
Code:

 → Networking support → Networking options → Network packet filtering framework (Netfilter) → IPv6: Netfilter Configuration
    < > IP6 tables support (required for filtering)

And that got all the diff between the two (my two local versions):
Code:

< CONFIG_LOCALVERSION="-160325"
---
> CONFIG_LOCALVERSION="-160322"

above.

Is that the correct thing to do? Along with emerge -C iptables ? Namely I see there are issues with iproute2:


sys-apps/iproute2-4.5.0[-iptables]: error: redeclaration of enumerator ‘IFF_*’
https://bugs.gentoo.org/show_bug.cgi?id=577464#attach_428450

and I'm slow, so I will update in a day or two, when this is likely fixed, and keep with the old:

Code:

# equery l iproute2
 * Searching for iproute2 ...
[IP-] [  ] sys-apps/iproute2-4.4.0:0
#


So since:
Code:

g0n ~ # equery  d iptables
 * These packages depend on iptables:
sys-apps/iproute2-4.4.0 (iptables ? >=net-firewall/iptables-1.4.20)
g0n ~ # cat >> /etc/portage/package.use
sys-apps/iproute2 -iptables
g0n ~ # emerge -tuDN iproute2

which appeared to have compiled and installed correctly, I could show the log,
but equery didn't pick it up yet, have a look:
Code:

g0n ~ # equery  d iptables
 * These packages depend on iptables:
sys-apps/iproute2-4.4.0 (iptables ? >=net-firewall/iptables-1.4.20)
g0n ~ # emerge -p iproute2

These are the packages that would be merged, in order:

Calculating dependencies                    ... done!           
[ebuild   R    ] sys-apps/iproute2-4.4.0::gentoo  USE="berkdb ipv6 -atm -iptables -minimal (-selinux)" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB
g0n ~ #


Never mind, I'll try and compile the not-the-newest in testing kernel, and reboot, and see if this nonexistent dependency still shows in the equery line...

Done:
Code:

# uname -r
4.4.4-hardened-160325
#

Very curious I am now. Will the equery see the change? Suspense, suspense.
Silence... What will happen...

Code:

# equery d iptables
 * These packages depend on iptables:

It's a slow system... Nothing for a while... And then:
Code:

# equery d iptables
 * These packages depend on iptables:
sys-apps/iproute2-4.4.0 (iptables ? >=net-firewall/iptables-1.4.20)


That's not right...

Will it break iproute2 if I remove iptables? Don't know... Somebody tell me!

I'm not removing it for now... Should not do harm to my tentatives with nftables, I hope.

According to:

ERROR: sys-apps/iproute2-4.5.0::gentoo failed (compile phase
https://forums.gentoo.org/viewtopic-t-1040708.html#7896308

it should be a build time dependency only...

I read carefully most of the:

http://people.netfilter.org/wiki-nftables/

with an eye on NAT, of course...

but I still need more guides. Will be searching for more NAT and MASQUERADE related Nftables guides now, I think...

If you know of some good ones that I could use for my purpose, do tell!
_________________
Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
miroR
PostPosted: Fri Mar 25, 2016 10:27 am

BTW, to be out of doubt on things, here are the nftables rules deployed in my system, by following and using:

https://wiki.gentoo.org/wiki/Nftables/Examples

I used what was given as a typical workstation example.

This is the file (from which nftables reloads, and into which it saves its rules):
/var/lib/nftables/rules-save:
Code:

table ip filter {
   chain input {
      type filter hook input priority 0; policy drop;
      ct state invalid counter packets 0 bytes 0 drop  comment "drop invalid packets"
      ct state { related, established} counter packets 15169 bytes 13242959 accept  comment "accept all connections related to connections made by us"
      iifname "lo" accept  comment "accept loopback"
      iifname != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop  comment "drop connections to loopback not coming from loopback"
      ip protocol icmp counter packets 0 bytes 0 accept  comment "accept all icmp types"
      tcp dport ssh counter packets 0 bytes 0 accept  comment "accept ssh"
      counter packets 44 bytes 1408  comment "count dropped packets"
   }

   chain output {
      type filter hook output priority 0; policy accept;
      counter packets 14758 bytes 1475767  comment "count accepted packets"
   }

   chain forward {
      type filter hook forward priority 0; policy drop;
      counter packets 0 bytes 0  comment "count dropped packets"
   }
}
table ip nat {
   chain prerouting {
      type nat hook prerouting priority 0; policy accept;
      counter packets 0 bytes 0  comment "count accepted packets"
   }

   chain input {
      type nat hook input priority 0; policy accept;
      counter packets 0 bytes 0  comment "count accepted packets"
   }

   chain output {
      type nat hook output priority 0; policy accept;
      counter packets 0 bytes 0  comment "count accepted packets"
   }

   chain postrouting {
      type nat hook postrouting priority 0; policy accept;
      counter packets 1661 bytes 106346  comment "count accepted packets"
   }
}
table ip6 filter6 {
   chain input {
      type filter hook input priority 0; policy drop;
      ct state invalid counter packets 0 bytes 0 drop  comment "drop invalid packets"
      ct state { established, related} counter packets 1 bytes 60 accept  comment "accept all connections related to connections made by us"
      iifname "lo" accept  comment "accept loopback"
      iifname != "lo" ip6 daddr ::1 counter packets 0 bytes 0 drop  comment "drop connections to loopback not coming from loopback"
      ip6 nexthdr ipv6-icmp counter packets 96 bytes 7312 accept  comment "accept all icmp types"
      tcp dport ssh counter packets 0 bytes 0 accept  comment "accept ssh"
      counter packets 97 bytes 10864  comment "count dropped packets"
   }

   chain output {
      type filter hook output priority 0; policy accept;
      counter packets 188 bytes 23182  comment "count accepted packets"
   }

   chain forward {
      type filter hook forward priority 0; policy drop;
      counter packets 0 bytes 0  comment "count dropped packets"
   }
}
table ip6 nat6 {
   chain prerouting {
      type nat hook prerouting priority 0; policy accept;
      counter packets 0 bytes 0  comment "count accepted packets"
   }

   chain input {
      type nat hook input priority 0; policy accept;
      counter packets 0 bytes 0  comment "count accepted packets"
   }

   chain output {
      type nat hook output priority 0; policy accept;
      counter packets 0 bytes 0  comment "count accepted packets"
   }

   chain postrouting {
      type nat hook postrouting priority 0; policy accept;
      counter packets 29 bytes 5064  comment "count accepted packets"
   }
}


I haven't noticed anything not working as expected, so far. But I have to admit I don't understand what is being counted in the postrouting, e.g. ...

And even if this is all correct, of course I need more than this, as the title of this topic says.
miroR
PostPosted: Fri Mar 25, 2016 6:03 pm

The already mentioned:

https://wiki.archlinux.org/index.php/Nftables

contributed, it appears to me, by Johannes Ernst, is, upon second read, a superb tutorial.

Upon second read, as I don't get new languages in one read ;-) ; nftables is a nifty programming language in its own right.

I first found this trailblazer thread:
http://www.spinics.net/lists/netfilter/threads.html#56405
http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.general/48255
(same thread, from two different, reliable, archives)

and figured out that the issue that Johannes solved there is exactly the kind of issue that I proposed to myself to accomplish, and have been working on for a few days already, most of the time.

Here is that issue which is just like mine, and it makes the first message of that thread:
http://article.gmane.org/gmane.comp.security.firewalls.netfilter.general/48255
http://www.spinics.net/lists/netfilter/msg56405.html
(same message, from two different, reliable, archives)

And so, I'll try and move from Gentoo Wiki Nftables Examples' Typical Workstation Ruleset that I currently have set up and working, to the Ruleset similar to Johannes', in that trailblazer thread on Netfilter ML, and which is also explained in the Archlinux Wiki (it's the same author who also mostly wrote that Arch wiki page, in all appearances).

I'll use the method such as explained here:
https://wiki.archlinux.org/index.php/Nftables#Atomic_Reloading

Except I'll combine it with creating a timestamped ruleset file, and I won't be doing it in /tmp, but in /root.

I'll apply for my case:
https://wiki.archlinux.org/index.php/Nftables#Different_rules_for_different_interfaces
and:
https://wiki.archlinux.org/index.php/Nftables#Masquerading

I already have the current setup backed up.

Code:

# nft_bak=nft_$(date +%y%m%d_%H%M).nft
#

gives it now the name:
Code:
# echo $nft_bak
nft_160325_1711.nft
#


I just copied and pasted into it the code given under:
Practical examples
Different rules for different interfaces

on Archlinux.

Code:
# cat > $nft_bak
 < I pasted it here >
#


And I modified it like this:
Code:

flush ruleset
table inet filter {
  chain input { # this chain serves as a dispatcher
    type filter hook input priority 0;

    iifname lo accept # always accept loopback
    iifname enp4s6 jump input_enp4s6
    iifname enp6s0 jump input_enp6s0

    reject with icmp type port-unreachable # refuse traffic from all other interfaces
  }
  chain input_enp4s6 { # rules applicable to public interface interface
    ct state {established,related} accept
    ct state invalid drop
    udp dport bootpc accept
    tcp dport bootpc accept
    reject with icmp type port-unreachable # all other traffic
  }
  chain input_enp6s0 {
    ct state {established,related} accept
    ct state invalid drop
    udp dport bootpc accept
    tcp dport bootpc accept
    tcp port http accept
    tcp port https accept
    reject with icmp type port-unreachable # all other traffic
  }
  chain ouput { # we let everything out
    type filter hook output priority 0;
    accept
  }
 }

Nothing else in this first attempt, except adding the:
Code:

flush ruleset

at top to flush all the current ruleset, and changed the interface names to my real-life current interfaces.

And trying to load it:
Code:

# nft -f nft_160325_1711.nft

nft_160325_1711.nft:23:19-24: Error: syntax error, unexpected accept
    tcp port http accept
                  ^^^^^^
nft_160325_1711.nft:24:20-25: Error: syntax error, unexpected accept
    tcp port https accept
                   ^^^^^^

gets me this error above. Why?

I'm really not sure, all my understanding of Nftables is still fuzzy, but "tcp port" is probably a typo. Shouldn't it be "tcp dport"?

Code:

# cat  nft_160325_1711.nft | sed 's/tcp port/tcp dport/' >  nft_160325_$(date +%H%M).nft
# diff  nft_160325_1711.nft nft_160325_1730.nft
23,24c23,24
<     tcp port http accept
<     tcp port https accept
---
>     tcp dport http accept
>     tcp dport https accept
#


Was I right?
Code:

# nft -f nft_160325_1730.nft
#

No errors. And it took a second or longer to load. Maybe successful?

Let's see. It does appear so.
Code:

# nft list ruleset
table inet filter {
   chain input {
      type filter hook input priority 0; policy accept;
      iifname "lo" accept
      iifname "enp4s6" jump input_enp4s6
      iifname "enp6s0" jump input_enp6s0
      meta nfproto ipv4 reject
   }

   chain input_enp4s6 {
      ct state { related, established} accept
      ct state invalid drop
      udp dport bootpc accept
      tcp dport bootpc accept
      meta nfproto ipv4 reject
   }

   chain input_enp6s0 {
      ct state { related, established} accept
      ct state invalid drop
      udp dport bootpc accept
      tcp dport bootpc accept
      tcp dport http accept
      tcp dport https accept
      meta nfproto ipv4 reject
   }

   chain ouput {
      type filter hook output priority 0; policy accept;
      accept
   }
}


I'll post this, and, being Good Friday today, and me a faithful, will first be away to church for some time.

It's good to post this sooner and see if other readers see this as a typo, or whether I imagine it.

And if it is a typo, and if nobody else reports it to Archlinux Wiki in the meantime, I'll try and report it so Archlinux people correct it...
miroR
PostPosted: Sat Mar 26, 2016 6:30 am

I reported the typo (only on the second attempt did I do it correctly ;-) ):

http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.general/48566
http://www.spinics.net/lists/netfilter/msg56695.html
(on spinics only the first, incorrect, report shows for me yet)

---

But importantly, I think I only now have grasped :oops: why my setup couldn't work without extra configuration...

The enp6s0 interface, through which I want to connect my local network machines to the internet is served, as I explained in the opening post (under eth1 which it then was):
Quote:

some 7 yrs old aDSL router, with disabled DHCP server, working (I hope) as
simply static network local router


And I was attempting, all this time, to get the members of that network to get their connection into an internet connection...

No! It's still not clear to me how to do it, but I'm pretty sure that the network that would be, in its members mangled-connected to the internet through the aDSL router seen on the enp4s6 interface, that must be a network that I have to set up on this machine!

It can't be a network served from another machine.
miroR
PostPosted: Sun Mar 27, 2016 3:31 am

Note: this is just an entire one-day leg of my journey. Skip this post if you are rushing for the (at the time of writing) likely solution.
---
I was thinking. I mostly understand the basics of networking, and I have, although very slowly, solved a few obstacles so far on my journey to achieve a "Firewalled Internet Access to Internal Subnet" as the title of the topic says.

And I was thinking, remembering how some of the unmanaged ethernet switches that I had, used to suggest in their manuals, that the rest of the machines on the 4-port or 8-port switch that they were, could connect to the internet if the port no. 1 was connected to the aDSL router.

I know this is not a territory for the faint-hearted and I may be stubborn enough to keep trying.

However, it's not about only connecting other machines to the internet. It's about doing it in such a way to be able to capture and analyze all the traffic. I explained that the outside is potentially hostile, in the opening post.

I want to access, be it from my Windoze machine, or from a future Devuan machine the internet and do things, in such way as to be able to see all the traffic for myself. Windoze I don't trust (and am not a wizard who could control it fully, far from), and when I install on a new machine such as I will, hopefully, install Devuan, I don't see how I can have complete sight of all the traffic to and from that machine, to have control over it, other than if I somehow get it to pass through my Gentoo machine, where I can capture and analyze it before I conclude all is clean... Through my Gentoo machine which I'm pretty confident is likely sufficiently secure (grsec-hardened, RBAC deployed...)...

A switch I have:
http://dlink.com.sg/products/?idproduct=273
http://www.dlink.com/-/media/Consumer_Products/DGS/DGS%201008D/Manual/DGS%201008D_B1_Manual_v201.pdf
(but my model doesn't look like that; it was made around 2005 or so, it's more squarely made, with blunted edges)

I have been reluctant to use it anywhere near online, because I lost another one, because of something that happened online. (It was somehow b0rked from online, as were some of my ethers, else how come I only lost them when I connected online, and as long as I used them in the SOHO, nothing whatsoever happened.)

---

But I have recently changed direction, I think I have found my way. Will be clear in the next post.
miroR
PostPosted: Sun Mar 27, 2016 3:36 am

And, after I've searched and read, searched and read... I think the solution for my case lies somewhere in this direction:

https://www.debian.org/doc/manuals/securing-debian-howto/ap-bridge-fw.en.html

applied to my Gentoo of course.

Will expand on this. Just wanted to give it for the impatient curious. Give me time to install things, study the matter and then elaborate, and to see if I need help about it, or if this will be a solution such that occasional others may find useful too.
miroR
PostPosted: Sun Mar 27, 2016 8:51 am

From:
D.1 A bridge providing NAT and firewall capabilities
https://www.debian.org/doc/manuals/securing-debian-howto/ap-bridge-fw.en.html#sD.1
Code:

Internet ---- router ( 62.3.3.25 ) ---- bridge (62.3.3.26 gw 62.3.3.25 / 192.168.0.1)
                                          |
                                          |
                                          |---- WWW Server (62.3.3.27 gw 62.3.3.25)
                                          |
                                          |
                                         LAN --- Zipowz (192.168.0.2 gw 192.168.0.1)



Translating into my situation.
Note: I'll be struggling to grasp the concept. Help is welcome. Will try and give all the info I have.

Therefore the continuation of a line that I verbosely extended in my translation will be marked with square brackets on a repeated "----", but at start of line, like this: "[----]".

The setup on g0n before setting up the bridge (not clearly put, for lack of complete understanding of the concept yet).

Code:

Internet ---- router ( 192.168.1.1 )  ----

( provider's aDSL router serving local network 192.168.1.0/24 )
( the dynamic internet IPs that get assigned are never seen in userland )

( in "192.168.1.X" below the "X" is whatever this host gets by router's DHCP, usually 1-4 )
Code:

                                [----] bridge br0 (<192.168.1.X> gw 192.168.1.1 / 192.168.2.2)
                                          |
                                          |

I cut out the server here.
Code:

                                          |
                                         LAN --- my_lan (192.168.2.2 gw * )

Actually it can have LAN on my_lan, because I tried it previously.

Here is how it looks on that my_lan from a machine running 1yr old Debian, in which I want to install, probably from scratch, a minimalist Devuan, but in a completely protected way, via my Gentoo box setup that I'm struggling to reach in this topic.

Code:

root@naibd6:/home/mr# ip route show
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.3
root@naibd6:/home/mr# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
root@naibd6:/home/mr# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
root@naibd6:/home/mr#


Take notice that there is no gateway yet on that interface. Some more info on it:

I had tried in this topic-tentative to set enp6s0 (previously eth1) to 192.168.2.2 and I could ping it (now can't ping it, but only because I will, but have not set br0 on it yet) just like I can ping this old router's local network (192.168.2.1) below:

Code:

root@naibd6:/home/mr# ping -c1 192.168.2.2
PING 192.168.2.2 (192.168.2.2) 56(84) bytes of data.
From 192.168.2.3 icmp_seq=1 Destination Host Unreachable

--- 192.168.2.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

root@naibd6:/home/mr# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.943 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=0.404 ms
64 bytes from 192.168.2.1: icmp_seq=3 ttl=64 time=0.401 ms
^C
--- 192.168.2.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.401/0.582/0.943/0.256 ms
root@naibd6:/home/mr#


Here's the setup on g0n without verbosity:
Code:

Internet ---- router ( 192.168.1.1 )  ----  enp4s6 (192.168.1.X by DHCP)
                                               |
                                               |
                                               |
                                            enp6s0 --- my_lan (192.168.2.2)


Here it is more fully (except I deleted the lines in all the pastes for the interface 192.168.3.0/24, because that is an inactive interface on enp5s0 --previously eth0--, at this time):
Code:

g0n ~ # ip route show
default via 192.168.1.1 dev enp4s6  src 192.168.1.3  metric 5
127.0.0.0/8 dev lo  scope host
192.168.1.0/24 dev enp4s6  proto kernel  scope link  src 192.168.1.3  metric 5
g0n ~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    5      0        0 enp4s6
loopback        0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     5      0        0 enp4s6
g0n ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    5      0        0 enp4s6
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     5      0        0 enp4s6
g0n ~ #

So far enp6s0 is not even in the route, as you can see.

This is how it looks when I start that interface:
Code:

g0n ~ # /etc/init.d/net.enp4s6 start
 * Bringing up interface enp4s6
 *   config_enp4s6 not specified; defaulting to DHCP
 *   dhcp ...
 *     Running dhcpcd ...
DUID 00:01:00:01:1a:e5:27:80:8e:64:d7:e7:d3:d8
enp4s6: IAID 2e:7d:55:62
enp4s6: soliciting an IPv6 router
enp4s6: rebinding lease of 192.168.1.3
enp4s6: NAK: from 192.168.1.1
enp4s6: soliciting a DHCP lease
enp4s6: Router Advertisement from fe80::1
enp4s6: ignoring RA from fe80::1 (no public prefix, no managed address)
enp4s6: requesting DHCPv6 information
enp4s6: applying ignored RA from fe80::1
enp4s6: adding default route via fe80::1
enp4s6: offered 192.168.1.4 from 192.168.1.1
enp4s6: probing address 192.168.1.4/24
enp4s6: leased 192.168.1.4 for 86400 seconds
enp4s6: adding route to 192.168.1.0/24
enp4s6: adding default route via 192.168.1.1
forked to background, child pid 4040                                         [ ok ]
 *     received address 192.168.1.4/24                                       [ ok ]
g0n ~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    5      0        0 enp4s6
loopback        0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     5      0        0 enp4s6
g0n ~ # ip route
default via 192.168.1.1 dev enp4s6  src 192.168.1.4  metric 5
127.0.0.0/8 dev lo  scope host
192.168.1.0/24 dev enp4s6  proto kernel  scope link  src 192.168.1.4  metric 5
g0n ~ # ifconfig enp6s0
enp6s0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 00:30:4f:31:4b:18  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17 



I'm really struggling. And really tried to give sufficient, and still not superfluous information.

Next is, if the information is sufficient for me to decide how to do it (meaning more thinking hard on this first)...

Next is, setting up the bridge.
Last edited by miroR on Sun Mar 27, 2016 12:29 pm; edited 1 time in total
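The routed, masqueraded setup the posts above work toward (this host itself serving 192.168.2.0/24 on enp6s0 as 192.168.2.2, uplink enp4s6 to the provider's router 192.168.1.1), written out as an added example; it is not the poster's ruleset nor the Arch wiki's. It assumes the LAN clients use 192.168.2.2 as their default gateway (the Debian box at 192.168.2.3 above has none yet) and the file name, the ssh allowance and the helper names are my choices.

```shell
#!/bin/sh
# Added example: firewalled, masqueraded internet access for the internal
# subnet. Assumptions: enp6s0 = 192.168.2.2 serves 192.168.2.0/24, enp4s6 gets
# its address by DHCP from 192.168.1.1, LAN clients route via 192.168.2.2.
LAN_IF=enp6s0
WAN_IF=enp4s6
LAN_NET=192.168.2.0/24

# Print the ruleset. Every LAN connection has to traverse the forward chain
# of this host, so it can also be captured here (e.g. tcpdump -i enp6s0).
nft_ruleset() {
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept                         comment "loopback"
        ct state established,related accept        comment "replies to our own traffic"
        ct state invalid drop
        iifname "$WAN_IF" udp dport bootpc accept   comment "DHCP lease replies from the provider router"
        ip6 nexthdr ipv6-icmp accept                comment "ND/RA on the uplink, as in the workstation ruleset"
        iifname "$LAN_IF" ip protocol icmp accept   comment "let the LAN ping its gateway"
        iifname "$LAN_IF" tcp dport ssh accept      comment "admin from the LAN only"
        counter                                     comment "count everything else; dropped by policy"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept        comment "return traffic for LAN connections"
        ct state invalid drop
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET accept comment "LAN -> internet"
        counter                                     comment "unsolicited uplink -> LAN traffic never forwarded"
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$WAN_IF" ip saddr $LAN_NET masquerade comment "rewrite LAN sources to the DHCP address on enp4s6"
    }
}
EOF
}

# Write the ruleset to a timestamped file in /root, like the poster does, and
# parse-check it without loading (nft -c; releases lacking -c just use nft -f).
write_ruleset() {
    f="/root/nft_$(date +%y%m%d_%H%M).nft"
    nft_ruleset > "$f"
    nft -c -f "$f"
    echo "$f"
}

# Enable routing between the two interfaces and load the file atomically:
# nft -f replaces the whole ruleset in one transaction, so a syntax error
# (such as the "tcp port" typo) leaves the previous rules untouched.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    f=$(write_ruleset) && nft -f "$f" && nft list ruleset
}

if [ "${1:-}" = apply ]; then
    apply_ruleset
fi
```

Run as root with `./nft-nat.sh apply`; without the argument the script only defines the functions, so `nft_ruleset` can be inspected first.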
miroR
PostPosted: Sun Mar 27, 2016 11:38 am

My new topic (not much time for it, but I wanted to report it):

kernel panic not anymore logged as it used to be
https://forums.gentoo.org/viewtopic-t-1041336.html

which I first posted here into this exact post you are reading, but decided to move it into a new topic.
miroR
PostPosted: Wed Mar 30, 2016 8:25 am

There's a little more here for kind readers:

PPPoE and static subnet setup
https://forums.gentoo.org/viewtopic-t-1040272.html
(the entire topic is relevant for my quest, and here is where I join in:
https://forums.gentoo.org/viewtopic-t-1040272.html#7899134 )

And here's the question, and offer to Netfilter ML:

Nftables or Iptables/Ebtables for a simple linux bridge?
http://marc.info/?l=netfilter&m=145928820814936&w=2

My offer may not be perfect at all. And that may be the reason it has not been replied to yet, or it may not have been replied to, so far, for some other reason. What do I know. I feel a little sad for that.

I feel a little sad for that, but have to go on. Before I start rolling my system back to the Iptables setup, let me query more at one other place... In case those advanced users are around....

Wait...