Ticket #1516 (closed defect: invalid)
ffwdrules
| Reported by: | servisoft_mail@… | Owned by: | cperez@… |
|---|---|---|---|
| Milestone: | 1.4-maint | Component: | base |
| Severity: | critical | Keywords: | |
| Cc: | | | |
Description
Hi, there is a firewall problem when I add a "Filtering rules from external networks to internal networks" rule. We have an internal VM service and need to enable forwarding to it. I add an accept rule from 192.168.0.0/24 to 192.168.0.3/32 and it does not work; when I list the firewall rules (iptables -L) the ffwdrules are incorrect. Here it is:
Chain ffwdrules (1 references)
target     prot opt source          destination
RETURN     all  --  anywhere        anywhere
ACCEPT     all  --  192.168.0.0/24  192.168.0.3
It is after the RETURN rule and is never reached.
Thanks.
Change History
comment:2 in reply to: ↑ 1 Changed 4 years ago by servisoft_mail@…
Replying to juruen@ebox-platform.com:
Can you post the output of iptables -L -n -v and post it here within:
Here is the output:
Chain ffwdrules (1 references)
 pkts bytes target     prot opt in     out     source          destination
 1144  497K RETURN     all  --  bond0  *       0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.0.0/24  192.168.0.3
Thanks
comment:3 Changed 4 years ago by servisoft_mail@…
Sorry, in the preview it looked normal, but not once posted; here I try without tabs:
Chain ffwdrules (1 references)
 pkts bytes target     prot opt in     out     source          destination
 1144  497K RETURN     all  --  bond0  *       0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.0.0/24  192.168.0.3
comment:4 Changed 4 years ago by servisoft_mail@…
Sorry, now I understand:
Chain ffwdrules (1 references)
 pkts bytes target     prot opt in     out     source          destination
 1144  497K RETURN     all  --  bond0  *       0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.0.0/24  192.168.0.3
thanks
comment:5 Changed 4 years ago by juruen@…
How come you have a bond0 interface? Can you tell me the exact configuration of all your interfaces?
comment:6 Changed 4 years ago by servisoft_mail@…
Yes, I made a script to load the bond0 interface after ebox, then ebox recognizes it as a normal interface (I think):
my bonding script:
#!/bin/sh
case "$1" in
    'start')
        # Load the bonding driver, bring bond0 up and attach the slaves
        modprobe bonding
        ifconfig bond0 up
        ifenslave bond0 eth0 eth1 eth2
        ;;
    'stop')
        # Detach the slaves, bring bond0 down and unload the driver
        ifenslave bond0 -d eth0 eth1 eth2
        ifconfig bond0 down
        rmmod bonding
        ;;
    'restart')
        $0 stop
        $0 start
        ;;
    *)
        echo "Usage: $0 { start | restart | stop }"
        ;;
esac
exit 0
comment:7 Changed 4 years ago by servisoft_mail@…
Sorry, the script inits before ebox (/etc/rc0.d/S12bonding and /etc/rc1.d/S12bonding)
comment:8 Changed 4 years ago by juruen@…
- Status changed from new to closed
- Resolution set to worksforme
Bond0 is not set as external, so it's considering it an internal network card. That's why it has a return. That return means, if something comes in or out the bond interface consider it internal traffic and do not apply "External to Internal" rules.
I'm closing this ticket for now. If you have more doubts, please, open it again.
comment:9 Changed 3 years ago by dmitriy.troshin@…
- Status changed from closed to reopened
- Resolution worksforme deleted
- Milestone changed from 1.2.10-maint to 1.4-maint
I have the same bug on standard ethernet interfaces. I have added one rule to "Packet Filter ▸ External networks to internal networks" simply to count forwarded bytes to one of my IPs in the LAN network.
# iptables -L ffwdrules -vn
Chain ffwdrules (1 references)
pkts bytes target prot opt in out source destination
85 4080 RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 10.0.0.2
As you can see, the bytes counter is still zero.
I think there is a bug in trunk/client/firewall/src/EBox/Iptables.pm. Now you have something like this:
714 my @internalIfaces = @{$self->{net}->InternalIfaces()};
715 foreach my $if (@internalIfaces) {
716     $if = $self->{net}->realIface($if);
717     push(@commands, pf("-A ffwdrules -i $if -j RETURN"));
718 }
719 my $iptHelper = new EBox::Firewall::IptablesHelper;
720 for my $rule (@{$iptHelper->ExternalToInternalRuleTable()}) {
721     push(@commands, pf("$rule"));
722 }
723 return \@commands;
I think it should be like this:
714 my @internalIfaces = @{$self->{net}->InternalIfaces()};
719 my $iptHelper = new EBox::Firewall::IptablesHelper;
720 for my $rule (@{$iptHelper->ExternalToInternalRuleTable()}) {
721     push(@commands, pf("$rule"));
722 }
715 foreach my $if (@internalIfaces) {
716     $if = $self->{net}->realIface($if);
717     push(@commands, pf("-A ffwdrules -i $if -j RETURN"));
718 }
723 return \@commands;
comment:10 Changed 3 years ago by jacalvo@…
- Owner changed from juruen@… to cperez@…
- Status changed from reopened to new
comment:11 Changed 3 years ago by cperez@…
- Status changed from new to closed
- Resolution set to invalid
Hi Dmitriy,
As you can see, eth0 is an internal interface, so rules for *external* to internal networks won't affect traffic coming from eth0.
That rule you have set will count external traffic coming to the internal network.
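An added example (not eBox's code) that models the first-match semantics this thread turns on: it parses the `iptables -L ffwdrules -vn` listing quoted in comment:9, evaluates sample packets against the chain in order, and flags rules that a given ingress interface can never reach because an earlier catch-all RETURN already consumed its traffic. The external interface name ppp0 and the sample addresses are assumptions.

```python
import ipaddress

# Constructed sample: the `iptables -L ffwdrules -vn` listing quoted in comment:9.
LISTING = """\
Chain ffwdrules (1 references)
 pkts bytes target prot opt in out source destination
   85  4080 RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT all -- * * 0.0.0.0/0 10.0.0.2
"""

def parse_chain(listing):
    """Parse the -vn listing into rule dicts, preserving chain order."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        # Data rows start with the pkts/bytes counters, then the target.
        if len(parts) < 9 or not parts[0].isdigit():
            continue
        rules.append({"target": parts[2], "in": parts[5], "out": parts[6],
                      "src": parts[7], "dst": parts[8]})
    return rules

def _iface_ok(pattern, iface):
    return pattern == "*" or pattern == iface

def _in_net(addr, net):
    # A bare address in the listing (e.g. 10.0.0.2) is a /32.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def evaluate(rules, in_iface, out_iface, src, dst):
    """Walk the chain as the kernel does: the first matching rule decides.
    Returns its target, or 'FALLTHROUGH' if nothing matched."""
    for rule in rules:
        if (_iface_ok(rule["in"], in_iface) and _iface_ok(rule["out"], out_iface)
                and _in_net(src, rule["src"]) and _in_net(dst, rule["dst"])):
            return rule["target"]
    return "FALLTHROUGH"

def shadowed_rules(rules, in_iface):
    """Indexes of rules that traffic entering on in_iface can never reach,
    because an earlier catch-all terminating rule already matched it."""
    shadowed, blocked = [], False
    for i, rule in enumerate(rules):
        if blocked:
            shadowed.append(i)
        elif (rule["target"] in ("RETURN", "ACCEPT", "DROP", "REJECT")
              and _iface_ok(rule["in"], in_iface) and rule["out"] == "*"
              and rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0"):
            blocked = True
    return shadowed
```

Running `evaluate` on a LAN packet entering eth0 yields RETURN and on a packet from the assumed external interface yields ACCEPT, which is why the counter only moves for external-to-internal traffic; evaluating the reversed chain from comment:9 shows that the ACCEPT would then also match internal-origin traffic, defeating the RETURN guard.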