View previous topic :: View next topic |
Author |
Message |
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2380 Location: Kentucky
|
Posted: Sun Jul 14, 2024 12:20 am Post subject: choke firewall died, can't find firewall script |
|
|
My poor choke firewall has finally died. It was working at 8:00 am EDT July 12, 2024, and was no longer working by 10:00 am EDT. It was *VERY* old -- it had either a celeron or a core 2 duo cpu and was running 32 bit linux. Its been a long time since it was rebooted, so when I got physically in front of it, I confirmed it had power, as the pilot light was lit. I tried to reboot it and it powered up (pilot lite lit up), but never entered the boot sequence or the BIOS setup screen. There was nothing on the screen, and no beeps from the BIOS signifying any error codes.
I am very close to moving the entire network to a new building, so I already had a new machine built to replace it, but I was waiting until the move to perform the substitution. I now have the new machine in place, running an i-5 cpu and 64 bit linux. I would be done except I cannot remember where I saved the firewall configuration script. I have backups for this machine on my backup server.
Surely the firewall configuration is saved somewhere on disk so it can re-instantiate itself on reboot. Where is that configuration saved?
Is it possible to examine this file and reconstruct a text version of the configuration? This is a fairly simple firewall. It sits between my DMZ and my LAN, so the workstations on the LAN are masqueraded to the DMZ, and then they are masqueraded again by the gateway firewall, which sits between the DMZ and the internet.
I checked on my backup server, and the version of iptables is the same on the old dead machine and the new replacement one:
Code: |
jehoiada ~ # iptables --version
iptables v1.8.10 (legacy)
|
I found what must be a very old firewall script, but when I run it, iptables complains about the table named "nat", saying there is no such table, so I am pretty sure that script was obsolete, probably many years ago.
Lacking a way to reconstruct my firewall configuration, can anybody suggest a simple firewall script for iptables being used as a choke firewall?
I appreciate any help, but its been many years since I did anything with iptables. That old firewall has been in place well over 10 years. _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character. |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22619
|
Posted: Sun Jul 14, 2024 1:20 am Post subject: |
|
|
The Gentoo init script for iptables normally reads/writes /var/lib/iptables/rules-save. Do you have that file?
You probably do want a nat table, so if it is not working, your new firewall may not be usable until you fix your kernel configuration. |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5093 Location: Bavaria
|
Posted: Sun Jul 14, 2024 2:01 am Post subject: Re: choke firewall died, can't find firewall script |
|
|
Moriah wrote: | [...] This is a fairly simple firewall. It sits between my DMZ and my LAN, so the workstations on the LAN are masqueraded to the DMZ, and then they are masqueraded again by the gateway firewall, which sits between the DMZ and the internet.[...] |
I understand this as:
LAN <-> Your dead choke FW <-> DMZ <-> Edge FW <-> WAN/Internet
If this is correct you will need NAT (masquerading) only in your Edge FW; there is no need to do NAT between LAN and DMZ because routing is quite sufficient here. _________________ https://wiki.gentoo.org/wiki/User:Pietinger |
|
Back to top |
|
|
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2380 Location: Kentucky
|
Posted: Sun Jul 14, 2024 2:17 am Post subject: |
|
|
@Hu: Yes, I have the saved firewall rules on my backup server, but it doesn't look like anything I can just load, or edit and load.
I think you are right: I need to check my kernel config, as I am likely missing some options relaterd to nat.
@pietinger: I only need the nat so masqueraded machines on the lan can reach the server on the dmz, and they are using the ip address the server presents to the internet at large, and the server is static natted by the gateway firewall, so I translate the internet visible address of the server to the static natted address of the server on the dmz so the workstations can see the web and email servers without having to edit their /etc/hosts file every time a laptop moves from my lan to a remote wifi connection.
Since the natting seems to be the complaint of iptables, I will have to look at the kernel setup as it relates to iptables and nat. I will try to look into this tomorrow, but I am getting sleepy now, so I am going to bed. _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character. |
|
Back to top |
|
|
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2380 Location: Kentucky
|
Posted: Sun Jul 14, 2024 5:25 pm Post subject: |
|
|
OK, I remoived the NAT stuff, but it still doesn't work. My lan is 192.168.1.* and my DMZ is 192.168.2.* and the firewall script is:
Code: |
#!/bin/bash
#set -vx
# ----------------------------------------------------------------
# Set up the Linux kernel support for the firewall.
# Enable IP forwarding since it is disabled by default:
echo "1" > /proc/sys/net/ipv4/ip_forward
# Enable broadcast echo protection:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable source routed packets:
for f in /proc/sys/net/ipv4/conf/*/accept_source_route
do echo 0 > $f
done
# Enable TCP SYN-cookie protection:
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP redirect acceptance:
for f in /proc/sys/net/ipv4/conf/*/accept_redirects
do echo 0 > $f
done
# Prohibit sending ICMP redirect messages:
for f in /proc/sys/net/ipv4/conf/*/send_redirects
do echo 0 > $f
done
# Drop spoofed packets coming in on an interface, which if replied to,
# would result in the packet going out a different interface:
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do echo 1 > $f
done
# Log packets with impossible addresses:
#for f in /proc/sys/net/ipv4/conf/*/log_martians
#do echo 1 > $f
#done
# ----------------------------------------------------------------
# flush all chains in all tables
iptables -F
iptables -t mangle -F
# delete the RH-Lokkit-0-50-INPUT chain defined by rh9.0 installation
#iptables -X RH-Lokkit-0-50-INPUT
# establish default policy of accept everything
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables -t mangle --policy PREROUTING ACCEPT
iptables -t mangle --policy INPUT ACCEPT
iptables -t mangle --policy FORWARD ACCEPT
iptables -t mangle --policy OUTPUT ACCEPT
iptables -t mangle --policy POSTROUTING ACCEPT
# ----------------------------------------------------------------
# Forward the LAN in both directions
iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# ----------------------------------------------------------------
|
What could I be doing wrong? Please remember that this script is over 10 years old. I get no errors when I run the script. I tried running it like this:
Code: |
root@jehoiada ~ # /etc/init.d/iptables stop
* Saving iptables state ... [ ok ]
* Stopping firewall ... [ ok ]
root@jehoiada ~ # ./fw_new.sh
root@jehoiada ~ # /etc/init.d/iptables start
* Loading iptables state and starting firewall ... [ ok ]
root@jehoiada ~ #
|
But it doesn't seem to be forwarding pings from the LAN to the DMZ.
I am working this remotely by ssh-ing into the web server from a building several miles away from the network where this choke firewall is located. I ssh into the web server, then I ssh into the choke firewall. After I load and start the firewall, I ssh into a machine on the lan from the choke, and from there I can ping the choke, but not the web server, shich is on the other side of the choke. _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character. |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5093 Location: Bavaria
|
Posted: Sun Jul 14, 2024 6:48 pm Post subject: |
|
|
Moriah,
I don't know how much you know about netfiler kernel modules, so please don't be angry if I write something you already know.
The kernel modules are the actual "firewall", the two programs "iptables" or "nftables" are actually only "helper programs" to transfer the rules for these modules to the kernel.
The kernel modules can do two things:
1. filter data packets,
AND
2. change data packets !
The filtering is what is known as a "firewall".
As I see it, you didn't do any filtering with the above script (because you simply allowed everything [1]), but only the modification of data packets ... NAT (network address translation) ...
There are two main ways to do NAT: Source NAT (SNAT) and Destination NAT (DNAT) ... (and of course you can do both IF you need both).
At the moment your script does NOT do the filtering (firewall) nor a NAT ... and is therefore completely worthless.
If you would describe your network in detail (ALL CLIENTS, ALL SERVER, ALL SWITCHES, ALL gateways + routers to your ISP) I could help you.
In general, I can therefore only say what a CLEAN network should look like (=best practice):
There are (mainly) two ways to run a DMZ (for small and medium sized networks; I dont talk about networks with 50.000 stations):
1. with one firewall, or
2. with two firewalls
See: https://en.wikipedia.org/wiki/DMZ_(computing)#Architecture
It is always claimed that the solution with two firewalls is more secure (e.g. because you can choose two different manufacturers).
Quite frankly, that's nonsense ... as long as we are talking about SMALL networks (yes, 100 clients, 10 VLANS in the LAN, and 4 servers in the DMZ IS a small network).
Regardless of whether solution (1) or (2) is used, there are two (three) things that are essential (and apply to both solutions):
A. No station in the LAN can reach the Internet directly. Each station in the LAN can reach only the servers in the DMZ - nothing else!
B. Each server in the DMZ has a personal firewall installed.
(C. All servers, gateways and the admin station have fixed IP addresses; DHCP is only available for the clients in the LAN; an IP address concept is in place. [2])
------
Details for A:
If you are wondering how a client in the LAN is supposed to surf the Internet, the answer is: In the DMZ there is a server on which a web proxy service is running. Yes, each client only gets the exact time from a server in the DMZ (which has an ntpd, for example). The name resolution (DNS) is also done by a server in the DMZ ... and e-mail is also only available from the DMZ ... and everything else too. Period. Off. End of story. Amen.
Details of B:
First of all we should ask why multiple servers in the DMZ ? I could just put in a S/390 and run all services in different VMs. Well, yes, it's safer if I have at least two machines: One machine that is directly accessible from the Internet (web server and e-mail) and a second machine that only provides all services for clients of the LAN (DNS, NTP, proxy). The larger a company is, the more servers are in the DMZ. What happens if a server in the DMZ is compromised? Yes, this server can address any other server of the DMZ directly ... there is no Edge-FW in between ... and that is precisely why a personal firewall is installed on each server itself.
Now we come to the exciting question of how the two "firewalls" should/must be configured:
a) The Core FW allows all clients to access the servers / server services in the DMZ and prohibits everything else.
b) The Edge FW allows incoming traffic to the web server and e-mail server + outgoing traffic from the DMZ servers to various servers on the Internet + outgoing HTTP/HTTPS traffic FROM the proxy to the entire Internet. In addition, this Edge FW must also operate NATting, because we want to connect from a private network (with private IP addresses) to the global internet (with global IP addresses).
c) Each personal firewall only allows inbound traffic for the services it provides. If the server is also running an sshd (so that the admin station can access any server remotely), then one rule of this personal FW is: Allow incoming port 22 only from the admin station.
I have described a simple network with only one firewall here:
https://forums.gentoo.org/viewtopic-t-1114432.html
You might want to read this first:
https://forums.gentoo.org/viewtopic-p-8465650.html#8465650
1)
Moriah wrote: | Code: | ...
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT |
|
2) A simple address concept could be:
(For the sake of simplicity, I will only talk about IPv4 for now.)
IP adresses:
a) Every client in the LAN that gets its ip address from dhcp has a two or three-digit end address in net 10.0.0.0/? (e.g. 10.0.0.10/24).
b) Every Server in the DMZ has a two or three-digit end address in net 172.16.0.0/24 (e.g. 172.16.0.10/24).
c) GW for LAN is: 10.0.0.1 (this is the inner interface of coreFW)
d) GW for DMZ is: 172.16.0.1 (this is the inner interface of EdgeFW)
e) 2nd Interface of coreFW is 172.16.0.2
f) 2nd Interface of EdgeFW is 192.168.0.2 ... because the ADSL-modem-router has 192.168.0.1
g) the DHCP server in LAN has: 10.0.0.2
h) the admin station in LAN has: 10.0.0.3
Routing:
a) Every station in LAN has only ONE default GW (10.0.0.1)
b) Every server in DMZ has 1. default GW 172.16.0.1 and 2. additional route to net 10 via 172.16.0.2
c) coreFW has has only ONE default GW (10.0.0.1) (because of its 2 interfaces it knows both internal nets)
d) edgeFW has has 1. default GW (192.168.0.1) and 2. additional route to net 10 via 172.16.0.2 (this is ONLY necessary because the Admin station want do also SSH to this machine )
[Administrator edit: added explicit [url] tag. Forum auto-linking does not work when the URL contains parentheses. -Hu]
Thank you, Hu ... sometimes I am very inattentive _________________ https://wiki.gentoo.org/wiki/User:Pietinger
Last edited by pietinger on Sun Jul 14, 2024 9:38 pm; edited 1 time in total |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22619
|
Posted: Sun Jul 14, 2024 6:57 pm Post subject: |
|
|
Moriah wrote: | @Hu: Yes, I have the saved firewall rules on my backup server, but it doesn't look like anything I can just load, or edit and load. | That seems strange. The saved file is not valid input when the Gentoo init script runs iptables-restore? Moriah wrote: | OK, I remoived the NAT stuff, but it still doesn't work. | You will need NAT at some point. You may or may not need it quite yet. Moriah wrote: | My lan is 192.168.1.* and my DMZ is 192.168.2.* and the firewall script is: Code: | #!/bin/bash
#set -vx |
| Missing set -eu. Moriah wrote: | Code: | echo "1" > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts |
| These could be handled via /etc/sysctl.conf, I think. Moriah wrote: | Code: | for f in /proc/sys/net/ipv4/conf/*/accept_source_route
do echo 0 > $f
done |
| As I understand Documentation/networking/ip-sysctl.rst, you could get by with only setting this for all, in which case that too can be done in /etc/sysctl.conf. Moriah wrote: | Code: | # flush all chains in all tables
iptables -F
iptables -t mangle -F |
| This does not flush nat, which you will want at some point. Also, this whole block is non-atomic, which may lead to surprising results. That is why I always push people to use iptables-restore instead of homegrown scripts. Moriah wrote: | What could I be doing wrong? | In my opinion, using a non-atomic script to load rules is inherently wrong. However, to your more immediate question, you appear not to have any filtering going on, so I do not see how this script could block any traffic. Moriah wrote: | Please remember that this script is over 10 years old. I get no errors when I run the script. I tried running it like this: Code: | root@jehoiada ~ # /etc/init.d/iptables stop
* Saving iptables state ... [ ok ]
* Stopping firewall ... [ ok ]
root@jehoiada ~ # ./fw_new.sh
root@jehoiada ~ # /etc/init.d/iptables start
* Loading iptables state and starting firewall ... [ ok ]
root@jehoiada ~ # |
| I think that last step will load the saved rules, overriding any iptables changes made by fw_new.sh. If so, then the shown iptables rules of your fw_new.sh are irrelevant (though the sysctl changes are worth seeing, and I see nothing wrong with them). We need to see the rules that are actually in use. You can find them in /var/lib/iptables/rules-save. |
|
Back to top |
|
|
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2380 Location: Kentucky
|
Posted: Sun Jul 14, 2024 8:41 pm Post subject: |
|
|
I think I'm going to apply a different approach. I also replaced my gateway firewall some time ago, and it is running the same identical hardware as this new choke firewall. I think I am going to copy the .config from that gateway firewall to the choke firewall and rebuild the kernel. I know NAT is working there, along with forwarding, which seems to be an issue withe the choke right now.
Sorry to be so pragmatic, but I really need to get this choke working as quickly as possible. _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character. |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|