
Resolved
0 votes
Hi All

My understanding of the Egress firewall is that it controls traffic from LAN to WAN, i.e. leaving the ClearOS gateway.

I have COS set up as a gateway with 3 network cards

2 cards on different LANs 192.168.0.0/20 and 192.168.16.0/20 with the 3rd card on 10.0.0.0/24 (internet connection)

So the Egress firewall should only block traffic leaving on the WAN interface?

*****CORRECTION******

I have a service running on 192.168.16.6 on port 3142 which becomes inaccessible from other LAN hosts unless I add a rule to the Egress firewall.

Connection is blocked from subnet 0.0 to 16.0 but both hosts are on the LAN


Have I got the concept of the Egress firewall wrong?

Screenshot of rule attached
Thursday, October 29 2015, 10:59 AM
Responses (7)
  • Accepted Answer

    Friday, October 30 2015, 06:02 AM - #Permalink
    Resolved
    0 votes
    Hi Nick

    Thanks for your help with this - I have a much clearer picture now.
  • Accepted Answer

    Thursday, October 29 2015, 05:46 PM - #Permalink
    Resolved
    1 votes
    Answering both posts, yes it looks like the egress firewall acts on the interface entering ClearOS so with your default policy, it blocks LAN1 <-> LAN2 traffic.

    Don't worry about DHCP. The initial DHCP request is a broadcast message (to 255.255.255.255) and this never gets forwarded between the LANs. One of the DHCP replies gives the IP of the replying server which, in your case should be local to each LAN (even if it is ClearOS, it should reply with the local ClearOS LAN IP to that subnet).

    Re DNS I use a custom set of rules:
    iptables -t nat -I PREROUTING -p tcp --dport 53 ! -d 172.17.2.1 -i eth1 -j DNAT --to-destination 172.17.2.1
    iptables -t nat -I PREROUTING -p udp --dport 53 ! -d 172.17.2.1 -i eth1 -j DNAT --to-destination 172.17.2.1
    You can adapt it for your own purposes and you'd need a pair for each LAN interface. eth1 is my LAN interface and 172.17.2.1 is the DHCP server (which, in my case, is ClearOS). The "! -d 172.17.2.1" is pretty redundant and just stops you changing the destination of traffic already going to 172.17.2.1 but it really does not matter if you do change it (to itself). I have a rule for udp as DNS falls back to udp if the tcp reply is too big. With these rules in place you don't need to use any DNS egress rules.
  • Accepted Answer

    Thursday, October 29 2015, 02:18 PM - #Permalink
    Resolved
    0 votes
    Hi Nick

    Yes I block all and then make exceptions.

    I will add a second custom rule to block DNS tcp too. The intention is to force LAN users through the ClearOS DNS.
  • Accepted Answer

    Thursday, October 29 2015, 01:34 PM - #Permalink
    Resolved
    0 votes
    Hi Nick

    Thanks for the reply.

    So the Egress firewall does operate between subnets and not just LAN-> WAN.

    The one issue I have is that the 2 subnets have different DHCP settings - if I forward all traffic from 0.0 to 16.0 will this include DHCP traffic? If this is the case then I presume I can forward all traffic but block DHCP ports?

    I have a custom firewall rule to force DNS traffic through ClearOS to assist in blocking https sites.
  • Accepted Answer

    Thursday, October 29 2015, 01:05 PM - #Permalink
    Resolved
    0 votes
    Have you set a default to drop all traffic and allow exceptions? If so it looks like the policy is working at interface level so is blocking traffic between your two LAN interfaces. If you want that default policy and you want LAN-LAN traffic, can I suggest you add a couple of extra forwarding rules to each subnet. If you can't do that in the Egress module add a couple of rules:
    iptables -I FORWARD -s 192.168.0.0/20 -d 192.168.16.0/20 -j ACCEPT
    iptables -I FORWARD -s 192.168.16.0/20 -d 192.168.0.0/20 -j ACCEPT
    There are other ways of doing it by interface as well using -i and -o.

    What are you doing with DNS lookups (tcp:53)? You block them at the top and allow them further down. The allows will never happen. If you want to force users to use your own DNS Server (ClearOS?) you can set a couple of rules to transparently redirect the lookups from the users' chosen IP addresses to ClearOS and they will never know.

    [edit]
    I've just re-read your rules and you're only blocking udp:53 and not most of the lookups which will happen on tcp:53. I am not sure what the intention is here?
    [/edit]
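The first-match behaviour described in the reply above, as an added example that is not part of the original thread: a simplified evaluator run over an excerpt of the posted FORWARD chain, showing which rule decides a new LAN1 to LAN2 connection to 192.168.16.6:3142 and which rules can never fire. The source host 192.168.0.10 and the `LAN_RULE` listing line are constructed for illustration; the model covers protocol, source, destination, destination port and state only.

```python
import ipaddress
import re

# Excerpt of the FORWARD chain from the `iptables -nvL` listing posted in this thread.
FORWARD = """\
110 7026 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 192.168.0.0/20 0.0.0.0/0 udp dpt:53
847 37888 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:80
38067 33M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 192.168.0.0/20 0.0.0.0/0 icmp type 8
563 95916 DROP all -- * * 192.168.0.0/20 0.0.0.0/0
"""
# Constructed listing line: a LAN1 -> LAN2 ACCEPT rule with /20 on both sides.
LAN_RULE = "0 0 ACCEPT all -- * * 192.168.0.0/20 192.168.16.0/20"

def parse(line):
    # Simplified model: interfaces and ICMP types are not modelled.
    f = line.split()
    dpt = re.search(r"dpt:(\d+)", line)
    return {"target": f[2], "proto": f[3], "src": ipaddress.ip_network(f[7]),
            "dst": ipaddress.ip_network(f[8]),
            "dpt": int(dpt.group(1)) if dpt else None, "stateful": "state " in line}

RULES = [parse(l) for l in FORWARD.splitlines()]

def decide(proto, src, dst, dpt, rules=RULES, policy="DROP"):
    """First-match verdict for a NEW connection: (target, rule number; 0 = chain policy)."""
    for n, r in enumerate(rules, 1):
        if r["stateful"]:
            continue  # state RELATED,ESTABLISHED does not match a brand-new connection
        if r["proto"] not in ("all", proto) or r["dpt"] not in (None, dpt):
            continue
        if ipaddress.ip_address(src) in r["src"] and ipaddress.ip_address(dst) in r["dst"]:
            return r["target"], n
    return policy, 0

def shadowed(rules=RULES):
    """Numbers of rules that can never fire: an earlier rule matches everything they match."""
    return [j + 1 for j, late in enumerate(rules) if any(
        not e["stateful"] and e["proto"] in ("all", late["proto"])
        and e["dpt"] in (None, late["dpt"])
        and late["src"].subnet_of(e["src"]) and late["dst"].subnet_of(e["dst"])
        for e in rules[:j])]

if __name__ == "__main__":
    print(decide("tcp", "192.168.0.10", "192.168.16.6", 3142))  # constructed source host
    print(decide("tcp", "192.168.0.10", "192.168.16.6", 3142, [parse(LAN_RULE)] + RULES))
    print(shadowed())
```

The same functions can be pointed at a full chain listing to check a default-drop policy for rules that an earlier entry makes unreachable.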
  • Accepted Answer

    Thursday, October 29 2015, 12:28 PM - #Permalink
    Resolved
    0 votes
    Hi Nick

    Output below

    Chain INPUT (policy DROP 1 packets, 125 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state RELATED,ESTABLISHED
    40 1876 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    5 204 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    0 0 DROP all -- eth1 * 127.0.0.0/8 0.0.0.0/0
    0 0 DROP all -- eth1 * 169.254.0.0/16 0.0.0.0/0
    127K 76M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    75405 3761K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
    19285 2020K ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0
    1 29 ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0 icmp type 0
    0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0 icmp type 3
    0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
    0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0 icmp type 11
    0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.253 tcp dpt:989
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.253 tcp dpt:990
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.253 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.253 tcp dpt:443
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.253 tcp dpt:873
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.253 tcp dpt:8443
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.253 tcp dpt:636
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.253 tcp dpt:1433
    0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.0.253 udp dpt:1434
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.253 tcp dpt:3000
    0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.0.253 udp dpt:3000
    0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.0.253 udp dpt:1194
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.253 tcp dpt:2222
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.253 tcp dpt:81
    1156 410K ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
    41102 57M ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    110 7026 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
    0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 192.168.2.4 tcp dpt:3389
    0 0 ACCEPT tcp -- * eth2 0.0.0.0/0 192.168.2.4 tcp dpt:3389
    0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 xxxxxxxxxxx 3 tcp dpt:1875
    0 0 ACCEPT tcp -- * eth2 0.0.0.0/0 xxxxxxxxxxx 3 tcp dpt:1875
    0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 192.168.1.8 tcp dpt:80
    0 0 ACCEPT tcp -- * eth2 0.0.0.0/0 192.168.1.8 tcp dpt:80
    0 0 ACCEPT udp -- * eth0 0.0.0.0/0 192.168.16.1 udp dpt:1194
    0 0 ACCEPT udp -- * eth2 0.0.0.0/0 192.168.16.1 udp dpt:1194
    0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 192.168.16.1 00 tcp dpt:32400
    0 0 ACCEPT tcp -- * eth2 0.0.0.0/0 192.168.16.1 00 tcp dpt:32400
    0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 192.168.16.6 tcp dpt:9191
    6 1530 ACCEPT tcp -- * eth2 0.0.0.0/0 192.168.16.6 tcp dpt:9191
    0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 192.168.16.1 tcp dpt:2222
    0 0 ACCEPT tcp -- * eth2 0.0.0.0/0 192.168.16.1 tcp dpt:2222
    0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 192.168.16.1 00 tcp dpt:8443
    0 0 ACCEPT tcp -- * eth2 0.0.0.0/0 192.168.16.1 00 tcp dpt:8443
    0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 192.168.16.1 00 tcp dpt:3389
    0 0 ACCEPT tcp -- * eth2 0.0.0.0/0 192.168.16.1 00 tcp dpt:3389
    0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 192.168.16.1 tcp dpt:8001
    0 0 ACCEPT tcp -- * eth2 0.0.0.0/0 192.168.16.1 tcp dpt:8001
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:1875
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:1875
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:53
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:53
    0 0 ACCEPT udp -- * * 192.168.0.0/20 0.0.0.0/0 udp dpt:53
    0 0 ACCEPT udp -- * * 192.168.16.0/20 0.0.0.0/0 udp dpt:53
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:20
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:20
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:21
    4 200 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:21
    86 6840 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:5222
    225 79519 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:5222
    847 37888 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:80
    891 57202 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:80
    11864 6939K ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:443
    21582 5221K ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:443
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:143
    2 96 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:143
    1229 68121 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:993
    951 68181 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:993
    6 456 ACCEPT udp -- * * 192.168.0.0/20 0.0.0.0/0 udp dpt:123
    22 1672 ACCEPT udp -- * * 192.168.16.0/20 0.0.0.0/0 udp dpt:123
    32 1571 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:110
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:110
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:995
    78 6035 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:995
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:587
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:587
    0 0 ACCEPT udp -- * * 192.168.0.0/20 0.0.0.0/0 udp dpt:587
    0 0 ACCEPT udp -- * * 192.168.16.0/20 0.0.0.0/0 udp dpt:587
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:873
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:873
    55 9702 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:139
    6 304 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:139
    11 672 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:445
    7 356 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:445
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:25
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:25
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:81
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:81
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:8888
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:8888
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:2221
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:2221
    18 1120 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:8080
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:8080
    0 0 ACCEPT udp -- * * 192.168.0.0/20 0.0.0.0/0 udp dpt:7
    0 0 ACCEPT udp -- * * 192.168.16.0/20 0.0.0.0/0 udp dpt:7
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:465
    170 227K ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:465
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:636
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:636
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:1433
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:1433
    0 0 ACCEPT udp -- * * 192.168.0.0/20 0.0.0.0/0 udp dpt:1434
    0 0 ACCEPT udp -- * * 192.168.16.0/20 0.0.0.0/0 udp dpt:1434
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:8383
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:8383
    0 0 ACCEPT udp -- * * 192.168.0.0/20 0.0.0.0/0 udp dpt:9091
    0 0 ACCEPT udp -- * * 192.168.16.0/20 0.0.0.0/0 udp dpt:9091
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:161
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:161
    72 3998 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:2222
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:2222
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:5938
    3 168 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:5938
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:9091
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:9091
    0 0 ACCEPT udp -- * * 192.168.0.0/20 0.0.0.0/0 udp dpt:7777
    0 0 ACCEPT udp -- * * 192.168.16.0/20 0.0.0.0/0 udp dpt:7777
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:8000
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:8000
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:8001
    7 1209 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:8001
    0 0 ACCEPT tcp -- * * 192.168.0.0/20 0.0.0.0/0 tcp dpt:8530
    0 0 ACCEPT tcp -- * * 192.168.16.0/20 0.0.0.0/0 tcp dpt:8530
    0 0 ACCEPT udp -- * * 192.168.0.0/20 0.0.0.0/0 udp dpt:8530
    0 0 ACCEPT udp -- * * 192.168.16.0/20 0.0.0.0/0 udp dpt:8530
    38067 33M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT icmp -- * * 192.168.0.0/20 0.0.0.0/0 icmp type 0
    0 0 ACCEPT icmp -- * * 192.168.0.0/20 0.0.0.0/0 icmp type 8
    0 0 ACCEPT icmp -- * * 192.168.0.0/20 0.0.0.0/0 icmp type 11
    563 95916 DROP all -- * * 192.168.0.0/20 0.0.0.0/0
    0 0 ACCEPT icmp -- * * 192.168.16.0/20 0.0.0.0/0 icmp type 0
    106 8904 ACCEPT icmp -- * * 192.168.16.0/20 0.0.0.0/0 icmp type 8
    0 0 ACCEPT icmp -- * * 192.168.16.0/20 0.0.0.0/0 icmp type 11
    1076 202K DROP all -- * * 192.168.16.0/20 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    127K 76M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * pptp+ 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    48557 389M ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
    21719 24M ACCEPT all -- * eth2 0.0.0.0/0 0.0.0.0/0
    113 47652 ACCEPT icmp -- * eth1 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT udp -- * eth1 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
    0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
    0 0 ACCEPT tcp -- * eth1 10.0.0.253 0.0.0.0/0 tcp spt:989
    0 0 ACCEPT tcp -- * eth1 10.0.0.253 0.0.0.0/0 tcp spt:990
    0 0 ACCEPT tcp -- * eth1 10.0.0.253 0.0.0.0/0 tcp spt:80
    0 0 ACCEPT tcp -- * eth1 10.0.0.253 0.0.0.0/0 tcp spt:443
    0 0 ACCEPT tcp -- * eth1 10.0.0.253 0.0.0.0/0 tcp spt:873
    0 0 ACCEPT tcp -- * eth1 10.0.0.253 0.0.0.0/0 tcp spt:8443
    0 0 ACCEPT tcp -- * eth1 10.0.0.253 0.0.0.0/0 tcp spt:636
    0 0 ACCEPT tcp -- * eth1 10.0.0.253 0.0.0.0/0 tcp spt:1433
    0 0 ACCEPT udp -- * eth1 10.0.0.253 0.0.0.0/0 udp spt:1434
    0 0 ACCEPT tcp -- * eth1 10.0.0.253 0.0.0.0/0 tcp spt:3000
    0 0 ACCEPT udp -- * eth1 10.0.0.253 0.0.0.0/0 udp spt:3000
    0 0 ACCEPT udp -- * eth1 10.0.0.253 0.0.0.0/0 udp spt:1194
    0 0 ACCEPT tcp -- * eth1 10.0.0.253 0.0.0.0/0 tcp spt:2222
    0 0 ACCEPT tcp -- * eth1 10.0.0.253 0.0.0.0/0 tcp spt:81
    38364 3137K ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0

    Chain DROP-lan (0 references)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
  • Accepted Answer

    Thursday, October 29 2015, 12:19 PM - #Permalink
    Resolved
    0 votes
    I don't understand. Same LAN traffic does not hit the firewall. It passes straight from switch port to switch port not even touching ClearOS. What is the output of:
    iptables -nvL
    and please put the results between code tags (hit the "code" button above the reply box).