ClearOS Bug Tracker


View Revisions: Issue #22711
Summary 0022711: Firewall rules are wrong if more than one NIC is HotLAN
Revision 2019-02-16 08:00 by NickH
Description: If you have two or more HotLANs the FORWARD firewall rules are wrong:
enp0s3 = WAN
enp0s8 = LAN
enp0s9 = HotLAN
enp0s10 = HotLAN
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- enp0s10 enp0s8 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s10 enp0s8 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s8 enp0s10 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 enp0s8 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s9 enp0s8 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s8 enp0s9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 * 0.0.0.0/0 0.0.0.0/0

In this case enp0s9 can access enp0s10 which it should not be able to do. These rules can be simplified to make it easier to apply to multiple HotLANs. All that is needed is multiple rules like:
iptables -I FORWARD -i hotlan_if_x -o other_LAN_if -m state --state NEW -j DROP
# -i matches the inbound interface (-s would expect a source address, not an interface name)
You would need to loop through the above rule for each in-interface hotlan_if_x, setting rules for every other out-interface LAN/HotLAN/DMZ interface.

You don't need the "state RELATED,ESTABLISHED" rules as they are covered by the standard rule further down the chain:
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

You don't need the ALLOW rules from LAN to any HotLAN as these are allowed further down the chain:
    0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0

The rules for the HotLAN interfaces at the end will only allow traffic out to the internet as the earlier DROP rules stop you accessing the other LANs.

Alternative solution:

Possibly even easier would be to not create any DROP rules. But for the default rules at the end, only create rules like:
    0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 * 0.0.0.0/0 0.0.0.0/0

for LAN interfaces.

For HotLAN interfaces create rules like:
iptables -A FORWARD -i hotlan_if_x -o WAN_if_x -j ACCEPT

For each HotLAN interface you'd need to loop over all external interfaces. DROP rules would not then be needed as the default chain action is to DROP all unmatched packets.
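A first-match model of the FORWARD chain listed above, as an added example that is not part of the report or of ClearOS: it reproduces the accepted enp0s9 to enp0s10 path in the reported rule set, generates the two simplified rule sets described in the report (DROP rules inserted ahead of the defaults, and ACCEPT-only rules relying on the chain policy), and checks that neither lets a HotLAN open new connections into a LAN or another HotLAN. The Rule/verdict model, the interface role lists, the rendered command lines and the reduction of conntrack state to one label per packet are this example's own assumptions.

```python
"""First-match model of the iptables FORWARD chain used to check the rule sets
in this report. Added example, not ClearOS code; interface roles and the
one-label-per-packet conntrack state are assumptions of this model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    target: str                       # "ACCEPT" or "DROP"
    in_if: str = "*"                  # -i: "*" any, trailing "+" prefix match
    out_if: str = "*"                 # -o
    state: frozenset = frozenset()    # -m state --state ...; empty = any state

    def matches(self, in_if, out_if, state):
        return (_if_match(self.in_if, in_if) and _if_match(self.out_if, out_if)
                and (not self.state or state in self.state))


def _if_match(pattern, name):
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def verdict(chain, in_if, out_if, state="NEW", policy="DROP"):
    """The first matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(in_if, out_if, state):
            return rule.target
    return policy


RE = frozenset({"RELATED", "ESTABLISHED"})
NEW = frozenset({"NEW"})

# The chain as listed in the report: enp0s3 WAN, enp0s8 LAN, enp0s9/enp0s10 HotLAN.
REPORTED_CHAIN = [
    Rule("ACCEPT", "enp0s10", "enp0s8", RE),
    Rule("DROP",   "enp0s10", "enp0s8"),
    Rule("ACCEPT", "enp0s8",  "enp0s10"),
    Rule("ACCEPT", "enp0s10", "enp0s9", RE),
    Rule("DROP",   "enp0s10", "enp0s9"),
    Rule("ACCEPT", "enp0s9",  "enp0s10"),   # enp0s9 treated as a LAN here: HotLAN->HotLAN accepted
    Rule("ACCEPT", "enp0s9",  "enp0s8", RE),
    Rule("DROP",   "enp0s9",  "enp0s8"),
    Rule("ACCEPT", "enp0s8",  "enp0s9"),
    Rule("ACCEPT", "enp0s9",  "enp0s10", RE),
    Rule("DROP",   "enp0s9",  "enp0s10"),   # never reached for NEW: rule 6 already matched
    Rule("ACCEPT", "enp0s10", "enp0s9"),
    Rule("ACCEPT", "*", "*", RE),
    Rule("ACCEPT", "pptp+", "*"),
    Rule("ACCEPT", "tun+", "*"),
    Rule("ACCEPT", "enp0s8", "*"),
    Rule("ACCEPT", "enp0s10", "*"),
    Rule("ACCEPT", "enp0s9", "*"),
]


def drop_first_chain(wans, lans, hotlans):
    """First proposal: a NEW-state DROP for every (HotLAN in, other internal out)
    pair placed ahead of the existing default rules, which are kept unchanged."""
    internal = list(lans) + list(hotlans)
    chain = [Rule("DROP", h, o, NEW) for h in hotlans for o in internal if o != h]
    chain.append(Rule("ACCEPT", "*", "*", RE))
    chain += [Rule("ACCEPT", i, "*") for i in internal]
    return chain


def accept_only_chain(wans, lans, hotlans):
    """Alternative proposal: no DROP rules. LAN keeps its catch-all ACCEPT, each
    HotLAN gets ACCEPT only towards each WAN interface, the DROP policy does the rest."""
    chain = [Rule("ACCEPT", "*", "*", RE)]
    chain += [Rule("ACCEPT", lan, "*") for lan in lans]
    chain += [Rule("ACCEPT", h, w) for h in hotlans for w in wans]
    return chain


def policy_violations(chain, lans, hotlans):
    """(in, out) pairs where a HotLAN can open a NEW connection into a LAN or
    another HotLAN; a correctly isolated setup returns an empty list."""
    internal = list(lans) + list(hotlans)
    return [(h, o) for h in hotlans for o in internal
            if o != h and verdict(chain, h, o, "NEW") == "ACCEPT"]


def to_iptables(chain):
    """Render a chain as the iptables -A commands that build it in order."""
    cmds = []
    for r in chain:
        parts = ["iptables", "-A", "FORWARD"]
        if r.in_if != "*":
            parts += ["-i", r.in_if]
        if r.out_if != "*":
            parts += ["-o", r.out_if]
        if r.state:
            parts += ["-m", "state", "--state", ",".join(sorted(r.state))]
        parts += ["-j", r.target]
        cmds.append(" ".join(parts))
    return cmds


if __name__ == "__main__":
    wans, lans, hotlans = ["enp0s3"], ["enp0s8"], ["enp0s9", "enp0s10"]
    print("reported chain violations:", policy_violations(REPORTED_CHAIN, lans, hotlans))
    for name, chain in (("drop-first", drop_first_chain(wans, lans, hotlans)),
                        ("accept-only", accept_only_chain(wans, lans, hotlans))):
        print(name, "violations:", policy_violations(chain, lans, hotlans))
        print("\n".join(to_iptables(chain)))
```

Run against the reported chain, policy_violations returns only (enp0s9, enp0s10): the per-interface rule block generated for enp0s10 treats enp0s9 as an ordinary LAN and emits an unconditional ACCEPT for it, which sits above the DROP generated later for enp0s9. Both proposed chains return no violations while still accepting HotLAN to WAN, LAN to HotLAN, and RELATED,ESTABLISHED return traffic.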
Revision 2019-01-09 09:11 by NickH
Description: If you have two or more HotLANs the FORWARD firewall rules are wrong:
enp0s3 = WAN
enp0s8 = LAN
enp0s9 = HotLAN
enp0s10 = HotLAN
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- enp0s10 enp0s8 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s10 enp0s8 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s8 enp0s10 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 enp0s8 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s9 enp0s8 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s8 enp0s9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 * 0.0.0.0/0 0.0.0.0/0

In this case enp0s9 can access enp0s10 which it should not be able to do. These rules can be simplified to make it easier to apply to multiple HotLANs. All that is needed is multiple rules like:
iptables -I FORWARD -i hotlan_if_x -o other_LAN_if -m state --state NEW -j DROP
# -i matches the inbound interface (-s would expect a source address, not an interface name)
You would need to loop through the above rule for each in-interface hotlan_if_x, setting rules for every other out-interface LAN/HotLAN/DMZ interface.

You don't need the "state RELATED,ESTABLISHED" rules as they are covered by the standard rule further down the chain:
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

You don't need the ALLOW rules from LAN to any HotLAN as these are allowed further down the chain:
    0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0

The rules for the HotLAN interfaces at the end will only allow traffic out to the internet as the earlier DROP rules stop you accessing the other LANs.

Alternative solution:

Possibly even easier would be to not create any DROP rules. But for the default rules at the end, only create rules like:
    0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 * 0.0.0.0/0 0.0.0.0/0

for LAN interfaces.

For HotLAN interfaces create rules like:
iptables -A FORWARD -i hotlan_if_x -o WAN_if_x -j ACCEPT
# -i matches the inbound interface (-s would expect a source address, not an interface name)

For each HotLAN interface you'd need to loop over all external interfaces. DROP rules would not then be needed as the default chain action is to DROP all unmatched packets.
Revision 2019-01-09 08:10 by NickH
Description: If you have two or more HotLANs the FORWARD firewall rules are wrong:
enp0s3 = WAN
enp0s8 = LAN
enp0s9 = HotLAN
enp0s10 = HotLAN
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- enp0s10 enp0s8 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s10 enp0s8 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s8 enp0s10 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 enp0s8 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s9 enp0s8 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s8 enp0s9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 * 0.0.0.0/0 0.0.0.0/0

In this case enp0s9 can access enp0s10 which it should not be able to do. These rules can be simplified to make it easier to apply to multiple HotLANs. All that is needed is multiple rules like:
iptables -I FORWARD -i hotlan_if_x -o other_LAN_if -m state --state NEW -j DROP
# -i matches the inbound interface (-s would expect a source address, not an interface name)
You would need to loop through the above rule for each in-interface hotlan_if_x, setting rules for every other out-interface LAN/HotLAN/DMZ interface.

You don't need the "state RELATED,ESTABLISHED" rules as they are covered by the standard rule further down the chain:
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

You don't need the ALLOW rules from LAN to any HotLAN as these are allowed further down the chain:
    0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0

The rules for the HotLAN interfaces at the end will only allow traffic out to the internet as the earlier DROP rules stop you accessing the other LANs.