Hello, I have not been able to get my ICMP admin prohibited message back out of my bridging firewall.

Logging the packets as they transition through the machine I get:

Sep 11 11:34:34 loathing kernel: ICMP-Admin-Prohibited: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=xxx.xxx.223.129 DST=xxx.xxx.88.63 LEN=60 TOS=0x00 PREC=0x00 TTL=123 ID=2624 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=768

This log message is generated by the following set of iptables rules:

###############################################################################
# Reject with ICMP Admin Prohibited
echo " ------------------------------------"
echo " Reject ICMP with Admin Prohibited to our LAN"
if [ "$LOG_ALL" = "1" ]; then
    $IPT -A FORWARD -d $LAN_ADDRESSES -p icmp --icmp-type echo-request -j LOG --log-level 6 --log-prefix "ICMP-Admin-Prohibited: "
fi
$IPT -A FORWARD -d $LAN_ADDRESSES -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-admin-prohibited

This appears to be working as expected: the messages are being rejected and a reply is generated. It appears that the newly generated ICMP reply is returning back through the firewall over the bridge interface.

NOTE: See the description of the interfaces below...

Sep 11 11:34:34 loathing kernel: xxx.xxx.88.2-ICMP-(ACCEPT): IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=xxx.xxx.88.2 DST=xxx.xxx.223.129 LEN=88 TOS=0x00 PREC=0xC0 TTL=255 ID=65058 PROTO=ICMP TYPE=3 CODE=13 [SRC=xxx.xxx.223.129 DST=xxx.xxx.88.63 LEN=60 TOS=0x00 PREC=0x00 TTL=123 ID=2624 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=768 ]

In my rules I check for packets with INVALID state and then drop them.

NOTE: I am basing my firewall on the two books, Linux Firewalls Second Edition by Robert L. Ziegler, and Red Hat Linux Firewalls by Bill McCarty.

This is the point where I am confused: I don't understand why the following --state INVALID -j DROP commands are dropping my ICMP replies. These have been in my firewall rules for some time and are only causing a problem with trying to change the ICMP replies.

###############################################################
echo " Allow Special replies for ICMP"
if [ "$LOG_ALL" = "1" ]; then
    $IPT -A FORWARD -s xxx.xxx.88.2 -p icmp -j LOG --log-level 6 --log-prefix "xxx.xxx.88.2-ICMP-(ACCEPT): "
fi
#$IPT -A FORWARD -s xxx.xxx.88.2 -p icmp -j ACCEPT
###############################################################
echo " Initializing State Rules for Rejection"
if [ "$LOG_ALL" = "1" ]; then
    $IPT -A FORWARD -m state --state INVALID -j LOG --log-level 6 --log-prefix "INVALID-STATE-(DROP): "
    $IPT -A INPUT -m state --state INVALID -j LOG --log-level 6 --log-prefix "INVALID-STATE-IN-(DROP): "
    $IPT -A OUTPUT -m state --state INVALID -j LOG --log-level 6 --log-prefix "INVALID-STATE-OUT-(DROP): "
fi
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP
###############################################################

The messages in the logs report the following INVALID state drop messages. If I try and ping a machine that I don't want people to ping you get a reply, but why the invalid state?

Sep 11 11:34:34 loathing kernel: INVALID-STATE-(DROP): IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=xxx.xxx.88.2 DST=xxx.xxx.223.129 LEN=88 TOS=0x00 PREC=0xC0 TTL=255 ID=65058 PROTO=ICMP TYPE=3 CODE=13 [SRC=xxx.xxx.223.129 DST=xxx.xxx.88.63 LEN=60 TOS=0x00 PREC=0x00 TTL=123 ID=2624 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=768 ]

-------------------------------------------------------------------

My firewall is set up with the following interfaces:

"eth2" This is the interface for connecting using ssh. In general no other traffic is allowed out this interface. The other allowed traffic is the ICMP admin prohibited traffic, because this is the only interface with an IP address.
NOTE: that currently this interface is connected to the protected side of the firewall; I have considered that it could be moved to the other side.

------------------------------
The interfaces are used in the firewall rules by checking the direction of the packet as it transits the interfaces, for example:

$IPT -A FORWARD -i eth0 -o eth1 ....
------------------------------

"eth0" This is the interface that faces the Cisco router; it is the outside network. This interface faces the world.
"eth1" This is the interface to the building; it is the interface with the machines that are being protected.
"br0" This interface is the bridge between "eth1" and "eth0"; it is used to manage the packets between the outside and the inside.
"lo" The localhost interface used by the machine itself to talk to itself.

--------------------------------------
[root@loathing root]# ifconfig
br0       Link encap:Ethernet  HWaddr 00:04:75:8D:F0:BB
          inet6 addr: fe80::204:75ff:fe8d:f0bb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:475770 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:33858703 (32.2 Mb)  TX bytes:378 (378.0 b)

eth0      Link encap:Ethernet  HWaddr 00:04:75:8D:F0:BB
          inet6 addr: fe80::204:75ff:fe8d:f0bb/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:3494735 errors:0 dropped:0 overruns:1 frame:0
          TX packets:3231853 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3225387150 (3075.9 Mb)  TX bytes:715540757 (682.3 Mb)
          Interrupt:5 Base address:0xdc00

eth1      Link encap:Ethernet  HWaddr 00:50:BA:BD:C3:2B
          inet6 addr: fe80::250:baff:febd:c32b/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:26025681 errors:10 dropped:0 overruns:0 frame:0
          TX packets:3491400 errors:0 dropped:0 overruns:2 carrier:0
          collisions:252750 txqueuelen:1000
          RX bytes:2982031197 (2843.8 Mb)  TX bytes:3224679262 (3075.2 Mb)
          Interrupt:10 Base address:0xc000

eth2      Link encap:Ethernet  HWaddr 00:10:DC:33:E9:C6
          inet addr:xxx.xxx.88.2  Bcast:xxx.xxx.95.255  Mask:255.255.248.0
          inet6 addr: fe80::210:dcff:fe33:e9c6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:308904 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1457 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:27528489 (26.2 Mb)  TX bytes:352337 (344.0 Kb)
          Interrupt:11 Base address:0xe400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:140 (140.0 b)  TX bytes:140 (140.0 b)

----------------------------------
Linux version 2.6.3-7mdk (nplanel@xxxxxxxxxxxxxxxxxxx) (gcc version 3.3.2 (Mandrake Linux 10.0 3.3.2-6mdk)) #1 Wed Mar 17 15:56:42 CET 2004

------------------------------
Module                  Size  Used by
ipt_multiport           1856  16
ipt_state               1728  151
ipt_REJECT              6464  1
ip_conntrack_ftp       71668  0
ipt_LOG                 5312  60
iptable_mangle          2624  0
iptable_nat            23116  0
ip_conntrack           31152  3 ipt_state,ip_conntrack_ftp,iptable_nat
iptable_filter          2624  1
ip_tables              16704  7 ipt_multiport,ipt_state,ipt_REJECT,ipt_LOG,iptable_mangle,iptable_nat,iptable_filter
bridge                 33780  0

------------------------
[root@loathing root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.xxx.88.0    *               255.255.248.0   U     0      0        0 eth2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         xxx.xxx.88.1    0.0.0.0         UG    0      0        0 eth2
[root@loathing root]#
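The following is an added illustration, not code from the post or from netfilter itself. It parses LOG lines shaped like the two in the post (the bracketed part of an ICMP error line is the header of the packet the error is about) and replays them through a deliberately tiny model of conntrack. The model rests on one assumption about netfilter's behaviour: an ICMP error is RELATED only when the header it carries matches a confirmed conntrack entry, and an entry is only confirmed once the original packet is accepted and leaves the box, which a REJECTed echo-request never does, so its error reply matches nothing and is classed INVALID. The sample lines use documentation-range addresses in place of the poster's xxx.xxx ones; MiniConntrack, classify_log and the field names are this example's own.

```python
"""Replay iptables LOG lines through a simplified model of conntrack's ICMP handling.

Added illustration, not the kernel's code: one rule only, 'an ICMP error is
RELATED if the header it carries matches a confirmed entry, otherwise INVALID'.
"""
import re

# Constructed sample lines shaped like the two LOG lines in the post;
# the addresses are documentation-range placeholders, not the poster's.
SAMPLE_LOG = [
    "Sep 11 11:34:34 loathing kernel: ICMP-Admin-Prohibited: IN=br0 OUT=br0 "
    "PHYSIN=eth0 PHYSOUT=eth1 SRC=198.51.100.129 DST=192.0.2.63 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=123 ID=2624 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=768",
    "Sep 11 11:34:34 loathing kernel: INVALID-STATE-(DROP): IN=br0 OUT=br0 "
    "PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.2 DST=198.51.100.129 LEN=88 TOS=0x00 "
    "PREC=0xC0 TTL=255 ID=65058 PROTO=ICMP TYPE=3 CODE=13 [SRC=198.51.100.129 "
    "DST=192.0.2.63 LEN=60 TOS=0x00 PREC=0x00 TTL=123 ID=2624 PROTO=ICMP TYPE=8 "
    "CODE=0 ID=1024 SEQ=768 ]",
]

LINE_RE = re.compile(r"kernel: (?P<prefix>.*?): (?P<body>IN=.*)$")
PAIR_RE = re.compile(r"([A-Z]+)=(\S+)")


def parse_fields(text):
    """'SRC=a DST=b ... ID=x ... ID=y' -> dict; a second ID= is the ICMP echo id."""
    fields = {}
    for key, val in PAIR_RE.findall(text):
        if key in fields:          # IP header ID comes first, ICMP echo ID second
            key = "ICMP_" + key
        fields[key] = val
    return fields


def parse_log_line(line):
    """Parse one LOG line, including the bracketed header an ICMP error carries."""
    m = LINE_RE.search(line)
    if not m:
        return None
    body, inner = m.group("body"), None
    if "[" in body:                # ICMP error: the offending packet's header follows
        body, inner_text = body.split("[", 1)
        inner = parse_fields(inner_text.rstrip(" ]"))
    rec = parse_fields(body)
    rec["prefix"], rec["inner"] = m.group("prefix"), inner
    return rec


def flow_tuple(fields):
    """Conntrack-style tuple for ICMP echo: (src, dst, proto, echo id)."""
    return (fields["SRC"], fields["DST"], fields["PROTO"], fields.get("ICMP_ID"))


class MiniConntrack:
    """Hypothetical model: confirmed entries plus error classification, nothing else."""

    def __init__(self):
        self.confirmed = set()

    def classify(self, rec):
        if rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "3":   # dest unreachable
            inner = rec["inner"]
            if inner is None:
                return "INVALID"
            t = flow_tuple(inner)
            reverse = (t[1], t[0], t[2], t[3])
            return "RELATED" if t in self.confirmed or reverse in self.confirmed else "INVALID"
        return "ESTABLISHED" if flow_tuple(rec) in self.confirmed else "NEW"

    def confirm(self, rec):
        """Called only when the packet is accepted and leaves; REJECT never gets here."""
        self.confirmed.add(flow_tuple(rec))


def classify_log(lines, echo_verdict):
    """Replay LOG lines with echo-requests either ACCEPTed or REJECTed.

    Returns a list of (log prefix, conntrack state) pairs, one per line.
    """
    ct, result = MiniConntrack(), []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        state = ct.classify(rec)
        result.append((rec["prefix"], state))
        if state == "NEW" and echo_verdict == "ACCEPT":
            ct.confirm(rec)
    return result


if __name__ == "__main__":
    for verdict in ("REJECT", "ACCEPT"):
        print(verdict, classify_log(SAMPLE_LOG, verdict))
```

Running it shows the same pair of lines classed INVALID when the echo-request is REJECTed and RELATED when it is ACCEPTed, which is what makes the post's own admin-prohibited reply fall through to the --state INVALID -j DROP rule rather than being treated as a reply to a tracked flow.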