Open soundart opened 8 months ago
The curly brackets are not correct
OPEN_TCP="{ens3,wg0}#22 ...
I would not use OPEN_TCP / OPEN_UDP for the wireguard interfaces, but rather NAT_FORWARD_TCP / NAT_FORWARD_UDP to reach the NAT_INTERNAL_NET from the external interface.
Thank you. I tried NAT_FORWARD_TCP last weekend and yesterday, but somehow I am mentally stuck.
The machine is a single machine in a data center. It has four interfaces: lo, eth0, wg0, wg1
My problem: What is INTERNAL_NET in this case? I tried 127.0.0.1 and I had the impression that this net is special. At least the manual tests with the wireguard client of my telephone did not succeed, but I might have messed up.
Is 127.0.0.1 a good choice?
Do I have to set:
# (EXPERT SETTING!) Enable this if you want to be able to redirect local ports
# or protocols on your gateway using NAT forwards.
# ------------------------------------------------------------------------------
NAT_LOCAL_REDIRECT=0
If I want to allow access from the external interface wg0 to port 22 of the internal net? What exactly is a local port? I have some services listening on all interfaces, like ssh. It is listening on 0.0.0.0:22
The machine is a single machine in a data center. It has four interfaces: lo, eth0, wg0, wg1
Given that info, try something like:
EXT_IF="eth0"
EXT_IF_DHCP_IP=1
INT_IF="wg0 wg1"
INTERNAL_NET="10.0.0.0/24 10.0.1.0/24"
(Optional) Only if Wireguard traffic needs to go outbound, outside of tunnel:
NAT=1
NAT_INTERNAL_NET="10.0.0.0/24 10.0.1.0/24"
Then to allow inbound Wireguard to wg0 (ex. port 51820)
Note: Adjust 0/0 to a more restrictive range if desired.
HOST_OPEN_UDP="0/0~51820"
This should allow you to use an external Wireguard peer to connect to your Wireguard instance and SSH over the tunnel.
Try little steps at a time.
Hi,
I experimented a bit more and did not achieve the level of separation I want.
Basically ports are reachable on the internal_net, where I do not expect them.
If I scan the internal address 10.0.1.1 (interface wg1) of the server from my laptop, I see:
nmap -p 22-9000 10.0.1.1
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-01 21:42 CEST
Nmap scan report for 10.0.1.1
Host is up (0.029s latency).
PORT STATE SERVICE
22/tcp open ssh
8443/tcp open https-alt
8444/tcp open pcsync-http
8446/tcp open unknown
8447/tcp open unknown
8448/tcp open unknown
8449/tcp open unknown
I currently have this configured with regard to wg1 and ssh:
OPEN_TCP="ens3,wg0#22 ens3,wg0#53 ens3#8443 ens3#8444:8449"
INT_IF="wg0 wg1"
INTERNAL_NET="10.0.0.0/24 10.0.1.0/24"
I did an iptables-save -f /tmp/xx of the iptables config and:
# rg 22 /tmp/xx
126:-A EXT_INPUT_CHAIN -i ens3 -p tcp -m tcp --dport 22 -j ACCEPT
127:-A EXT_INPUT_CHAIN -i wg0 -p tcp -m tcp --dport 22 -j ACCEPT
140:-A EXT_INPUT_CHAIN -d 224.0.0.0/4 -j EXT_MULTICAST_CHAIN
I thought port 22 would be open on ens3 and wg0, but not on wg1.
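Grepping the save file for the port number only shows the rules that name port 22; it does not show which chain packets arriving on wg1 are sent to in the first place, which is what decides whether the EXT_INPUT_CHAIN rules are ever consulted for that interface. The script below is an added example, not part of this issue or of arno-iptables-firewall. It runs over a constructed iptables-save excerpt in which the three EXT_INPUT_CHAIN lines are the ones quoted above, while the INPUT dispatch rules and the INT_INPUT_CHAIN rule are assumptions about how an internal-interface policy might look. Point the functions at the output of `iptables-save` on the firewall to check the real policy.

```shell
#!/bin/sh
# Added example: trace which INPUT chain handles a given interface and
# where a TCP port is accepted, from an iptables-save dump.

# Constructed sample. The three EXT_INPUT_CHAIN lines are the ones quoted
# in the thread; the INPUT dispatch rules and INT_INPUT_CHAIN are an
# assumption about how an internal-interface policy might look, not
# arno-iptables-firewall's real rules.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:EXT_INPUT_CHAIN - [0:0]
:INT_INPUT_CHAIN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i wg0 -s 10.0.0.0/24 -j INT_INPUT_CHAIN
-A INPUT -i wg1 -s 10.0.1.0/24 -j INT_INPUT_CHAIN
-A INPUT -i ens3 -j EXT_INPUT_CHAIN
-A EXT_INPUT_CHAIN -i ens3 -p tcp -m tcp --dport 22 -j ACCEPT
-A EXT_INPUT_CHAIN -i wg0 -p tcp -m tcp --dport 22 -j ACCEPT
-A EXT_INPUT_CHAIN -d 224.0.0.0/4 -j EXT_MULTICAST_CHAIN
-A INT_INPUT_CHAIN -j ACCEPT
COMMIT'

# Print the jump targets of INPUT rules that match packets arriving on $2.
# $1 = iptables-save file, $2 = interface name
input_chains_for_iface() {
  awk -v ifc="$2" '
    $1 == "-A" && $2 == "INPUT" {
      hit = 0; tgt = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-i" && $(i + 1) == ifc) hit = 1
        if ($i == "-j") tgt = $(i + 1)
      }
      if (hit) print tgt
    }' "$1"
}

# Print every rule in $1 that ACCEPTs TCP destination port $2, in any chain.
accepts_for_tcp_port() {
  grep -E -- "^-A [^ ]+ .*-p tcp .*--dport $2( |$).*-j ACCEPT$" "$1"
}

# Print every rule in chain $2 of $1 that does not restrict the input
# interface: such a rule applies to wg1 traffic without ever naming wg1.
unrestricted_rules_in_chain() {
  grep -E -- "^-A $2 " "$1" | grep -v -- ' -i '
}

# Demo against the constructed sample; replace the temp file with
# `iptables-save > /tmp/rules` from the firewall to check the real policy.
f=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$f"
for ifc in ens3 wg0 wg1; do
  echo "== $ifc is dispatched to: $(input_chains_for_iface "$f" "$ifc" | tr '\n' ' ')"
done
echo "== ACCEPT rules for tcp/22:"
accepts_for_tcp_port "$f" 22
echo "== rules in INT_INPUT_CHAIN without an interface match:"
unrestricted_rules_in_chain "$f" INT_INPUT_CHAIN
rm -f "$f"
```

On the sample, wg1 is dispatched to INT_INPUT_CHAIN and no port-22 ACCEPT rule names wg1, so a reachable port 22 on wg1 has to come from a rule in the chain wg1 actually traverses, not from OPEN_TCP; the same three questions (which chain, which ACCEPTs, which rules are interface-agnostic) apply to the real dump.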
Hi,
I would like to have several internal nets, wg0 10.0.0.0/24 and wg1 10.0.1.0/24, which are isolated from each other and have different configurations with regard to NAT.
I am using the debian package arno-iptables-firewall 2.1.1-2
Both wg0/wg1 nets are created by wireguard
My debian managed config is:
cat conf.d/00debconf.conf | grep -v ^

```
EXT_IF="ens3"
EXT_IF_DHCP_IP=1
OPEN_TCP="{ens3,wg0}#22 {ens3,wg0}#53 ens3#8443 ens3#8444:8449"
OPEN_UDP="{ens3,wg0}#53 ens3#443 ens3#444 ens3#8443"
INT_IF="wg0 wg1"
NAT=1
INTERNAL_NET="10.0.0.0/24 10.0.1.0/24"
NAT_INTERNAL_NET="10.0.0.0/24"
HOST_OPEN_UDP="10.0.0.1~53"
HOST_OPEN_TCP="10.0.0.1~53"
OPEN_ICMP=0
```
This does not seem to work:
a) I do not want port 22 to be open on wg1
But nmap reports:

```
nmap 10.0.1.1
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-28 10:44 CET
Nmap scan report for 10.0.1.1
Host is up (0.025s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
8443/tcp open https-alt
```
/usr/sbin/arno-iptables-firewall status shows:
```
Chain EXT_INPUT_CHAIN (2 references)
 pkts bytes target                prot opt in     out  source      destination
    0     0 LOG                   tcp  --  *      *    0.0.0.0/0   0.0.0.0/0   tcp dpt:0 limit: avg 6/hour burst 1 LOG flags 0 level 7 prefix "AIF:Port 0 OS fingerprint: "
    0     0 LOG                   udp  --  *      *    0.0.0.0/0   0.0.0.0/0   udp dpt:0 limit: avg 6/hour burst 1 LOG flags 0 level 7 prefix "AIF:Port 0 OS fingerprint: "
    0     0 POST_INPUT_DROP_CHAIN tcp  --  *      *    0.0.0.0/0   0.0.0.0/0   tcp dpt:0
    0     0 POST_INPUT_DROP_CHAIN udp  --  *      *    0.0.0.0/0   0.0.0.0/0   udp dpt:0
    0     0 LOG                   tcp  --  *      *    0.0.0.0/0   0.0.0.0/0   tcp spt:0 limit: avg 6/hour burst 5 LOG flags 0 level 7 prefix "AIF:TCP source port 0: "
    0     0 LOG                   udp  --  *      *    0.0.0.0/0   0.0.0.0/0   udp spt:0 limit: avg 6/hour burst 5 LOG flags 0 level 7 prefix "AIF:UDP source port 0: "
    0     0 POST_INPUT_DROP_CHAIN tcp  --  *      *    0.0.0.0/0   0.0.0.0/0   tcp spt:0
    0     0 POST_INPUT_DROP_CHAIN udp  --  *      *    0.0.0.0/0   0.0.0.0/0   udp spt:0
    0     0 ACCEPT                udp  --  *      *    0.0.0.0/0   0.0.0.0/0   udp spt:67 dpt:68
    0     0 ACCEPT                tcp  --  *      *    10.0.0.1    0.0.0.0/0   tcp dpt:53
    0     0 ACCEPT                udp  --  *      *    10.0.0.1    0.0.0.0/0   udp dpt:53
    0     0 ACCEPT                tcp  --  {ens3  *    0.0.0.0/0   0.0.0.0/0   tcp dpt:22
    0     0 ACCEPT                tcp  --  wg0}   *    0.0.0.0/0   0.0.0.0/0   tcp dpt:22
    0     0 ACCEPT                tcp  --  {ens3  *    0.0.0.0/0   0.0.0.0/0   tcp dpt:53
    0     0 ACCEPT                tcp  --  wg0}   *    0.0.0.0/0   0.0.0.0/0   tcp dpt:53
    0     0 ACCEPT                tcp  --  ens3   *    0.0.0.0/0   0.0.0.0/0   tcp dpt:8443
    0     0 ACCEPT                tcp  --  ens3   *    0.0.0.0/0   0.0.0.0/0   tcp dpts:8444:8449
    0     0 ACCEPT                udp  --  {ens3  *    0.0.0.0/0   0.0.0.0/0   udp dpt:53
    0     0 ACCEPT                udp  --  wg0}   *    0.0.0.0/0   0.0.0.0/0   udp dpt:53
    0     0 ACCEPT                udp  --  ens3   *    0.0.0.0/0   0.0.0.0/0   udp dpt:443
    0     0 ACCEPT                udp  --  ens3   *    0.0.0.0/0   0.0.0.0/0   udp dpt:444
    0     0 ACCEPT                udp  --  ens3   *    0.0.0.0/0   0.0.0.0/0   udp dpt:8443
    0     0 POST_INPUT_DROP_CHAIN tcp  --  *      *    0.0.0.0/0   0.0.0.0/0   tcp flags:!0x17/0x02
    0     0 EXT_BROADCAST_CHAIN   all  --  *      *    0.0.0.0/0   255.255.255.255
    0     0 EXT_BROADCAST_CHAIN   all  --  *      *    0.0.0.0/0   46.38.251.255
    0     0 EXT_MULTICAST_CHAIN   all  --  *      *    0.0.0.0/0   224.0.0.0/4
    0     0 LOG                   2    --  *      *    0.0.0.0/0   0.0.0.0/0   limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "AIF:IGMP packet: "
    9   464 POST_INPUT_CHAIN      all  --  *      *    0.0.0.0/0   0.0.0.0/0
```
This looks quite wrong with the curly brackets. I see no error reported by the tool. If I change the config to
OPEN_TCP="ens3,wg0#22 ens3,wg0#53 ens3#8443 ens3#8444:8449"
then nmap still reports port 22 open on the wg1 network
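Scanning each tunnel address from a peer, as done above, is the right test of the per-interface policy (scanning 10.0.1.1 from the server itself would go over lo and prove nothing about wg1). What turns it into a repeatable check is comparing the scan result against the ports that are meant to be reachable on that address. The script below is an added example, not part of this issue or of arno-iptables-firewall: it parses nmap's grepable output (`-oG`) and prints every open TCP port on a host that is not on that host's allow list. The sample scan is constructed to mirror the result quoted above for 10.0.1.1; the wg0 result for 10.0.0.1 and the per-interface allow lists are assumptions for the demo.

```shell
#!/bin/sh
# Added example: diff an nmap grepable scan of each interface address
# against the ports intended to be reachable there.

# Constructed sample in nmap -oG format (real output separates the fields
# with tabs; the parser accepts tabs or spaces). 10.0.1.1 mirrors the scan
# quoted in the issue; 10.0.0.1 is an assumed wg0 result. Generate the real
# file from a peer on each tunnel with:
#   nmap -p 22-9000 -oG scan.gnmap 10.0.0.1 10.0.1.1
SAMPLE_SCAN='# Nmap 7.93 scan initiated as: nmap -p 22-9000 -oG scan.gnmap 10.0.0.1 10.0.1.1
Host: 10.0.0.1 ()  Status: Up
Host: 10.0.0.1 ()  Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///  Ignored State: closed (8977)
Host: 10.0.1.1 ()  Status: Up
Host: 10.0.1.1 ()  Ports: 22/open/tcp//ssh///, 8443/open/tcp//https-alt///  Ignored State: closed (8977)
# Nmap done'

# Print the open TCP ports that the grepable scan $1 reports for host $2.
open_tcp_ports() {
  awk -v host="$2" '
    index($0, "Host: " host " ") == 1 && index($0, "Ports: ") > 0 {
      s = substr($0, index($0, "Ports: ") + 7)
      sub(/[ \t]*Ignored State:.*$/, "", s)
      n = split(s, entry, ", ")
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")      # port/state/proto/owner/service/...
        if (f[2] == "open" && f[3] == "tcp") print f[1]
      }
    }' "$1"
}

# Print open TCP ports on host $2 (from scan $1) that are not in the
# space-separated allow list $3; an empty list means nothing may be open.
unexpected_open_ports() {
  for port in $(open_tcp_ports "$1" "$2"); do
    case " $3 " in
      *" $port "*) ;;
      *) echo "$port" ;;
    esac
  done
}

# Demo: intended policy per interface address (assumed for the demo):
# ssh and DNS on wg0, nothing at all on wg1.
f=$(mktemp)
printf '%s\n' "$SAMPLE_SCAN" > "$f"
for spec in "wg0 10.0.0.1 22 53" "wg1 10.0.1.1"; do
  set -- $spec
  ifc=$1; host=$2; shift 2
  bad=$(unexpected_open_ports "$f" "$host" "$*" | tr '\n' ' ')
  if [ -n "$bad" ]; then
    echo "$ifc ($host): unexpected open tcp ports: $bad"
  else
    echo "$ifc ($host): matches policy"
  fi
done
rm -f "$f"
```

Re-run the scan and the check after every change to the firewall config; a change that is supposed to close port 22 on wg1 is only done when the wg1 line reports "matches policy".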