arno-iptables-firewall / aif

GNU General Public License v2.0

TCP_OPEN restrict to certain interfaces #100

Open soundart opened 4 months ago

soundart commented 4 months ago

Hi,

I would like to have several internal nets wg0 10.0.0.0/24 ,wg1 10.0.1.0/24 which are isolated from each other and have different configuration wrt to NAT.

I am using the debian package arno-iptables-firewall 2.1.1-2

Both wg0/wg1 nets are created by wireguard

```
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1300 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
7: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1300 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.0.1.1/24 scope global wg1
       valid_lft forever preferred_lft forever
```

My debian managed config is:

```
cat conf.d/00debconf.conf | grep -v ^

EXT_IF="ens3"
EXT_IF_DHCP_IP=1
OPEN_TCP="{ens3,wg0}#22 {ens3,wg0}#53 ens3#8443 ens3#8444:8449"
OPEN_UDP="{ens3,wg0}#53 ens3#443 ens3#444 ens3#8443"
INT_IF="wg0 wg1"
NAT=1
INTERNAL_NET="10.0.0.0/24 10.0.1.0/24"
NAT_INTERNAL_NET="10.0.0.0/24"
HOST_OPEN_UDP="10.0.0.1~53"
HOST_OPEN_TCP="10.0.0.1~53"
OPEN_ICMP=0
```

This does not seem to work:

a) I do not want port 22 to be open on wg1

But nmap reports:

```
nmap 10.0.1.1

Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-28 10:44 CET
Nmap scan report for 10.0.1.1
Host is up (0.025s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
8443/tcp open  https-alt
```

`/usr/sbin/arno-iptables-firewall status` shows:

```
Chain EXT_INPUT_CHAIN (2 references)
 pkts bytes target                prot opt in     out   source      destination
    0     0 LOG                   tcp  --  0.0.0.0/0    0.0.0.0/0   tcp dpt:0 limit: avg 6/hour burst 1 LOG flags 0 level 7 prefix "AIF:Port 0 OS fingerprint: "
    0     0 LOG                   udp  --  0.0.0.0/0    0.0.0.0/0   udp dpt:0 limit: avg 6/hour burst 1 LOG flags 0 level 7 prefix "AIF:Port 0 OS fingerprint: "
    0     0 POST_INPUT_DROP_CHAIN tcp  --  0.0.0.0/0    0.0.0.0/0   tcp dpt:0
    0     0 POST_INPUT_DROP_CHAIN udp  --  0.0.0.0/0    0.0.0.0/0   udp dpt:0
    0     0 LOG                   tcp  --  0.0.0.0/0    0.0.0.0/0   tcp spt:0 limit: avg 6/hour burst 5 LOG flags 0 level 7 prefix "AIF:TCP source port 0: "
    0     0 LOG                   udp  --  0.0.0.0/0    0.0.0.0/0   udp spt:0 limit: avg 6/hour burst 5 LOG flags 0 level 7 prefix "AIF:UDP source port 0: "
    0     0 POST_INPUT_DROP_CHAIN tcp  --  0.0.0.0/0    0.0.0.0/0   tcp spt:0
    0     0 POST_INPUT_DROP_CHAIN udp  --  0.0.0.0/0    0.0.0.0/0   udp spt:0
    0     0 ACCEPT                udp  --  0.0.0.0/0    0.0.0.0/0   udp spt:67 dpt:68
    0     0 ACCEPT                tcp  --  10.0.0.1     0.0.0.0/0   tcp dpt:53
    0     0 ACCEPT                udp  --  10.0.0.1     0.0.0.0/0   udp dpt:53
    0     0 ACCEPT                tcp  --  {ens3  0.0.0.0/0   0.0.0.0/0   tcp dpt:22
    0     0 ACCEPT                tcp  --  wg0}   0.0.0.0/0   0.0.0.0/0   tcp dpt:22
    0     0 ACCEPT                tcp  --  {ens3  0.0.0.0/0   0.0.0.0/0   tcp dpt:53
    0     0 ACCEPT                tcp  --  wg0}   0.0.0.0/0   0.0.0.0/0   tcp dpt:53
    0     0 ACCEPT                tcp  --  ens3   0.0.0.0/0   0.0.0.0/0   tcp dpt:8443
    0     0 ACCEPT                tcp  --  ens3   0.0.0.0/0   0.0.0.0/0   tcp dpts:8444:8449
    0     0 ACCEPT                udp  --  {ens3  0.0.0.0/0   0.0.0.0/0   udp dpt:53
    0     0 ACCEPT                udp  --  wg0}   0.0.0.0/0   0.0.0.0/0   udp dpt:53
    0     0 ACCEPT                udp  --  ens3   0.0.0.0/0   0.0.0.0/0   udp dpt:443
    0     0 ACCEPT                udp  --  ens3   0.0.0.0/0   0.0.0.0/0   udp dpt:444
    0     0 ACCEPT                udp  --  ens3   0.0.0.0/0   0.0.0.0/0   udp dpt:8443
    0     0 POST_INPUT_DROP_CHAIN tcp  --  0.0.0.0/0    0.0.0.0/0   tcp flags:!0x17/0x02
    0     0 EXT_BROADCAST_CHAIN   all  --  0.0.0.0/0    255.255.255.255
    0     0 EXT_BROADCAST_CHAIN   all  --  0.0.0.0/0    46.38.251.255
    0     0 EXT_MULTICAST_CHAIN   all  --  0.0.0.0/0    224.0.0.0/4
    0     0 LOG                   2    --  0.0.0.0/0    0.0.0.0/0   limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "AIF:IGMP packet: "
    9   464 POST_INPUT_CHAIN      all  --  *      0.0.0.0/0   0.0.0.0/0
```

Which looks quite wrong with the curly brackets. I see no error reported by the tool. If I change the config to `OPEN_TCP="ens3,wg0#22 ens3,wg0#53 ens3#8443 ens3#8444:8449"`, then nmap still reports port 22 open on the wg1 network.

abelbeck commented 4 months ago

The curly brackets are not correct:

```
OPEN_TCP="{ens3,wg0}#22  ...
```

I would not use OPEN_TCP / OPEN_UDP for the wireguard interfaces, but rather NAT_FORWARD_TCP / NAT_FORWARD_UDP to reach the NAT_INTERNAL_NET from the external interface.

soundart commented 3 months ago

Thank you. I tried NAT_FORWARD_TCP last weekend and yesterday, but somehow I am mentally stuck.

The machine is a single machine in a data center. It has four interfaces: lo, eth0, wg0, wg1

My problem: What is INTERNAL_NET in this case? I tried 127.0.0.1 and I had the impression that this net is special. At least the manual tests with the WireGuard client on my telephone did not succeed, but I might have messed up.

Is 127.0.0.1 a good choice?

Do I have to set:

```
# (EXPERT SETTING!) Enable this if you want to be able to redirect local ports
# or protocols on your gateway using NAT forwards.
# ------------------------------------------------------------------------------
NAT_LOCAL_REDIRECT=0
```

if I want to allow access from the external interface wg0 to port 22 of the internal net? What exactly is a local port? I have some services listening on all interfaces, like ssh. It is listening on 0.0.0.0:22.

abelbeck commented 3 months ago

> The machine is a single machine in a data center. It has four interfaces: lo, eth0, wg0, wg1

Given that info, try something like:

```
EXT_IF="eth0"
EXT_IF_DHCP_IP=1
INT_IF="wg0 wg1"
INTERNAL_NET="10.0.0.0/24 10.0.1.0/24"
```

(Optional) Only if WireGuard traffic needs to go outbound, outside of the tunnel:

```
NAT=1
NAT_INTERNAL_NET="10.0.0.0/24 10.0.1.0/24"
```

Then, to allow inbound WireGuard to wg0 (ex. port 51820). Note: adjust 0/0 to a more restrictive range if desired.

```
HOST_OPEN_UDP="0/0~51820"
```

This should allow you to use an external Wireguard peer to connect to your Wireguard instance and SSH over the tunnel.

Try little steps at a time.

soundart commented 3 months ago

Hi,

I experimented a bit more and did not achieve the level of separation I want.

Basically ports are reachable on the internal_net, where I do not expect them.

If I scan the internal address 10.0.1.1 (interface wg1 of the server) from my laptop, I see:

```
nmap -p 22-9000 10.0.1.1
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-01 21:42 CEST
Nmap scan report for 10.0.1.1
Host is up (0.029s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
8443/tcp open  https-alt
8444/tcp open  pcsync-http
8446/tcp open  unknown
8447/tcp open  unknown
8448/tcp open  unknown
8449/tcp open  unknown
```

I currently have this configured wrt wg1 and ssh:

```
OPEN_TCP="ens3,wg0#22 ens3,wg0#53 ens3#8443 ens3#8444:8449"
INT_IF="wg0 wg1"
INTERNAL_NET="10.0.0.0/24 10.0.1.0/24"
```

I did an `iptables-save -f /tmp/xx` of the iptables config and:

```
# rg 22 /tmp/xx
126:-A EXT_INPUT_CHAIN -i ens3 -p tcp -m tcp --dport 22 -j ACCEPT
127:-A EXT_INPUT_CHAIN -i wg0 -p tcp -m tcp --dport 22 -j ACCEPT
140:-A EXT_INPUT_CHAIN -d 224.0.0.0/4 -j EXT_MULTICAST_CHAIN
```

I thought port 22 would be open on ens3 and wg0, but not on wg1.
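The question this thread keeps circling, on which interfaces and through which chain a port is really accepted, can be answered from the `iptables-save` dump itself rather than by scanning from outside; it also settles abelbeck's point about the brace syntax, because the garbled `{ens3` / `wg0}` interface names end up in the dump as-is. The script below is an added example and not part of arno-iptables-firewall. It parses `iptables-save` output, walks the INPUT path for a new connection on a given interface/protocol/port, and reports the terminal verdict together with the chain that produced it. The embedded ruleset is constructed: the EXT_INPUT_CHAIN rules copy the shape of those posted above (braces included), while the INPUT dispatch rules, the conntrack rule and the accept-all rule in INT_INPUT_CHAIN are assumptions standing in for whatever the real firewall installs, not a description of how arno-iptables-firewall builds its chains.

```python
"""Audit which interfaces really accept a port, straight from iptables-save.

Added example for this thread, not part of arno-iptables-firewall.  It walks
the INPUT path of an iptables-save dump for a NEW inbound connection on a
given interface/protocol/port and reports the chain that accepts or drops it.
It also lists interface names containing brace/comma characters, which is
what the unsupported `{ens3,wg0}#22` OPEN_TCP syntax produced in the thread.
"""
import re
import shlex

# Constructed sample ruleset.  EXT_INPUT_CHAIN mirrors the rules posted in the
# thread (including the garbled `{ens3` / `wg0}` interface names); the INPUT
# dispatch rules, the conntrack rule and the INT_INPUT_CHAIN accept-all rule
# are assumptions, not how arno-iptables-firewall actually builds its chains.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:EXT_INPUT_CHAIN - [0:0]
:INT_INPUT_CHAIN - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i ens3 -j EXT_INPUT_CHAIN
-A INPUT -i wg0 -j EXT_INPUT_CHAIN
-A INPUT -i wg1 -j INT_INPUT_CHAIN
-A EXT_INPUT_CHAIN -i {ens3 -p tcp -m tcp --dport 22 -j ACCEPT
-A EXT_INPUT_CHAIN -i wg0} -p tcp -m tcp --dport 22 -j ACCEPT
-A EXT_INPUT_CHAIN -i ens3 -p tcp -m tcp --dport 8443 -j ACCEPT
-A EXT_INPUT_CHAIN -i ens3 -p tcp -m tcp --dport 8444:8449 -j ACCEPT
-A EXT_INPUT_CHAIN -p udp -m udp --dport 53 -j ACCEPT
-A EXT_INPUT_CHAIN -j LOG --log-prefix "AIF:Dropped INPUT packet: "
-A INT_INPUT_CHAIN -j ACCEPT
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) (\S+) ")
RULE_RE = re.compile(r"^-A (\S+) (.*)$")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_port_range(text):
    lo, _, hi = text.partition(":")       # "22" -> (22, 22), "8444:8449" -> (8444, 8449)
    return int(lo), int(hi or lo)


def parse_dump(dump):
    """Return (rules, policies).  Only -i, -p, --dport, --ctstate/--state and
    -j are decoded; any other match is ignored, so a rule counts as matching
    whenever it *could* match (errs towards reporting a port as reachable).
    A negated match ("! -i lo") is treated as a wildcard for the same reason."""
    rules, policies = [], {}
    for line in dump.splitlines():
        cm = CHAIN_RE.match(line)
        if cm:
            policies[cm.group(1)] = cm.group(2)   # "-" for user-defined chains
            continue
        rm = RULE_RE.match(line)
        if not rm:
            continue
        chain, rest = rm.groups()
        rule = {"chain": chain, "in": None, "proto": None, "dport": None,
                "ctstate": None, "target": None}
        toks = shlex.split(rest)
        for i, tok in enumerate(toks):
            negated = i > 0 and toks[i - 1] == "!"
            if tok == "-i" and not negated:
                rule["in"] = toks[i + 1]
            elif tok == "-p" and not negated:
                rule["proto"] = toks[i + 1]
            elif tok == "--dport" and not negated:
                rule["dport"] = parse_port_range(toks[i + 1])
            elif tok in ("--ctstate", "--state") and not negated:
                rule["ctstate"] = set(toks[i + 1].split(","))
            elif tok == "-j":
                rule["target"] = toks[i + 1]
        rules.append(rule)
    return rules, policies


def malformed_interfaces(rules):
    """Interface names carrying brace/comma characters: the config used a
    syntax the firewall script never expanded."""
    return sorted({r["in"] for r in rules if r["in"] and re.search(r"[{},]", r["in"])})


def verdict(rules, policies, iface, proto, port, chain="INPUT"):
    """Walk `chain` as the kernel would for a NEW connection arriving on
    `iface`.  Returns (verdict, chain) for the first terminal target hit,
    (policy, "policy:<chain>") when a built-in chain's policy applies, or
    None when a user chain falls off its end and returns to the caller."""
    for r in rules:
        if r["chain"] != chain:
            continue
        if r["in"] not in (None, iface) or r["proto"] not in (None, proto):
            continue
        if r["dport"] and not r["dport"][0] <= port <= r["dport"][1]:
            continue
        if r["ctstate"] is not None and "NEW" not in r["ctstate"]:
            continue                      # ESTABLISHED/RELATED-only: never sees a fresh SYN
        tgt = r["target"]
        if tgt in TERMINAL:
            return tgt, chain
        if tgt == "RETURN":
            return None
        if tgt in policies:               # jump into a user-defined chain
            res = verdict(rules, policies, iface, proto, port, tgt)
            if res:
                return res
        # LOG and other non-terminal targets fall through to the next rule
    policy = policies.get(chain, "-")
    return (policy, "policy:" + chain) if policy in TERMINAL else None


def open_ports_by_interface(rules, policies, ifaces, proto, ports):
    """Per interface: {port: accepting chain} for every port whose walk ends
    in ACCEPT.  Same question the nmap scans above asked from outside, but it
    also shows *which chain* let the packet in."""
    report = {}
    for iface in ifaces:
        hits = {}
        for port in ports:
            v = verdict(rules, policies, iface, proto, port)
            if v and v[0] == "ACCEPT":
                hits[port] = v[1]
        report[iface] = hits
    return report


if __name__ == "__main__":
    rules, policies = parse_dump(SAMPLE)
    print("garbled interface names:", malformed_interfaces(rules))
    for iface, hits in open_ports_by_interface(
            rules, policies, ["ens3", "wg0", "wg1"], "tcp", [22, 53, 8443, 8446]).items():
        print(f"{iface}: {hits}")
```

Run against a real dump with `iptables-save | python3 audit.py` after swapping `SAMPLE` for `sys.stdin.read()`. On the constructed ruleset it reports that the braced rules accept port 22 on neither ens3 nor wg0 (the walk ends in the INPUT DROP policy), while every port on wg1 is accepted by the assumed INT_INPUT_CHAIN rule; when a port shows up as accepted on an interface where you did not open it, the chain name in the report tells you which part of the generated ruleset to look at, which is exactly the gap between the OPEN_TCP rules in EXT_INPUT_CHAIN and the nmap results posted above.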