christgau / wsdd

A Web Service Discovery host daemon.
MIT License

Firewall (iptables) with DROP Policies: configuration not well explained in Readme #100

Closed enrysan0 closed 3 years ago

enrysan0 commented 3 years ago

Hi,

first of all thanks for this piece of software.

I'm using only IPv4. IPv6 is disabled on my server.

I had a hard time trying to configure my iptables firewall on a Debian 10 VM hosted on Proxmox. The VM is NOT NATed.

I followed these instructions from the README.md:

Traffic for the following ports, directions and addresses must be allowed.

  • incoming and outgoing traffic to udp/3702 with multicast source/destination:
    • 239.255.255.250 for IPv4
    • ff02::c for IPv6
  • outgoing unicast traffic from udp/3702
  • incoming to tcp/5357

This configuration allowed my server to show up in Windows Explorer on the client side. However, after refreshing Windows Explorer 5 minutes later, the server was gone.

I investigated with Wireshark, logs from iptables and using: socat UDP4-RECVFROM:3702,ip-add-membership=239.255.255.250:IP:IF_IDX STDIO to see if the server received the multicast packet.

In the end I found that, to still see the server after the 5-minute refresh on the client, I also have to open:

So my iptables rules for WSDD are (note that ens18 is one of my network interfaces):

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

########
# WSDD #
#############
#INPUT TABLE#
#############

#WSDD 1. UDP 3702 IN    MULTICAST (239.255.255.250/32)
-A INPUT -i ens18 -p udp --dport 3702 -s 239.255.255.250/32 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

#WSDD 2. UDP 3702 OUT   MULTICAST (239.255.255.250/32)
-A INPUT -i ens18 -p udp --sport 3702 -s 239.255.255.250/32 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

#WSDD 3. UDP 3702 IN    UNICAST -->NEEDED<--
-A INPUT -i ens18 -p udp --dport 3702 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

#WSDD 4. UDP 3702 OUT   UNICAST
-A INPUT -i ens18 -p udp --sport 3702 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

#WSDD 5. TCP 5357 IN
-A INPUT -i ens18 -p tcp --dport 5357 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

#WSDD 6. IGMP
##IGMP OUT      MULTICAST (224.0.0.251/32)
-A INPUT -i ens18 -p igmp -s 224.0.0.251/32 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
##IGMP OUT      MULTICAST (239.255.255.250/32)
-A INPUT -i ens18 -p igmp -s 239.255.255.250/32 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
##IGMP OUT      MULTICAST (224.0.0.22/32)
-A INPUT -i ens18 -p igmp -d 224.0.0.22/32 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
##IGMP IN       MULTICAST (224.0.0.1/32)
-A INPUT -i ens18 -p igmp -d 224.0.0.1/32 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
##IGMP OUT      MULTICAST (224.0.0.1/32)
-A INPUT -i ens18 -p igmp -s 224.0.0.1/32 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

########
# WSDD #
##############
#OUTPUT TABLE#
##############

#WSDD 1. UDP 3702 IN    MULTICAST (239.255.255.250/32)
-A OUTPUT -o ens18 -p udp --sport 3702 -d 239.255.255.250/32 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

#WSDD 2. UDP 3702 OUT   MULTICAST (239.255.255.250/32)
-A OUTPUT -o ens18 -p udp --dport 3702 -d 239.255.255.250/32 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

#WSDD 3. UDP 3702 IN    UNICAST -->NEEDED<--
-A OUTPUT -o ens18 -p udp --sport 3702 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

#WSDD 4. UDP 3702 OUT    UNICAST
-A OUTPUT -o ens18 -p udp --dport 3702 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

#WSDD 5. TCP 5357 IN
-A OUTPUT -o ens18 -p tcp --sport 5357 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

#WSDD 6. IGMP
##IGMP OUT      MULTICAST (224.0.0.251/32)
-A OUTPUT -o ens18 -p igmp -d 224.0.0.251/32 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
##IGMP OUT       MULTICAST (239.255.255.250/32)
-A OUTPUT -o ens18 -p igmp -d 239.255.255.250/32 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
##IGMP OUT      MULTICAST (224.0.0.22/32)
-A OUTPUT -o ens18 -p igmp -d 224.0.0.22/32 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
##IGMP IN       MULTICAST (224.0.0.1/32)
-A OUTPUT -o ens18 -p igmp -s 224.0.0.1/32 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
##IGMP OUT      MULTICAST (224.0.0.1/32)
-A OUTPUT -o ens18 -p igmp -d 224.0.0.1/32 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

I run WSDD bound to the same network interface, ens18:

wsdd --shortlog --ipv4only --interface ens18 --hostname XXX --workgroup WORKGROUP -p

I hope this can help others save time setting up their configuration and/or serve as a base for improving the README.md.

christgau commented 3 years ago

Thanks for sharing your experiences!

In the end I found that, to still see the server after the 5-minute refresh on the client, I also have to open:

incoming unicast traffic to udp/3702

This is strange because, according to the documentation, unicast traffic to port 3702 is not intended by the protocol. I have to admit that I haven't yet checked whether such traffic occurs, but AFAIK this is not the case, so opening that port should not be required IMO.

outgoing IGMP traffic to 224.0.0.251/32, 239.255.255.250/32, 224.0.0.22/32, 224.0.0.1/32
incoming IGMP traffic from 224.0.0.1/32

I intentionally did not elaborate on IGMP rules in the readme/man page because I considered them a 'natural' implication of "multicast source/destination". Maybe I'll add a note on that.

christgau commented 3 years ago

Here is a ruleset that worked for me (for IPv4):

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            239.255.255.250      udp dpt:3702  # incoming traffic to udp/3702 with multicast destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:5357     # incoming to tcp/5357
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            224.0.0.0/4          # for IGMP
ACCEPT     udp  --  0.0.0.0/0            239.255.255.250      udp dpt:3702  # outgoing traffic to udp/3702 with multicast destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:3702  # outgoing unicast traffic from udp/3702
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

The rules could be more restrictive w.r.t. the sources and destinations, but in principle it works. Obviously the wording:

incoming and outgoing traffic to udp/3702 with multicast source/destination:

especially "source", is not correct here. I'll fix that in the readme/man page...
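An added check (example code, not part of wsdd or this thread) that audits an iptables-save style IPv4 ruleset for the allow rules discussed above: the four README items plus the outgoing IGMP rule that a DROP policy on OUTPUT otherwise blocks. The parser only handles the options that appear in the constructed sample, and the requirement names and sample are my own; a rule that only matches the multicast group as source, as in the first ruleset above, is reported as not satisfying the "udp/3702 in to multicast" requirement.

```python
# Added example (not wsdd project code): audit an iptables-save style IPv4
# ruleset for the allow rules wsdd needs when INPUT/OUTPUT policies are DROP.
import ipaddress
import shlex
WSD_MCAST = ipaddress.ip_network("239.255.255.250/32")   # WS-Discovery group
MCAST_ALL = ipaddress.ip_network("224.0.0.0/4")          # all IPv4 multicast
VALUE_OPTS = {"-p": "proto", "-s": "src", "-d": "dst", "--dport": "dport",
              "--sport": "sport", "-j": "target"}

def parse_rules(text):  # '-A CHAIN ...' lines become dicts; other lines are ignored
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line.split("#", 1)[0])
        if not toks or toks[0] != "-A":
            continue
        r = {"chain": toks[1], "proto": "all", "src": "0.0.0.0/0",
             "dst": "0.0.0.0/0", "dport": None, "sport": None, "target": None}
        i = 2
        while i < len(toks):
            key = toks[i]  # an option has a value unless the next token is an option
            has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            if key in VALUE_OPTS and has_val:
                r[VALUE_OPTS[key]] = int(toks[i + 1]) if key.endswith("port") else toks[i + 1]
            i += 2 if has_val else 1
        rules.append(r)
    return rules

def _in(cidr, net):
    return ipaddress.ip_network(cidr, strict=False).subnet_of(net)

# One predicate per README item, plus the IGMP rule the thread shows is needed.
REQUIRED = {
    "udp/3702 in to multicast": lambda r: r["chain"] == "INPUT" and r["proto"] == "udp"
        and r["dport"] == 3702 and _in(r["dst"], WSD_MCAST),
    "udp/3702 out to multicast": lambda r: r["chain"] == "OUTPUT" and r["proto"] == "udp"
        and r["dport"] == 3702 and _in(r["dst"], WSD_MCAST),
    "unicast out from udp/3702": lambda r: r["chain"] == "OUTPUT" and r["proto"] == "udp"
        and r["sport"] == 3702,
    "tcp/5357 in": lambda r: r["chain"] == "INPUT" and r["proto"] == "tcp" and r["dport"] == 5357,
    "IGMP out to 224.0.0.0/4": lambda r: r["chain"] == "OUTPUT"
        and r["proto"] in ("igmp", "all") and _in(r["dst"], MCAST_ALL),
}

def missing_wsdd_rules(text):
    """Names of required allow rules that no ACCEPT rule in `text` satisfies."""
    accepts = [r for r in parse_rules(text) if r["target"] == "ACCEPT"]
    return [name for name, ok in REQUIRED.items() if not any(ok(r) for r in accepts)]

# Constructed sample, modelled on the working IPv4 ruleset posted in the thread.
SAMPLE = """\
-A INPUT -d 239.255.255.250/32 -p udp -m udp --dport 3702 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5357 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 3702 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 3702 -j ACCEPT
"""
```

Feed it the output of `iptables-save` (or `iptables -S`) to get the list of requirements that no ACCEPT rule covers; an empty list means all five are present.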