Discussion:
[iptables] Zone based rules
Jimmy Thrasibule
2013-04-09 15:41:39 UTC
Hi,

I've got a Linux box sitting between different local networks. I'd like
to set up access policies between each network, so I thought about a zone
based firewall.

Each zone is responsible for its incoming and outgoing traffic. However,
this role is played by the same box, and if a packet is accepted by a
zone, it cannot be denied by another zone.

Let me give you an example:

 -----------
| Marketing |---------
 -----------         | eth0
                 ----------
                | Firewall |
                 ----------
                     | eth1
 ---------           |
| Servers |----------
 ---------

Marketing wants to reach a server. However, marketing is very liberal with
its outgoing traffic (it allows everything); on the server side, however, we
would reject any SSH connection coming from marketing.

Here are the iptables rules I would go for:

# Zones creation.
-N ZONE_MRKT
-N MRKT_OUT

-N ZONE_SRV
-N SRV_IN

# Traffic coming from the zones.
-A FORWARD -i eth0 -j ZONE_MRKT
-A FORWARD -i eth1 -j ZONE_SRV

# Traffic to the zones.
-A FORWARD -o eth0 -j ZONE_MRKT
-A FORWARD -o eth1 -j ZONE_SRV


# Let's look at marketing (mar.ket.ing.net/mask stands for the marketing prefix;
# a -d of 0.0.0.0/0 matches everything, so it is simply left out).
-A ZONE_MRKT -i eth0 -s mar.ket.ing.net/mask -j MRKT_OUT
# Marketing allows any outgoing traffic.
-A MRKT_OUT -j ACCEPT

# Servers (ser.ver.s.net/mask stands for the servers prefix).
-A ZONE_SRV -o eth1 -d ser.ver.s.net/mask -j SRV_IN
-A SRV_IN -s mar.ket.ing.net/mask -p tcp --dport 22 -j DROP


In this example traffic leaving a zone is checked first, so any traffic
from marketing is allowed, while the servers zone denies traffic from
marketing.

I can change the rules order but this will not solve the problem.
Another solution would be to mark the packet and then check the mark at
the end to decide whether to accept or reject. But what about
performance on a large set of rules, as the firewall will have to go
through all of them before taking a decision?

How would you manage such a case?

--
Jimmy
Gian Piero Carrubba
2013-04-09 18:54:35 UTC
Post by Jimmy Thrasibule
I can change the rules order but this will not solve the problem.
Another solution would be to mark the packet and then check the mark at
the end to decide whether to accept or reject. But what about
performance on a large set of rules, as the firewall will have to go
through all of them before taking a decision?
Have you considered using RETURN instead of ACCEPT ?
Something like:

# Zone chains, one per direction (not declared in the original post).
-N ZONE_MRKT_OUT
-N ZONE_MRKT_IN
-N ZONE_SRV_OUT
-N ZONE_SRV_IN

# Traffic coming from the zones.
-A FORWARD -i eth0 -j ZONE_MRKT_OUT
-A FORWARD -i eth1 -j ZONE_SRV_OUT

# Traffic to the zones.
-A FORWARD -o eth0 -j ZONE_MRKT_IN
-A FORWARD -o eth1 -j ZONE_SRV_IN

# Reached only when every zone chain RETURNed.
-A FORWARD -j ACCEPT

# Let's look at marketing.
-A ZONE_MRKT_OUT -j RETURN
-A ZONE_MRKT_OUT -j DROP # catch-all, useless here

# Servers
-A ZONE_SRV_IN -s mar.ket.ing.net/mask -p tcp --dport 22 -j DROP
-A ZONE_SRV_IN -j DROP # catch-all; note that with no RETURN before it, it also drops everything else bound for the servers
Post by Jimmy Thrasibule
How would you manage such a case?
I'm not sure if I've got the context right here.
If the fw will be managed by a single person/team, I'd surely go for a
classic set of rules. I normally group the forward rules by the output
interface and use a reject catch-all chain (explicitly dropping "unfair"
packets), so e.g.:

# Per-output-interface chains and the catch-all (not declared in the original post).
-N fwd_eth0
-N fwd_eth1
-N fwd_eth2
-N reject-chain

-A FORWARD -o eth0 -j fwd_eth0
-A FORWARD -o eth1 -j fwd_eth1
-A FORWARD -o eth2 -j fwd_eth2 # internet nic ?

-A fwd_eth1 -i eth0 -p tcp --dport 22 -j DROP
-A fwd_eth1 -j reject-chain

-A fwd_eth2 -i eth0 -j ACCEPT
-A fwd_eth2 -j reject-chain

# The body of reject-chain (logging, then the REJECT itself) is not shown in the post.

On the other hand, if the filtering rules should be managed autonomously
by the two departments (and I suspect this is the case), I'd probably go
for a multi-context/"virtual" system. Putting something together using
lxc and a virtual switch shouldn't be difficult.

Ciao,
Gian Piero.
Jimmy Thrasibule
2013-04-09 21:45:41 UTC
Post by Gian Piero Carrubba
Have you considered using RETURN instead of ACCEPT ?
# Traffic coming from the zones.
-A FORWARD -i eth0 -j ZONE_MRKT_OUT
-A FORWARD -i eth1 -j ZONE_SRV_OUT
# Traffic to the zones.
-A FORWARD -o eth0 -j ZONE_MRKT_IN
-A FORWARD -o eth1 -j ZONE_SRV_IN
-A FORWARD -j ACCEPT
# Let's look at marketing.
-A ZONE_MRKT_OUT -j RETURN
-A ZONE_MRKT_OUT -j DROP # catch-all, useless here
# Servers
-A ZONE_SRV_IN -s mar.ket.ing.net/mask -p tcp --dport 22 -j DROP
-A ZONE_SRV_IN -j DROP # catch-all
Indeed using RETURN here can do the trick.

--
Jimmy
Bastian Blank
2013-04-09 19:26:04 UTC
Post by Jimmy Thrasibule
I've got a Linux box sitting between different local networks. I'd like
to set up access policies between each network, so I thought about a zone
based firewall.
Each zone is responsible for its incoming and outgoing traffic. However,
this role is played by the same box and if a packet is accepted by a
zone, it cannot be denied by another zone.
Could you explain the theory behind this concept?

I prefer to specify the allowed stuff depending on egress first and
ingress second, it is pretty easy to understand. Also you want to use
ferm for iptables-based packet filters. A filter for your problem done
in my usual style would look like this:

# eth0/eth1 follow the diagram in the original post; these two definitions
# were not part of the reply.
@def $marketing = eth0;
@def $servers = eth1;

domain (ip ip6) table filter chain FORWARD {
    outerface $servers {
        interface $marketing {
            proto tcp dport 22 REJECT;
            ACCEPT;
        }
    }

    REJECT;
}
Post by Jimmy Thrasibule
# Traffic coming from the zones.
-A FORWARD -i eth0 -j ZONE_MRKT
-A FORWARD -i eth1 -j ZONE_SRV
# Traffic to the zones.
-A FORWARD -o eth0 -j ZONE_MRKT
-A FORWARD -o eth1 -j ZONE_SRV
Don't mix definitions for ingress and egress traffic. You will allow
spoofed traffic.
Post by Jimmy Thrasibule
# Let's look at marketing.
-A ZONE_MRKT -i eth0 -s mar.ket.ing.net/mask -j MRKT_OUT
The chain should already include the information that it comes from
marketing. Don't even think about doing checks by address.
Post by Jimmy Thrasibule
# Marketing allows any outgoing traffic.
-A MRKT_OUT -j ACCEPT
Now you accepted ssh to the servers.
Post by Jimmy Thrasibule
How would you manage such a case?
Don't try to be too clever. KISS is the key for creating a maintainable
setup.

Bastian
--
The man on tops walks a lonely street; the "chain" of command is often a noose.
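To make the chain-traversal point behind Gian Piero's RETURN suggestion and Bastian's egress-first ferm layout concrete, here is an added example that is not code from either poster: a small Python model of iptables FORWARD evaluation (user chains, -j, RETURN, terminal targets) run over the three layouts discussed in the thread with the same sample packets. The prefixes 10.10.0.0/16 and 10.20.0.0/16, the packets, and the extra `-i eth0 -j RETURN` placed before the servers catch-all in the RETURN layout are assumptions; the model only knows the matches the thread's rules use and ignores connection tracking.

```python
import ipaddress

# Constructed sample prefixes (the thread only has placeholders such as
# mar.ket.ing.net/mask); marketing is behind eth0, the servers behind eth1.
MARKETING = "10.10.0.0/16"
SERVERS = "10.20.0.0/16"

def parse_rules(text):
    """Parse iptables-save style '-A CHAIN <matches> -j TARGET' lines into
    {chain: [(match_dict, target), ...]}. Only -i -o -s -d -p --dport are
    understood; other lines (-N, comments) are skipped."""
    chains = {"FORWARD": []}
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok or tok[0] != "-A":
            continue
        match, target = {}, None
        for opt, val in zip(tok[2::2], tok[3::2]):
            if opt == "-j":
                target = val
            elif opt in ("-s", "-d"):
                match[opt] = ipaddress.ip_network(val)
            elif opt in ("-i", "-o", "-p", "--dport"):
                match[opt] = val
            else:
                raise ValueError("unsupported option: " + opt)
        chains.setdefault(tok[1], []).append((match, target))
    return chains

def _matches(match, pkt):
    return all(ipaddress.ip_address(pkt[o]) in w if o in ("-s", "-d") else str(pkt.get(o)) == w
               for o, w in match.items())

def _walk(chains, chain, pkt):
    """Traverse one chain. ACCEPT/DROP/REJECT ends evaluation everywhere; RETURN
    or running off the end hands control back to the calling chain (None)."""
    for match, target in chains.get(chain, []):
        if not _matches(match, pkt):
            continue
        if target == "RETURN":
            return None
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        verdict = _walk(chains, target, pkt)
        if verdict is not None:
            return verdict
    return None

def forward_verdict(chains, pkt, policy="DROP"):
    """FORWARD verdict for one packet; the chain policy applies if nothing fires."""
    return _walk(chains, "FORWARD", pkt) or policy

# 1. Layout of the opening post: MRKT_OUT's ACCEPT ends evaluation before
#    the servers zone can veto SSH.
ORIGINAL = f"""
-A FORWARD -i eth0 -j ZONE_MRKT
-A FORWARD -i eth1 -j ZONE_SRV
-A FORWARD -o eth0 -j ZONE_MRKT
-A FORWARD -o eth1 -j ZONE_SRV
-A ZONE_MRKT -i eth0 -s {MARKETING} -j MRKT_OUT
-A MRKT_OUT -j ACCEPT
-A ZONE_SRV -o eth1 -d {SERVERS} -j SRV_IN
-A SRV_IN -s {MARKETING} -p tcp --dport 22 -j DROP
"""

# 2. RETURN layout of the first reply; the '-i eth0 -j RETURN' before the servers
#    catch-all is an assumption added here so marketing's other traffic can
#    reach FORWARD's final ACCEPT.
RETURN_LAYOUT = f"""
-A FORWARD -i eth0 -j ZONE_MRKT_OUT
-A FORWARD -i eth1 -j ZONE_SRV_OUT
-A FORWARD -o eth0 -j ZONE_MRKT_IN
-A FORWARD -o eth1 -j ZONE_SRV_IN
-A FORWARD -j ACCEPT
-A ZONE_MRKT_OUT -j RETURN
-A ZONE_MRKT_OUT -j DROP
-A ZONE_SRV_IN -s {MARKETING} -p tcp --dport 22 -j DROP
-A ZONE_SRV_IN -i eth0 -j RETURN
-A ZONE_SRV_IN -j DROP
"""

# 3. Egress-first layout (the ferm rules): one chain per output interface,
#    decisions keyed on interfaces rather than addresses, explicit REJECT catch-all.
EGRESS_LAYOUT = """
-A FORWARD -o eth0 -j fwd_eth0
-A FORWARD -o eth1 -j fwd_eth1
-A FORWARD -j REJECT
-A fwd_eth1 -i eth0 -p tcp --dport 22 -j REJECT
-A fwd_eth1 -i eth0 -j ACCEPT
-A fwd_eth1 -j REJECT
-A fwd_eth0 -j REJECT
"""

# Constructed packets: SSH and HTTP from marketing to a server, plus a packet
# arriving on the servers side (eth1) that carries a marketing source address.
PACKETS = {
    "ssh": {"-i": "eth0", "-o": "eth1", "-s": "10.10.4.7", "-d": "10.20.0.22", "-p": "tcp", "--dport": 22},
    "http": {"-i": "eth0", "-o": "eth1", "-s": "10.10.4.7", "-d": "10.20.0.22", "-p": "tcp", "--dport": 80},
    "spoofed": {"-i": "eth1", "-o": "eth0", "-s": "10.10.4.7", "-d": "10.10.9.9", "-p": "tcp", "--dport": 22},
}

def verdicts(ruleset):
    """Map each sample packet to its FORWARD verdict under one ruleset."""
    chains = parse_rules(ruleset)
    return {name: forward_verdict(chains, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("return", RETURN_LAYOUT), ("egress", EGRESS_LAYOUT)):
        print(f"{label:9}", verdicts(text))
```

Running it shows the three behaviours side by side: the original layout accepts SSH because the first user chain that fires is terminal, the RETURN layout drops it because every zone chain only vetoes and the final `-A FORWARD -j ACCEPT` is what accepts, and the egress-first layout rejects it because the eth1 chain decides on the input interface. The spoofed packet also shows the price of the RETURN layout as posted: with a trailing ACCEPT in FORWARD, anything no zone chain explicitly drops gets through, whereas the egress-first layout rejects it explicitly. In a real ruleset the egress-first layout as written would also reject the servers' reply packets, so an early `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule (not modelled here) is needed in front of it.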
Jimmy Thrasibule
2013-04-09 22:05:21 UTC
Post by Bastian Blank
Post by Jimmy Thrasibule
I've got a Linux box sitting between different local networks. I'd like
to set up access policies between each network, so I thought about a zone
based firewall.
Each zone is responsible for its incoming and outgoing traffic. However,
this role is played by the same box and if a packet is accepted by a
zone, it cannot be denied by another zone.
Could you explain the theory behind this concept?
I was thinking that it would simplify the set of rules if I divided it
between each interface. It would be like having one firewall for each
network (zone) but on the same machine.

One zone (in fact an interface on the box) would apply its own policy on
traffic coming in and out of it, independently from other zones. This
would duplicate rules when talking between zones (an ingress rule for a
zone would have to be duplicated as an egress rule in the other zone), but you
just have to go to the zone of your interest when you want to add or
remove a rule.

It would be like maintaining multiple firewalls for each network.
Post by Bastian Blank
I prefer to specify the allowed stuff depending on egress first and
ingress second, it is pretty easy to understand.
That's what I do usually, but this box sits between many networks and
therefore has many interfaces. I
Post by Bastian Blank
Also you want to use ferm for iptables-based packet filters.
ferm looks good, I'll take a look.
Post by Bastian Blank
Don't mix definitions for ingress and egress traffic. You will allow
spoofed traffic.
True, but I wanted to have only one entry point for each zone. It would
be better to split ingress and egress.
Post by Bastian Blank
Post by Jimmy Thrasibule
# Marketing allows any outgoing traffic.
-A MRKT_OUT -j ACCEPT
Now you accepted ssh to the servers.
Yep, and that's the problem. But using RETURN instead of ACCEPT can be a
solution indeed.

--
Jimmy
helpermn
2013-04-10 04:37:46 UTC
Post by Jimmy Thrasibule
I've got a Linux box sitting between different local networks. I'd like
to set up access policies between each network, so I thought about a zone
based firewall.
Use Shorewall.

--
helpermn
Bastian Blank
2013-04-10 14:42:25 UTC
Post by helpermn
Post by Jimmy Thrasibule
I've got a Linux box sitting between different local networks. I'd like
to set up access policies between each network so I though about a zone
based firewall.
Use Shorewall.
And what problem does this solve?

Bastian
--
Where there's no emotion, there's no motive for violence.
-- Spock, "Dagger of the Mind", stardate 2715.1
helpermn
2013-04-10 17:41:33 UTC
Post by Bastian Blank
Post by helpermn
Post by Jimmy Thrasibule
I've got a Linux box sitting between different local networks. I'd like
to set up access policies between each network so I though about a zone
based firewall.
Use Shorewall.
And what problem does this solve?
Bastian
It solves all your problems. Even more.
You could analyse generated rules and chains to get knowledge about
how it should be done.
--
helpermn