Score:0

Masquerade / firewalld target : impacts on filtering?

za flag

I opened a question here, but as I found some new elements, I prefer to open a new one.

Here is my situation, that can be reproduced:

Fresh CentOS 7 OS. Configuration of two interfaces eth1 and eth2 with IP addresses X and Y

-----------------> @X CENTOS @Y -----------------> @Z  -------
    dst_IP = A                      dst_IP = A
    src_IP = B                      dst_IP = B

Edit /etc/firewalld/zones/TEST.xml, add the two interfaces, and activate masquerade. The firewalld target is set to "default" by default.

Add a route as follows:

Destination     Gateway     GenMask
A               Z           255.255.255.255

Then activate IP forwarding and deactivate rp_filter:

sysctl net.ipv4.ip_forward=1
sysctl net.ipv4.conf.eth1.rp_filter=2
sysctl net.ipv4.conf.eth2.rp_filter=2

In this situation, if I route a packet (@dest=A) to CentOS, the packet is routed to Z. -> Why does firewalld not block it, as there is no rule to accept it?

If I disable masquerade, the packet is not routed anymore. -> Why?

With masquerade activated, if I change the target from default to DROP, the packet is not routed anymore -> So the "default" target is not strictly identical to the "DROP" target. What exactly are the differences? I couldn't find any information about this.

Score:0
kz flag

First of all, you are activating rp_filter, and not deactivating it (to deactivate, you would have to set it to zero).

Info about Reverse Path filtering.

One question is answered easily: without masquerade, the destination router sees a source IP of B, but doesn't have a correct route to send the reply to. Because of this and the reverse path filtering, the packet gets dropped.

Second, you have to differentiate between a firewall and a forwarding firewall. One is intended for packets which have one of the interface IPs as dst / src IP (meaning coming from / going to the device!) and the other is intended for packets which are just passing through the device.

So what is happening? Your CentOS sees a packet with source IP B, destination IP A, and tries to forward it. To do this, it looks at its routing table - there is an active route saying that all packets meant for destination A should go through the router Z.

Now the masquerading comes into effect - the source IP B is replaced by Y, and the packet is forwarded to Z - still with destination IP A!

I can only guess what the firewall does - you'd have to post your complete firewall ruleset for a complete picture - but my guess is that you are confusing "routing through Z" with "destination Z". The latter would probably get dropped, the first wouldn't.

Please post your complete firewall ruleset for a final answer!

za flag
Hi Martin, thank you for your answer!
za flag
I will post more details in an answer. The difference between firewall and forwarding firewall is probably what I'm missing, but I can't find any documentation about this for Linux firewalld.
Martin avatar
kz flag
There are lots of front-ends for Linux firewalls; firewalld is just one of them. Most of them use `iptables` under the hood. iptables is provided by the Linux kernel (because that is the place where packets are mangled / filtered), has been around for quite some time, and is well documented. I would recommend reading up on that topic.
Score:0
za flag

More details:

For this issue, I only consider whether, listening on the CentOS interface @Y, the packets are routed or dropped. I don't take into account the reply by Z, which does not actually work if I activate/deactivate masquerade on CentOS without adjusting Z's configuration.

In this context, what explains that activating masquerade has an impact on whether the routed packets are dropped or not by firewalld before going out on interface @Y? And what about the "default" target in firewalld?

My firewalld ruleset is completely empty; I made this setup from a new CentOS install to work on this issue. No iptables or firewalld rules were added.

Here is the result of iptables -L -n and iptables -L -t nat -n:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_TEST  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDI_TEST  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_TEST  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDO_TEST  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination


Chain FWDI_TEST (2 references)
target     prot opt source               destination
FWDI_TEST_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_TEST_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_TEST_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain FWDI_TEST_allow (1 references)
target     prot opt source               destination

Chain FWDI_TEST_deny (1 references)
target     prot opt source               destination

Chain FWDI_TEST_log (1 references)
target     prot opt source               destination

Chain FWDO_TEST (2 references)
target     prot opt source               destination
FWDO_TEST_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_TEST_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_TEST_allow  all  --  0.0.0.0/0            0.0.0.0/0

Chain FWDO_TEST_allow (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain FWDO_TEST_deny (1 references)
target     prot opt source               destination

Chain FWDO_TEST_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_TEST    all  --  0.0.0.0/0            0.0.0.0/0           [goto]
IN_TEST    all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination


Chain IN_TEST (2 references)
target     prot opt source               destination
IN_TEST_log  all  --  0.0.0.0/0            0.0.0.0/0
IN_TEST_deny  all  --  0.0.0.0/0            0.0.0.0/0
IN_TEST_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain IN_TEST_allow (1 references)
target     prot opt source               destination

Chain IN_TEST_deny (1 references)
target     prot opt source               destination

Chain IN_TEST_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination



Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
PREROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0
PREROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
PREROUTING_ZONES  all  --  0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
POSTROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0
POSTROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
POSTROUTING_ZONES  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT_direct (1 references)
target     prot opt source               destination

Chain POSTROUTING_ZONES (1 references)
target     prot opt source               destination
POST_TEST  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
POST_TEST  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain POSTROUTING_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain POSTROUTING_direct (1 references)
target     prot opt source               destination

Chain POST_TEST (2 references)
target     prot opt source               destination
POST_TEST_log  all  --  0.0.0.0/0            0.0.0.0/0
POST_TEST_deny  all  --  0.0.0.0/0            0.0.0.0/0
POST_TEST_allow  all  --  0.0.0.0/0            0.0.0.0/0

Chain POST_TEST_allow (1 references)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain POST_TEST_deny (1 references)
target     prot opt source               destination

Chain POST_TEST_log (1 references)
target     prot opt source               destination

Chain PREROUTING_ZONES (1 references)
target     prot opt source               destination
PRE_TEST   all  --  0.0.0.0/0            0.0.0.0/0           [goto]
PRE_TEST   all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain PREROUTING_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain PREROUTING_direct (1 references)
target     prot opt source               destination

Chain PRE_TEST (2 references)
target     prot opt source               destination
PRE_TEST_log  all  --  0.0.0.0/0            0.0.0.0/0
PRE_TEST_deny  all  --  0.0.0.0/0            0.0.0.0/0
PRE_TEST_allow  all  --  0.0.0.0/0            0.0.0.0/0

Chain PRE_TEST_allow (1 references)
target     prot opt source               destination

Chain PRE_TEST_deny (1 references)
target     prot opt source               destination

Chain PRE_TEST_log (1 references)
target     prot opt source               destination
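Added toy model (not code from the question, the answer, or firewalld) of the FORWARD path in the ruleset posted above. It walks a B->A packet through the chains in the order they are listed, showing where it is accepted, rejected or dropped depending on masquerade and the zone target, and how MASQUERADE in POST_TEST_allow rewrites the source to Y on the way out. The class and function names, the loopback reading of the bare ACCEPT line, and the placement of a DROP zone target at the end of FWDI_TEST are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"        # "tcp", "udp" or "icmp"
    ctstate: str = "NEW"      # conntrack state: NEW, ESTABLISHED, RELATED or INVALID

@dataclass
class Box:
    own_ips: frozenset        # addresses configured on the box itself (X and Y)
    routes: dict              # destination -> next hop, e.g. {"A": "Z"}
    egress_ip: str            # address of the outgoing interface (Y)
    masquerade: bool = False
    zone_target: str = "default"   # firewalld zone target: "default" or "DROP"

def chain_for(box, pkt):
    """INPUT handles traffic addressed to the box; FORWARD handles pass-through."""
    return "INPUT" if pkt.dst in box.own_ips else "FORWARD"

def forward_verdict(box, pkt):
    """Walk the posted FORWARD chain top to bottom and return the final target."""
    if pkt.dst not in box.routes:
        return "NO_ROUTE"     # the route lookup fails before FORWARD is consulted
    if pkt.ctstate in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"       # first rule of FORWARD
    # The bare "ACCEPT all 0.0.0.0/0 0.0.0.0/0" line is not modelled: `-L -n`
    # hides interface matches, so it is assumed to be a loopback-only rule.
    # FORWARD_IN_ZONES -> FWDI_TEST (its log/deny/allow sub-chains are empty)
    if box.zone_target == "default" and pkt.proto == "icmp":
        return "ACCEPT"       # trailing "ACCEPT icmp" rule of FWDI_TEST
    if box.zone_target == "DROP":
        return "DROP"         # assumption: a DROP target ends FWDI_TEST with DROP
    # FORWARD_OUT_ZONES -> FWDO_TEST -> FWDO_TEST_allow
    if box.masquerade and pkt.ctstate == "NEW":
        return "ACCEPT"       # "ACCEPT ctstate NEW", listed alongside MASQUERADE
    if pkt.ctstate == "INVALID":
        return "DROP"
    return "REJECT"           # last rule of FORWARD: reject-with icmp-host-prohibited

def postrouting(box, pkt):
    """nat POSTROUTING -> POST_TEST_allow: MASQUERADE rewrites src to the egress IP."""
    return Packet(box.egress_ip, pkt.dst, pkt.proto, pkt.ctstate) if box.masquerade else pkt

def simulate(box, pkt):
    """Return (chain, verdict, packet as it leaves the box, or None if not forwarded)."""
    if chain_for(box, pkt) == "INPUT":
        return "INPUT", "INPUT", None
    verdict = forward_verdict(box, pkt)
    return "FORWARD", verdict, postrouting(box, pkt) if verdict == "ACCEPT" else None
```

Running `simulate(Box(frozenset({"X", "Y"}), {"A": "Z"}, "Y", masquerade=True), Packet("B", "A"))` reproduces the first observation: the packet is accepted in FORWARD and leaves with source Y; clearing `masquerade` or setting `zone_target="DROP"` reproduces the other two.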