I'm using a pretty straightforward firewalld rule set:
public (active)
target: default
icmp-block-inversion: no
interfaces: eno1
sources:
services: dhcpv6-client mdns rdp ssh
ports: 25565/tcp 2237/udp 50222/udp 3389/tcp 4000/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.81" service name="sip" accept
rule family="ipv4" source address="66.241.96.221" service name="sip" accept
rule family="ipv4" source address="64.2.142.93" service name="sip" accept
rule family="ipv4" source address="192.168.1.3" service name="sip" accept
rule family="ipv4" source address="192.168.1.200" service name="sip" accept
rule family="ipv4" service name="sip" reject
I would expect that all sip would be rejected EXCEPT for the addresses that are marked accept. What actually happens is that nothing gets through.
Reviewing iptables output, I find that deny seems to be processed before accept:
Chain INPUT_direct (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 224.0.0.1
Chain IN_public (2 references)
target prot opt source destination
IN_public_pre all -- 0.0.0.0/0 0.0.0.0/0
IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
IN_public_post all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25565 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2237 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:50222 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4000 ctstate NEW,UNTRACKED
ACCEPT tcp -- 192.168.1.81 0.0.0.0/0 tcp dpt:5060 ctstate NEW,UNTRACKED
ACCEPT udp -- 192.168.1.81 0.0.0.0/0 udp dpt:5060 ctstate NEW,UNTRACKED
ACCEPT tcp -- 66.241.96.221 0.0.0.0/0 tcp dpt:5060 ctstate NEW,UNTRACKED
ACCEPT udp -- 66.241.96.221 0.0.0.0/0 udp dpt:5060 ctstate NEW,UNTRACKED
ACCEPT tcp -- 64.2.142.93 0.0.0.0/0 tcp dpt:5060 ctstate NEW,UNTRACKED
ACCEPT udp -- 64.2.142.93 0.0.0.0/0 udp dpt:5060 ctstate NEW,UNTRACKED
ACCEPT tcp -- 192.168.1.3 0.0.0.0/0 tcp dpt:5060 ctstate NEW,UNTRACKED
ACCEPT udp -- 192.168.1.3 0.0.0.0/0 udp dpt:5060 ctstate NEW,UNTRACKED
ACCEPT tcp -- 192.168.1.200 0.0.0.0/0 tcp dpt:5060 ctstate NEW,UNTRACKED
ACCEPT udp -- 192.168.1.200 0.0.0.0/0 udp dpt:5060 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
Several questions:
Are all these chains and references created by firewalld and pushed into IPTABLES? I note that when I turn firewalld off, all this disappears from IPTABLES and when I turn firewalld back on, all of it comes back.
How can I tell firewalld to put allow before deny, so that my allowing and denying actually work?
I searched /usr/lib/firewalld and /etc/firewalld looking for some sort of template, but didn't find anything. Searching 'firewalld deny before allow' and other permutations didn't help either.
Many thanks.
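The ordering observed in the question, as an added example that is not part of the post: a small Python model of the IN_public dispatch from the iptables listing above, built on a constructed subset of its rules (the SIP sources, port 5060 and port 22 are taken from the listing; the alternate allow-first order is hypothetical), showing that the very same rules accept the 192.168.1.81 packet once the allow chain is consulted before the deny chain.

```python
# Added example: walk a SIP packet through the IN_public chain layout from the listing above.
# The chain contents are a constructed subset of that iptables output.
from dataclasses import dataclass
from typing import Optional

TERMINAL = {"ACCEPT", "REJECT", "DROP"}

@dataclass(frozen=True)
class Rule:
    target: str                 # a terminal verdict or the sub-chain to jump into
    proto: str = "all"          # "all", "tcp" or "udp"
    source: str = "0.0.0.0/0"   # single host, or the any-address wildcard
    dport: Optional[int] = None

SIP_SOURCES = ("192.168.1.81", "66.241.96.221", "64.2.142.93", "192.168.1.3", "192.168.1.200")
CHAINS = {
    "IN_public": [Rule(c) for c in ("IN_public_pre", "IN_public_log", "IN_public_deny",
                                    "IN_public_allow", "IN_public_post")],
    "IN_public_pre": [], "IN_public_log": [], "IN_public_post": [],
    "IN_public_deny": [Rule("REJECT", "tcp", dport=5060), Rule("REJECT", "udp", dport=5060)],
    "IN_public_allow": [Rule("ACCEPT", "tcp", dport=22)]
        + [Rule("ACCEPT", p, s, 5060) for s in SIP_SOURCES for p in ("tcp", "udp")],
}

def matches(rule: Rule, proto: str, src: str, dport: int) -> bool:
    return (rule.proto in ("all", proto) and rule.source in ("0.0.0.0/0", src)
            and (rule.dport is None or rule.dport == dport))

def walk(chains, chain, proto, src, dport, trace) -> Optional[str]:
    """First matching terminal rule wins; a sub-chain that matches nothing falls through."""
    for rule in chains[chain]:
        if not matches(rule, proto, src, dport):
            continue
        if rule.target in TERMINAL:
            trace.append(f"{chain} -> {rule.target}")
            return rule.target
        found = walk(chains, rule.target, proto, src, dport, trace)
        if found is not None:
            return found
    return None

def verdict(proto, src, dport, chains=CHAINS):
    trace = []
    return walk(chains, "IN_public", proto, src, dport, trace) or "fallthrough", trace

def allow_before_deny(chains=CHAINS):
    """Same rules, with IN_public dispatching to the allow chain before the deny chain."""
    order = [r.target for r in chains["IN_public"]]
    i, j = order.index("IN_public_deny"), order.index("IN_public_allow")
    order[i], order[j] = order[j], order[i]
    return {**chains, "IN_public": [Rule(c) for c in order]}
```

In firewalld a rich rule's action decides which sub-chain it lands in (reject into IN_public_deny, accept into IN_public_allow), so changing the order of the rich rules inside the zone does not change which chain is walked first.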