Attempting to black-list one machine on my LAN

Issues related to configuring your network
taylorkh
Posts: 534
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

Attempting to black-list one machine on my LAN

Post by taylorkh » 2018/03/21 16:51:56

I am using a CentOS 7 box with two NICs to share my Internet connection to my LAN, provide a firewall (firewalld), DHCP and share a VPN connection. The Internet facing interface is in the Drop zone. No packets are allowed in unless asked for from behind the firewall. The LAN facing interface is in the Public zone. Services SSH and VNC are permitted in the Public zone. This has been working fine for several months.

Recently I had the need to block one computer (a VMWare CentOS6 virtual machine actually) from accessing the Internet. I added a rich rule to the firewall Public zone thus

Code:

[root@taylor16 ken]# firewall-cmd  --add-rich-rule="rule family='ipv4' source address='10.42.0.217' drop" --zone=public
I can no longer ping the firewall box (10.42.0.1) from the black-listed computer nor establish an SSH connection to the firewall box from the black-listed computer. This is what I would expect to happen.

If I try to access something on the Internet, however,

Code:

[ken@localhost Desktop]$ ping www.centos.org
PING www.centos.org (85.12.30.226) 56(84) bytes of data.
64 bytes from 85.12.30.226: icmp_seq=1 ttl=49 time=116 ms
64 bytes from 85.12.30.226: icmp_seq=2 ttl=49 time=116 ms


[ken@localhost Desktop]$ traceroute www.centos.org
traceroute to www.centos.org (85.12.30.226), 30 hops max, 60 byte packets
 1  10.42.0.1 (10.42.0.1)  0.934 ms  0.723 ms  0.549 ms
 2  10.8.0.1 (10.8.0.1)  33.423 ms  35.287 ms  37.089 ms
 3  v32.ce02.wdc-01.us.leaseweb.net (192.96.203.93)  39.211 ms v32.ce01.wdc-01.us.leaseweb.net (192.96.203.92)  40.329 ms  42.044 ms
 4  be-7.br02.wdc-01.us.leaseweb.net (108.59.15.112)  44.416 ms ae-3.br01.wdc-01.us.leaseweb.net (108.59.15.120)  45.558 ms ae-2.br01.wdc-01.us.leaseweb.net (108.59.15.118)  48.195 ms
 5  38.88.128.61 (38.88.128.61)  49.989 ms 38.88.128.9 (38.88.128.9)  51.917 ms  53.695 ms
 6  be2323.ccr41.iad02.atlas.cogentco.com (154.54.44.1)  55.838 ms  56.296 ms  57.881 ms
 7  be3084.ccr42.dca01.atlas.cogentco.com (154.54.30.65)  60.397 ms be3083.ccr41.dca01.atlas.cogentco.com (154.54.30.53)  36.736 ms  37.664 ms
 8  be2806.ccr41.jfk02.atlas.cogentco.com (154.54.40.105)  42.676 ms be2807.ccr42.jfk02.atlas.cogentco.com (154.54.40.109)  42.263 ms be2806.ccr41.jfk02.atlas.cogentco.com (154.54.40.105)  43.258 ms
 9  be2317.ccr41.lon13.atlas.cogentco.com (154.54.30.186)  110.198 ms be2490.ccr42.lon13.atlas.cogentco.com (154.54.42.86)  117.465 ms be2317.ccr41.lon13.atlas.cogentco.com (154.54.30.186)  112.105 ms
10  be12488.ccr42.ams03.atlas.cogentco.com (130.117.51.42)  126.665 ms  130.938 ms be12194.ccr41.ams03.atlas.cogentco.com (154.54.56.94)  127.347 ms
11  be2440.agr21.ams03.atlas.cogentco.com (130.117.50.6)  124.980 ms be2434.agr21.ams03.atlas.cogentco.com (130.117.2.241)  136.011 ms  131.904 ms
12  xe-7-2.rt1.ams3.baseip.com (149.6.128.198)  143.074 ms  137.450 ms  145.718 ms
13  xe-1-1.rt1.ams1.baseip.com (91.148.255.65)  143.739 ms  143.595 ms  139.939 ms
14  85.12.30.226 (85.12.30.226)  138.046 ms !X  135.625 ms !X  141.284 ms !X
That result I do not expect. I examined the connection with Zenmap and found that, even with the rule in place, port 53 (DNS) is open on the firewall box when viewed from the black-listed computer. I have tried black-listing a physical computer on my LAN. Same results so I do not think it is virtual machine related. I have discussed this issue over on LinuxQuestions but have not come up with an answer https://www.linuxquestions.org/question ... 175625564/

If the firewall drops all packets from the black-listed IP address/computer, how does the computer access DNS on the firewall box, and how does it pass traffic through the firewall box to the Internet? I am confused. Can someone suggest a way to block one computer from the Internet?

TIA,

Ken

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Attempting to black-list one machine on my LAN

Post by TrevorH » 2018/03/21 16:59:56

Your rule affects packets hitting the INPUT chain not the FORWARD chain.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

taylorkh
Posts: 534
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

Re: Attempting to black-list one machine on my LAN

Post by taylorkh » 2018/03/21 17:35:05

Thank you TrevorH,

That would make sense. However, I am unable to figure out (using firewall-cmd) what is in the forwarding chain much less how to control it. If I look at my public zone

Code:

[root@taylor16 ken]# firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s20u1
  sources: 
  services: vnc-server ssh
  ports: 5905/tcp 5901/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="10.42.0.217" drop

[root@taylor16 ken]# firewall-cmd --zone=public --list-forward-ports

[root@taylor16 ken]# firewall-cmd --direct --get-all-chains

[root@taylor16 ken]# firewall-cmd --permanent --direct --get-all-chains
I must be missing something in the area of comprehension or execution (or both.)

Ken

taylorkh
Posts: 534
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

Re: Attempting to black-list one machine on my LAN

Post by taylorkh » 2018/03/22 12:43:12

Thank you again TrevorH,

I did some reading about ipchains. On this HOWTO page http://www.tldp.org/HOWTO/IPCHAINS-HOWTO-4.html , if I read the diagram correctly...an incoming packet hits the "input" chain before it gets to the "forward" chain. In my example, a packet from the blacklisted IP address should be disposed of at the input chain and never make it any further. Unless I am totally missing something.

Ken

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Attempting to black-list one machine on my LAN

Post by TrevorH » 2018/03/22 13:08:59

Reading about how ipchains did it 20 years ago probably isn't the best bet ;-) Linux generally replaced ipchains with iptables sometime in the 2.0 kernel series I think.

taylorkh
Posts: 534
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

Re: Attempting to black-list one machine on my LAN

Post by taylorkh » 2018/03/22 13:35:31

Good point. However, I believe we are really dealing with Netfilter in the kernel. ipchains, iptables, firewalld are, as I understand, simply programs to allow the human to interact with and configure what Netfilter does. That said...

How do I make the firewall ACTUALLY drop all packets from the black-listed IP address and not further process (forward) them (using firewalld which I somewhat understand unlike iptables)?

Ken

taylorkh
Posts: 534
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

Re: Attempting to black-list one machine on my LAN

Post by taylorkh » 2018/03/22 16:59:06

I have done some reading on iptables - enough perhaps to be dangerous. I now understand that packets which are just passing through the firewall computer and NOT ADDRESSED SPECIFICALLY to the firewall computer are not processed by the INPUT chain. OK, this makes sense. I examined my FORWARD chain

Code:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.42.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
And then I added a rule to whack my black-listed IP address

Code:

iptables -A FORWARD -s 10.42.0.217 -j DROP
When I examined iptables again

Code:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.42.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
DROP       all  --  10.42.0.217          anywhere   
See the last line. I think this looks promising. However, it does not stop the black-listed computer from accessing the Internet. I then reloaded the firewall. Now ALL of my LAN is blocked from the Internet (except for the firewall computer itself.) When I attempted to remove the offending rule

Code:

[root@taylor16 ken]# iptables -D FORWARD -s 10.42.0.217 -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).
That is not good. I looked at the state of things in iptables

Code:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
My home-made rule is not there. I think it might have disappeared when I reloaded the firewall. I have not tested to confirm this. I rebooted the firewall computer and my LAN is now able to reach the Internet once again.

This has been an interesting exercise but I am still not seeing a success path :( Or perhaps I am. I think I need to bump my DROP rule above

Code:

ACCEPT     all  --  10.42.0.0/24         anywhere            
if I am correct in understanding that a packet will be examined by each rule in turn until it matches a rule. How do I "promote" my appended (to the bottom) rule to the start of the chain?

Ken
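Added example (the editor's, not code from the thread): a small first-match evaluator to check the reading in the post above that a packet is tested against each rule in turn until one matches. It is fed rule sets constructed from the FORWARD listing posted above, written the way `iptables -S FORWARD` prints them; the `-L` output there hides interface matches, so the constructed lines carry none, and firewalld's chain jumps are left out. On the kernel side the "promotion" asked about is `iptables -I FORWARD 1 -s 10.42.0.217 -j DROP` (insert at position 1 rather than append); the form that firewalld will put back on reload is `firewall-cmd --permanent --direct --add-passthrough ipv4 -I FORWARD 1 -s 10.42.0.217 -j DROP`. The first five rules in the listing use none of firewalld's chain names, and the post-reload listing shows them gone together with the hand-added DROP, so something other than firewalld installed them; the evaluator shows why it matters where the DROP sits relative to them.

```shell
#!/bin/sh
# Added example, not code from the thread: a first-match evaluator for an
# iptables chain listing, to see which FORWARD rule decides the fate of a
# new packet from the black-listed host.  It understands -s, -d, -j and
# --state/--ctstate only; interface matches (-i/-o), negation (!) and other
# match modules are ignored, and user-chain targets are reported, not
# followed.  The rule sets below are constructed from the listing posted
# above (iptables -L hides interface matches, so none appear here).
set -eu

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed when IP falls inside NET, given as a.b.c.d/len or a bare address.
in_net() {
  ip=$1; net=${2%/*}; len=${2#*/}
  [ "$len" = "$2" ] && len=32      # no "/": single host
  [ "$len" -eq 0 ] && return 0     # 0.0.0.0/0 matches everything
  mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Print "<rule number> <target>" for the first rule in RULES (lines as
# printed by `iptables -S FORWARD`) matching a new flow SRC -> DST, or
# "policy" when no rule matches and the chain policy decides.
first_match() {
  rules=$1; src=$2; dst=$3; n=0
  while read -r line; do
    case $line in ''|'-P '*|'-N '*) continue ;; esac
    n=$((n + 1)); hit=1; target=
    set -- $line
    # A new flow is neither RELATED nor ESTABLISHED, so state matches
    # without NEW cannot hit it.
    while [ $# -gt 0 ]; do
      case $1 in
        -s) in_net "$src" "$2" || hit=0; shift ;;
        -d) in_net "$dst" "$2" || hit=0; shift ;;
        -j) target=$2; shift ;;
        --state|--ctstate) case $2 in *NEW*) ;; *) hit=0 ;; esac; shift ;;
      esac
      shift
    done
    if [ "$hit" -eq 1 ]; then echo "$n $target"; return 0; fi
  done <<EOF
$rules
EOF
  echo policy
}

# The first seven FORWARD rules from the listing posted above, in -S form
# (rules shown as any/any by -L are kept that way).
RULES_BASE='
-A FORWARD -d 10.42.0.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j ACCEPT'

# After `iptables -A FORWARD -s 10.42.0.217 -j DROP` (appended at the end).
RULES_APPENDED="$RULES_BASE
-A FORWARD -s 10.42.0.217 -j DROP"

# After `iptables -I FORWARD 1 -s 10.42.0.217 -j DROP` instead (position 1).
RULES_INSERTED="-A FORWARD -s 10.42.0.217 -j DROP
$RULES_BASE"

for src in 10.42.0.217 10.42.0.50; do
  printf 'appended: %s -> rule %s\n' "$src" "$(first_match "$RULES_APPENDED" "$src" 85.12.30.226)"
  printf 'inserted: %s -> rule %s\n' "$src" "$(first_match "$RULES_INSERTED" "$src" 85.12.30.226)"
done
```

With the DROP appended, a packet from 10.42.0.217 is accepted by rule 2 (the ACCEPT for all of 10.42.0.0/24) and the DROP is never reached; with the DROP inserted at position 1 it is dropped there, while another LAN host still reaches the LAN-wide ACCEPT, now rule 3. Feed the evaluator real output with `first_match "$(iptables -S FORWARD)" 10.42.0.217 85.12.30.226`, bearing in mind that it ignores interface matches.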

taylorkh
Posts: 534
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

Re: Attempting to black-list one machine on my LAN

Post by taylorkh » 2018/03/22 17:08:49

One more question (actually 2)... I recall that the iptables and firewalld SERVICES cannot be run concurrently. I am running firewalld but NOT iptables

Code:

[root@taylor16 ken]# ps aux | grep firewalld
root       639  0.0  0.7 334116 28764 ?        Ssl  12:35   0:01 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
root      3141  0.0  0.0 112664   980 pts/0    S+   13:02   0:00 grep --color=auto firewalld
[root@taylor16 ken]# ps aux | grep iptables
root      3157  0.0  0.0 112660   980 pts/0    S+   13:03   0:00 grep --color=auto iptables
The iptables tutorial I am reading warns: "The changes that you make to your iptables rules will be scrapped the next time that the iptables service gets restarted unless you execute a command to save the changes." The command for RHEL/CentOS being service iptables save.

When I added my rule in the post above was it added to the "runtime" firewall vs. the "permanent" firewall - in firewall-cmd speak? If I cannot run the two services concurrently, does the iptables COMMAND have any effect on the firewall as configured by firewall-cmd?

Ken
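Added example (the editor's, not code from the thread), bearing on the two questions above. The iptables command edits the same kernel tables that firewalld manages (firewalld itself drives them through iptables), so a rule typed in that way is live at once; but it is runtime state that firewalld knows nothing about, and `firewall-cmd --reload` rebuilds the chains from firewalld's own configuration, which is consistent with the post-reload listing above where the hand-added DROP is gone. What cannot run alongside firewalld is the iptables service from the iptables-services package, the one `service iptables save` belongs to, not the iptables binary. The function below scans an `iptables -S FORWARD` listing and prints the rules firewalld did not create, i.e. what the next reload will discard. Assumptions: the fixed patterns for firewalld's own FORWARD scaffolding are those of the firewalld shipped with CentOS 7; the sample listing is constructed from the one posted above, with the second any/any ACCEPT written as firewalld's `-i lo` rule that `-L` without `-v` hides; and any specs the caller has registered as firewalld passthroughs are passed in as a second argument.

```shell
#!/bin/sh
# Added example, not code from the thread: list the FORWARD rules that
# firewalld did not install.  `iptables` acts on the same kernel tables
# firewalld manages, so a hand-typed rule is live immediately, but firewalld
# does not know about it and `firewall-cmd --reload` rebuilds the chains
# from its own configuration only.  Anything printed here will vanish on
# the next reload (or reboot).
# Assumptions: firewalld's own FORWARD rules are recognised by the fixed
# patterns below (firewalld as shipped with CentOS 7); specs passed in
# KNOWN (one per line, e.g. passthroughs registered with
# `--direct --add-passthrough`) are treated as managed.
set -eu

# firewalld's own scaffolding in FORWARD: conntrack shortcut, loopback,
# jumps into its FORWARD_* chains, the INVALID drop and the final reject.
is_firewalld_rule() {
  case $1 in
    '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT') return 0 ;;
    '-A FORWARD -i lo -j ACCEPT') return 0 ;;
    '-A FORWARD -j FORWARD_'*) return 0 ;;
    '-A FORWARD -m conntrack --ctstate INVALID -j DROP') return 0 ;;
    '-A FORWARD -j REJECT --reject-with icmp-host-prohibited') return 0 ;;
  esac
  return 1
}

# Print every rule in LISTING (output of `iptables -S FORWARD`) that is
# neither firewalld scaffolding nor one of the specs in KNOWN.
unmanaged_forward_rules() {
  listing=$1; known=${2:-}
  while read -r line; do
    case $line in ''|'-P '*|'-N '*) continue ;; esac   # policy/chain lines
    is_firewalld_rule "$line" && continue
    spec=${line#-A FORWARD }
    if printf '%s\n' "$known" | grep -Fqx -- "$spec"; then continue; fi
    printf '%s\n' "$line"
  done <<EOF
$listing
EOF
}

# Number of unmanaged rules, for a quick yes/no in scripts.
count_unmanaged() {
  unmanaged_forward_rules "$@" | wc -l | tr -d ' '
}

# On the router itself: compare the live chain against what firewalld owns.
check_live() {
  unmanaged_forward_rules "$(iptables -S FORWARD)" "${1:-}"
}

# Constructed after the listing posted above, in `iptables -S` form.
SAMPLE='-P FORWARD ACCEPT
-A FORWARD -d 10.42.0.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 10.42.0.217 -j DROP'

echo "rules a firewall-cmd --reload will discard:"
unmanaged_forward_rules "$SAMPLE"
```

On the sample this prints six rules: the five at the top that use none of firewalld's chain names, and the DROP appended by hand. Passing `'-s 10.42.0.217 -j DROP'` as the second argument, as one would after registering it with `--direct --add-passthrough`, brings the count to five. Run `check_live` as root on the router to do the same against the live chain.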
