Firewall VM, rule not working, what has gone wrong?


Drew White

May 31, 2016, 9:27:14 PM
to qubes-users
Hi folks,

I'm trying to get my ProxyVM to work properly, the way I want it to, but the firewall is not cooperating. I feel there is either something I am doing wrong OR something in Qubes' initial configuration causing an issue, but I can't find what is wrong.

Any good help would be greatly appreciated.

Thanks in advance!

The result I'm looking for is to block everything outgoing from vif+ to any ip range OTHER than what I specify.

The hashed-out ones are the ones I tried, but they failed.
In the end I brought it back to the first one, the basic simple version, but even that still doesn't work (and I didn't think it would really, but I tried it anyway).

iptables -i $eth -s 1.2.3.0/24 -j ACCEPT
iptables -o $eth -d 1.2.3.0/24 -j ACCEPT
iptables -o $eth -j DROP
iptables -i $eth -j DROP

#iptables -I PREROUTING 1 -i vif+ -o $eth -d 1.2.3.0/24 -m state --state NEW -p tcp -m tcp -j ACCEPT
#iptables -I PREROUTING 1 -i vif+ -o $eth -d 1.2.3.024 -p udp -m udp -j ACCEPT
#iptables -I PREROUTING 3 -i vif+ -m state --state NEW -p tcp -m tcp -j DROP
#iptables -I PREROUTING 3 -i vif+ -p udp -m udp -j DROP
#
#iptables -I FORWARD 1 -i vif+ -o $eth -d 1.2.3.0/24 -m state --state NEW -p tcp -m tcp -j ACCEPT
#iptables -I FORWARD 1 -i vif+ -o $eth -d 1.2.3.0/24 -p udp -m udp -j ACCEPT
#iptables -I FORWARD 3 -i vif+ -j DROP
#
#iptables -I INPUT 1 -i vif+ -d 1.2.3.0/24 -m state --state NEW -p tcp -m tcp -j ACCEPT
#iptables -I INPUT 1 -i vif+ -d 1.2.3.0/24 -p udp -m udp -j ACCEPT
#iptables -I INPUT 3 -i vif+ -j DROP
#
#iptables -I OUTPUT 1 -o $eth -d 1.2.3.0/24 -m state --state NEW -p tcp -m tcp -j ACCEPT
#iptables -I OUTPUT 1 -o $eth -d 1.2.3.0/24 -p udp -m udp -j ACCEPT
#iptables -I OUTPUT 3 -o $eth -j DROP

Unman

Jun 1, 2016, 9:12:14 PM
to Drew White, qubes-users
Oh Drew,
Geek is confirmed.

If you want to control traffic from the vif+ interfaces, you need the
FORWARD chain.

The default rules allow RELATED,ESTABLISHED traffic both ways in FORWARD
chain, and drop all traffic between vifs - you know this already.

What you want (assuming $eth is defined) is:
iptables -I FORWARD 1 -i vif+ -o $eth -d 1.2.3.0/24 -m state --state NEW -j ACCEPT
iptables -I FORWARD 3 -i vif+ -o $eth -j DROP

This is because the ESTABLISHED rule is by default #1: you insert at 1 to
go before it, and then -I 3 to insert the DROP rule after it.
You were almost there but got the count wrong.

unman


Chris Laprise

Jun 1, 2016, 9:56:20 PM
to Drew White, qubes-users


On 05/31/2016 09:27 PM, Drew White wrote:
> Hi folks,
>
> I'm trying to get my ProxyVM to work properly the way I want it to,
> but the firewall is not cooperating and I feel there is either
> something I am doing wrong, OR something in Qubes initial
> configuration causing an issue, but I can't find what is wrong.
>
> Any good help would be greatly appreciated.
>
> Thanks in advance!
>
> The result I'm looking for is to block everything outgoing from vif+
> to any ip range OTHER than what I specify.
>
> The hashed out are ones that I tried, but they failed.
> In the end I brought it back to the first one, the base simplicity,
> but even that still doesn't work (and I didn't think it would really,
> but I tried it anyway).

Syntax errors...

>
> iptables -i $eth -s 1.2.3.0/24 -j ACCEPT
> iptables -o $eth -d 1.2.3.0/24 -j ACCEPT
> iptables -o $eth -j DROP
> iptables -i $eth -j DROP
^ This block is missing a command and chain name, such as '-A INPUT'.


> #iptables -I PREROUTING 1 -i vif+ -o $eth -d 1.2.3.0/24 -m state
> --state NEW -p tcp -m tcp -j ACCEPT
> #iptables -I PREROUTING 1 -i vif+ -o $eth -d 1.2.3.024 -p udp -m udp
> -j ACCEPT
> #iptables -I PREROUTING 3 -i vif+ -m state --state NEW -p tcp -m tcp
> -j DROP
> #iptables -I PREROUTING 3 -i vif+ -p udp -m udp -j DROP
^ This block is trying to use the default table, which doesn't have a
PREROUTING chain. Try specifying '-t nat'.

Chris

Drew White

Jun 1, 2016, 10:21:45 PM
to qubes-users, drew....@gmail.com, un...@thirdeyesecurity.org
Hi Unman,

Happy to hear from someone that I knew has been able to assist in the past.


On Thursday, 2 June 2016 11:12:14 UTC+10, Unman wrote:
> Oh Drew,
> Geek is confirmed.

Geek? GEEK?? I'm not just an ordinary geek, my friend. I'm a super geek! :/ lol

> If you want to control traffic from the vif+ interfaces, you need the
> FORWARD chain.

I've got forwards for all my InterVM Network and my bridged virtuals and more.

> The default rules allow RELATED,ESTABLISHED traffic both ways in FORWARD
> chain, and drop all traffic between vifs - you know this already.
>
> What you want (assuming $eth is defined) is:
> iptables -I FORWARD 1 -i vif+ -o $eth -d 1.2.3.0/24 -m state --state NEW -j ACCEPT
> iptables -I FORWARD 3 -i vif+ -o $eth -j DROP
>
> This is because the ESTABLISHED rule is by default #1: you insert at 1 to
> go before it, and then -I 3 to insert the DROP rule after it.
> You were almost there but got the count wrong.

And yes, $eth is defined after discovery of identifiers.
I recently had a huge issue with it when I transferred from
Fedora to Debian.. ifconfig differences.. But I resolved it all,
and it's all now working apart from this bit for traffic restrictions.

Ahh, okay. I'll give it a shot and inform you of the results.
So for the incoming connections, is it the same methodology, just with source and destination switched around?

And ...

iptables -I FORWARD 3 -i vif+ -o $eth -j DROP

Does it really need the interfaces specified if I have the ... ...
iptables -I FORWARD 1 -i vif+ -o $eth -d 1.2.3.0/24 -m state --state NEW -j ACCEPT
iptables -I FORWARD 1 -o vif+ -i $eth -s 1.2.3.0/24 -m state --state NEW -j ACCEPT

can't it be ... ?
iptables -I FORWARD 3 -j DROP 

Drew White

Jun 1, 2016, 10:24:12 PM
to qubes-users, drew....@gmail.com, un...@thirdeyesecurity.org
One more thing.. Where in that section can I specify the
port/port range to have the communications on?

Is it possible to have a range?
Or do I have to specify each and every port?

Drew White

Jun 2, 2016, 12:49:38 AM
to qubes-users, drew....@gmail.com, un...@thirdeyesecurity.org


On Thursday, 2 June 2016 11:12:14 UTC+10, Unman wrote:
> Oh Drew,
> Geek is confirmed.
>
> If you want to control traffic from the vif+ interfaces, you need the
> FORWARD chain.
>
> The default rules allow RELATED,ESTABLISHED traffic both ways in FORWARD
> chain, and drop all traffic between vifs - you know this already.
>
> What you want (assuming $eth is defined) is:
> iptables -I FORWARD 1 -i vif+ -o $eth -d 1.2.3.0/24 -m state --state NEW -j ACCEPT
> iptables -I FORWARD 3 -i vif+ -o $eth -j DROP
>
> This is because the ESTABLISHED rule is by default #1: you insert at 1 to
> go before it, and then -I 3 to insert the DROP rule after it.
> You were almost there but got the count wrong.
>
> unman

Hi Unman,

I tried it and I've found that it requires the extras.
 
This is what I have now, and it works perfectly, thanks.

iptables -I FORWARD 1 -i vif+ -o $eth -d 1.2.3.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 1 -o vif+ -i $eth -s 1.2.3.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -i vif+ -j DROP
iptables -I FORWARD 3 -i $eth -j DROP


IPTABLES now looks like this...
-------------------------------------------------------------------------------------------

Chain INPUT (policy DROP)
target     prot opt source               destination        
DROP       udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target     prot opt source               destination        
ACCEPT     all  --  1.2.3.0/24          anywhere             state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             1.2.3.0/24          state NEW,RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere           
ACCEPT     udp  --  10.137.2.2          gateway              udp dpt:domain
ACCEPT     udp  --  10.137.2.2          10.137.2.254         udp dpt:domain
ACCEPT     tcp  --  10.137.2.2          gateway              tcp dpt:domain
ACCEPT     tcp  --  10.137.2.2          10.137.2.254         tcp dpt:domain
ACCEPT     icmp --  10.137.2.2          anywhere           
DROP       tcp  --  10.137.2.2          10.137.255.254       tcp dpt:us-cli
ACCEPT     all  --  10.137.2.2          anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

-------------------------------------------------------------------------------------------

After the 4th rule in FORWARD, I can just remove everything else, can't I?
Since it's now completely restricted by rules 1-4?
Or do they still have some effect?
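Added example for this thread; it is not code from any of the posts above. It is a small POSIX sh script that builds the rule set Unman describes (accept NEW from vif+ to one CIDR, drop everything else from vif+), answers Drew's port question with a multiport list that takes ranges written as a:b, and handles the DNS case: in Drew's final listing the two DROPs inserted at position 3 sit above the Qubes-generated `dpt:domain` rules, so those rules never match and name resolution from the client side is dropped unless the resolver is inside the allowed CIDR. The rules live in a dedicated chain hooked once at FORWARD position 1, so there is no "-I 1 before the ESTABLISHED rule, -I 3 after it" counting to get wrong and the script can be re-run after a change. Assumptions that are mine and not the thread's: the chain name VIF_RESTRICT is arbitrary; the uplink interface (the thread's $eth), the allowed CIDR, an optional port list and an optional resolver address are passed as $1..$4; the sample arguments eth0, 1.2.3.0/24, 22,443,8000:8100 and 10.137.2.254 are constructed for illustration (the last one taken from the listing); and `-m conntrack --ctstate` is just the current spelling of the thread's `-m state --state`.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Builds the ProxyVM FORWARD rules discussed above (only let vif+ clients
# reach one CIDR, optionally on a port list, optionally plus DNS) in a
# dedicated chain hooked once at FORWARD position 1.
#
# Assumptions that are mine, not the thread's: the chain name VIF_RESTRICT
# is arbitrary; the uplink interface (the thread's $eth), the allowed CIDR,
# an optional comma-separated port list (ranges as a:b) and an optional
# resolver address are passed as $1..$4. "-m conntrack --ctstate" is the
# current spelling of the thread's "-m state --state"; same meaning here.

IPT="${IPT:-iptables}"     # set IPT=echo to print instead of apply
CHAIN="VIF_RESTRICT"

# Print one iptables argument list per line, in evaluation order.
# Everything is -A inside our own chain, so there is no "-I 1 before the
# ESTABLISHED rule, -I 3 after it" counting to get wrong.
vif_rules() {
    eth="$1"; cidr="$2"; ports="${3:-}"; dns="${4:-}"

    # Replies for anything already allowed, in both directions.
    printf '%s\n' "-A $CHAIN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"

    if [ -n "$ports" ]; then
        # multiport takes up to 15 entries and accepts ranges, so one rule
        # per protocol covers a whole port list. It needs -p tcp or -p udp.
        for proto in tcp udp; do
            printf '%s\n' "-A $CHAIN -i vif+ -o $eth -d $cidr -p $proto -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
        done
    else
        printf '%s\n' "-A $CHAIN -i vif+ -o $eth -d $cidr -m conntrack --ctstate NEW -j ACCEPT"
    fi

    # Optional: let clients resolve names. Without this, a chain that ends
    # in "-i vif+ -j DROP" also swallows the DNS traffic that the
    # Qubes-generated rules further down FORWARD would have accepted.
    if [ -n "$dns" ]; then
        for proto in tcp udp; do
            printf '%s\n' "-A $CHAIN -i vif+ -d $dns -p $proto --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
        done
    fi

    # Everything else from the client side (including vif-to-vif) stops
    # here. Traffic arriving on $eth that is not a reply falls through the
    # implicit RETURN to the Qubes rules and FORWARD's DROP policy.
    printf '%s\n' "-A $CHAIN -i vif+ -j DROP"
}

# (Re)create the chain, load the rules, hook it into FORWARD exactly once.
# Safe to re-run: the chain is flushed and the jump is only added if absent.
vif_apply() {
    "$IPT" -N "$CHAIN" 2>/dev/null || "$IPT" -F "$CHAIN"
    vif_rules "$@" | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting of $rule is intended
        "$IPT" $rule
    done
    "$IPT" -C FORWARD -j "$CHAIN" 2>/dev/null || "$IPT" -I FORWARD 1 -j "$CHAIN"
}

# Usage (dry run):  IPT=echo sh vif-restrict.sh eth0 1.2.3.0/24 22,443,8000:8100
if [ "$#" -ge 2 ]; then
    vif_apply "$@"
fi
```

Run it with IPT=echo first to see the exact rules it would add; `iptables -C` (used to avoid stacking a second jump on re-runs) needs iptables 1.4.11 or newer. On Qubes 3.x the documented place for custom ProxyVM rules is /rw/config/qubes-firewall-user-script, which is run after Qubes has loaded its own rules, so calling this script from there keeps the chain in place across firewall reloads.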