* Can't override filter section OUTPUT DROP / INPUT DROP Policy
@ 2017-08-25 14:16 gazoxtapod
  2017-08-25 16:12 ` netfilter
  0 siblings, 1 reply; 4+ messages in thread
From: gazoxtapod @ 2017-08-25 14:16 UTC (permalink / raw)
  To: netfilter

Esteemed List Participants and Lurkers:    NEWBIE ALERT!
==============================================================
Raspberry Pi 2 - Raspbian GNU/Linux 8 (jessie)
iptables v1.4.21  -  ufw v0.33-2
==============================================================
I'm trying to use the Pi2 as an appliance to monitor DSL Usage from my 
DSL modem (192.168.0.1), which is between a (nearly default 
configuration) firewall router for my LAN and the ISP.  The Pi2 box 
project, when completed, is strictly an appliance that is a client to 
the modem, reading date/time and DSL usage and error status, and 
displaying this on an LCD display.

* I need to allow the Pi2 to negotiate a DHCP request for an IP address 
from the router on bootup. (This is the system default - no need to do 
anything)
* I need to allow the Pi2 to make a periodic connection to the modem and 
fetch data. (I do this with Python Requests - it works)
* I am trying to block all other types of incoming and outgoing 
connections. This is what I can NOT do.

I have tried to research this extensively and at least found this thread 
which is somewhat similar to my basic approach:
  . . DROP policy, serious vulnerability?
  . . http://www.spinics.net/lists/netfilter/msg56020.html

I have tried various tests using 'ufw' and 'iptables' with little to no 
success.  I did discover that "ufw" commands are persistent, and 
"iptables" are dynamic, but not persistent (I think that is right?).

Here is what I 'think' I am trying to do:

sudo iptables -P INPUT DROP        <--  P:Policy
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP
sudo iptables -A OUTPUT -s 192.168.0.1 -j ACCEPT  <--A:Append s:source j:jump
sudo iptables -A INPUT -s 192.168.0.1 -j ACCEPT   <--don't need this?

I found the rule for what I think is the DHCP negotiation in the 
unmodified original iptables --list:
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

OK.  I did discover that "iptables -F" cleans out everything in the 
(non-persistent) --list very nicely and leaves only the 3 filter section 
default policies.  With "ufw enable", as soon as I set "default deny 
outgoing" (-P OUTPUT DROP) as the policy, NOTHING I do overrides that 
and I have no browser connection ability to the modem.  As soon as I set 
"default deny incoming" (-P INPUT DROP) as the policy, NOTHING I do 
overrides that.  I have been using "ping" from an adjacent desktop on 
the LAN (192.168.1.104) to test incoming connections, and it works only 
with "ufw disable" ... EVERYTHING works wide open when disabled, as 
expected, so the firewall router is not getting in the way.

I have managed to get the --list in this configuration, but all access 
to the modem (via the browser) is blocked (using ping on the modem's 
URL, ping is blocked as well):

root@artypi:~# iptables -L -v
Chain INPUT (policy DROP 2 packets, 64 bytes)
  pkts bytes target   prot opt in   out  source      destination
     0     0 ACCEPT   all  --  any  any  192.168.0.1 anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
  pkts bytes target   prot opt in   out  source      destination

Chain OUTPUT (policy DROP 2 packets, 152 bytes)
  pkts bytes target   prot opt in   out  source      destination
     0     0 ACCEPT   all  --  any  any  192.168.0.1 anywhere

* Is the order of the Policies and the rules wrong? can it be changed?
* How can I achieve my objectives to block all access, except allow 
Python Requests (and browser?) access to the modem?

After that, is the above rule for DHCP correct if I use INPUT and/or 
OUTPUT chains instead of the "ufw-before-input" chain?

Thank you for your gracious patience, and for any and all comments, 
suggestions, and assistance.
Blessings in abundance, all the best, & ENJOY!
Art in Carlisle, PA USA

P.S.: I also found this article, but it didn't seem to help me at all: 
Iptables Drop rule - strange behaviour, 
https://www.spinics.net/lists/netfilter/msg52940.html


* Re: Can't override filter section OUTPUT DROP / INPUT DROP Policy
  2017-08-25 14:16 Can't override filter section OUTPUT DROP / INPUT DROP Policy gazoxtapod
@ 2017-08-25 16:12 ` netfilter
  2017-08-25 16:16   ` netfilter
  2017-08-25 20:03   ` gazoxtapod
  0 siblings, 2 replies; 4+ messages in thread
From: netfilter @ 2017-08-25 16:12 UTC (permalink / raw)
  To: gazoxtapod, netfilter

Without knowing the network topology you're using, suggesting an 
approach can be challenging.


With the right topology, your firewall rules can become nearly "trivial".


For something like this, I would suggest either a second physical 
interface (a USB Ethernet dongle) or a VLAN to easily segregate traffic 
between the Pi and the modem from that between the RPi and your 
"trusted" access servers.

I'm not sure how you're connecting to the modem, as the modem-router 
connection typically acts as a bridge, rather than a routed segment, 
with the router's external interface obtaining DHCP information (IPv4 
and IPv6 both, if enabled) from the modem.

I can see several ways of "tapping into" the modem-router connection:

192.168.0.1/24    -- modem's administrative interface

203.0.113.123/24  -- hypothetical ISP-assigned address

192.168.168.0/24  -- internal network, assigned by router's DHCPd



Approach 1 -- Provide static route to modem

Modem ----- Router IF_ext                Router IF_int ----- internal net ----- RPi
            203.0.113.123/24 - DHCP      192.168.168.1/24 -- static             192.168.168.200/24 -- DHCP
            192.168.0.2/24   - static                                           192.168.0.4/24     -- static

For this to work, you'll likely need at least
* RPi
   * Static route to 192.168.0.1 via 192.168.168.1
* Router, arp might figure it out, but may need "help" with
   * Static route to 192.168.0.1 as link-local on IF_ext
   * Static route to 192.168.0.4 as link-local on IF_int

That's pretty ugly to me, and doesn't restrict modem access as neatly 
and flexibly as using a VLAN would (I'm assuming the VLAN is tagged on 
the internal net).



Approach 2 -- Bridge to VLAN


Modem ----- Router IF_ext                Router IF_int ----- internal net ----- RPi
            203.0.113.123/24 - DHCP      192.168.168.1/24 - static              192.168.168.200/24 - DHCP
            Router IF_ext:1              Router IF_ext.1234                     RPi.1234 (or second adapter)
            192.168.0.2/24   - static    192.168.0.3/24   - static              192.168.0.4/24     - static

Now the router can be configured to bridge the virtual interface 
IF_ext:1 to the VLAN interface IF_ext.1234. Only internal hosts that 
have access to VLAN 1234 have access to the modem. No special routing 
tricks should be required, assuming the bridge is configured properly.



Approach 3 -- RPi as bridge

Bridge the traffic between the modem and the router through the RPi

This can be a pretty clean solution, but, alas, the RPi architecture 
limits the on-board Ethernet adapter to about 90 Mbps (all RPi versions, 
at this time).



Approach 4 -- Proxy connections to the modem

Configure the router to proxy connections to the modem. This can be done 
through NAT, or by running nginx or the like on the router. Access controls 
on the proxy limit access to the modem.  The proxy prevents the modem from 
connecting to the internal net.




On 8/25/17 7:16 AM, gazoxtapod wrote:
> [...]
> I'm trying to use the Pi2 as an appliance to monitor DSL Usage from my 
> DSL modem (192.168.0.1), which is between a (nearly default 
> configuration) firewall router for my LAN and the ISP.  The Pi2 box 
> project, when completed, is strictly an appliance that is a client to 
> the modem, reading date/time and DSL usage and error status, and 
> displaying this on an LCD display.
>
> * I need to allow the Pi2 to negotiate a DHCP request for an IP 
> address from the router on bootup. (This is the system default - no 
> need to do anything)
> * I need to allow the Pi2 to make a periodic connection to the modem 
> and fetch data. (I do this with Python Requests - it works)
> * I am trying to block all other types of incoming and outgoing 
> connections. This is what I can NOT do.
>
[...]


* Re: Can't override filter section OUTPUT DROP / INPUT DROP Policy
  2017-08-25 16:12 ` netfilter
@ 2017-08-25 16:16   ` netfilter
  2017-08-25 20:03   ` gazoxtapod
  1 sibling, 0 replies; 4+ messages in thread
From: netfilter @ 2017-08-25 16:16 UTC (permalink / raw)
  To: netfilter, gazoxtapod, netfilter

Ugh, here are the diagrams again, hopefully "protected" against spacing 
changes this time!

On 8/25/17 9:12 AM, netfilter@allycomm.com wrote:
> . Approach 1 -- Provide static route to modem
>
> . Modem ----- Router IF_ext                Router IF_int ----- internal net ----- RPi
> .             203.0.113.123/24 - DHCP      192.168.168.1/24 -- static             192.168.168.200/24 -- DHCP
> .             192.168.0.2/24   - static                                           192.168.0.4/24     -- static
>
> . Approach 2 -- Bridge to VLAN
>
> . Modem ----- Router IF_ext                Router IF_int ----- internal net ----- RPi
> .             203.0.113.123/24 - DHCP      192.168.168.1/24 - static              192.168.168.200/24 - DHCP
> .             Router IF_ext:1              Router IF_ext.1234                     RPi.1234 (or second adapter)
> .             192.168.0.2/24   - static    192.168.0.3/24   - static              192.168.0.4/24     - static




* Re: Can't override filter section OUTPUT DROP / INPUT DROP Policy
  2017-08-25 16:12 ` netfilter
  2017-08-25 16:16   ` netfilter
@ 2017-08-25 20:03   ` gazoxtapod
  1 sibling, 0 replies; 4+ messages in thread
From: gazoxtapod @ 2017-08-25 20:03 UTC (permalink / raw)
  To: netfilter

System TOPOLOGY:

       LAN         Static IP    _________
Desktop ----------------------|         |
                               |         |     _________
Tablet ) ) ) ) ) \       DHCP |         |    |         |
                  WiFi AP -----| LinkSys | ?? |  ZyXEL  |
Cell Phone ) ) ) /            | BEFSX41 |----| PK5100Z |---- ISP DSL
                        DHCP   | Router  |    |  Modem  |
Desktop ----------------------|         |    |_________|
                        DHCP   |         |
RPi2 -------------------------|_________|

I am strong in hardware and test software, but VERY weak in networking. 
Everything WORKS just fine right now.  I am just paranoid about 
leaving a device available continuously for connection to the Internet 
if I don't have to.  My desktop system doesn't even have a hard/SSD 
drive ... it is a Linux Mint LiveMedia system running from ROM SD or USB 
flash drive, and it is powered down or disconnected from the Internet 
when not in use.  Before I do any secure transactions, I reboot a virgin 
system.

I have seen a lot of demand for a "DSL Usage Monitor" due to data caps 
imposed by ISPs.  I looked for a solution because my wife wants 
streaming TV, but didn't find anything worthwhile.  I pulled the Pi out 
of my "Junk Box" when I came up with this idea.  The RPi2 appears to be 
a great solution ... cheap ... only a cheap LCD display (20x4) required 
... wired or WiFi ... and it works GREAT:

PYTHON REQUESTS CODE:   Courtesy of "Roger Shruber" #Python
=====================  Payload is the login arguments strings
import requests

# login_url, data_url and payload are the modem's login page, its usage
# page and the login form fields (placeholders here; set them for your modem)
s = requests.Session()
resp = s.post(login_url, data=payload)   # log in; the session keeps the cookie
rawout = s.get(data_url)                 # fetch the usage page in that session
rawdata = str(rawout.text)
print(rawdata)                           # <-- parse this data!

That's how EASY it is!  I want to keep it as simple and plug-and-play as 
possible.  If using the same modem, the only things that have to be 
loaded are the account arguments.  Why complicate elegant simplicity?  I 
plan to publish the results as a template for a DIY project for others 
who are worried about data caps.  Plug it in and watch it!

However, why not make it as bullet-proof as possible, IF IT DOESN'T 
COMPLICATE THINGS ... beyond all recognition.  Hence, IF the Pi firewall 
can be configured to block all extraneous access, let's DO IT!  I'm just 
too dumb and stubborn to think that it can't be done, but then I've been 
wrong MANY times before.  I know NOTHING about VLANs, proxies, and d#!n 
little about iptables.

So, thanks for your input, but no, I'm not putting more hardware into 
the system and I really don't want to change the topology and I don't 
want to mess with the router.  I just need help in tweaking the firewall 
rules, or convincing me that it really can't be done.  Hey, that's what 
the iptables are for, isn't it ... controlling access to fit the needs 
of the system?

This is excruciatingly simple, but halfway close:
  . . sudo iptables -P INPUT DROP        <--  P:Policy
  . . sudo iptables -P OUTPUT ACCEPT

So I'm really hoping for an answer: Why doesn't the table in my op work?

I sincerely do thank everyone for their patient pondering of this case.
Blessings in abundance, all the best, & ENJOY!
Art

On 08/25/2017 04:12 PM, netfilter@allycomm.com wrote:
> Without knowing the network topology you're using, suggesting an
> approach can be challenging.
> With the right topology, your firewall rules can become nearly "trivial"
>
> I would suggest either a second physical
> interface (a USB Ethernet dongle) or a VLAN to easily segregate traffic
>
> Approach 1 -- Provide static route to modem  ...
>
> Approach 2 -- Bridge to VLAN  ...
>
> Approach 4 -- Proxy connections to the modem  ...
>
>
> On 8/25/17 7:16 AM, gazoxtapod wrote:
>> [...]
>> I'm trying to use the Pi2 as an appliance to monitor DSL Usage from my
>> DSL modem (192.168.0.1), which is between a (nearly default
>> configuration) firewall router for my LAN and the ISP.  The Pi2 box
>> project, when completed, is strictly an appliance that is a client to
>> the modem, reading date/time and DSL usage and error status, and
>> displaying this on an LCD display.
>>
>> * I need to allow the Pi2 to negotiate a DHCP request for an IP
>> address from the router on bootup. (This is the system default - no
>> need to do anything)
>> * I need to allow the Pi2 to make a periodic connection to the modem
>> and fetch data. (I do this with Python Requests - it works)
>> * I am trying to block all other types of incoming and outgoing
>> connections. This is what I can NOT do.
>>
> [...]
>

