* Can't override filter section OUTPUT DROP / INPUT DROP Policy
@ 2017-08-25 14:16 gazoxtapod
2017-08-25 16:12 ` netfilter
0 siblings, 1 reply; 4+ messages in thread
From: gazoxtapod @ 2017-08-25 14:16 UTC (permalink / raw)
To: netfilter
Esteemed List Participants and Lurkers: NEWBIE ALERT!
==============================================================
Raspberry Pi 2 - Raspbian GNU/Linux 8 (jessie)
iptables v1.4.21 - ufw v0.33-2
==============================================================
I'm trying to use the Pi2 as an appliance to monitor DSL Usage from my
DSL modem (192.168.0.1), which is between a (nearly default
configuration) firewall router for my LAN and the ISP. The Pi2 box
project, when completed, is strictly an appliance that is a client to
the modem, reading date/time and DSL usage and error status, and
displaying this on an LCD display.
* I need to allow the Pi2 to negotiate a DHCP request for an IP address
from the router on bootup. (This is the system default - no need to do
anything)
* I need to allow the Pi2 to make a periodic connection to the modem and
fetch data. (I do this with Python Requests - it works)
* I am trying to block all other types of incoming and outgoing
connections. This is what I can NOT do.
I have tried to research this extensively and at least found this thread
which is somewhat similar to my basic approach:
. . DROP policy, serious vulnerability?
. . http://www.spinics.net/lists/netfilter/msg56020.html
I have tried various tests using 'ufw' and 'iptables' with little to no
success. I did discover that "ufw" commands are persistent, and
"iptables" are dynamic, but not persistent (I think that is right?).
Here is what I 'think' I am trying to do:
sudo iptables -P INPUT DROP <-- P:Policy
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP
sudo iptables -A OUTPUT -s 192.168.0.1 -j ACCEPT <--A:Append s:source
j:jump
sudo iptables -A INPUT -s 192.168.0.1 -j ACCEPT <--don't need this?
I found the rule for what I think is the DHCP negotiation in the
unmodified original iptables --list:
-A ufw-before-input -p udp --sport 67 --dport 68 -j accept
OK. I did discover that "iptables -F" cleans out everything in the
(non-persistent) --list very nicely and leaves only the 3 filter section
default policies. With "ufw enable", as soon as I set "default deny
outgoing" (-P OUTPUT DROP) as the policy, NOTHING I do overrides that
and I have no browser connection ability to the modem. As soon as I set
"default deny incoming" (-P INPUT DROP) as the policy, NOTHING I do
overrides that. I have been using "ping" from an adjacent desktop on
the LAN (192.168.1.104) to test incoming connections, and it works only
with "ufw disable" ... EVERYTHING works wide open when disabled, as
expected, so the firewall router is not getting in the way.
I have managed to get the --list in this configuration, but all access
to the modem (via the browser) and is blocked. (using ping system URL,
ping blocked as well):
root@artypi:~# iptables -L -v
Chain INPUT (policy DROP 2 packets, 64 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any 192.168.0.1 anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any 192.168.0.1 anywhere
* Is the order of the Policies and the rules wrong? can it be changed?
* How can I achieve my objectives to block all access, except allow
Python Requests (and browser?) access to the modem?
After that, is the above rule for DHCP correct if I use INPUT and/or
OUTPUT chains instead of the "ufw-before-input" chain?
Thank you for your gracious patience, and for any and all comments,
suggestions, and assistance.
Blessings in abundance, all the best, & ENJOY!
Art in Carlisle, PA USA
P.S.: I also found this article, but it didn't seem to help me at all:
Iptables Drop rule - strange behaviour,
https://www.spinics.net/lists/netfilter/msg52940.html
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Can't override filter section OUTPUT DROP / INPUT DROP Policy
2017-08-25 14:16 Can't override filter section OUTPUT DROP / INPUT DROP Policy gazoxtapod
@ 2017-08-25 16:12 ` netfilter
2017-08-25 16:16 ` netfilter
2017-08-25 20:03 ` gazoxtapod
0 siblings, 2 replies; 4+ messages in thread
From: netfilter @ 2017-08-25 16:12 UTC (permalink / raw)
To: gazoxtapod, netfilter
Without knowing the network topology you're using, suggesting an
approach can be challenging.
With the right topology, your firewall rules can become nearly "trivial"
For something like this, I would suggest either a second physical
interface (a USB Ethernet dongle) or a VLAN to easily segregate traffic
between the Pi and the modem from that between the RPi and your
"trusted" access servers.
I'm not sure how you're connecting to the modem, as the modem-router
connection typically acts as a bridge, rather than a routed segment,
with the router's external interface obtaining DHCP information (IPv4
and IPv6 both, if enabled) from themodem.
I can see several ways of "tapping into" the modem-router connection:
192.168.0.1/24 -- modem's administrative interface
203.0.113.123/24 -- hypothetical ISP-assigned address
192.168.168.0/24 -- internal network, assigned by router's DHCPd
Approach 1 -- Provide staticroute to modem
Modem ----- Router IF_ext Router IF_int ----- internal
net ----- RPi
203.0.113.123/24 - DHCP 192.168.168.1/24 -- static
192.168.168.200/24 -- DHCP
192.168.0.2/24 - static 192.168.0.4/24 -- static
For this to work, you'll likely need at least
* RPi
* Static route to 192.168.0.1 via 192.168.168.1
* Router, arp might figure it out, but may need "help" with
* Static route to 192.168.0.1 as link-local on IF_ext
* Static route to 192.168.0.4 as link-local on IF_int
That's pretty ugly to me, and doesn't restrict modem access as neatly
and flexibly as using a VLAN would (I'm assuming the VLAN is tagged on
the internal net)
Approach 2 -- Bridge to VLAN
Modem ----- Router IF_ext Router IF_int ----- internal
net ----- RPi
203.0.113.123/24 - DHCP 192.168.168.1/24 - static
192.168.168.200/24 - DHCP
Router IF_ext:1 Router IF_ext.1234 RPi.1234 (or
second adapter)
192.168.0.2/24 - static 192.168.0.3/24 - static
192.168.0.4/24 - static
Now the router can be configured to bridge the virtual interface
IF_ext:1 to the VLAN interface IF_ext.1234. Only internal hosts that
have access to VLAN 1234 have access to the modem. No special routing
tricks should be required, assuming the bridge is configured properly.
Approach 3 -- RPi as bridge
Bridge the traffic between the modem and the router through the RPi
This can be a pretty clean solution, but, alas, the RPi architecture
limits the on-board Ethernet adapter to about 90 Mbps (all RPi versions,
at this time).
Approach 4 -- Proxy connections to the modem
Configure the router to proxy connections to the modem. This can be done
through NAT, or running nginx or the like on the router. Access controls
on the proxy limit access to the modem. Proxy prevents modem from
connecting to the internal net.
On 8/25/17 7:16 AM, gazoxtapod wrote:
> [...]
> I'm trying to use the Pi2 as an appliance to monitor DSL Usage from my
> DSL modem (192.168.0.1), which is between a (nearly default
> configuration) firewall router for my LAN and the ISP. The Pi2 box
> project, when completed, is strictly an appliance that is a client to
> the modem, reading date/time and DSL usage and error status, and
> displaying this on an LCD display.
>
> * I need to allow the Pi2 to negotiate a DHCP request for an IP
> address from the router on bootup. (This is the system default - no
> need to do anything)
> * I need to allow the Pi2 to make a periodic connection to the modem
> and fetch data. (I do this with Python Requests - it works)
> * I am trying to block all other types of incoming and outgoing
> connections. This is what I can NOT do.
>
[...]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Can't override filter section OUTPUT DROP / INPUT DROP Policy
2017-08-25 16:12 ` netfilter
@ 2017-08-25 16:16 ` netfilter
2017-08-25 20:03 ` gazoxtapod
1 sibling, 0 replies; 4+ messages in thread
From: netfilter @ 2017-08-25 16:16 UTC (permalink / raw)
To: netfilter, gazoxtapod, netfilter
Ugh, here are the diagrams again, hopefully "protected" against spacing
changes this time!
On 8/25/17 9:12 AM, netfilter@allycomm.com wrote:
> . Approach 1 -- Provide staticroute to modem
>
> . Modem ----- Router IF_ext Router IF_int -----
> internal net ----- RPi
> . 203.0.113.123/24 - DHCP 192.168.168.1/24 -- static
> 192.168.168.200/24 -- DHCP
> . 192.168.0.2/24 - static 192.168.0.4/24 -- static
>
> . Approach 2 -- Bridge to VLAN
>
> . Modem ----- Router IF_ext Router IF_int -----
> internal net ----- RPi
> . 203.0.113.123/24 - DHCP 192.168.168.1/24 - static
> 192.168.168.200/24 - DHCP
> . Router IF_ext:1 Router
> IF_ext.1234 RPi.1234 (or second adapter)
> . 192.168.0.2/24 - static 192.168.0.3/24 - static
> 192.168.0.4/24 - static
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Can't override filter section OUTPUT DROP / INPUT DROP Policy
2017-08-25 16:12 ` netfilter
2017-08-25 16:16 ` netfilter
@ 2017-08-25 20:03 ` gazoxtapod
1 sibling, 0 replies; 4+ messages in thread
From: gazoxtapod @ 2017-08-25 20:03 UTC (permalink / raw)
To: netfilter
System TOPOLOGY:
LAN Static IP _________
Desktop ----------------------| |
| | _________
Tablet ) ) ) ) ) \ DHCP | | | |
WiFi AP -----| LinkSys | ?? | ZyXEL |
Cell Phone ) ) ) / | BEFSX41 |----| PK5100Z |---- ISP DSL
DHCP | Router | | Modem |
Desktop ----------------------| | |_________|
DHCP | |
RPi2 -------------------------|_________|
I am strong in hardware and test software, but VERY weak in networking.
Everything WORKS just fine right now. I am just paranoid about
leaving a device available continuously for connection to the Internet
if I don't have to. My desktop system doesn't even have a hard/SSD
drive ... it is a Linux Mint LiveMedia system running from ROM SD or USB
flash drive, and it is powered down or disconnected from the Internet
when not in use. Before I do any secure transactions, I reboot a virgin
system.
I have seen a lot of demand for a "DSL Usage Monitor" due to data caps
imposed by ISPs. I looked for a solution because my wife wants
streaming TV, but didn't find anything worthwhile. I pulled the Pi out
of my "Junk Box" when I came up with this idea. The RPi2 appears to be
a great solution ... cheap ... only a cheap LCD display (20x4) required
... wired or WiFi ... and it works GREAT:
PYTHON REQUESTS CODE: Courtesy of "Roger Shruber" #Python
===================== Payload is the login arguments strings
s = requests.Session()
resp = s.post(login_url, data=payload)
rawout = s.get(data_url)
rawdata = str(rawout.text)
print rawdata <-- parse this data!
That's how EASY it is! I want to keep it as simple and plug-and-play as
possible. If using the same modem, the only things that have to be
loaded are the account arguments. Why complicate elegant simplicity? I
plan to publish the results as a template for a DIY project for others
who are worried about data caps. Plug it in and watch it!
However, why not make it as bullet-proof as possible, IF IT DOESN'T
COMPLICATE THINGS ... beyond all recognition. Hence, IF the Pi firewall
can be configured to block all extraneous access, let's DO IT! I'm just
to dumb and stubborn to think that it can't be done, but then I've been
wrong MANY times before. I know NOTHING about VLANs, proxys, and d#!n
little about iptables.
So, thanks for your input, but no, I'm not putting more hardware into
the system and I really don't want to change the topology and I don't
want to mess with the router. I just need help in tweaking the firewall
rules, or convincing me that it really can't be done. Hey, that's what
the iptables are for, isn't it ... controlling access to fit the needs
of the system?
This is excruciatingly simple, but halfway close:
. . sudo iptables -P INPUT DROP <-- P:Policy
. . sudo iptables -P OUTPUT ACCEPT
So I'm really hoping for an answer: Why doesn't the table in my op work?
I sincerely do thank everyone for their patient pondering of this case.
Blessings in abundance, all the best, & ENJOY!
Art
On 08/25/2017 04:12 PM, netfilter@allycomm.com wrote:
> Without knowing the network topology you're using, suggesting an
> approach can be challenging.
> With the right topology, your firewall rules can become nearly "trivial"
>
> I would suggest either a second physical
> interface (a USB Ethernet dongle) or a VLAN to easily segregate traffic
>
> Approach 1 -- Provide staticroute to modem ...
>
> Approach 2 -- Bridge to VLAN ...
>
> Approach 4 -- Proxy connections to the modem ...
>
>
> On 8/25/17 7:16 AM, gazoxtapod wrote:
>> [...]
>> I'm trying to use the Pi2 as an appliance to monitor DSL Usage from my
>> DSL modem (192.168.0.1), which is between a (nearly default
>> configuration) firewall router for my LAN and the ISP. The Pi2 box
>> project, when completed, is strictly an appliance that is a client to
>> the modem, reading date/time and DSL usage and error status, and
>> displaying this on an LCD display.
>>
>> * I need to allow the Pi2 to negotiate a DHCP request for an IP
>> address from the router on bootup. (This is the system default - no
>> need to do anything)
>> * I need to allow the Pi2 to make a periodic connection to the modem
>> and fetch data. (I do this with Python Requests - it works)
>> * I am trying to block all other types of incoming and outgoing
>> connections. This is what I can NOT do.
>>
> [...]
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-08-25 20:03 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-08-25 14:16 Can't override filter section OUTPUT DROP / INPUT DROP Policy gazoxtapod
2017-08-25 16:12 ` netfilter
2017-08-25 16:16 ` netfilter
2017-08-25 20:03 ` gazoxtapod
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.