
iptables config to isolate and route networks on KVM hosts for testing

Here I have isolated and NATed 3 networks: 192.168.{10,15,33}.x

 

# Generated by iptables-save v1.4.21 on Sat Nov 26 12:02:53 2016
*mangle
:PREROUTING ACCEPT [2855:275135]
:INPUT ACCEPT [2238:219430]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1484:256521]
:POSTROUTING ACCEPT [1484:256521]
# Fill in the UDP checksum on DHCP replies (dport 68 = DHCP client) leaving
# each bridge. Presumably written by libvirt so guests that verify the
# checksum accept offers from the host -- nothing is filtered in this table.
-A POSTROUTING -o virbr2 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr3 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sat Nov 26 12:02:53 2016
# Generated by iptables-save v1.4.21 on Sat Nov 26 12:02:53 2016
*nat
:PREROUTING ACCEPT [977:101237]
:INPUT ACCEPT [513:58953]
:OUTPUT ACCEPT [120:9090]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
# Docker's hooks for locally-destined traffic (published ports would be
# DNATed inside the DOCKER chain; it only RETURNs here).
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
# Catch-all first: anything leaving the uplink (enp5s0) is masqueraded whatever
# its source. MASQUERADE is terminating, so the per-network rules below are
# only reached by traffic leaving via some other interface.
-A POSTROUTING -o enp5s0 -j MASQUERADE
# Per-network NAT in the usual libvirt shape: never NAT link-local multicast
# or broadcast, NAT tcp/udp into the unprivileged port range, then the rest.
-A POSTROUTING -s 192.168.10.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.10.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.33.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.33.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.33.0/24 ! -d 192.168.33.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.33.0/24 ! -d 192.168.33.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.33.0/24 ! -d 192.168.33.0/24 -j MASQUERADE
# Only 192.168.33.0/24 is also masqueraded in the INBOUND direction: traffic
# from anywhere else into this network is rewritten to the bridge address, so
# guests there never see the real client source (and cannot filter on it).
# Looks intentional -- this is the one network the filter table leaves
# reachable -- but confirm.
-A POSTROUTING ! -s 192.168.33.0/24 -d 192.168.33.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.15.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.15.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.15.0/24 ! -d 192.168.15.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.15.0/24 ! -d 192.168.15.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.15.0/24 ! -d 192.168.15.0/24 -j MASQUERADE
# Docker's own outbound NAT for the default bridge network.
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sat Nov 26 12:02:53 2016
# Generated by iptables-save v1.4.21 on Sat Nov 26 12:02:53 2016
*filter
:INPUT ACCEPT [2238:219430]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1484:256521]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
# DNS (53) and DHCP (67) from guests to the host's resolver/DHCP on each bridge.
# NOTE(review): with the INPUT policy ACCEPT above and no final REJECT, these
# rules restrict nothing -- guests can reach every service the host listens on.
# They only become meaningful if the INPUT policy is changed to DROP/REJECT.
-A INPUT -i virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr3 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr3 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr3 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr3 -p tcp -m tcp --dport 67 -j ACCEPT
# FORWARD, per bridge. The pattern used for virbr2 and virbr3 is: let replies
# back into the network, let the network out, allow intra-bridge traffic, then
# REJECT anything else leaving to or arriving from that bridge. Rule ORDER is
# what isolates the bridges from each other, so keep each group together.
-A FORWARD -d 192.168.10.0/24 -o virbr2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.10.0/24 -i virbr2 -j ACCEPT
-A FORWARD -i virbr2 -o virbr2 -j ACCEPT
-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
# virbr1 (192.168.33.0/24) has only the ACCEPT rules; the "-o virbr1 REJECT" /
# "-i virbr1 REJECT" pair the other bridges carry is missing. Following rule
# order this means: guests on virbr1 reach virbr3 and virbr0 (the -i virbr1
# ACCEPT below fires before those bridges' REJECTs; virbr2 is protected only
# because its REJECT comes earlier), and new connections INTO 192.168.33.0/24
# from virbr3 (its own -i virbr3 ACCEPT), from docker0, or from the uplink
# (chain policy ACCEPT) are all forwarded. So this network is NATed but not
# isolated; if that is unintended, add the same two REJECT rules right after
# the intra-bridge ACCEPT.
-A FORWARD -d 192.168.33.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.33.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
# virbr0 has no -s/-d ACCEPT rules at all: guests on it cannot initiate
# anything off the bridge (fully isolated). Only virbr1, whose ACCEPT comes
# earlier in the chain, can reach into it.
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.15.0/24 -o virbr3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.15.0/24 -i virbr3 -j ACCEPT
-A FORWARD -i virbr3 -o virbr3 -j ACCEPT
-A FORWARD -o virbr3 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr3 -j REJECT --reject-with icmp-port-unreachable
# Docker's chains come after the libvirt rules; anything still unmatched at
# the end of FORWARD ends at the chain policy, which is ACCEPT.
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# Let the host's DHCP server answer guests on each bridge (redundant while the
# OUTPUT policy is ACCEPT).
-A OUTPUT -o virbr2 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o virbr3 -p udp -m udp --dport 68 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
COMMIT
# Completed on Sat Nov 26 12:02:53 2016

Protect Thinlinc HTML5 Client with fail2ban (tlwebaccess)

Thinlinc's HTML5 client is a great option to provide zero support RemoteAccess.
Security is a bit weak: the daemon runs as root, and the noVNC client has also had some security issues in the past.

Anyway, with fail2ban 0.91 and above you can use the multiline patterns you need to do proper banning of failed logins.

Logfile: /var/log/tlwebaccess.log

Failed Login Pattern:

2015-12-02 09:07:28 INFO tlwebaccess[13758]: Connection from ::ffff:8.7.6.1, port 46540
2015-12-02 09:07:31 ERROR tlwebaccess[13759]: Failed authentication for user u'dfasd'

/etc/fail2ban/jail.local

# set your LANs here
# (sources listed here are never banned, so keep it to trusted management
#  networks -- failed logins from them will not trigger the jail)
ignoreip = 127.0.0.1/8 10.10.0.0/16

destemail = support@domain.com
sender = support@domain.com

# depending on your OS firewall
banaction = ufw

# JAILS
# maxretry failures within findtime (300 s) ban the source for bantime
# (36000 s = 10 h) on the tlwebaccess port; "filter" names
# /etc/fail2ban/filter.d/tlwebaccess.conf.
[tlwebaccess]
enabled  = true
port     = 300
filter   = tlwebaccess
logpath  = /var/log/tlwebaccess.log
findtime = 300
bantime  = 36000
maxretry = 3

/etc/fail2ban/filter.d/tlwebaccess.conf

# Fail2Ban configuration file
#
# Author: Chris Ruettimann<chris@bitbull.ch>
#

[Init]
# Number of consecutive log lines fail2ban buffers so the two-line failregex
# below can match the "Connection from" line together with the
# "Failed authentication" line that follows it.
maxlines = 4

[Definition]
# Daemon name; not referenced by the regex below, which spells it out.
_daemon = tlwebaccess

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
# Review notes on this pattern:
#  - The two lines are paired only by adjacency inside the maxlines window;
#    the pids differ between them in the sample (13758 vs 13759), so there is
#    no per-connection key. With concurrent connections a failure can be
#    attributed to another client's "Connection from" address, i.e. the wrong
#    host may be banned. Verify under load before relying on it.
#  - "::.*:<HOST>" only matches IPv4-mapped addresses (::ffff:a.b.c.d) like
#    the sample; a native IPv6 client address will not match at all.
failregex = .* Connection from ::.*:<HOST>, .*\n.* ERROR tlwebaccess.\d*.: Failed authentication for user .*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

 

After testing, banning should work like this.

2015-12-02 09:07:24,988 fail2ban.filter         [2166]: INFO    [tlwebaccess] Found 8.7.5.1
2015-12-02 09:07:32,025 fail2ban.filter         [2166]: INFO    [tlwebaccess] Found 8.7.5.1
2015-12-02 09:07:37,048 fail2ban.filter         [2166]: INFO    [tlwebaccess] Found 8.7.5.1
2015-12-02 09:07:37,973 fail2ban.actions        [2166]: NOTICE  [tlwebaccess] Ban 8.7.5.1

 

 

 

log traffic with iptables

Recently I had to log NATed traffic in the PREROUTING chain on CentOS7, which is still impossible in firewalld !!!! :-(

So I switched back to the iptables firewall, which is still possible in CentOS7; I hope RHEL8 will have a better firewalling solution.
The idea of firewalld is ok, but firewalld brings more limitations than features.

How to switch back to iptables:

# Replace firewalld with the classic iptables service. Removing firewalld
# drops its runtime rules, so have /etc/sysconfig/iptables (below) ready
# before the restart -- that file is what the iptables service loads.
yum remove firewalld
yum install iptables-services iptables
systemctl enable iptables
systemctl restart iptables

And finally here is the way to log the chains you need:

# rule file loaded by the iptables service; apply edits with "systemctl restart iptables"
vi /etc/sysconfig/iptables
*nat
# Rate-limited log of packets entering nat PREROUTING. The nat table only sees
# the first packet of each connection, so this records new connections rather
# than every packet, and the limit (1/s, burst 7) makes it a sample under load.
# The prefix is the string to grep for in the kernel log.
-A PREROUTING -m limit --limit 1/sec --limit-burst 7 -j LOG --log-prefix "[IPTABLES PREROUTING "
# do not nat apache traffic
# (DNAT to the original destination is a terminating no-op: it keeps direct
#  traffic to the web server out of the transparent-proxy redirect below)
-A PREROUTING -s 10.8.0.0/16  -d 10.0.40.10/32 -p tcp -m tcp --dport 80  -j DNAT --to-destination 10.0.40.10:80
# Transparent redirect of 10.8.0.0/16 ftp/http/https to the proxy ports on
# 10.0.40.10 -- presumably this host, since FORWARD below rejects everything
# and the filter table accepts 3128/3129 on INPUT; confirm.
-A PREROUTING -s 10.8.0.0/16 -p tcp -m tcp --dport 21  -j DNAT --to-destination 10.0.40.10:3128
-A PREROUTING -s 10.8.0.0/16 -p tcp -m tcp --dport 80  -j DNAT --to-destination 10.0.40.10:3128
-A PREROUTING -s 10.8.0.0/16 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.40.10:3129
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Log before the ESTABLISHED accept so replies are logged as well -- but
# rate-limited (1/s, burst 7), so this is a sample, not a full record.
-A INPUT  -m limit --limit 1/s --limit-burst 7   -j LOG --log-prefix "[IPTABLES INPUT "
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Services open to any source: ssh, http, https.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
#http transparent
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
#https transparent
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3129 -j ACCEPT
#classic proxy
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
# NOTE(review): the three proxy ports above are accepted from any source,
# while the nat redirect only covers 10.8.0.0/16. If the proxy is meant for
# that network only, add "-s 10.8.0.0/16" to these rules (or bind the proxy
# to an internal address); otherwise the proxy on 8080 is reachable by any
# source that can reach this host.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Nothing is routed through this host: log (sampled) and reject all forwarding.
-A FORWARD -m limit --limit 1/sec --limit-burst 7 -j LOG --log-prefix "[IPTABLES FORWARD "
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# NOTE(review): this excerpt ends without a COMMIT line; iptables-restore
# expects each table to be closed with COMMIT, so the real file must end
# with one.