Author Topic: [SOLVED] Open Firewall  (Read 4330 times)

haychis

  • Zen Apprentice
  • Posts: 24
  • Karma: +0/-0
[SOLVED] Open Firewall
« on: June 28, 2013, 06:26:21 am »
Hello all.

Was running Ebox 2.xx for ages with no problems. Upgraded server and decided to install latest version. Core 3.0.21.
Running off Virtualbox, win7 host, guest additions installed.

Everything installed fine and seems to be running fine.

Single NIC (eth0) config (ticked as external in interfaces).

Only using it for proxy and firewall services. Proxy works as clients connect and access internet via transparent proxy.

I know that DROP is default policy for firewall.
I add a rule in all sections to ALLOW any service, any source and any destination.
I check log and still get DROPped packets.
I have removed all rules, and added ALLOW rules in each section, and still get DROPPED packets.

If I change the iptables policy from the terminal to ACCEPT on INPUT, OUTPUT and FORWARD, and -F flush and -X, leaving me with no rules, it works. But of course as soon as the firewall is restarted, the rules return.

Question is, how do I make the firewall accept everything and deny nothing? And why doesn't adding ALLOW ALL to all sections work?

« Last Edit: June 29, 2013, 09:50:43 pm by haychis »

christian

  • Guest
Re: Open Firewall
« Reply #1 on: June 28, 2013, 06:46:29 am »
For my knowledge, how did you set up transparent proxy with one single interface ?
Another comment (which unfortunately doesn't help solving your current issue): isn't Zentyal a bit of overkill if the goal is only to run a proxy, furthermore in transparent mode?

Back to your point: can you identify the packets that are dropped and the rules applying?

haychis

  • Zen Apprentice
  • Posts: 24
  • Karma: +0/-0
Re: Open Firewall
« Reply #2 on: June 28, 2013, 08:16:12 am »
It's how I had my previous setup with ver 2.xx.

Zentyal acts as the gateway for all my clients.

I set up Network/Interfaces eth0, static, External (WAN) ticked (if I don't tick it, https doesn't work), static IP address (192.168.0.102) and netmask (255.255.255.0)
Network/Gateways points to my router 192.168.0.1
Network/DNS points to my router. (192.168.0.1)
HTTP Proxy/General Settings, just ticked Transparent proxy.

Set up all client PCs to static IP address, 192.168.0.xx, mask 255.255.255.0, gateway 192.168.0.102 (Zentyal), and DNS server 192.168.0.102 (Zentyal)

My aim is to restrict access to certain sites, with the proxy server,

And it works.

All computers within the network connect and access the internet without any browser config etc.

My aim (as with ebox 2.xx) is to restrict users to certain websites etc. Ebox worked very well and have had it running for a few years now. Once configured, never really touched it unless looking at logs etc.

The packets that are being dropped are when clients try to RDP into their workstation. It won't let them through.
But my main point is, how do I make Zentyal allow all traffic/services, both in and out.

I see the packets drop as I try to connect.

Jun 28 15:57:51 primary kernel: [11187.111546] ebox-firewall drop IN=eth0 OUT=eth0 MAC=08:00:27:26:c8:57:00:14:fd:10:49:b6:08:00 SRC=192.168.0.105 DST=110.174.52.193 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8080 DPT=2354 WINDOW=5840 RES=0x00 ACK SYN URGP=0 MARK=0x1

Even though I have ANY/ANY ALLOW in every section.

I couldn't ssh into my box without adding ALLOW source/any service/SSH into External networks to Zentyal, even with ALLOW any at the top of the ruleset.

My question is, if I ALLOW any service, source and destination in all sections of Configure Rules for the packet filter, and they are at the top of the list, why does it then still block traffic, even if I delete all other rules and just leave allow any?

I will be migrating to the Zentyal email server as well, and maybe use it as a PDC.


christian

  • Guest
Re: Open Firewall
« Reply #3 on: June 28, 2013, 08:39:32 am »
Quote
And it works.
All computers within the network connect and access the internet without any browser config etc.

Sure, but it has some side effects if you don't make additional settings:
- configuring a workstation with the real default gateway will provide direct internet access, therefore bypassing your proxy
- without SNAT, accessing the internet for anything other than HTTP will not work, as outgoing packets will have a different route than incoming packets, unless I misunderstand your design.

Anyway, if it fits your needs, that's perfect.

Quote
The packets that are being dropped are when clients try to RDP into their workstation. It won't let them through.

RDP from where? From the LAN, controlling an external workstation?

Quote
I couldn't ssh into my box without adding ALLOW source/any service/SSH into External networks to Zentyal, even with ALLOW any at the top of the ruleset.

Sure, you have to set up a rule for "external to Zentyal" as your interface is seen as external. No need to allow "any" if the goal is to SSH. You can just add the SSH service.

Quote
My question is, how come if I ALLOW any service, source and destination, in all sections of configure rules for packet filter and they are the top of the list, why does then it still block traffic, even if I delete all other rules and just leave allow any.

I suspect this is because of inconsistent routes due to lack of SNAT. You keep sending packets from the local client to the external workstation via Zentyal, but packets returning will go directly from the router to the internal workstation.

Quote
I will be migrating to the zentyal email server aswell, and maybe use it as a PDC.
I would rather suggest adding one NIC and using it as it is supposed to be used, meaning with at least 2 interfaces  ;)
It will make your life much simpler and safer too.  8)

haychis

  • Zen Apprentice
  • Posts: 24
  • Karma: +0/-0
Re: Open Firewall
« Reply #4 on: June 28, 2013, 08:58:19 am »
Thanks Christian.

My client PCs don't have access to change the gateway on their workstations, so they can't bypass it, unless they try to hack. And with my staff, good luck to them :)

My staff would RDP from home into the work network, to work from home on their workstations. Worked well with ver 2.xx and for many years.

My point with SSH was that even with allow any as the top rule, it would not let me through; I had to add the SSH service to the ruleset as well. Why wouldn't it let me through if allow any should ALLOW ANY, without adding any extra rules? Regardless of anything else I wish to use it for other than a proxy server to block websites, if I allow any in all sections of the firewall, it should not drop packets.

If I clear all rules from iptables and change the policy to ACCEPT, it works fine. So how do I get it to allow all traffic through the Zentyal interface? Still don't understand how ALLOW ANY still blocks packets is my point here.

christian

  • Guest
Re: Open Firewall
« Reply #5 on: June 28, 2013, 09:39:27 am »
Sorry, I can't help more than this, as I don't understand how it can work (and I can't push my limits further as I'm always back, in my mind, thinking about the potential root cause of such a strange 'one leg' design  ::) ).

Furthermore, I perhaps don't understand enough of the RDP protocol, but to me some information is missing in order to reach the right internal workstation from outside: either you have a different access port per workstation to be controlled, so that you implement forwarding at the border level, or you have an RDP server inside. But with what you provided as input, I'm lost and can't help  :-[

Regarding the question you focus on, that is to have the firewall not working as a firewall but always allowing any-to-any, I can't help either. I'm only using 2.2, not 3.0.
In addition, even if you successfully allow any-to-any, I don't understand how it can work without additional settings to ensure routes are consistent: either SNAT or a static route at the (border) router level. This at least because of SPI, isn't it?  ???

haychis

  • Zen Apprentice
  • Posts: 24
  • Karma: +0/-0
Re: Open Firewall
« Reply #6 on: June 28, 2013, 05:55:51 pm »
Np Christian, thanks for your time anyway.

In reality, all I'm really after is how to open the firewall completely. In essence, to work in reverse: allow everything, then block what I don't want. As it is now, it blocks everything, and I allow what I want. If I tell it to allow all, it is still blocking for some reason.

Maybe someone could direct me on how to change the default policy template of zentyal to allow rather than drop.

jbahillo

  • Zentyal Staff
  • Zen Hero
  • Posts: 1444
  • Karma: +77/-2
Re: Open Firewall
« Reply #7 on: June 28, 2013, 06:19:28 pm »
Hi haychis:

I think that if you go for:

Code:
iptables -t raw -A OUTPUT -p tcp --destination-port 3389 -j TRACE
iptables -t raw -A PREROUTING -p tcp --destination-port 3389 -j TRACE

(substitute 3389 with the port on which RDP is running)

open kern.log with

Code:
tail -f /var/log/kern.log

and try to access RDP, you will for sure see a trace of which rules each packet has passed through, so you should be able to identify which rule (or lack of one) is the culprit of this behaviour. Once done, you would just have to identify in which part of packet filtering you have to add/delete a rule.

Remember to remove the rules from this raw table afterwards; if you don't, kern.log will literally eat your disk  ;)

haychis

  • Zen Apprentice
  • Posts: 24
  • Karma: +0/-0
Re: Open Firewall
« Reply #8 on: June 28, 2013, 06:37:26 pm »
Thanks jbahillo, I will give it a go.

But still, why can't I open the firewall completely? I mean, why doesn't allow all in all sections work ?

Also, still trying to find how to make the default policy ACCEPT for input/output/forward whenever the firewall restarts. Any clues on that one?

jbahillo

  • Zentyal Staff
  • Zen Hero
  • Posts: 1444
  • Karma: +77/-2
Re: Open Firewall
« Reply #9 on: June 28, 2013, 06:44:25 pm »
In order to change the default policy you would have to add a firewall.postservice hook that changed it (or at least that's the only way I can think of doing it):

Code:
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

That's not something I would normally do (I would advise you to rather find which rule is wrong and configure accordingly than leave a server completely open, but obviously that's your decision ;)
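
Written out as a complete hook script, as an added example rather than code from the thread or from Zentyal itself: it assumes Zentyal 3.x executes /etc/zentyal/hooks/firewall.postservice after the firewall module restarts (the hook name is the one jbahillo gives; the directory is an assumption), and it adds the check this exchange makes worth having, a count of explicit DROP/REJECT rules still in the filter table. A chain's policy is only the verdict for packets that fall off the end of the chain without matching any rule, so an explicit drop placed earlier still wins over -P ACCEPT; the count says whether that is the case. IPT can be overridden (IPT=echo) to dry-run the functions without root.

```shell
#!/bin/sh
# Added example (not Zentyal's own code): the firewall.postservice hook that
# jbahillo describes. Assumed install path: /etc/zentyal/hooks/firewall.postservice
# (chmod +x). IPT is overridable, e.g. IPT=echo, to dry-run without root.

# A chain policy only decides packets that reach the END of the chain without
# matching a rule. An explicit DROP/REJECT rule earlier in the chain still
# matches first, so -P ACCEPT on its own changes nothing for those packets.
set_open_policies() {
    ipt=${IPT:-iptables}
    for chain in INPUT FORWARD OUTPUT; do
        "$ipt" -P "$chain" ACCEPT || return 1
    done
}

# Policies as iptables now reports them for the filter table, for the hook's log.
show_policies() {
    ipt=${IPT:-iptables}
    "$ipt" -S | grep '^-P ' || true
}

# Number of explicit DROP/REJECT rules left in the filter table. If this is
# non-zero, the policy is not what decides the fate of packets those rules match.
count_terminal_drops() {
    ipt=${IPT:-iptables}
    "$ipt" -S | grep -c -E -- ' -j (DROP|REJECT)' || true
}

# Only act when running under the hook's own name; sourcing or running the
# file under another name (a dry-run, or a test) just defines the functions.
case "$(basename "$0")" in
    firewall.postservice)
        set_open_policies
        show_policies
        echo "explicit DROP/REJECT rules remaining: $(count_terminal_drops)"
        ;;
esac
```

If the remaining-rules count printed after a firewall restart is not zero, the policy change alone will behave exactly as haychis reports (-P without -F/-X still blocks), and the rule(s) that match the dropped packets have to be found with the TRACE procedure above rather than worked around.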

christian

  • Guest
Re: Open Firewall
« Reply #10 on: June 28, 2013, 06:49:20 pm »
Sure, but his goal is to not have any firewall, which does make sense when you decide that your server will have only one network interface  :)
Then the right next question is "is Zentyal really suitable for such a purpose?"

I would say "no, of course" but prefer to let you, Zentyal guys, reply with your views  ;)

jbahillo

  • Zentyal Staff
  • Zen Hero
  • Posts: 1444
  • Karma: +77/-2
Re: Open Firewall
« Reply #11 on: June 28, 2013, 07:00:30 pm »
Hi christian:

I would not put it in terms of "suitability" but in terms of "designed for". Then I would agree with you that Zentyal is not designed for performing as a transparent proxy in a single-ethernet server. It is considered that if you want a transparent proxy, you will define Zentyal as the gw (and fw) for that net.

As well, Zentyal has been designed as secure by default, and that's why it has not been designed to leave iptables completely open. Of course, this "not designed to" does not mean that a user cannot use it for that with different workarounds, such as the one he has applied for the default gw, or the one I have suggested for the firewall ;)

haychis

  • Zen Apprentice
  • Posts: 24
  • Karma: +0/-0
Re: Open Firewall
« Reply #12 on: June 28, 2013, 07:10:21 pm »
jbahillo, yes I could do that, but the question is why, when I allow all in all sections, that doesn't open the firewall. In essence I'm allowing everything regardless of whether the default policy is to drop. It still blocks, when I'm telling it to allow all. Also -P doesn't work on its own; I've got to -F and -X, to completely remove all rules, for it to work. If I only use -P ACCEPT, it still blocks. Now if I use -F and -X in the post service, then all the rules defined via the GUI will be deleted as well. So I may as well write my own rules and not use the Zentyal GUI at all for the firewall.

What I am thinking of doing is working in reverse: have everything allowed by default, then add rules allowing the services and IPs I choose, then add a rule at the end to block everything else. Otherwise, I will be on the phone with staff all the time, as they can't access this or that.

Christian, this is only the beginning. I may move all my services to zentyal, email, PDC, VPN etc. But I need this to work first.

All I need is to open the firewall completely, no blocks, and how to do that. It's that simple. Allowing all in all sections doesn't work. Question is, should it work if I allow all in all sections? Does the default policy of DROP stop this, etc.?

jbahillo

  • Zentyal Staff
  • Zen Hero
  • Posts: 1444
  • Karma: +77/-2
Re: Open Firewall
« Reply #13 on: June 28, 2013, 09:45:15 pm »
Hi haychis:

Please follow the commands I gave you, attach the result and some screenshots of each section of your firewall config, and for sure we'll find the reason. Without that, it remains a mystery for me (or, as christian would say, we would be tempted to say that it is due to your "workaround").

Once we know the reason, it will be easier to give you directions to configure this as you want (but let me say that in industry the normal and secure way of doing this is just the other way round).

Finally, if you plan on adding a number of services, I would encourage you to add a second network card, attach it to a switch and do it the normal way.

About your final question: policy DROP, as you may know, means that if it is not mentioned, it will be denied. So allowing (and having allow as the first rule, as order matters) should work.

christian

  • Guest
Re: Open Firewall
« Reply #14 on: June 28, 2013, 10:50:23 pm »
Haychis,

My concern, if any, is not that you are at the beginning, middle or end of your design plan.

What is to me very strange, but still this is your own choice and I'm not trying to convince you to change, is to:
- think about a firewall starting with "I will authorize everything, then reduce access rights later". This approach does not exist, nowhere, at least where a firewall is deployed as a real firewall. In such a case, you don't need a firewall but perhaps some other technology to control the services users can access.
- think about a "one leg" firewall. Unless you have very tight control on all network flows, such a "one leg firewall" is not efficient and can be easily bypassed, which is not the main purpose of any firewall, isn't it?