
TCP_OPEN restrict to certain interfaces #100

Open
soundart opened this issue Feb 28, 2024 · 4 comments

Comments

@soundart

soundart commented Feb 28, 2024

Hi,

I would like to have several internal nets, wg0 10.0.0.0/24 and wg1 10.0.1.0/24, which are isolated from each other and have different configuration with respect to NAT.

I am using the debian package arno-iptables-firewall 2.1.1-2

Both wg0/wg1 nets are created by wireguard:

```
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1300 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
7: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1300 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.1.1/24 scope global wg1
       valid_lft forever preferred_lft forever
```

My debian managed config is:

cat conf.d/00debconf.conf | grep -v ^#

```
EXT_IF="ens3"
EXT_IF_DHCP_IP=1
OPEN_TCP="{ens3,wg0}#22 {ens3,wg0}#53 ens3#8443 ens3#8444:8449"
OPEN_UDP="{ens3,wg0}#53 ens3#443 ens3#444 ens3#8443"
INT_IF="wg0 wg1"
NAT=1
INTERNAL_NET="10.0.0.0/24 10.0.1.0/24"
NAT_INTERNAL_NET="10.0.0.0/24"
HOST_OPEN_UDP="10.0.0.153"
HOST_OPEN_TCP="10.0.0.1~53"
OPEN_ICMP=0
```

This does not seem to work:

a) I do not want port 22 to be open on wg1.

But nmap reports:

```
nmap 10.0.1.1

Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-28 10:44 CET
Nmap scan report for 10.0.1.1
Host is up (0.025s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
8443/tcp open  https-alt
```

/usr/sbin/arno-iptables-firewall status

shows:

```
Chain EXT_INPUT_CHAIN (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:0 limit: avg 6/hour burst 1 LOG flags 0 level 7 prefix "AIF:Port 0 OS fingerprint: "
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:0 limit: avg 6/hour burst 1 LOG flags 0 level 7 prefix "AIF:Port 0 OS fingerprint: "
0 0 POST_INPUT_DROP_CHAIN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:0
0 0 POST_INPUT_DROP_CHAIN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:0
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0 limit: avg 6/hour burst 5 LOG flags 0 level 7 prefix "AIF:TCP source port 0: "
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:0 limit: avg 6/hour burst 5 LOG flags 0 level 7 prefix "AIF:UDP source port 0: "
0 0 POST_INPUT_DROP_CHAIN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0
0 0 POST_INPUT_DROP_CHAIN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- * * 10.0.0.1 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 10.0.0.1 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- {ens3 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- wg0} * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- {ens3 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT tcp -- wg0} * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT tcp -- ens3 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
0 0 ACCEPT tcp -- ens3 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:8444:8449
0 0 ACCEPT udp -- {ens3 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT udp -- wg0} * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT udp -- ens3 * 0.0.0.0/0 0.0.0.0/0 udp dpt:443
0 0 ACCEPT udp -- ens3 * 0.0.0.0/0 0.0.0.0/0 udp dpt:444
0 0 ACCEPT udp -- ens3 * 0.0.0.0/0 0.0.0.0/0 udp dpt:8443
0 0 POST_INPUT_DROP_CHAIN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
0 0 EXT_BROADCAST_CHAIN all -- * * 0.0.0.0/0 255.255.255.255
0 0 EXT_BROADCAST_CHAIN all -- * * 0.0.0.0/0 46.38.251.255
0 0 EXT_MULTICAST_CHAIN all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 LOG 2 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "AIF:IGMP packet: "
9 464 POST_INPUT_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
```

This looks quite wrong with the curly brackets, and I see no error reported by the tool.
If I change the config to `OPEN_TCP="ens3,wg0#22 ens3,wg0#53 ens3#8443 ens3#8444:8449"`,
then nmap still reports port 22 open on the wg1 network.

@abelbeck
Contributor

The curly brackets are not correct:

```
OPEN_TCP="{ens3,wg0}#22  ...
```

I would not use OPEN_TCP / OPEN_UDP for the wireguard interfaces, but rather NAT_FORWARD_TCP / NAT_FORWARD_UDP to reach the NAT_INTERNAL_NET from the external interface.

@soundart
Author

soundart commented Mar 13, 2024

Thank you. I tried NAT_FORWARD_TCP last weekend and yesterday, but somehow I am mentally stuck.

The machine is a single machine in a data center. It has four interfaces: lo, eth0, wg0, wg1

My problem: What is INTERNAL_NET in this case? I tried 127.0.0.1 and I had the impression that this net is special.
At least the manual tests with the wireguard client of my telephone did not succeed, but I might have messed up.

Is 127.0.0.1 a good choice?

Do I have to set:

```
# (EXPERT SETTING!) Enable this if you want to be able to redirect local ports
# or protocols on your gateway using NAT forwards.
# ------------------------------------------------------------------------------
NAT_LOCAL_REDIRECT=0
```

if I want to allow access from the external interface wg0 to port 22 of the internal net? What exactly is a local port? I have some services listening on all interfaces, like ssh. It is listening on 0.0.0.0:22.

@abelbeck
Contributor

> The machine is a single machine in a data center. It has four interfaces: lo, eth0, wg0, wg1

Given that info, try something like:

```
EXT_IF="eth0"
EXT_IF_DHCP_IP=1
INT_IF="wg0 wg1"
INTERNAL_NET="10.0.0.0/24 10.0.1.0/24"
```

(Optional) Only if Wireguard traffic needs to go outbound, outside of the tunnel:

```
NAT=1
NAT_INTERNAL_NET="10.0.0.0/24 10.0.1.0/24"
```

Then, to allow inbound Wireguard to wg0 (ex. port 51820):
Note: Adjust 0/0 to a more restrictive range if desired.

```
HOST_OPEN_UDP="0/0~51820"
```

This should allow you to use an external Wireguard peer to connect to your Wireguard instance and SSH over the tunnel.

Try little steps at a time.

@soundart
Author

soundart commented Apr 1, 2024

Hi,

I experimented a bit more and did not achieve the level of separation I want.

Basically ports are reachable on the internal_net, where I do not expect them.

If I scan the internal address 10.0.1.1 (interface wg1) of the server from my laptop I see:

```
nmap -p 22-9000 10.0.1.1
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-01 21:42 CEST
Nmap scan report for 10.0.1.1
Host is up (0.029s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
8443/tcp open  https-alt
8444/tcp open  pcsync-http
8446/tcp open  unknown
8447/tcp open  unknown
8448/tcp open  unknown
8449/tcp open  unknown
```

I currently have this configured with respect to wg1 and ssh:

```
OPEN_TCP="ens3,wg0#22 ens3,wg0#53 ens3#8443 ens3#8444:8449"
INT_IF="wg0 wg1"
INTERNAL_NET="10.0.0.0/24 10.0.1.0/24"
```

I did an `iptables-save -f /tmp/xx` of the iptables config and:

```
# rg 22 /tmp/xx
126:-A EXT_INPUT_CHAIN -i ens3 -p tcp -m tcp --dport 22 -j ACCEPT
127:-A EXT_INPUT_CHAIN -i wg0 -p tcp -m tcp --dport 22 -j ACCEPT
140:-A EXT_INPUT_CHAIN -d 224.0.0.0/4 -j EXT_MULTICAST_CHAIN
```

I thought port 22 would be open on ens3 and wg0, but not on wg1.
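As an added example, not code from this thread or from arno-iptables-firewall: a small audit of `iptables-save` output that lists which interfaces an ACCEPT rule opens a given port on, and flags interface tokens that no Linux device can carry, such as the `{ens3` and `wg0}` that the first post's status output shows. The sample ruleset is constructed from the rules quoted in the thread; the parser handles only the `-i`/`-s`/`-p`/`--dport` forms seen here, and it sees only the rules it is fed, so an ACCEPT in a chain you do not pass in stays invisible to it.

```python
import re

# Constructed iptables-save excerpt modelled on the EXT_INPUT_CHAIN rules quoted
# in this thread (not a capture from the reporter's host). The "{ens3" / "wg0}"
# lines reproduce the brace mistake: iptables stored the braces as part of the name.
SAMPLE_RULES = """\
-A EXT_INPUT_CHAIN -s 10.0.0.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A EXT_INPUT_CHAIN -i {ens3 -p tcp -m tcp --dport 22 -j ACCEPT
-A EXT_INPUT_CHAIN -i wg0} -p tcp -m tcp --dport 22 -j ACCEPT
-A EXT_INPUT_CHAIN -i ens3 -p tcp -m tcp --dport 8443 -j ACCEPT
-A EXT_INPUT_CHAIN -i ens3 -p tcp -m tcp --dport 8444:8449 -j ACCEPT
-A EXT_INPUT_CHAIN -d 224.0.0.0/4 -j EXT_MULTICAST_CHAIN
"""

# Options read from each "-A CHAIN ..." line. A rule with no -i gets iface "*",
# meaning it applies on every interface, and no -s means any source.
OPTS = {"-i": "iface", "-s": "src", "-p": "proto", "--dport": "dport", "-j": "target"}


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        if line.startswith("-A "):
            tok = line.split()
            rule = {"chain": tok[1], "iface": "*", "src": "0.0.0.0/0"}
            rule.update((OPTS[o], v) for o, v in zip(tok, tok[1:]) if o in OPTS)
            rules.append(rule)
    return rules


def port_matches(dport, port):
    """Handle both a single --dport value and a low:high range."""
    low, _, high = dport.partition(":")
    return int(low) <= port <= int(high or low)


def accepting_interfaces(text, port, proto="tcp"):
    """Sorted (interface, source) pairs whose ACCEPT rule covers proto/port."""
    return sorted({(r["iface"], r["src"]) for r in parse_rules(text)
                   if r.get("target") == "ACCEPT" and r.get("proto") == proto
                   and "dport" in r and port_matches(r["dport"], port)})


def malformed_interfaces(text):
    """Interface names no Linux device can have (over 15 chars or odd characters)."""
    return sorted({r["iface"] for r in parse_rules(text) if r["iface"] != "*"
                   and (len(r["iface"]) > 15 or not re.fullmatch(r"[\w.-]+", r["iface"]))})
```

A rule without `-i` is reported as `*` because it applies on every interface, which is one reason a plain `rg 22` over the saved rules is a weaker check than evaluating each rule's match fields.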
