On Tue, Jul 12, 2022 at 7:35 AM Laurence Perkins <
lperkins@openeye.net>
wrote:
Ok, I asked a while ago about whitelisting MAC ranges for firewall rules,
and just so you know, adding 16 million potential MAC addresses to the firewall… Doesn’t work well… No matter how you do it. So I had to write
a daemon to monitor which ones were local and add just those. Whatever.
That brings me to the next problem. The routing and NAT work just fine if I’m letting everything through. But if I’m dropping connections that don’t
come from authorized devices then UDP only works in the outbound
direction… TCP is fine.
For reference, the rules consist of:
iptables -t nat -I POSTROUTING -o <OUTSIDE> -j MASQUERADE
iptables -A FORWARD -i <OUTSIDE> -o <INSIDE> -m state --state RELATED,ESTABLISHED -j ACCEPT
And then the daemon adds a:
iptables -A FORWARD -i <INSIDE> -o <OUTSIDE> -m mac --mac-source <MAC ADDRESS> -j ACCEPT
for each authorized device.
TCP works perfectly.
UDP based protocols send out just fine, but any replies get blocked if the FORWARD chain’s default policy is DROP.
Now… Everything I’m reading says that it’s supposed to be able to associate UDP replies based on port number, which indeed it must be doing
in order for them to get translated correctly and directed to the correct device inside the NAT when the default policy is ACCEPT.
So why is that rule to accept related packets not triggering for them?
I also would have expected the UDP replies to be permitted via -state RELATED,ESTABLISHED.
Do they at least get into the state table;
grep udp /proc/net/nf_conntrack
<div dir="ltr"><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 12, 2022 at 7:35 AM Laurence Perkins <<a href="mailto:
lperkins@openeye.net">
lperkins@openeye.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="
margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="overflow-wrap: break-word;" lang="EN-US">
<div class="gmail-m_4756560265700822095WordSection1">
<p class="MsoNormal">Ok, I asked a while ago about whitelisting MAC ranges for firewall rules, and just so you know, adding 16 million potential MAC addresses to the firewall… Doesn’t work well… No matter how you do it. So I had to write a
daemon to monitor
which ones were local and add just those. Whatever.<u></u><u></u></p>
<p class="MsoNormal"><u></u>Â <u></u></p>
<p class="MsoNormal">That brings me to the next problem. The routing and NAT work just fine if I’m letting everything through. But if I’m dropping connections that don’t come from authorized devices then UDP only works in the outbound directionâ
€¦Â TCP is fine.<u></u><u></u></p>
<p class="MsoNormal"><u></u>Â <u></u></p>
<p class="MsoNormal">For reference, the rules consist of:<u></u><u></u></p>
<p class="MsoNormal"><u></u>Â <u></u></p>
<p class="MsoNormal">iptables -t nat -I POSTROUTING -o <OUTSIDE> -j MASQUERADE<u></u><u></u></p>
<p class="MsoNormal">iptables -A FORWARD -i  <OUTSIDE> -o <INSIDE> -m state --state RELATED,ESTABLISHED -j ACCEPT<u></u><u></u></p>
<p class="MsoNormal"><u></u>Â <u></u></p>
<p class="MsoNormal">And then the daemon adds a:<u></u><u></u></p>
<p class="MsoNormal">iptables -A FORWARD -i <INSIDE> -o <OUTSIDE> -m mac --mac-source <MAC ADDRESS> -j ACCEPT
<u></u><u></u></p>
<p class="MsoNormal"><u></u>Â <u></u></p>
<p class="MsoNormal">for each authorized device. <u></u><u></u></p>
<p class="MsoNormal"><u></u>Â <u></u></p>
<p class="MsoNormal">TCP works perfectly.<u></u><u></u></p>
<p class="MsoNormal">UDP based protocols send out just fine, but any replies get blocked if the FORWARD chain’s default policy is  DROP.<u></u><u></u></p>
<p class="MsoNormal"><u></u>Â <u></u></p>
<p class="MsoNormal">Now… Everything I’m reading says that it’s supposed to be able to associate UDP replies based on port number, which indeed it must be doing in order for them to get translated correctly and directed to the correct device
inside the NAT
when the default policy is ACCEPT.<u></u><u></u></p>
<p class="MsoNormal"><u></u>Â <u></u></p>
<p class="MsoNormal">So why is that rule to accept related packets not triggering for them? <br></p></div></div></blockquote><div><br></div><div>I also would have expected the UDP replies to be permitted via -state RELATED,ESTABLISHED.</div><div><br></
<div>Do they at least get into the state table; <br></div><div>grep udp /proc/net/nf_conntrack</div><div><br></div><div><br></div></div></div>
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)