• Re: [gentoo-user] MAC whitelisting and UDP traffic.

    From Adam Carter@21:1/5 to All on Wed Jul 13 08:20:01 2022
    On Tue, Jul 12, 2022 at 7:35 AM Laurence Perkins <lperkins@openeye.net>
    wrote:

    Ok, I asked a while ago about whitelisting MAC ranges for firewall rules,
    and just so you know, adding 16 million potential MAC addresses to the firewall… Doesn’t work well… No matter how you do it. So I had to write
    a daemon to monitor which ones were local and add just those. Whatever.



    That brings me to the next problem. The routing and NAT work just fine if I’m letting everything through. But if I’m dropping connections that don’t
    come from authorized devices then UDP only works in the outbound
    direction… TCP is fine.



    For reference, the rules consist of:



    iptables -t nat -I POSTROUTING -o <OUTSIDE> -j MASQUERADE

    iptables -A FORWARD -i <OUTSIDE> -o <INSIDE> -m state --state RELATED,ESTABLISHED -j ACCEPT



    And then the daemon adds a:

    iptables -A FORWARD -i <INSIDE> -o <OUTSIDE> -m mac --mac-source <MAC ADDRESS> -j ACCEPT



    for each authorized device.



    TCP works perfectly.

    UDP based protocols send out just fine, but any replies get blocked if the FORWARD chain’s default policy is DROP.



    Now… Everything I’m reading says that it’s supposed to be able to associate UDP replies based on port number, which indeed it must be doing
    in order for them to get translated correctly and directed to the correct device inside the NAT when the default policy is ACCEPT.



    So why is that rule to accept related packets not triggering for them?


    I also would have expected the UDP replies to be permitted via --state RELATED,ESTABLISHED.

    Do they at least get into the state table:
    grep udp /proc/net/nf_conntrack


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
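    The state-table check suggested in the reply above, automated as an added example (this is not code from either post): it parses lines in the /proc/net/nf_conntrack format, keeps the UDP entries, and reports for each one the original tuple, the NAT reply tuple, and whether conntrack has seen a reply yet (the [UNREPLIED] flag). The three conntrack lines embedded in the script are constructed for the example using documentation-range addresses; they are not captured from the poster's gateway.

```python
"""Report UDP entries from /proc/net/nf_conntrack.

Added example for this thread, not code from the original posts. It does
what `grep udp /proc/net/nf_conntrack` does, but also splits each entry
into its original and reply tuples and flags entries still waiting for a
reply. The sample lines below are constructed, not real captures.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample (not captured data). 203.0.113.5 plays the NAT box's
# OUTSIDE address, 192.168.1.0/24 the INSIDE network.
# Line 1: masqueraded DNS query whose reply conntrack has already seen.
# Line 2: masqueraded NTP packet still waiting for a reply ([UNREPLIED]).
# Line 3: a TCP flow, present only to show that it is filtered out.
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 29 src=192.168.1.10 dst=198.51.100.53 sport=41000 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=41000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 25 src=192.168.1.11 dst=198.51.100.123 sport=123 dport=123 [UNREPLIED] src=198.51.100.123 dst=203.0.113.5 sport=123 dport=123 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.80 sport=50000 dport=443 src=198.51.100.80 dst=203.0.113.5 sport=443 dport=50000 [ASSURED] mark=0 zone=0 use=2
"""

# One tuple as printed by the kernel: src= dst= sport= dport=.
# The first match on a line is the original direction, the second the reply.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass
class UdpFlow:
    orig_src: str
    orig_sport: int
    orig_dst: str
    orig_dport: int
    reply_dst: str     # address the reply is sent to (outside IP under MASQUERADE)
    reply_dport: int
    replied: bool      # False while the entry carries [UNREPLIED]
    timeout: int       # remaining lifetime in seconds (5th column)

    @property
    def natted(self) -> bool:
        # Under MASQUERADE the reply tuple points at the outside address,
        # so it differs from the inside host that sent the original packet.
        return self.reply_dst != self.orig_src


def parse_udp_flows(text: str) -> list[UdpFlow]:
    """Return the UDP entries found in nf_conntrack-formatted text."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "udp":
            continue
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue  # not a complete entry; skip rather than guess
        (osrc, odst, osport, odport), (_rsrc, rdst, _rsport, rdport) = tuples
        flows.append(UdpFlow(osrc, int(osport), odst, int(odport),
                             rdst, int(rdport),
                             replied="[UNREPLIED]" not in line,
                             timeout=int(fields[4])))
    return flows


def unreplied(flows: list[UdpFlow]) -> list[UdpFlow]:
    """Entries for which conntrack has not yet matched a reply packet."""
    return [f for f in flows if not f.replied]


def report(text: str) -> str:
    """One human-readable line per UDP entry."""
    out = []
    for f in parse_udp_flows(text):
        state = "reply seen" if f.replied else "UNREPLIED"
        nat = ""
        if f.natted:
            nat = f" (reply addressed to {f.reply_dst}:{f.reply_dport}, de-NATed to {f.orig_src}:{f.orig_sport})"
        out.append(f"udp {f.orig_src}:{f.orig_sport} -> {f.orig_dst}:{f.orig_dport} "
                   f"{state} timeout={f.timeout}s{nat}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python3 ct_udp.py /proc/net/nf_conntrack   (no argument: sample data)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    source = open(path).read() if path else SAMPLE_CONNTRACK
    print(report(source))
```

    Run it as root on the gateway with /proc/net/nf_conntrack as the argument (the file needs CONFIG_NF_CONNTRACK_PROCFS; `conntrack -L` from conntrack-tools is the usual alternative). An entry that stays [UNREPLIED] after the reply should have arrived means conntrack never matched a reply packet to that flow, which is a different problem from a reply that is matched but then dropped; for the latter, `iptables -L FORWARD -v -n` shows whether the RELATED,ESTABLISHED rule's packet counter moves when a UDP reply comes in.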
  • From Adam Carter@21:1/5 to adamcarter3@gmail.com on Wed Jul 13 08:30:01 2022
    On Wed, Jul 13, 2022 at 4:13 PM Adam Carter <adamcarter3@gmail.com> wrote:


    On Tue, Jul 12, 2022 at 7:35 AM Laurence Perkins <lperkins@openeye.net> wrote:

    Ok, I asked a while ago about whitelisting MAC ranges for firewall rules,
    and just so you know, adding 16 million potential MAC addresses



    Is your INSIDE interface on an 8-bit subnet (255.0.0.0) network?

    20 years ago I heard of a /16 network and the ARP traffic alone was
    ~200kps...


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)