[Firewall] 2.0.0c (current on Ubuntu 12.04) fix vlan tagged explicit-interface ports [patch]

Mike C. Fletcher mcfletch at vrplumber.com
Sun Feb 9 20:48:57 CET 2014


On 02/09/2014 10:05 AM, Lonnie Abelbeck wrote:
> Hi Mike,
>
> Nice catch !
>
> Of course using the IPv4 address of your eth2.3 VLAN interface would have been a workaround.

True, but not in our case, as the machines often use DHCP to get IP 
addresses on those interfaces from dynamic pools.

> As you alluded to, we may just as well also allow IPv6 addresses in any general fix.

Of course. If I'm not mistaken, the simple presence of a ':' would allow 
for differentiating between interface, vlan-interface and ipv6, that is, 
anything with a ':' should always be an IPv6, though that's the kind of 
assumption that produced this little bug-let in the first place :D .

Have fun,
Mike


> On Feb 7, 2014, at 9:13 AM, Mike C. Fletcher wrote:
>
>> Hi there,
>>
>> I'm using the following configuration for arno.  When I use a vlan-tagged port in TCP_OPEN (or UDP_OPEN) I get errors from iptables (this is all on Ubuntu Server 12.04, where DC_OPEN_TCP is mapped to OPEN_TCP):
>>
>> ### Version 1 ###
>> DC_EXT_IF="eth1 eth2.3 "
>> DC_EXT_IF_DHCP_IP=1
>> # 22, 80, 443 and 161 (SNMP) should only be on the management interface, not the external data interface
>> DC_OPEN_TCP="eth2.3#22 eth2.3#80 eth2.3#443 eth2.3#161 "
>> DC_OPEN_UDP="eth1#8000 eth1#161 eth2.3#8000 eth2.3#161 "
>> DC_INT_IF="eth0 "
>> DC_NAT=1
>> DC_INTERNAL_NET="192.168.80.0/24"
>> DC_NAT_INTERNAL_NET="192.168.80.0/24"
>> DC_OPEN_ICMP=1
>>
>> which produces these errors:
>>
>> Starting Arno's Iptables Firewall...
>> /sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p tcp --dport 22 -j ACCEPT
>> ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
>> Try `iptables -h' or 'iptables --help' for more information.
>> /sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p tcp --dport 80 -j ACCEPT
>> ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
>> Try `iptables -h' or 'iptables --help' for more information.
>> /sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p tcp --dport 443 -j ACCEPT
>> ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
>> Try `iptables -h' or 'iptables --help' for more information.
>> /sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p tcp --dport 161 -j ACCEPT
>> ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
>> Try `iptables -h' or 'iptables --help' for more information.
>> /sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p udp --dport 8000 -j ACCEPT
>> ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
>> Try `iptables -h' or 'iptables --help' for more information.
>> /sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p udp --dport 161 -j ACCEPT
>> ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
>> Try `iptables -h' or 'iptables --help' for more information.
>> Feb 06 14:48:48 WARNING: Not all firewall rules are applied.
>>
>> The problem can be addressed by applying the attached context diff (against the 2.0.0c release in Ubuntu) to the "environment" file; it just makes the test for "is an ip address" use a more involved regex that tests for 4 sets of numbers with '.' characters, rather than a single dot.  Note: the test does *not* handle ipv6-style addresses, but then it doesn't *appear* the original would have done so either.
>>
>> Hope that helps someone,
>> Mike
>>
>> -- 
>> ________________________________________________
>>   Mike C. Fletcher
>>   Designer, VR Plumber, Coder
>>   http://www.vrplumber.com
>>   http://blog.vrplumber.com


-- 
________________________________________________
   Mike C. Fletcher
   Designer, VR Plumber, Coder
   http://www.vrplumber.com
   http://blog.vrplumber.com
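The distinction discussed in this thread, as an added example that is not part of the thread or of Arno's firewall code: a POSIX sh classifier that treats four dot-separated numeric groups as IPv4 and the presence of ':' as IPv6 (the assumption Mike describes), everything else as an interface name, and then picks the iptables flag each kind should get. The DC_OPEN_TCP values and the 2001:db8::1 address are constructed for the demo.

```shell
#!/bin/sh
# Added illustration (not code from Arno's firewall or its "environment"
# file): tell an interface name such as eth2.3 apart from an IPv4 or IPv6
# address in a DC_OPEN_TCP / DC_OPEN_UDP entry, then choose the matching
# iptables flag.  The original bug: a single '.' was taken to mean
# "IP address", so the VLAN interface eth2.3 became a "-d" host match.

# Print "ipv4", "ipv6" or "iface" for one host specifier.
classify_host() {
    case "$1" in
        *:*)
            # Assumption from the thread: a ':' only ever appears in IPv6
            # addresses (interface names are assumed never to contain one).
            echo ipv6 ;;
        *)
            # Four dot-separated numeric groups, optional /prefix length.
            # Octet range is not validated here, like the thread's regex fix.
            if echo "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'; then
                echo ipv4
            else
                echo iface
            fi ;;
    esac
}

# Print the iptables/ip6tables command for one "host#port" entry and
# protocol.  An interface gets "-i IFACE"; an address keeps the "-i +"
# wildcard plus "-d ADDR", mirroring the EXT_INPUT_CHAIN rules in the log.
rule_for_entry() {
    host="${1%%#*}"
    port="${1#*#}"
    proto="$2"
    case "$(classify_host "$host")" in
        iface) echo "iptables -A EXT_INPUT_CHAIN -i $host -p $proto --dport $port -j ACCEPT" ;;
        ipv4)  echo "iptables -A EXT_INPUT_CHAIN -i + -d $host -p $proto --dport $port -j ACCEPT" ;;
        ipv6)  echo "ip6tables -A EXT_INPUT_CHAIN -i + -d $host -p $proto --dport $port -j ACCEPT" ;;
    esac
}

# Walk a constructed DC_OPEN_TCP-style list and show what would be run
# (dry run only: the commands are printed, never executed).
DC_OPEN_TCP="eth2.3#22 eth2.3#443 192.168.80.10#80 2001:db8::1#443"
for entry in $DC_OPEN_TCP; do
    rule_for_entry "$entry" tcp
done
```

Run it as a dry run first and compare the printed rules with what the firewall currently emits before wiring the classifier into a real rule generator.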