On Tue, Mar 10, 2020 at 10:59:34PM +0100, Hans-Peter Jansen wrote:
> Hi,
> after some intensive hours of dealing with switching an important system to
> firewalld (v0.7.3) running on openSUSE 15.1, may I gently ask for some
> clarification.
> I have to pass VoIP to an Asterisk PBX through the firewall:
>
> # empty and completely unrelated values removed
> $ firewall-cmd --info-zone external
> external (active)
>   target: default
>   icmp-block-inversion: no
>   interfaces: eth1
>   services: dns http https ssh
>   masquerade: yes
>   forward-ports: port=15060:proto=udp:toport=15060:toaddr=192.168.2.2
>                  port=10000-10099:proto=udp:toport=10000-10099:toaddr=192.168.2.2
>   icmp-blocks: *almost all*
>   rich rules:
>     rule family="ipv4" source address="213.167.161.0/26" destination address="192.168.2.2/32" port port="15060" protocol="udp" accept
>     rule family="ipv4" source address="213.167.162.0/26" destination address="192.168.2.2/32" port port="15060" protocol="udp" accept
>
> Due to continuous attacks on the VoIP infrastructure, I'm using a non-standard
> SIP port here and try to block all accesses that didn't derive from my
> provider. If forward ports and rich rules are combined, is the rich rule
> effective before forwarding (using the iptables backend)? Given it is, would
> this hold true with the nftables backend as well?
Rules to perform forward-port (DNAT) occur in the NAT table,
nat_PRE_external_allow, before filtering. After NAT occurs, the packet hits the
filter_INPUT table and is accepted by the following rule:
    chain filter_INPUT {
        [..]
        ct status dnat accept
        [..]
        jump filter_INPUT_ZONES
    }
Note that "ct status dnat accept" causes the packet to be accepted _before_
regular zone filtering.
The solution is to remove the forward-port at the zone level and use a
rich rule. However, your situation is a bit more difficult since you're omitting
multiple subnets, so you need to use an ipset.
e.g.
firewall-cmd --permanent --new-ipset do_not_dnat --type=hash:net
firewall-cmd --permanent --ipset do_not_dnat --add-entry=213.167.161.0/26
firewall-cmd --permanent --ipset do_not_dnat --add-entry=213.167.162.0/26
firewall-cmd --permanent --zone external --add-rich-rule='rule family=ipv4 source not ipset="do_not_dnat" forward-port port=15060 protocol=udp to-port=15060 to-addr=192.168.2.2'
Hope that helps.
Eric.
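The ordering Eric describes is easy to get wrong, so here is a small model of it as an added example (it is not part of the thread and not firewalld code). It walks a packet through nat PREROUTING and then a filter chain laid out as in the reply, with `ct status dnat accept` ahead of the jump to the zone chains, and compares the two configurations: the zone-level forward-port plus source-restricted accept rich rules from the question, and a forward-port carried by a rich rule whose source match is evaluated in the same rule. It assumes the ipset used by the rich-rule variant contains the two provider networks and is matched positively, that unmatched traffic falls to a drop default, and it uses constructed sample sources.

```python
import ipaddress
from dataclasses import dataclass, replace

# Provider networks from the question; the rich-rule variant assumes they are the
# members of the ipset matched by the forward-port rich rule (assumption).
PROVIDER_NETS = [ipaddress.ip_network("213.167.161.0/26"),
                 ipaddress.ip_network("213.167.162.0/26")]
SIP_PORT = 15060


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    proto: str
    dnat: bool = False  # True once a nat PREROUTING rule rewrote the destination


def in_ipset(src, nets):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def nat_prerouting(pkt, config):
    """nat_PRE_external_allow: where the DNAT happens, before any filtering."""
    if pkt.proto != "udp" or pkt.dport != SIP_PORT:
        return pkt
    if config == "zone-forward-port":
        # zone-level forward-port: no source condition at all
        return replace(pkt, dnat=True)
    if config == "rich-rule-forward-port":
        # forward-port carried by a rich rule with a source ipset match
        return replace(pkt, dnat=True) if in_ipset(pkt.src, PROVIDER_NETS) else pkt
    raise ValueError(config)


def zone_rich_rules(pkt, config):
    """The zone's accept rich rules, reached only via the jump to the zone chains."""
    if config == "zone-forward-port":
        # the two source-restricted 'accept' rich rules from the question
        return (pkt.proto == "udp" and pkt.dport == SIP_PORT
                and in_ipset(pkt.src, PROVIDER_NETS))
    return False  # the rich-rule variant has no separate accept rules


def filter_chain(pkt, config):
    """Filter chain as quoted in the reply: 'ct status dnat accept' precedes
    the jump to the zone chains, so zone rich rules never see DNATed packets."""
    if pkt.dnat:
        return "accept (ct status dnat)"
    if zone_rich_rules(pkt, config):
        return "accept (zone rich rule)"
    return "drop (zone default)"  # nothing else in the zone opens SIP_PORT


def verdict(pkt, config):
    """Walk a packet through nat PREROUTING and then the filter chain."""
    return filter_chain(nat_prerouting(pkt, config), config)


if __name__ == "__main__":
    # constructed sample traffic: one provider source, one arbitrary Internet host
    samples = [Packet("213.167.161.5", SIP_PORT, "udp"),
               Packet("198.51.100.7", SIP_PORT, "udp")]
    for config in ("zone-forward-port", "rich-rule-forward-port"):
        for pkt in samples:
            print(f"{config:24} {pkt.src:16} -> {verdict(pkt, config)}")
```

Running it shows the point of the reply: with the zone-level forward-port, the non-provider source is accepted by `ct status dnat` and the source-restricted rich rules are never consulted; with the forward-port inside the rich rule, only provider sources are DNATed and everything else reaches the zone chains and is dropped.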