Avoid the firewall for outbound traffic on locally-defined virtual IP address?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Distribution: Debian, SuSE, Red Hat, Kubuntu, Ubuntu
Posts: 9
Rep:
Avoid the firewall for outbound traffic on locally-defined virtual IP address?
The situation: We are building a cluster that implements an iptables firewall on every node. The firewall blocks all but a small number of specified ports in the well-known ports range (1-1023) on the INPUT chain of the real IP address.
To handle failover for a vendor's daemon, we allocate a virtual IP address, and correspond through that. That daemon opens a random output port in the range from 512 to 1023.
When the firewall is down, or when we assign the daemon to use the ethernet port's "real" IP address, the vendor's daemon works fine.
However, when the firewall is up and the daemon is using the virtual IP address, the connection is prevented. It appears that traffic outbound on the virtual IP address is winding up on the INPUT chain for the real IP address?
In the following except from tcpdump,
the daemon is running on .46
the daemon is using virtual IP .20
the client is running on .48
"tcpdump -ln -i eth1" (in promiscuous mode) is running on .48
----- snip ---------
11:16:58.703317 172.20.0.48.1023 > 172.20.0.20.6879: udp 16 (DF)
11:16:58.703489 172.20.0.46.6879 > 172.20.0.48.1023: udp 28 (DF)
11:16:58.703523 172.20.0.48 > 172.20.0.46: icmp: host 172.20.0.48 unreachable - admin prohibited [tos 0xc0]
11:17:03.703086 arp who-has 172.20.0.20 tell 172.20.0.48
11:17:03.703152 arp reply 172.20.0.20 is-at 0:30:6e:4a:82:b8
11:17:05.812507 172.20.0.48.35484 > 172.20.0.47.5666: S 1603799250:1603799250(0) win 5840 <mss 1460,sackOK,timestamp 8204997 0,nop,wscale 0> (DF)
11:17:05.812605 172.20.0.47.5666 > 172.20.0.48.35484: S 1615423288:1615423288(0) ack 1603799251 win 5792 <mss 1460,sackOK,timestamp 8191574 8204997,nop,wscale 0> (DF)
----- snip ---------
In any case, how can we allow unfettered outbound access on the virtual IP address while blocking unwanted inputs on the real IP address?
[This hadoriginally been erroneously posted in "Linux networking"]
Does the config work with the firewall down and the daemon using the vitual IP? One would think that it would be problematic that the reply is coming from an entirely different machine than the request was made to. That actually might be the problem with the firewall config. If your basing access on any kind of connection state relationships, then this likely would not match either the RELATED or ESTABLISHED states. Could you post your firewall config? (remove any routable public IPs from it beforehand)
Distribution: Debian, SuSE, Red Hat, Kubuntu, Ubuntu
Posts: 9
Original Poster
Rep:
It turns out that, in addition to the ports we knew about, the vendor's daemon was *also* opening random *outbound* ports in the range 1-1023. Our firewall was configured to disallow all outbound traffic, so the communication failed.
The solution was to persuade the vendor to provide an option to prevent the daemon from opening inappropriate outbound ports.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.