ipcop support

community support forum

All times are UTC [ DST ]

Posted: Thu Apr 17, 2008 9:38 pm
New User

Joined: Mon Apr 14, 2008 5:51 pm
Posts: 5
Hello,

I have recently installed IPCop to replace an old firewall, and have the need to log firewall activity. Specifically, I need to see packets that are port forwarded from the internet to my local LAN. Currently, I have port forwarding set up and have verified that it is working with my IPCop installation; however, when I go and look at the firewall logs, I see nothing to indicate that anything is getting forwarded. This seems like a basic piece of firewall logging functionality that IPCop should be doing.
I'm pretty green when it comes to IPTables, but I have done some research on this topic and haven't found anything that gives me a clear indication of what is going on.

The ports that I'm forwarding are TCP 1723 (with GRE), UDP 53, TCP 25, and TCP 80. I have been able to verify that all these ports are working externally; however, nothing is showing up in the firewall log that shows port forwarding. All I see in the firewall logs are blocked requests.

Has anyone come across this? Is there extra configuration that I need to do?

Thanks,
Mark


Posted: Fri Apr 18, 2008 3:21 am
Site Moderator

Joined: Wed Apr 28, 2004 1:27 am
Posts: 6967
Location: Beaumont, TX, USA
mschnitter wrote:
I have been able to verify that all these ports are working externally; however nothing is showing up in the firewall log that shows port forwarding. All I see in the firewall logs are blocked requests.
That is all the firewall logs are designed to do. Logging ALL packets that are forwarded would generate LARGE amounts of data, which is not useful.


Posted: Fri Apr 18, 2008 3:30 am
Site Moderator

Joined: Sun Jun 06, 2004 3:38 am
Posts: 3852
Location: Colorado, USA
Why would a Firewall LOG traffic that is ALLOWED?

Look at your Application servers - they should be logging that traffic.

FYI: You know that PPTP is a weak (some would say broken) security protocol right?

_________________
For the 2.5^15th time :: Better Details = Better Answers


Posted: Sun Apr 20, 2008 5:12 pm
New User

Joined: Mon Apr 14, 2008 5:51 pm
Posts: 5
Thanks for the feedback!

The reason I need to log the port forwarding is for audit purposes. Unscheduled intrusion tests are performed and I'm required to produce logs that can show all the activity on the firewall. If I can't show both wanted and unwanted port forwards, then we will fail the audit.

We will only be using PPTP for a short time until we get IPCop VPN up and working. Because of the port forwarding logging issue, I've been forced to delay putting IPCop into our production environment. So as soon as IPCop using PPTP is in production, IPCop VPN is next on my list.

On the topic of logging port forwards, I've come across a few posts stating to use something like:

/sbin/iptables -I PORTFWACCESS -m limit --limit 10/minute -j LOG --log-prefix "PORTFWACCESS"

However, I have not been able to get this to work. I've entered this at the command line, put it in the /etc/rc.d/rc.firewall script and the rc.firewall.local script, with no luck. I've also tried tracing how IPCop creates new port forward rules from the GUI, and found that it does not use the iptables command directly, but uses an executable called setportfw.

I've managed to generate more questions than answers. So my list now looks like this:
1. How do I log port forwards? What is the specific syntax to use?
2. Where do I put this syntax? What file, and where?
3. What other inbound firewall events are not being logged?

Thanks,
Mark


Posted: Mon Apr 21, 2008 12:36 am
Site Moderator

Joined: Wed Apr 28, 2004 1:27 am
Posts: 6967
Location: Beaumont, TX, USA
mschnitter wrote:
The reason I need to log the port forwarding is for audit purposes.
You are asking for a list of IPs that have been authorized via port forwarding.

mschnitter wrote:
/sbin/iptables -I PORTFWACCESS -m limit --limit 10/minute -j LOG --log-prefix "PORTFWACCESS"
The commands you are using will log more than just the first packet (as I explained in my first post).

mschnitter wrote:
However I have not been able to get this to work. I've entered this at the command line, put it in the /etc/rc.d/rc.firewall script, and rc.firewall.local script, with no luck.
From the command line, you should be using just
Code:
iptables -I ...
Add the command via the commandline FIRST and make sure it is working before adding it to any scripts.

mschnitter wrote:
I've also tried tracing how IPCop creates new port forward rules from the GUI, and found that it does not use the iptables command directly, but uses an executable called setportfw.
This script is used to reset the port forwarding based on the port forwarding config file.

mschnitter wrote:
I've managed to generate more questions than answers. So my list now looks like this:
1. How do I log port forwards? What is the specific syntax to use?
2. Where do I put this syntax? What file, and where?
3. What other inbound firewall events are not being logged?
1. The syntax you were using should work (test from the commandline without the /sbin/ part at the beginning).
2. If you are going to be using the web interface, the port forwarding script will reset all forwarding access each time you make a change (i.e. removing old ports not being used, adding new ports, etc). Once it is working via the commandline, add it to rc.firewall.local.
3. IPCOP works similarly to any other consumer router. Inbound traffic that is allowed (i.e. port forwarding, external access, VPNs on IPCOP) is not logged. Attempts to access a closed port are logged. What other access is there for inbound traffic?


Posted: Mon Apr 21, 2008 7:17 am
Pro User

Joined: Thu May 08, 2003 4:24 am
Posts: 3808
Location: London, UK
Hmmm - I think this has been covered here before...

Each port forward applied in the GUI creates two iptables rules, roughly as shown below:

Code:
/sbin/iptables -t nat -A CUSTOMPREROUTING -p tcp --dport <portnum> -j DNAT --to-destination <internalIP>
/sbin/iptables -A PORTFWACCESS -i <red i/f> -d <internalIP> -p tcp --dport <portnum> -j ACCEPT

But you don't want to log at this level as that would give you every PACKET that traverses your firewall. Not only would that take up all your disk very quickly, it will also slow your firewall.

You probably only need to log connections as they are established from RED. There is a specific syntax to capture the first packets on a just established connection, but I'll need to go look it up.


Posted: Thu Apr 24, 2008 1:20 pm
New User

Joined: Mon Apr 14, 2008 5:51 pm
Posts: 5
Hello,
Thanks for all the replies and help!

Here is an update:

I can now see the port forwards in my logs, for connects only, by using this on the command line:

iptables -I PORTFWACCESS -m state --state NEW -j LOG --log-prefix "PORTFWACCESS"

However, as stated in a previous post, when I use the GUI this info gets reset. Adding this to the rc.firewall.local script seems to have no effect when I do a reboot or when I change firewall rules. In fact, when I traced the execution of rc.firewall and rc.firewall.local, I saw a weird order of execution that makes no sense. When doing a reboot, here is the order and number of times the scripts got called (specifically the start section):

rc.firewall.local
rc.firewall
rc.firewall.local
rc.firewall.local
rc.firewall.local

up4fun,
You listed two examples of code that gets executed when port forward rules are created. Where are these rules created? Would it be safe to add the -m state --state NEW -j LOG --log-prefix "PORTFWACCESS" somewhere to get the connects logged?
I've searched this and other resources and haven't found a working example of logging port forwards that I could replicate.

My ideal solution would be to find a way to get this logging to work so that it stays persistent after IPCop reboots or there is a change to the firewall rules from the GUI.

Thanks,
Mark


Posted: Thu Apr 24, 2008 6:06 pm
Expert

Joined: Sat Sep 23, 2006 11:23 am
Posts: 2470
Location: LDK | Hessen | Germany
Both ds531 and up4fun told you to use /sbin/iptables for a pretty good reason.

_________________

-=[ If you want answers: provide lots of information, including tiny details! ]=-


Posted: Fri Apr 25, 2008 3:28 am
New User

Joined: Mon Apr 14, 2008 5:51 pm
Posts: 5
Sorry for the typo... I am using /sbin/iptables in the script. I've actually tried it both ways with no success.

Mark


Posted: Tue May 06, 2008 2:32 am
New User

Joined: Mon Apr 14, 2008 5:51 pm
Posts: 5
Hello,

I thought I would share my progress as well as my setbacks. I was hoping this issue with logging would have been a simple one, but as most things, it is not.

First the good news, I was able to finally get the port forwards to log with this statement:

/sbin/iptables -I PORTFWACCESS -m state --state NEW -j LOG --log-prefix "PORTFWACCESS " --log-level info

However, getting the logging to persist has been another issue. I first tried to put this into the /etc/rc.d/rc.firewall.local. This won’t work because the port forwarding is handled by a c program called setportfw. As some of the previous posts indicated, setportfw is called by the CGI scripts for the web interface. It is also called at startup AFTER rc.firewall.local. The first thing setportfw does is purge the PORTFWACCESS table and rebuild them from the port forwarding config file.

To get the logging statement injected when the setportfw program is called, without modifying the setportfw program, I renamed setportfw to setportfw.bin and created a shell script named setportfw. This shell script calls setportfw.bin then adds the logging statement. Here is what it looks like:

#!/bin/sh
# run the original binary (which flushes and rebuilds PORTFWACCESS), then re-add the logging rule
/usr/local/bin/setportfw.bin
/sbin/iptables -I PORTFWACCESS -m state --state NEW -j LOG --log-prefix "PORTFWACCESS " --log-level info

I also set the file permissions on the new setportfw to match the c program (group and sticky bit)

-rwsr-x--- 1 root nobody 419 2008-04-30 14:07 setportfw
-rwsr-x--- 1 root nobody 14076 2008-04-26 13:23 setportfw.bin

If I run the setportfw script from the command line, it works great. If the setportfw script gets called by the CGI script or at startup only setportfw.bin gets executed, the iptables command is not successful. I’ve tried to echo output and trap any kind of error code, nothing. I’m going on the assumption that the issue is with permissions somewhere. The sudo command isn’t on IPCop, so that isn’t an option. I don’t know if the combination of the command being executed by a shell script with a group of nobody, owner of root, and having the sticky bit set is an issue. Any insight here would be great.

I would also like any feedback on limiting the logging to only the first packet of an IP connection with a timeout of 1 minute. I’ve played with the limit and limit-burst options, but don’t seem to get consistent results. Here is what I’ve been playing with:

/sbin/iptables -I PORTFWACCESS -m state --state NEW -m limit --limit 1/m --limit-burst 1 -j LOG --log-prefix "PORTFWACCESS " --log-level info


While troubleshooting the port forward issue, I also discovered that ports that are given external access to IPCop are not logged either, so I have the same problem here. I’m using squid as a reverse proxy, so I have port 80 and 443 open for external access. In this case, the logging statement I’m using is:

/sbin/iptables -I XTACCESS -m limit --limit 1/m --limit-burst 1 -j LOG --log-prefix "PORTFWACCESS " --log-level info

This statement works however there are cases where it seems that multiple requests from the same IP are logged. Same issue with port forwards. Is XTACCESS the correct table to put the logging on? I’m going to have the same issues with persistence here as with setportfw, except the c program is setxtaccess. I would like to use the same approach as above, assuming I can get it to trigger correctly.

From the previous responses I received, I know that several people suggested to put my logging on the red interface. The only problem with that is I would have to create logging statements for each port forward. I need to have this logging solution setup where ports can be added and deleted without manually touching files or maintaining a list of logged ports. The iptables PORTFWACCESS and XTACCESS seem to be the best place to add the logging since the logging will be contained to those tables only.

In summary, here is what I’m looking for advice on:
- How to get the iptables command to execute within a shell script called by the system at startup and the CGI web interface.
- What is the best way to limit logging to the first connect from a single IP address, with a timeout of about 1 minute.

PS – When I get this finally implemented I will post the completed solution and any scripts.

Thanks,
Mark


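An added example, not from the thread, showing what to do with the log lines once the PORTFWACCESS rule above is in place: it parses the netfilter LOG entries from /var/log/messages into an audit listing and applies the "first connect per source within one minute" filter on the log side. It assumes the prefix with the trailing space as in the working command above; the log lines are constructed. Note that the -m limit match is a single bucket for the whole rule, not one per source address, which is why it cannot give consistent per-IP results.

```shell
#!/bin/sh
# Added example (not from the thread): turn the kernel LOG lines written by the
# "-m state --state NEW -j LOG --log-prefix 'PORTFWACCESS '" rule into an audit
# listing. The log lines are constructed; the SRC=/DST=/PROTO=/DPT= fields are
# the standard netfilter LOG format. The last line has a made-up other prefix.
SAMPLE_LOG='May  6 01:12:33 ipcop kernel: PORTFWACCESS IN=eth1 OUT=eth0 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  6 01:12:40 ipcop kernel: PORTFWACCESS IN=eth1 OUT=eth0 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  6 01:13:05 ipcop kernel: PORTFWACCESS IN=eth1 OUT=eth0 SRC=198.51.100.9 DST=192.168.1.20 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=3 DF PROTO=TCP SPT=1040 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
May  6 01:13:09 ipcop kernel: PORTFWACCESS IN=eth1 OUT=eth0 SRC=198.51.100.9 DST=192.168.1.10 LEN=64 TOS=0x00 PREC=0x00 TTL=117 ID=4 PROTO=UDP SPT=3300 DPT=53 LEN=44
May  6 01:14:01 ipcop kernel: PORTFWACCESS IN=eth1 OUT=eth0 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=51300 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  6 01:14:02 ipcop kernel: OTHER-DROP IN=eth1 OUT= SRC=192.0.2.4 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=6 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Print "time proto src dst dport" for every PORTFWACCESS entry on stdin;
# lines with any other prefix (blocked packets and so on) are ignored.
portfw_entries() {
    awk '/kernel: PORTFWACCESS / {
        proto = src = dst = dpt = ""
        for (i = 6; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        printf "%s %s %s %s %s\n", $3, proto, src, dst, dpt
    }'
}

# Keep only the first entry per (source address, forwarded port) within any
# 60-second window: the "first connect per IP with a one-minute timeout"
# asked for above, done on the log side. Input is portfw_entries output.
# Assumes one day of log; a midnight wrap would need the date fields too.
first_per_source() {
    awk '{
        split($1, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        key = $3 " " $5
        if (!(key in last) || now - last[key] >= 60) {
            last[key] = now
            print
        }
    }'
}

# Line count without the padding some wc implementations print.
count_lines() { wc -l | tr -d ' '; }

# Stand-alone run: print the de-duplicated audit listing.
printf '%s\n' "$SAMPLE_LOG" | portfw_entries | first_per_source
```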
Posted: Tue May 06, 2008 5:41 am
Expert

Joined: Sat Sep 23, 2006 11:23 am
Posts: 2470
Location: LDK | Hessen | Germany
You should really try to figure out why IPCop comes with CUSTOM* chains.

_________________

-=[ If you want answers: provide lots of information, including tiny details! ]=-

