Author Topic: Limit to IP option in firewall settings  (Read 4692 times)

stiev3

  • Newbie
  • *
  • Posts: 8
    • View Profile
Limit to IP option in firewall settings
« on: January 21, 2008, 01:53:09 am »
I'm on beta2 right now (going to 3 in short order).  But I was curious as to what this option does.  The wiki says : You can limit rules to specific ip addresses.

My goal is to forward one port as securely as possible - I'd like to limit access to one specific IP address if possible.  I figured that the "Limit to IP" was the way to do that, so I specified it as the target ip.  With it set I was still able to see the port as open from IPs that weren't specified. ( www.grc.com ). 

Am I misunderstanding that option's purpose or do I have something misconfigured?
« Last Edit: January 21, 2008, 04:38:26 am by stiev3 »

rwilson131

  • Veteran
  • ***
  • Posts: 118
    • View Profile
Re: Limit to IP option in firewall settings
« Reply #1 on: January 21, 2008, 02:18:36 am »
I have also been experiencing Firewall issues.  I asked the forum at this post. http://forum.linuxmce.org/index.php?topic=3890.0  but I have not gotten a response.  I had not tried Beta2, so  I do not know if my problem exists in Beta2, but I am not able to get any Firewall changes loaded via Admin in Beta3

try iptables -L and see what rules are loaded

Thanks,
Rob

stiev3

  • Newbie
  • *
  • Posts: 8
    • View Profile
Re: Limit to IP option in firewall settings
« Reply #2 on: January 21, 2008, 04:23:06 am »
So I'm on beta3 32bit now, and it still seems to not "limit to ip" on the ip i specify.  I think I'm going to opt to stop forwarding ports for now.  For the record, it should be possible to block all traffic on an open port except for an ip I specify correct?  I'd rather not leave threat filtering up to my novice ability at administering a private svn server with apache if I have a choice to do it through the firewall menu.

iptables -L output (with ports forwarded):
Code: [Select]
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     0    --  anywhere             anywhere           
ACCEPT     0    --  anywhere             anywhere   
ACCEPT     0    --  anywhere             anywhere   
ACCEPT     udp  --  anywhere             anywhere   
ACCEPT     0    --  192.168.80.0/24      anywhere           
ACCEPT     udp  --  anywhere             anywhere   
ACCEPT     udp  --  anywhere             anywhere   
ACCEPT     udp  --  anywhere             anywhere   
ACCEPT     tcp  --  anywhere             anywhere   

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

rwilson131

  • Veteran
  • ***
  • Posts: 118
    • View Profile
Re: Limit to IP option in firewall settings
« Reply #3 on: January 21, 2008, 05:33:54 am »
that is exactly what my iptables -L looks like and I have three additional rules.  This worked in 704 but does not appear to be working in 710Beta3.

If someone else can confirm this I will file a Mantis report.

Thanks,
Rob

stiev3

  • Newbie
  • *
  • Posts: 8
    • View Profile
Re: Limit to IP option in firewall settings
« Reply #4 on: January 21, 2008, 07:53:49 am »
to clarify my few posts just in case they needed it.

My problem:
Opening ports with an ip specified in Limit to IP failed on beta2 and beta3.  The port would be opened, but it would not be limited to the ip.

My temporary solution:
Keep the port open through the web admin, and limit IP in the ip tables of the pc that receives the forwarding.

uplink

  • Administrator
  • Guru
  • *****
  • Posts: 192
  • Linux and LinuxMCE witchdoctor
    • View Profile
Re: Limit to IP option in firewall settings
« Reply #5 on: January 21, 2008, 05:15:34 pm »
First of all, please use this:
Code: [Select]
iptables -xvnLI find it to be easier to read and with more useful information.
Second, also check the "nat" table, by adding the "-t nat" parameter to the previous command, like this:
Code: [Select]
iptables -t nat -xvnLThird, I'm looked over the code and this couldn't have worked :) If I'm looking in the right place, this bug is _ancient_. The line I'm referring to is in /usr/pluto/bin/Network_Firewall.sh, the script responsible for applying the firewall rules, at line 136. Now, that line was last modified at revision 545. What I noticed there was this:
Code: [Select]
ForwardPort "$Protocol" "$ExtIP" "$SrcPort" "$DestIP" "$DestPort"and I changed it to this:
Code: [Select]
ForwardPort "$Protocol" "$ExtIP" "$SrcPort" "$DestIP" "$DestPort" "$SrcIP".

Now, my iptables -t nat -xvnL shows that a filter for the source IP is applied, as it should. I also checked the other calls to ForwardPort and OpenPort to make sure this parameter is correct, and this is the only place without it.

Please try out my change and let me know if it fixes your issues. It has already been committed to SVN.

stiev3

  • Newbie
  • *
  • Posts: 8
    • View Profile
Re: Limit to IP option in firewall settings
« Reply #6 on: January 21, 2008, 07:42:22 pm »
Changed the script as instructed, seems to have solved my issue.  Using "iptables -t nat -xvnL" without the change, I reading the source as 0.0.0.0/0 when I applied the firewall rule in web admin.  After the change, the source correctly shows the ip I specified under "Limit to IP" when I reapplied the rule.

Thanks for the help!

jondecker76

  • Alumni
  • wants to work for LinuxMCE
  • *
  • Posts: 763
    • View Profile
Re: Limit to IP option in firewall settings
« Reply #7 on: February 05, 2008, 01:31:45 am »
A couple of things...

1) Is this going to be/has it been fixed yet?

2) There is still no answer to what "Limit to IP" does - i want to know this too, as I will have to be opening ports for xbox live use.

So, what is the difference between the destination IP address, and the "Limit to:" IP address in the firewall settings?
Also, can you specify a range of IP address to forward ports on? (I.e. open UDP port 88 on all IP address, or from 192.168.80.140-192.168.80.145?)