openvpn as + firewalld + fail2ban: banned IPs are not banned on specific port

Issues related to configuring your network
Post Reply
cl101
Posts: 2
Joined: 2021/05/27 11:47:24

openvpn as + firewalld + fail2ban: banned IPs are not banned on specific port

Post by cl101 » 2021/05/27 12:15:30

Hello,

firewalld does not block IPs which were banned by fail2ban on port 443 (the VPN port of openVPN), but does block IPs on other ports (e.g. works fine on the port for the webinterface, or SSH). I tried to find the problem via firewall-cmd and nft, but I really don't see it. Can anybody point me in the right direction?

this my output of firewalld:
XXX_OFFENDING_IP_XXX is my own IP from which I can test

IPtables is

Code: Select all

 sudo iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    AS0_ACCEPT  all  --  anywhere             anywhere            
3    AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
4    AS0_ACCEPT  tcp  --  anywhere            XX_FQDN_XX  state NEW tcp dpt:915
5    AS0_ACCEPT  tcp  --  anywhere             XX_FQDN_XX  state NEW tcp dpt:914
6    AS0_ACCEPT  udp  --  anywhere             XX_FQDN_XX  state NEW udp dpt:917
7    AS0_ACCEPT  udp  --  anywhere             XX_FQDN_XX  state NEW udp dpt:916
8    AS0_WEBACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
9    AS0_WEBACCEPT  tcp  --  anywhere             anywhere             state NEW tcp dpt:34254

I have configured firewalld for openVPN with:

Code: Select all

sudo firewall-cmd --zone=public --add-port=34254/tcp --permanent
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
sudo firewall-cmd --zone=public --add-port=443/udp --permanent
sudo firewall-cmd --zone=public --add-service openvpn --permanent
sudo firewall-cmd --zone=public --add-masquerade --permanent
reboot

Code: Select all

firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: openvpn
  ports: 42913/tcp 34254/tcp 443/tcp 443/udp
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="XXX_OFFENDING_IP_XXX" port port="34254" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="XXX_OFFENDING_IP_XXX" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
	rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
	rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
	rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
	rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
	rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
	rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
        
1) port 34254 (port of the webinterface): this works:

Code: Select all

nft list table inet firewalld | grep 34254
                ip saddr XXX_OFFENDING_IP_XXX tcp dport 34254 ct state { new, untracked } reject
                tcp dport 34254 ct state { new, untracked } accept

1) port 443 (port of the VPN server): this does NOT work:

Code: Select all

nft list table inet firewalld | grep 443
                ip saddr XXX_OFFENDING_IP_XXX tcp dport 443 ct state { new, untracked } reject
                ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
                ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
                ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
                ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
                ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
                ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
                ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
                ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
                tcp dport 443 ct state { new, untracked } accept

full output of nft list table inet firewalld

Code: Select all

table inet firewalld {
        chain raw_PREROUTING {
                type filter hook prerouting priority raw + 10; policy accept;
                icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
                meta nfproto ipv6 fib saddr . iif oif missing drop
                jump raw_PREROUTING_ZONES_SOURCE
                jump raw_PREROUTING_ZONES
        }

        chain raw_PREROUTING_ZONES_SOURCE {
        }

        chain raw_PREROUTING_ZONES {
                iifname "eth0" goto raw_PRE_public
                goto raw_PRE_public
        }

        chain mangle_PREROUTING {
                type filter hook prerouting priority mangle + 10; policy accept;
                jump mangle_PREROUTING_ZONES_SOURCE
                jump mangle_PREROUTING_ZONES
        }

        chain mangle_PREROUTING_ZONES_SOURCE {
        }

        chain mangle_PREROUTING_ZONES {
                iifname "eth0" goto mangle_PRE_public
                goto mangle_PRE_public
        }

        chain filter_INPUT {
                type filter hook input priority filter + 10; policy accept;
                ct state { established, related } accept
                ct status dnat accept
                iifname "lo" accept
                jump filter_INPUT_ZONES_SOURCE
                jump filter_INPUT_ZONES
                ct state { invalid } drop
                reject with icmpx type admin-prohibited
        }

        chain filter_FORWARD {
                type filter hook forward priority filter + 10; policy accept;
                ct state { established, related } accept
                ct status dnat accept
                iifname "lo" accept
                ip6 daddr { IPv6.... } reject with icmpv6 type addr-unreachable
                jump filter_FORWARD_IN_ZONES_SOURCE
                jump filter_FORWARD_IN_ZONES
                jump filter_FORWARD_OUT_ZONES_SOURCE
                jump filter_FORWARD_OUT_ZONES
                ct state { invalid } drop
                reject with icmpx type admin-prohibited
        }

        chain filter_OUTPUT {
                type filter hook output priority filter + 10; policy accept;
                oifname "lo" accept
                ip6 daddr { IPv6.... } reject with icmpv6 type addr-unreachable
        }

        chain filter_INPUT_ZONES_SOURCE {
        }

        chain filter_INPUT_ZONES {
                iifname "eth0" goto filter_IN_public
                goto filter_IN_public
        }

        chain filter_FORWARD_IN_ZONES_SOURCE {
        }

        chain filter_FORWARD_IN_ZONES {
                iifname "eth0" goto filter_FWDI_public
                goto filter_FWDI_public
        }

        chain filter_FORWARD_OUT_ZONES_SOURCE {
        }

        chain filter_FORWARD_OUT_ZONES {
                oifname "eth0" goto filter_FWDO_public
                goto filter_FWDO_public
        }

        chain raw_PRE_public {
                jump raw_PRE_public_pre
                jump raw_PRE_public_log
                jump raw_PRE_public_deny
                jump raw_PRE_public_allow
                jump raw_PRE_public_post
        }

        chain raw_PRE_public_pre {
        }

        chain raw_PRE_public_log {
        }

        chain raw_PRE_public_deny {
        }

        chain raw_PRE_public_allow {
        }

        chain raw_PRE_public_post {
        }

        chain filter_IN_public {
                jump filter_IN_public_pre
                jump filter_IN_public_log
                jump filter_IN_public_deny
                jump filter_IN_public_allow
                jump filter_IN_public_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_IN_public_pre {
        }

        chain filter_IN_public_log {
        }

        chain filter_IN_public_deny {
                ip saddr XXX_OFFENDING_IP_XXX tcp dport 34254 ct state { new, untracked } reject
                ip saddr XXX_OFFENDING_IP_XXX tcp dport 443 ct state { new, untracked } reject
                ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
                ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
                ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
                ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
                ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
                ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
                ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
                ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
        }

        chain filter_IN_public_allow {
                udp dport 1194 ct state { new, untracked } accept
                tcp dport 42913 ct state { new, untracked } accept
                tcp dport 34254 ct state { new, untracked } accept
                tcp dport 443 ct state { new, untracked } accept
        }

        chain filter_IN_public_post {
        }

        chain filter_FWDO_public {
                jump filter_FWDO_public_pre
                jump filter_FWDO_public_log
                jump filter_FWDO_public_deny
                jump filter_FWDO_public_allow
                jump filter_FWDO_public_post
        }

        chain filter_FWDO_public_pre {
        }

        chain filter_FWDO_public_log {
        }

        chain filter_FWDO_public_deny {
        }

        chain filter_FWDO_public_allow {
                ct state { new, untracked } accept
        }

        chain filter_FWDO_public_post {
        }

        chain filter_FWDI_public {
                jump filter_FWDI_public_pre
                jump filter_FWDI_public_log
                jump filter_FWDI_public_deny
                jump filter_FWDI_public_allow
                jump filter_FWDI_public_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_FWDI_public_pre {
        }

        chain filter_FWDI_public_log {
        }

        chain filter_FWDI_public_deny {
        }

        chain filter_FWDI_public_allow {
        }

        chain filter_FWDI_public_post {
        }

        chain mangle_PRE_public {
                jump mangle_PRE_public_pre
                jump mangle_PRE_public_log
                jump mangle_PRE_public_deny
                jump mangle_PRE_public_allow
                jump mangle_PRE_public_post
        }

        chain mangle_PRE_public_pre {
        }

        chain mangle_PRE_public_log {
        }

        chain mangle_PRE_public_deny {
        }

        chain mangle_PRE_public_allow {
        }

        chain mangle_PRE_public_post {
        }
}

cl101
Posts: 2
Joined: 2021/05/27 11:47:24

Re: openvpn as + firewalld + fail2ban: banned IPs are not banned on specific port

Post by cl101 » 2021/06/04 14:10:56

I think I'm able to answer my own question:

openVPN AS was configured in multi=daemon mode (UDP, and TCP). I couldn't set fail2ban to

Code: Select all

protocoll = all
- I received an " INVALID PORT " error and didn't find a quick solution. After disabling UDP, IPs are really banned.

To my understanding, a request via UDP does not require a response, so it might falsely seem to work. However, if I understand correctly, even after both TCP + UDP were blocked via firewalld (

Code: Select all

rule family="ipv4" source address="XXX_OFFENDING_IP_XXX" reject
), the server was listening for input from this IP:

Code: Select all

telnet XX_IP_VPN-SERVER_XX 443
Trying XX_IP_VPN-SERVER_XX...
Connected to XX_IP_VPN-SERVER_XX.
Escape character is '^]'.
maybe somebody could clarify if my assumption regarding UDP is correct?

Post Reply