'iptables -A OUTPUT -j REJECT' filters ARP reply

Support for security such as Firewalls and securing linux
dmartiny
Posts: 5
Joined: 2022/01/24 11:38:29

'iptables -A OUTPUT -j REJECT' filters ARP reply

Post by dmartiny » 2022/01/24 12:00:41

Hello,

I'm using iptables on CentOS 8 and am trying to block all outgoing traffic with the exception of a few open ports.
My iptables configuration basically looks as follows on the output side:

iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -j REJECT
iptables -A OUTPUT -p tcp --dport 5000:5001 -j ACCEPT
iptables -A OUTPUT -j REJECT

The problem though is that the last line (iptables -A OUTPUT -j REJECT) also seems to filter 'ARP reply' packets.

How can I block all outgoing traffic but still have ARP working?

Thanks

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply

Post by TrevorH » 2022/01/24 12:08:51

You don't have any protocol specified on your catch-all rule so it rejects all protocols that have not been matched. Try adding a previous rule with -p arp to allow them.

Edit: hmm, iptables doesn't know -p arp though I figured it would since I could do a tcpdump -p arp and that works. But the answer is much the same, you need to not block them and your current rule blocks all packets regardless of protocol. Perhaps adding two block rules, one for -p udp, one for -p tcp would have the same effect.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

dmartiny
Posts: 5
Joined: 2022/01/24 11:38:29

Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply

Post by dmartiny » 2022/01/24 12:20:01

I tried that with: iptables -A OUTPUT -p arp -j ACCEPT
but this gives me the following error: iptables v1.8.4 (nf_tables): unknown protocol "arp" specified

AlBundy
Posts: 6
Joined: 2022/01/24 10:56:55

Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply

Post by AlBundy » 2022/01/24 12:49:33

It seems that you cannot use iptables
https://security.stackexchange.com/ques ... p-requests

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply

Post by jlehtone » 2022/01/24 13:49:28

dmartiny wrote:
2022/01/24 12:00:41
I'm using iptables on CentOS 8 ...
No, you are not. You are using the nftables wrapper that translates your iptables-syntax rules into nftables rules.

If you want to see the actual rules in your kernel, do say:

sudo nft list ruleset

Netfilter -- the legacy iptables -- did not filter L2 traffic. Nftables does. I'm actually curious to know how the REJECT all translates to nftables.

dmartiny
Posts: 5
Joined: 2022/01/24 11:38:29

Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply

Post by dmartiny » 2022/01/24 13:58:19

My complete iptables configuration is as follows:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m pkttype --pkt-type broadcast -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 61234 -j ACCEPT
iptables -A INPUT -p tcp --dport 5000:5015 -j ACCEPT
iptables -A INPUT -p tcp --dport 6000:6015 -j ACCEPT
iptables -A INPUT -j REJECT

# Output filter
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p icmp -j REJECT
iptables -A OUTPUT -p arp -j ACCEPT
iptables -A OUTPUT -j REJECT

With this configuration, sudo nft list ruleset gives:

table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
ct state related,established counter packets 9 bytes 570 accept
pkttype broadcast counter packets 1 bytes 291 accept
iifname "lo" counter packets 1 bytes 60 accept
meta l4proto icmp counter packets 0 bytes 0 accept
meta l4proto tcp tcp dport 61234 counter packets 0 bytes 0 accept
meta l4proto tcp tcp dport 5000-5015 counter packets 0 bytes 0 accept
meta l4proto tcp tcp dport 6000-6015 counter packets 0 bytes 0 accept
counter packets 5 bytes 861 reject
}

chain FORWARD {
type filter hook forward priority filter; policy accept;
}

chain OUTPUT {
type filter hook output priority filter; policy accept;
ct state related,established counter packets 14 bytes 1571 accept
oifname "lo" counter packets 1 bytes 60 accept
meta l4proto icmp counter packets 0 bytes 0 reject
counter packets 29 bytes 4330 reject
}
}
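The following audit script is an added example, not code from the thread or from the nftables project. It parses the `nft list ruleset` output posted above (embedded here as a constructed sample with the same rules and counters), lists every terminating rule that carries no match expression at all, and prints which address family each of those catch-all rules lives in. The family scope table follows the nftables wiki page linked later in the thread: a table in the `ip` family only ever evaluates IPv4 packets, so a rule that should apply to ARP frames has to live in the `arp`, `bridge` or `netdev` family. The parser is deliberately minimal (flat chains, no sets or maps) and is an assumption of this example rather than a general nft grammar.

```python
import re
from dataclasses import dataclass

# Constructed sample: the 'sudo nft list ruleset' output posted in the thread.
RULESET = """\
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        ct state related,established counter packets 9 bytes 570 accept
        pkttype broadcast counter packets 1 bytes 291 accept
        iifname "lo" counter packets 1 bytes 60 accept
        meta l4proto icmp counter packets 0 bytes 0 accept
        meta l4proto tcp tcp dport 61234 counter packets 0 bytes 0 accept
        meta l4proto tcp tcp dport 5000-5015 counter packets 0 bytes 0 accept
        meta l4proto tcp tcp dport 6000-6015 counter packets 0 bytes 0 accept
        counter packets 5 bytes 861 reject
    }
    chain FORWARD {
        type filter hook forward priority filter; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
        ct state related,established counter packets 14 bytes 1571 accept
        oifname "lo" counter packets 1 bytes 60 accept
        meta l4proto icmp counter packets 0 bytes 0 reject
        counter packets 29 bytes 4330 reject
    }
}
"""

VERDICTS = {"accept", "drop", "reject", "return"}
# What each nftables address family evaluates (per the nftables wiki);
# only the last three ever see ARP frames, 'ip' handles IPv4 exclusively.
FAMILY_SCOPE = {
    "ip": "IPv4 only", "ip6": "IPv6 only", "inet": "IPv4 and IPv6",
    "arp": "ARP frames", "bridge": "bridged L2 frames",
    "netdev": "all ingress/egress frames",
}
ARP_FAMILIES = {"arp", "bridge", "netdev"}


@dataclass
class Rule:
    family: str
    table: str
    chain: str
    hook: str        # "input", "output", ...; None for non-base chains
    matches: list    # tokens before the counter/verdict; empty means catch-all
    verdict: str
    packets: int     # counter value, -1 when the rule has no counter


def parse_ruleset(text):
    """Minimal line-oriented parser for 'nft list ruleset' output (assumption:
    flat chains with simple match/counter/verdict rules, as in the sample)."""
    rules, family, table, chain, hook = [], None, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "}":
            continue
        if m := re.match(r"table (\w+) (\S+) \{", line):
            family, table = m.group(1), m.group(2)
        elif m := re.match(r"chain (\S+) \{", line):
            chain, hook = m.group(1), None
        elif m := re.match(r"type \w+ hook (\w+) ", line):
            hook = m.group(1)
        else:
            tokens = line.split()
            if tokens[-1] not in VERDICTS:
                continue  # jumps, set definitions and other non-terminating lines
            body, packets = tokens[:-1], -1
            if "counter" in body:
                i = body.index("counter")      # "counter packets N bytes M"
                packets = int(body[i + 2])
                body = body[:i]
            rules.append(Rule(family, table, chain, hook, body, tokens[-1], packets))
    return rules


def catch_all_rules(rules):
    """Drop/reject rules with no match expression: they hit every packet that
    reaches them in their chain, whatever the protocol."""
    return [r for r in rules if not r.matches and r.verdict in {"drop", "reject"}]


def sees_arp(rule):
    """True only if the rule lives in a family that evaluates ARP frames at all."""
    return rule.family in ARP_FAMILIES


def report(text):
    lines = []
    for r in catch_all_rules(parse_ruleset(text)):
        lines.append(f"{r.family} {r.table}/{r.chain} hook={r.hook}: unconditional "
                     f"{r.verdict} ({r.packets} pkts); family scope: "
                     f"{FAMILY_SCOPE[r.family]}; evaluates ARP: {sees_arp(r)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(RULESET)))
```

Running it against the sample reports the two unconditional rejects (INPUT and OUTPUT of `table ip filter`) and flags that neither lives in a family that evaluates ARP; to filter or allow ARP explicitly, the rule has to be placed in an `arp`, `bridge` or `netdev` family table, which the iptables wrapper does not generate.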

dmartiny
Posts: 5
Joined: 2022/01/24 11:38:29

Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply

Post by dmartiny » 2022/01/24 14:01:43

Oops, forgot to remove 'iptables -A OUTPUT -p arp -j ACCEPT' from my configuration...
But I assume this doesn't change the output of the nft command.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply

Post by jlehtone » 2022/01/24 14:06:08

Alas, that does not really explain the block. The table 'filter' has family 'ip' which should handle only L3 IPv4 packets:
https://wiki.nftables.org/wiki-nftables ... s_families

[edit] Unless ARP replies are L3 packets?

dmartiny
Posts: 5
Joined: 2022/01/24 11:38:29

Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply

Post by dmartiny » 2022/01/24 14:27:47

This is the ARP reply captured by Wireshark:

Frame 28: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface \Device\NPF_{3CA41E5C-EEA1-4043-892D-7C12C9741416}, id 0
Interface id: 0 (\Device\NPF_{3CA41E5C-EEA1-4043-892D-7C12C9741416})
Encapsulation type: Ethernet (1)
Arrival Time: Jan 24, 2022 15:25:59.360313000 Romance Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1643034359.360313000 seconds
[Time delta from previous captured frame: 0.028497000 seconds]
[Time delta from previous displayed frame: 0.028497000 seconds]
[Time since reference or first frame: 48.551826000 seconds]
Frame Number: 28
Frame Length: 42 bytes (336 bits)
Capture Length: 42 bytes (336 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:arp]
[Coloring Rule Name: ARP]
[Coloring Rule String: arp]
Ethernet II, Src: 9e:c0:c3:7f:3a:81 (9e:c0:c3:7f:3a:81), Dst: 9e:f2:db:c1:e6:f1 (9e:f2:db:c1:e6:f1)
Destination: 9e:f2:db:c1:e6:f1 (9e:f2:db:c1:e6:f1)
Source: 9e:c0:c3:7f:3a:81 (9e:c0:c3:7f:3a:81)
Type: ARP (0x0806)
Address Resolution Protocol (reply)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (2)
Sender MAC address: 9e:c0:c3:7f:3a:81 (9e:c0:c3:7f:3a:81)
Sender IP address: 172.30.194.249
Target MAC address: 9e:f2:db:c1:e6:f1 (9e:f2:db:c1:e6:f1)
Target IP address: 172.30.176.210

This does look like L2 right?
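As an added example (not from the thread, and not Wireshark's own dissector), the decoder below rebuilds the 42-byte frame from the field values in the capture above and parses it back: after the 14-byte Ethernet II header comes the ARP payload directly, with no IPv4 header anywhere, which is exactly what makes it an L2 frame. The decoder also handles a VLAN-tagged (802.1Q) variant, which the capture does not show but which is the common edge case when such frames are read from a trunk port; the MAC and IP values are the ones from the capture, the classification strings are this example's own wording.

```python
import struct
from ipaddress import IPv4Address

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PDU = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0806, 0x0800, 0x8100


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed 42-byte Ethernet II + ARP reply, same layout as the capture."""
    pdu = ARP_PDU.pack(1, ETHERTYPE_IPV4, 6, 4, 2,
                       mac(sender_mac), IPv4Address(sender_ip).packed,
                       mac(target_mac), IPv4Address(target_ip).packed)
    return ETH_HDR.pack(mac(target_mac), mac(sender_mac), ETHERTYPE_ARP) + pdu


def parse_frame(frame):
    """Decode the Ethernet header (skipping one 802.1Q tag if present) and
    say whether an IPv4-only ('ip' family) filter would evaluate the frame."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    offset, vlan = ETH_HDR.size, None
    if ethertype == ETHERTYPE_VLAN:            # 802.1Q: TCI, then the real EtherType
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlan, offset = tci & 0x0FFF, offset + 4
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype,
            "vlan": vlan, "layer": None, "arp": None}
    if ethertype == ETHERTYPE_ARP:
        htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PDU.unpack_from(frame, offset)
        if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
            raise ValueError("unsupported ARP hardware/protocol combination")
        info["layer"] = "L2: no IP header, outside the scope of an 'ip' family table"
        info["arp"] = {"opcode": {1: "request", 2: "reply"}.get(op, op),
                       "sender_mac": sha.hex(":"), "sender_ip": str(IPv4Address(spa)),
                       "target_mac": tha.hex(":"), "target_ip": str(IPv4Address(tpa))}
    elif ethertype == ETHERTYPE_IPV4:
        info["layer"] = "L3: IPv4 packet, evaluated by 'ip' family chains"
    else:
        info["layer"] = f"other EtherType 0x{ethertype:04x}"
    return info


# The reply from the capture, rebuilt from the values shown in the thread.
FRAME = build_arp_reply("9e:c0:c3:7f:3a:81", "172.30.194.249",
                        "9e:f2:db:c1:e6:f1", "172.30.176.210")

if __name__ == "__main__":
    print(len(FRAME), "bytes")
    for k, v in parse_frame(FRAME).items():
        print(f"{k}: {v}")
```

The rebuilt frame is 42 bytes, matching the capture's frame length, and the decoded EtherType is 0x0806 rather than 0x0800, so nothing in it is addressed by an IPv4 header.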

AlBundy
Posts: 6
Joined: 2022/01/24 10:56:55

Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply

Post by AlBundy » 2022/01/24 15:34:52

you can also try my workaround: viewtopic.php?f=57&t=78674
