'iptables -A OUTPUT -j REJECT' filters ARP reply
Hello,
I'm using iptables on CentOS 8 and am trying to block all outgoing traffic with the exception of a few open ports.
My iptables configuration basically looks as follows on the output side:
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -j REJECT
iptables -A OUTPUT -p tcp --dport 5000:5001 -j ACCEPT
iptables -A OUTPUT -j REJECT
The problem though is that the last line (iptables -A OUTPUT -j REJECT) also seems to filter 'ARP reply' packets.
How can I block all outgoing traffic but still have ARP working?
Thanks
Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply
You don't have any protocol specified on your catch-all rule so it rejects all protocols that have not been matched. Try adding a previous rule with -p arp to allow them.
Edit: hmm, iptables doesn't know -p arp though I figured it would since I could do a tcpdump -p arp and that works. But the answer is much the same, you need to not block them and your current rule blocks all packets regardless of protocol. Perhaps adding two block rules, one for -p udp, one for -p tcp would have the same effect.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply
I tried that with: iptables -A OUTPUT -p arp -j ACCEPT
but this gives me the following error: iptables v1.8.4 (nf_tables): unknown protocol "arp" specified
Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply
It seems that you cannot use iptables
https://security.stackexchange.com/ques ... p-requests
Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply
No, you are not. You are using nftables wrapper that translates your iptables-syntax rules into nftables rules.
If you want to see the actual rules in your kernel, do say:
sudo nft list ruleset
Netfilter -- the legacy iptables -- did not filter L2 traffic. Nftables does. I'm actually curious to know how the REJECT all translates to nftables.
Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply
My complete iptables configuration is as follows:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m pkttype --pkt-type broadcast -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 61234 -j ACCEPT
iptables -A INPUT -p tcp --dport 5000:5015 -j ACCEPT
iptables -A INPUT -p tcp --dport 6000:6015 -j ACCEPT
iptables -A INPUT -j REJECT
# Output filter
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p icmp -j REJECT
iptables -A OUTPUT -p arp -j ACCEPT
iptables -A OUTPUT -j REJECT
With this configuration, sudo nft list ruleset gives:
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
ct state related,established counter packets 9 bytes 570 accept
pkttype broadcast counter packets 1 bytes 291 accept
iifname "lo" counter packets 1 bytes 60 accept
meta l4proto icmp counter packets 0 bytes 0 accept
meta l4proto tcp tcp dport 61234 counter packets 0 bytes 0 accept
meta l4proto tcp tcp dport 5000-5015 counter packets 0 bytes 0 accept
meta l4proto tcp tcp dport 6000-6015 counter packets 0 bytes 0 accept
counter packets 5 bytes 861 reject
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
ct state related,established counter packets 14 bytes 1571 accept
oifname "lo" counter packets 1 bytes 60 accept
meta l4proto icmp counter packets 0 bytes 0 reject
counter packets 29 bytes 4330 reject
}
}
Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply
Oops, forgot to remove 'iptables -A OUTPUT -p arp -j ACCEPT' from my configuration...
But I assume this doesn't change the output of the nft command.
Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply
Alas, that does not really explain the block. The table 'filter' has family 'ip' which should handle only L3 IPv4 packets:
https://wiki.nftables.org/wiki-nftables ... s_families
[edit] Unless ARP replies are L3 packets?
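As an added check (example code, not from this thread or the nftables project), the `nft list ruleset` listing can be parsed to show which table families could ever see an ARP frame and where the unqualified reject sits; the sample is the OUTPUT chain posted above, abridged, and the family table follows the nftables wiki's description of the ip, ip6, inet, arp, bridge and netdev families.

```python
import re
# Which nftables address families receive ARP frames on their hooks (per the
# nftables wiki); an unknown family is assumed able to, to stay on the safe side.
SEES_ARP = {"ip": False, "ip6": False, "inet": False,
            "arp": True, "bridge": True, "netdev": True}

TABLE_RE = re.compile(r"^table\s+(\w+)\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(r"^type\s+\w+\s+hook\s+(\w+)\s+priority\s+[^;]+;\s*policy\s+(\w+)")
CATCH_ALL_RE = re.compile(r"^counter packets \d+ bytes \d+ (reject|drop)\b")

def parse_ruleset(text):
    """Parse `nft list ruleset` text into [{family, name, chains:[{name, hook, policy, rules}]}]."""
    tables, table, chain = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TABLE_RE.match(line):
            table = {"family": m[1], "name": m[2], "chains": []}
            tables.append(table)
        elif m := CHAIN_RE.match(line):
            chain = {"name": m[1], "hook": None, "policy": None, "rules": []}
            table["chains"].append(chain)
        elif m := HOOK_RE.match(line):
            chain["hook"], chain["policy"] = m[1], m[2]
        elif line == "}":
            chain = None  # closes the current chain; a second "}" closes the table
        elif line and chain is not None:
            chain["rules"].append(line)  # one rule per line, as nft prints them
    return tables

def arp_visible_tables(tables):
    """Tables whose family lets their hooks see ARP frames at all."""
    return [(t["family"], t["name"]) for t in tables if SEES_ARP.get(t["family"], True)]

def catch_all_verdicts(tables):
    """Unqualified reject/drop rules, i.e. what `iptables -A OUTPUT -j REJECT` becomes."""
    return [(t["family"], t["name"], c["name"], CATCH_ALL_RE.match(r)[1])
            for t in tables for c in t["chains"] for r in c["rules"] if CATCH_ALL_RE.match(r)]

# Abridged from the ruleset posted in this thread: only the OUTPUT chain.
SAMPLE = """table ip filter {
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
        ct state related,established counter packets 14 bytes 1571 accept
        oifname "lo" counter packets 1 bytes 60 accept
        meta l4proto icmp counter packets 0 bytes 0 reject
        counter packets 29 bytes 4330 reject
    }
}
"""
```

For the posted ruleset `arp_visible_tables` returns an empty list: the only table is family `ip`, whose hooks never receive ARP, so the catch-all reject in its OUTPUT chain is not what is dropping the ARP replies.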
Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply
This is the ARP reply captured by Wireshark:
Frame 28: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface \Device\NPF_{3CA41E5C-EEA1-4043-892D-7C12C9741416}, id 0
Interface id: 0 (\Device\NPF_{3CA41E5C-EEA1-4043-892D-7C12C9741416})
Encapsulation type: Ethernet (1)
Arrival Time: Jan 24, 2022 15:25:59.360313000 Romance Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1643034359.360313000 seconds
[Time delta from previous captured frame: 0.028497000 seconds]
[Time delta from previous displayed frame: 0.028497000 seconds]
[Time since reference or first frame: 48.551826000 seconds]
Frame Number: 28
Frame Length: 42 bytes (336 bits)
Capture Length: 42 bytes (336 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:arp]
[Coloring Rule Name: ARP]
[Coloring Rule String: arp]
Ethernet II, Src: 9e:c0:c3:7f:3a:81 (9e:c0:c3:7f:3a:81), Dst: 9e:f2:db:c1:e6:f1 (9e:f2:db:c1:e6:f1)
Destination: 9e:f2:db:c1:e6:f1 (9e:f2:db:c1:e6:f1)
Source: 9e:c0:c3:7f:3a:81 (9e:c0:c3:7f:3a:81)
Type: ARP (0x0806)
Address Resolution Protocol (reply)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (2)
Sender MAC address: 9e:c0:c3:7f:3a:81 (9e:c0:c3:7f:3a:81)
Sender IP address: 172.30.194.249
Target MAC address: 9e:f2:db:c1:e6:f1 (9e:f2:db:c1:e6:f1)
Target IP address: 172.30.176.210
This does look like L2 right?
Re: 'iptables -A OUTPUT -j REJECT' filters ARP reply
You can also try my workaround: viewtopic.php?f=57&t=78674