
ClearFoundation

Peter Finch
Country: United States
Member since: Sunday, 16 September 2012 18:36
Last online: yesterday
Profile views: 2831

2 days ago
Peter Finch replied to the topic Re:DHCP Static Reservation in the forums.
Just got bit by this again but can reproduce now. Scenario is I connected a new device and DHCP handed it .201. Through the GUI DHCP module I changed this to static with a .3 IP. I reboot the offending device and it comes back on .201 again. I shut the device down, stop dnsmasq, make sure the MAC and IP are correct in ethers, delete any mention of IP .201 or the device MAC in dnsmasq.leases, and restart dnsmasq. When I boot the device it STILL comes up on .201!

What is happening is the device is including its last known IP in the DHCP Discover message and ClearOS is honoring it:

Code:
Jan 26 18:45:50 gateway dnsmasq-dhcp[19584]: DHCPACK(eth2) 192.168.10.201 b8:27:eb:9b:8a:a2 TimeCapsule
Jan 26 18:45:50 gateway dnsmasq-dhcp[19584]: DHCPREQUEST(eth2) 192.168.10.201 b8:27:eb:9b:8a:a2
Jan 26 18:45:50 gateway dnsmasq-dhcp[19584]: DHCPOFFER(eth2) 192.168.10.201 b8:27:eb:9b:8a:a2
Jan 26 18:45:50 gateway dnsmasq-dhcp[19584]: DHCPDISCOVER(eth2) 192.168.10.201 b8:27:eb:9b:8a:a2

This is a bug given ethers already has a static assignment entry. I finally got it all sorted by again doing the dynamic to static and IP change in the ClearOS GUI DHCP module and then doing an "ifdown eth0; ifup eth0" on the device. Oddly, "dhclient -r eth0" did not work.

BTW, the device in this case is a Raspberry Pi B+ running Raspbian and netatalk to masquerade as an Apple Time Capsule.

Peter
02:29 PM
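A defender-side check for the drift described in the post, added here as example code (not from the post or from ClearOS): it parses /etc/ethers and dnsmasq-dhcp log lines and flags any DHCPACK whose address differs from the reservation for that MAC. The ethers content is constructed, and 192.168.10.3 is assumed as the full form of the ".3" address the post mentions.

```python
"""Flag dnsmasq DHCPACKs that hand a client an address other than the one
reserved for its MAC in /etc/ethers (added example, not from the post)."""
import re

# Constructed /etc/ethers sample: the post's MAC mapped to the intended static
# address; 192.168.10.3 is assumed from the ".3" the post mentions.
ETHERS = """\
# MAC               address
b8:27:eb:9b:8a:a2   192.168.10.3
"""

# The dnsmasq-dhcp log lines quoted in the post.
LOG = """\
Jan 26 18:45:50 gateway dnsmasq-dhcp[19584]: DHCPACK(eth2) 192.168.10.201 b8:27:eb:9b:8a:a2 TimeCapsule
Jan 26 18:45:50 gateway dnsmasq-dhcp[19584]: DHCPREQUEST(eth2) 192.168.10.201 b8:27:eb:9b:8a:a2
Jan 26 18:45:50 gateway dnsmasq-dhcp[19584]: DHCPOFFER(eth2) 192.168.10.201 b8:27:eb:9b:8a:a2
Jan 26 18:45:50 gateway dnsmasq-dhcp[19584]: DHCPDISCOVER(eth2) 192.168.10.201 b8:27:eb:9b:8a:a2
"""

# Only the ACK matters: it is the lease the client actually ends up using.
ACK_RE = re.compile(
    r"dnsmasq-dhcp\[\d+\]: DHCPACK\((?P<iface>\S+)\) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

def parse_ethers(text):
    """Return {mac: reserved_address}; comments and blank lines are ignored."""
    reserved = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mac, addr = line.split()[:2]
        reserved[mac.lower()] = addr
    return reserved

def find_mismatches(ethers_text, log_text):
    """Return (mac, acked_ip, reserved_ip) for each ACK that contradicts a reservation."""
    reserved = parse_ethers(ethers_text)
    found = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m and reserved.get(m["mac"].lower()) not in (None, m["ip"]):
            found.append((m["mac"].lower(), m["ip"], reserved[m["mac"].lower()]))
    return found

if __name__ == "__main__":
    for mac, got, want in find_mismatches(ETHERS, LOG):
        print(f"{mac}: ACKed {got} but /etc/ethers reserves {want}")
```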
2 weeks ago
Peter Finch replied to the topic Re:Problems Encountered Isolating LANs with Custom Firewall Rules in the forums.
That may be but, in my case at least, those rules are not stopping communications between my LANs on multiple protocols/ports.

Peter
Jan 13
Peter Finch created a new topic Problems Encountered Isolating LANs with Custom Firewall Rules in the forums.
System is configured as a gateway with Community 6.5.0 Final.

I have two internal LANs configured:
Code:
Private: eth2 192.168.10.*
Guest: eth1 192.168.20.*

Replicating what I have seen in several other posts in this forum, I tried to isolate the two LANs using the Custom Firewall Module with rules:
Code:
Custom Firewall Rules Enabled
Block traffic between LANs: iptables -I FORWARD -i eth2 -o eth1 -j DROP
Block traffic between LANs: iptables -I FORWARD -i eth1 -o eth2 -j DROP

This did not have the desired effect as devices could continue to see and communicate between the LANs.

But it gets curiouser...

I had previously listed my iptables and it took 5 minutes to do so (why so long?). After making the rule changes above the iptables list did not have the expected changes. Here you can see the time for listing the iptables, the changes with the rules enabled, and the number of rules in the iptables list.

Code:
[root@gateway ~]# date; iptables --list > iptables.list; date
Tue Jan 13 10:09:32 EST 2015
Tue Jan 13 10:14:01 EST 2015
[root@gateway ~]# date; iptables --list > iptables2.list; date
Tue Jan 13 10:16:27 EST 2015
Tue Jan 13 10:17:30 EST 2015
[root@gateway ~]# diff iptables.list iptables2.list
605a606,607
> DROP       all  --  anywhere             anywhere
> DROP       all  --  anywhere             anywhere
[root@gateway ~]# wc -l iptables.list
821 iptables.list
[root@gateway ~]#

During the first iptables list here is a top showing the system loafing, so I am not sure why it took so long. The second run was faster.

Code:
top - 10:12:39 up 10 min,  3 users,  load average: 0.13, 0.16, 0.12
Tasks: 195 total,   1 running, 194 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.5%us,  0.4%sy,  0.0%ni, 98.7%id,  0.4%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   8030500k total,  1779100k used,  6251400k free,    32772k buffers
Swap: 32767984k total,        0k used, 32767984k free,   650164k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 3563 webconfi  20   0  317m  20m 4296 S  1.3  0.3   0:01.32 webconfig
   78 root      39  19     0    0    0 S  0.3  0.0   0:00.61 kipmi0
  401 root      20   0     0    0    0 S  0.3  0.0   0:00.12 md3_raid1
 3461 root      20   0  269m  36m 7964 S  0.3  0.5   0:01.17 mongod
 3775 root      20   0  133m 5592 1736 S  0.3  0.1   0:00.13 syswatch
    1 root      20   0 21448 1560 1260 S  0.0  0.0   0:00.57 init
    2 root      20   0     0    0    0 S  0.0  0.0   0:00.00 kthreadd
    3 root      RT   0     0    0    0 S  0.0  0.0   0:00.02 migration/0
    4 root      20   0     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd/0
. . .

The iptables rules look like intrusion prevention rules. I had been running intrusion prevention/detection but during this test session they were both stopped, along with content filter, the system rebooted, and all verified as stopped in GUI. Here are some sample rules from the iptables list:

Code:
[root@gateway ~]# head -20 iptables.list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp state RELATED,ESTABLISHED
DROP       all  --  114-26-25-202.dynamic.hinet.net  anywhere
DROP       all  --  c-174-48-209-143.hsd1.fl.comcast.net  anywhere
DROP       all  --  117.221.252.28       anywhere
DROP       all  --  9.248.183.60.broad.sx.zj.dynamic.163data.com.cn  anywhere
DROP       all  --  113.205.189.113      anywhere
DROP       all  --  61.240.144.64        anywhere
DROP       all  --  103.228.78.35        anywhere
DROP       all  --  120.3.227.234        anywhere
DROP       all  --  212-83-137-97.rev.poneytelecom.eu  anywhere
DROP       all  --  scanner2.labs.rapid7.com  anywhere
DROP       all  --  61.240.144.67        anywhere
DROP       all  --  122.95.2.184         anywhere
DROP       all  --  014199240052.ctinets.com  anywhere
DROP       all  --  106.125.220.176      anywhere
DROP       all  --  scanner2.labs.rapid7.com  anywhere
DROP       all  --  61.160.224.130       anywhere
DROP       all  --  212-129-61-193.rev.poneytelecom.eu  anywhere
[root@gateway ~]#

So many questions...

1. Where are all these (800+) iptables rules coming from? I suspect maybe once intrusion prevention has been added and started, the rules continue to load in iptables even after stopping intrusion detection/prevention, rebooting, and verifying they show as stopped.

2. Why does an iptables list take so long to complete and should this be concerning or not? The first list took five minutes on a system that is clearly loafing (99% idle and no wait I/O)?

3. Why did enabling the rules shown above in the Custom Firewall module not have the desired effect of isolating my LANs?

I am NOT an iptables guru and may be misunderstanding much of what I am seeing. Bottom line is I need my guest and private LANs isolated from each other. The system otherwise performs adequately without performance issues of any kind.

Thanks!

Peter
Jan 13
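Whether two FORWARD DROP rules isolate the LANs comes down to rule order: iptables applies the first terminating match, so an ACCEPT placed ahead of them wins. The following is added example code, not from the post or from ClearOS, that parses a FORWARD chain in iptables-save syntax and replays first-match semantics in both directions between eth1 and eth2; the chains are constructed, and `insert_top` models what `iptables -I FORWARD` is expected to do.

```python
"""Replay iptables first-match semantics over a FORWARD chain (iptables-save syntax)
to check that packets between two LAN interfaces hit a DROP before any ACCEPT."""
import re

# -i / -o / -j options; '!' negations are assumed absent and are skipped if present.
OPT_RE = re.compile(r"(?<!! )-(?P<opt>[io]|j) (?P<val>\S+)")

def parse_forward(save_text):
    """Return (policy, rules); each rule maps i/o/j to its value, absent key = any."""
    policy, rules = "ACCEPT", []
    for line in save_text.splitlines():
        if line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif line.startswith("-A FORWARD "):
            rules.append(dict(OPT_RE.findall(line)))
    return policy, rules

def verdict(policy, rules, in_if, out_if):
    """The first terminating rule whose -i/-o fit the packet decides; else the chain policy."""
    for r in rules:
        if r.get("i", in_if) != in_if or r.get("o", out_if) != out_if:
            continue
        if r.get("j") in ("ACCEPT", "DROP", "REJECT"):
            return r["j"]
    return policy  # jumps to user-defined chains are not followed in this model

def lans_isolated(save_text, lan_a, lan_b):
    """True only if traffic is refused in both directions between the two interfaces."""
    policy, rules = parse_forward(save_text)
    return all(verdict(policy, rules, a, b) in ("DROP", "REJECT")
               for a, b in ((lan_a, lan_b), (lan_b, lan_a)))

def insert_top(save_text, *rule_args):
    """Model 'iptables -I FORWARD <args>': new rules go ahead of existing FORWARD rules."""
    lines = save_text.splitlines()
    idx = next((i for i, l in enumerate(lines) if l.startswith("-A FORWARD")), len(lines) - 1)
    return "\n".join(lines[:idx] + [f"-A FORWARD {a}" for a in rule_args] + lines[idx:]) + "\n"

# Constructed chain: an ACCEPT for anything entering eth2 is already present,
# so DROP rules appended after it never see eth2->eth1 traffic.
BASE = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth2 -j ACCEPT
COMMIT
"""
DROPS = ("-i eth2 -o eth1 -j DROP", "-i eth1 -o eth2 -j DROP")  # the post's two rules
APPENDED = BASE.replace("COMMIT", "\n".join(f"-A FORWARD {a}" for a in DROPS) + "\nCOMMIT")
INSERTED = insert_top(BASE, *DROPS)
```

To feed this the live chain, `iptables-save` or `iptables -L FORWARD -n --line-numbers` dumps the rules without the reverse DNS lookups that produced the hostnames in the listing quoted above; those lookups are the usual reason a plain `iptables -L` over hundreds of rules is slow.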