
ASL 4 firewall issues

Posted: Sun May 04, 2014 2:14 pm
by Sempiterna
I am setting up ASL 4 on a new system to replace my old ASL3.0, and seem to run against a few firewall related issues. In the ASL config, I have enabled a set of TCP/UDP ports, and I was expecting that any other port would then be denied. However, access to denied (non listed) ports is still possible. I also cannot find the list of ports back in the iptables list:

--iptables -nL output-->
Chain INPUT (policy ACCEPT)
target prot opt source destination
ASL-GEO-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
ASL-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
ASL-WHITELIST all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ASL-GEO-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
ASL-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0

Chain ASL-BLACKLIST (2 references)
target prot opt source destination

Chain ASL-BLACKLIST-DROP-LOG (0 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ASL-GEO-BLACKLIST (2 references)
target prot opt source destination

Chain ASL-GEO-BLACKLIST-LOG (0 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ASL-WHITELIST (1 references)
target prot opt source destination
ASL-WHITELIST-LOG all -- xxx.xxx.xxx.xxx 0.0.0.0/0
ASL-WHITELIST-LOG all -- 127.0.0.1 0.0.0.0/0
ASL-WHITELIST-LOG all -- xxx.xxx.xxx.xxx 0.0.0.0/0
ASL-WHITELIST-LOG all -- 8.8.8.8 0.0.0.0/0
ASL-WHITELIST-LOG all -- 8.8.4.4 0.0.0.0/0

Chain ASL-WHITELIST-LOG (5 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
<--

When I try to manually reload the firewall using "asl --reload-firewall" I get:

-->
/var/asl/lib/firewall/icmp_echo_ignore: line 11: /proc/sys/net/ipv4/icmp_echo_ignore_all: Operation not permitted
/var/asl/lib/firewall/icmp_echo_ignore_broadcasts: line 11: /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts: Operation not permitted
/var/asl/lib/firewall/icmp_ignore_bogus_error_responses: line 11: /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses: Operation not permitted
/var/asl/lib/firewall/tcp_ecn: line 11: /proc/sys/net/ipv4/tcp_ecn: Operation not permitted
/var/asl/lib/firewall/tcp-timestamps: line 14: /proc/sys/net/ipv4/tcp_timestamps: Operation not permitted
/var/asl/lib/firewall/tcp_window_scaling: line 15: /proc/sys/net/ipv4/tcp_window_scaling: Operation not permitted
iptables-restore: line 10 failed
iptables-restore: line 10 failed
iptables-restore: line 8 failed
iptables-restore: line 5 failed
iptables-restore: line 8 failed
iptables-restore: line 24 failed
iptables-restore: line 6 failed
iptables-restore: line 28 failed
iptables-restore: line 594 failed
iptables-restore: line 29 failed
iptables-restore: line 370 failed
iptables-restore: line 1417 failed
iptables-restore: line 5997 failed
iptables-restore: line 658 failed
<--

The first few lines are probably kernel issues due to the fact that this is an openvz container.

Exporting the firewall rules leaves me with these contents of the firewall:

-->
*mangle
:PREROUTING ACCEPT [5835:1405383]
:INPUT ACCEPT [5835:1405383]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6185:2271640]
:POSTROUTING ACCEPT [6185:2271640]
COMMIT
# Completed on Sun May 4 20:25:39 2014
# Generated by iptables-save v1.4.7 on Sun May 4 20:25:39 2014
*filter
:INPUT ACCEPT [5358:1335376]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6185:2271640]
:ASL-BLACKLIST - [0:0]
:ASL-BLACKLIST-DROP-LOG - [0:0]
:ASL-GEO-BLACKLIST - [0:0]
:ASL-GEO-BLACKLIST-LOG - [0:0]
:ASL-WHITELIST - [0:0]
:ASL-WHITELIST-LOG - [0:0]
-A INPUT -j ASL-GEO-BLACKLIST
-A INPUT -j ASL-BLACKLIST
-A INPUT -j ASL-WHITELIST
-A OUTPUT -j ASL-GEO-BLACKLIST
-A OUTPUT -j ASL-BLACKLIST
-A ASL-BLACKLIST-DROP-LOG -j DROP
-A ASL-GEO-BLACKLIST-LOG -j DROP
-A ASL-WHITELIST -s xx.xx.xx.xx/32 ! -i lo -j ASL-WHITELIST-LOG
-A ASL-WHITELIST -s 127.0.0.1/32 ! -i lo -j ASL-WHITELIST-LOG
-A ASL-WHITELIST -s xx.xx.xx.xx/32 ! -i lo -j ASL-WHITELIST-LOG
-A ASL-WHITELIST -s 8.8.8.8/32 ! -i lo -j ASL-WHITELIST-LOG
-A ASL-WHITELIST -s 8.8.4.4/32 ! -i lo -j ASL-WHITELIST-LOG
-A ASL-WHITELIST-LOG -j ACCEPT
COMMIT
# Completed on Sun May 4 20:25:39 2014
# Generated by iptables-save v1.4.7 on Sun May 4 20:25:39 2014
*nat
:PREROUTING ACCEPT [38:1964]
:POSTROUTING ACCEPT [80:4866]
:OUTPUT ACCEPT [80:4866]
COMMIT
<--

Another issue is that the "quick rule add" using the advanced firewall system returns the error:

"iptables: No chain/target/match by that name."

In /var/log/secure I see this at the same time:

"May 4 20:07:59 tyr sudo: tortix : TTY=unknown ; PWD=/var/asl/www ; USER=root ; COMMAND=/sbin/iptables -t filter -A INPUT -p tcp -m tcp --dport 10000 -j DROP -m comment --comment webmin"

Manually trying to add that rule on the command line throws the same error.

System details:

OS: CentOS 6.5x64
ASL: 4.0-10
CP: Webmin & Virtualmin

Re: ASL 4 firewall issues

Posted: Sun May 04, 2014 3:13 pm
by mikeshinn
So that looks like whatever kernel you are using doesn't support a lot of those firewall features, or the kernel modules just aren't loaded. Is this in a virtual machine or bare iron?

If virtual, what virt tech is being used and if it's a VPS what kernel is on the host box?

If bare iron (or non-VPS), what kernel is being used? And what kernel modules are loaded (lsmod).

Re: ASL 4 firewall issues

Posted: Mon May 05, 2014 4:48 pm
by faris
He mentioned OpenVZ container, so this will apply to Virtuozzo as well, which makes this a topic of interest to me :-)


/var/asl/lib/firewall/icmp_echo_ignore: line 11: /proc/sys/net/ipv4/icmp_echo_ignore_all: Operation not permitted
/var/asl/lib/firewall/icmp_echo_ignore_broadcasts: line 11: /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts: Operation not permitted
/var/asl/lib/firewall/icmp_ignore_bogus_error_responses: line 11: /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses: Operation not permitted
/var/asl/lib/firewall/tcp_ecn: line 11: /proc/sys/net/ipv4/tcp_ecn: Operation not permitted
/var/asl/lib/firewall/tcp-timestamps: line 14: /proc/sys/net/ipv4/tcp_timestamps: Operation not permitted
/var/asl/lib/firewall/tcp_window_scaling: line 15: /proc/sys/net/ipv4/tcp_window_scaling: Operation not permitted

This is indeed normal for OpenVZ/VZ.

I'm not running ASL4 so I don't know if there's an issue with anything else. ASL3 firewall works fine.

There is a Container parameter "numiptent" which limits the number of iptables entries you can have. It might be worth checking that's not an issue here.

Re: ASL 4 firewall issues

Posted: Mon May 05, 2014 5:49 pm
by Sempiterna
I opened a ticket for this as well, and it indeed turned out to be kernel modules that were not loaded. The ASL FAQ page holds a large list of kernel modules. I couldn't enable nearly all of them, but it seems to work now, though I may not be able to use all the features due to the modules that I couldn't load into the kernel.

My numiptent threshold is very high, so I probably won't be hitting that any time soon.
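The thread's root cause is that several `iptables-restore` lines were rejected by the container kernel, which left the filter table with `policy ACCEPT` and only a whitelist chain loaded, so every unlisted port stayed reachable. The script below is an added example written for this thread; it is not ASL code and it does not reproduce ASL's rule generator. It (1) maps each `iptables-restore: line N failed` message back to the offending rule and lists the `-m` matches and `-j` target that rule needs, (2) walks an `iptables-save` dump from `INPUT` through its jumps to decide whether any `DROP`/`REJECT` is actually reachable or the host is fail-open, and (3) reads the `numiptent` counter faris mentioned from a `/proc/user_beancounters` excerpt. The rules file, stderr, dump and beancounters text are constructed samples modelled on the poster's output; the column layout assumed for `user_beancounters` and the `xt_<match>` module naming noted in the comments are assumptions from general iptables/OpenVZ knowledge, not facts from the thread.

```python
"""Diagnose a rejected iptables-restore and a fail-open filter table.
Added example for this thread, not ASL code; all sample data is constructed."""
import re
import shlex

FAILED_RE = re.compile(r"^iptables-restore: line (\d+) failed$")

def failed_rules(rules_text, stderr_text):
    """Map each 'iptables-restore: line N failed' message to the rule on line N."""
    lines = rules_text.splitlines()
    hits = [int(m.group(1)) for m in map(FAILED_RE.match, stderr_text.splitlines()) if m]
    return [(n, lines[n - 1] if 0 < n <= len(lines) else "") for n in hits]

def extensions_used(rule):
    """Return ([match names], target) for one '-A CHAIN ...' rule.
    Each match is normally provided by a kernel module xt_<name> (tcp/udp: xt_tcpudp),
    so a rejected rule points at the module the container kernel lacks (assumption)."""
    toks = shlex.split(rule)
    matches = [toks[i + 1] for i, t in enumerate(toks[:-1]) if t == "-m"]
    target = next((toks[i + 1] for i, t in enumerate(toks[:-1]) if t == "-j"), None)
    # '-p tcp --dport N' loads the tcp match even without an explicit '-m tcp'
    if "-p" in toks and toks[toks.index("-p") + 1] not in matches:
        matches.append(toks[toks.index("-p") + 1])
    return matches, target

def filter_table(save_text):
    """Parse the *filter table of an iptables-save dump into (policies, chains)."""
    policies, chains, in_filter = {}, {}, False
    for line in (raw.strip() for raw in save_text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif in_filter and line.startswith("-A "):
            chains.setdefault(shlex.split(line)[1], []).append(line)
    return policies, chains

def input_fail_open(save_text):
    """True if INPUT has policy ACCEPT and no DROP/REJECT is reachable from it.
    Jumps are followed, so a DROP in an unreferenced chain does not count."""
    policies, chains = filter_table(save_text)
    seen, stack = set(), ["INPUT"]
    while stack:
        chain = stack.pop()
        if chain in seen:
            continue
        seen.add(chain)
        for rule in chains.get(chain, []):
            _, target = extensions_used(rule)
            if target in ("DROP", "REJECT"):
                return False
            if target in chains:
                stack.append(target)
    return policies.get("INPUT") == "ACCEPT"

def beancounter(text, resource):
    """(held, limit, failcnt) for one resource line of /proc/user_beancounters.
    Assumed columns: [uid:] resource held maxheld barrier limit failcnt."""
    for toks in (line.split() for line in text.splitlines()):
        if toks and toks[0].endswith(":"):
            toks = toks[1:]
        if len(toks) == 6 and toks[0] == resource:
            held, _maxheld, _barrier, limit, failcnt = map(int, toks[1:])
            return held, limit, failcnt
    return None

# Constructed sample data, modelled on the dump in the thread.
RULES = """*filter
:INPUT ACCEPT [0:0]
:ASL-WHITELIST - [0:0]
-A INPUT -j ASL-WHITELIST
-A INPUT -p tcp -m tcp --dport 10000 -m comment --comment webmin -j DROP
-A ASL-WHITELIST -s 127.0.0.1/32 ! -i lo -j ACCEPT
COMMIT
"""
STDERR = "iptables-restore: line 5 failed\n"
LOADED = """*filter
:INPUT ACCEPT [0:0]
:ASL-BLACKLIST-DROP-LOG - [0:0]
:ASL-WHITELIST - [0:0]
:ASL-WHITELIST-LOG - [0:0]
-A INPUT -j ASL-WHITELIST
-A ASL-BLACKLIST-DROP-LOG -j DROP
-A ASL-WHITELIST -s 127.0.0.1/32 ! -i lo -j ASL-WHITELIST-LOG
-A ASL-WHITELIST-LOG -j ACCEPT
COMMIT
"""
BEANCOUNTERS = """Version: 2.5
      101:  kmemsize     2097152     4194304    14372700    14790164           0
            numiptent         24          31         200         200           0
"""

if __name__ == "__main__":
    for n, rule in failed_rules(RULES, STDERR):
        print(f"line {n} rejected, needs matches/target {extensions_used(rule)}: {rule}")
    if input_fail_open(LOADED):
        print("WARNING: INPUT policy ACCEPT with no reachable DROP/REJECT: fail-open")
    print("numiptent (held, limit, failcnt):", beancounter(BEANCOUNTERS, "numiptent"))
```

On a real host you would feed `failed_rules` the file ASL hands to `iptables-restore` together with the captured stderr, and `input_fail_open` the output of `iptables-save`. The reachability walk matters for exactly the state in the first post: `ASL-BLACKLIST-DROP-LOG` contains a `DROP`, but `iptables -nL` shows it with `0 references`, so it protects nothing, and the chain with a `DROP` in the sample above is likewise never reached. Note that `iptables-restore` applies a table atomically, so one rejected rule discards that whole table's rules; the several `line N failed` messages in the post come from several separate restore runs, not from rules that were partially applied.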