conntrack: generic helper won't handle protocol 47
by poma
Hello there,
"... Please consider loading the specific helper module."
$ grep 47 /etc/protocols
gre 47 GRE # Generic Routing Encapsulation
https://en.wikipedia.org/wiki/Generic_Routing_Encapsulation
"In conjunction with PPTP to create VPNs."
= Brief analysis and diagnosis:
- Point-to-Point Tunneling Protocol (PPTP) Client:
$ firewall-cmd --version
0.4.4.3
$ pptp --version
pptp version 1.9.0
$ nmcli --version
nmcli tool, version 1.7.1-0.9.20170224git9138967.fc24
$ firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
success
$ firewall-cmd --reload
success
$ nmcli connection up pptp ifname enp2s5
Error: Connection activation failed: the VPN service stopped unexpectedly.
$ journalctl -b -u NetworkManager.service -o cat
[...]
LCP: timeout sending Config-Requests
LCP: timeout sending Config-Requests
** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 11 / phase 'disconnect'
Connection terminated.
- PoPToP Point to Point Tunneling Server:
$ firewall-cmd --version
0.4.4.3
$ pptpd --version
pptpd v1.4.0
$ systemctl is-active firewalld pptpd
active
active
$ firewall-cmd --get-automatic-helpers
yes
$ firewall-cmd --list-ports
[...] 1723/tcp
$ grep -a pptp /var/log/firewalld
2017-02-27 19:58:41 DEBUG1: nf_conntrack_pptp: pptp
2017-02-27 19:58:41 DEBUG1: Loading helper file '/usr/lib/firewalld/helpers/pptp.xml'
2017-02-27 19:58:41 DEBUG1: config.HelperAdded('pptp')
$ dmesg -T | grep conntrack
[Mon Feb 27 19:58:40 2017] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
[Mon Feb 27 19:59:05 2017] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.
= Conclusion:
As already concluded, what is needed:
# modprobe nf_conntrack_pptp
# modinfo nf_conntrack_pptp | grep 'description\|depends'
description: Netfilter connection tracking helper module for PPTP
depends: nf_conntrack,nf_conntrack_proto_gre
OR perhaps,
how proto GRE is set on the PPTP client,
do the same on the PPTP server:
$ firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p gre -j ACCEPT
OR leave as is - for security's sake;
"PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead."
http://poptop.sourceforge.net/dox/protocol-security.phtml
Ref.
"netfilter: conntrack: disable generic tracking for known protocols"
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/ne...
"netfilter: conntrack: warn the user if there is a better helper to use"
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/ne...
"LCP: timeout sending Config-Requests"
http://pptpclient.sourceforge.net/howto-diagnosis.phtml#lcp_timeout
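The diagnosis and the two remediations above, as an added shell example that is not part of poma's post: it reads the kernel's "generic helper won't handle protocol N" line, resolves N through an /etc/protocols-formatted table, and prints the modprobe and firewalld direct-rule commands rather than running them, so it needs no root and changes nothing. The dmesg excerpt and the protocol table are constructed inputs; the only number-to-helper mapping it knows is GRE to nf_conntrack_pptp, which is the one case the modinfo output in the post establishes.

```shell
#!/bin/sh
# Added example (not from poma's post): diagnose the conntrack warning and
# print the fixes described in the post. Sample inputs are constructed;
# nothing here touches the running system.

# Constructed dmesg -T excerpt, same wording as the kernel message.
SAMPLE_DMESG="[Mon Feb 27 19:58:40 2017] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
[Mon Feb 27 19:59:05 2017] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module."

# Constructed subset of /etc/protocols (name, number, alias, comment).
PROTOCOLS_TABLE="ip 0 IP # internet protocol, pseudo protocol number
tcp 6 TCP # transmission control protocol
udp 17 UDP # user datagram protocol
gre 47 GRE # Generic Routing Encapsulation"

# Read kernel log text on stdin; print each warned-about protocol number once.
warned_protocols() {
  sed -n "s/.*generic helper won't handle protocol \([0-9][0-9]*\)\..*/\1/p" | sort -un
}

# proto_name NUMBER TABLE: resolve a protocol number via an /etc/protocols-style table.
proto_name() {
  name=$(printf '%s\n' "$2" | awk -v n="$1" '$1 !~ /^#/ && $2 == n { print $1; exit }')
  printf '%s\n' "${name:-unknown}"
}

# helper_for NAME: conntrack helper module for a protocol name. Only GRE is
# established by the post (modinfo: nf_conntrack_pptp depends on nf_conntrack_proto_gre).
helper_for() {
  case "$1" in
    gre) echo nf_conntrack_pptp ;;
    *)   echo none ;;
  esac
}

# remediation NUMBER: print the commands from the post's conclusion for that
# protocol. The direct rule uses the protocol name when known, else the number
# (iptables -p accepts either).
remediation() {
  name=$(proto_name "$1" "$PROTOCOLS_TABLE")
  helper=$(helper_for "$name")
  [ "$helper" = none ] || printf 'modprobe %s\n' "$helper"
  [ "$name" = unknown ] && name=$1
  printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p %s -j ACCEPT\n' "$name"
}

# Driver: diagnose every warned protocol found in the sample log.
diagnose() {
  printf '%s\n' "$SAMPLE_DMESG" | warned_protocols | while read -r num; do
    echo "protocol $num ($(proto_name "$num" "$PROTOCOLS_TABLE")):"
    remediation "$num"
  done
}
```

Run against a live host with `dmesg -T | warned_protocols` and the real `/etc/protocols`; the printed direct rule admits GRE from anyone, which is the trade-off the post's "leave as is" option is about, so restrict it by source address before applying it on anything exposed.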
How can I firewall Docker containers' open ports?
by Ken Dreyer
Hello,
I'm running a standalone Atomic Registry system and I'm wondering how
to secure this with firewalld.
By default, the Docker containers that support this app listen on
ports 5000, 8443, and 9090.
Even though firewalld is running on my system, when I start the Atomic
Registry containers, I can reach those TCP ports directly. It seems
that Docker is inserting additional firewall rules to allow inbound
traffic apart from firewalld.
The Atomic Registry containers need to be able to contact each other
on the local host system, and send outbound traffic, but that is all.
I don't want anyone on the network to reach tcp/5000 directly, for
example.
How can I use firewalld to close off those ports from the internet?
The best option I've found so far is to add "--iptables=false" to
/etc/sysconfig/docker, and then use the following iptables commands:
# iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
# iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
I'm not sure if those are the best ones, or what the firewall-cmd
equivalents would be?
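The firewall-cmd equivalents of the three iptables rules in the post, as an added shell example that is not part of Ken Dreyer's post: firewalld's direct interface (the same `--direct --add-rule` form used in the PPTP thread above) takes raw iptables arguments, so the translation is mechanical. The function below parses an `iptables [-t TABLE] -A CHAIN ...` command line and prints the direct-rule command instead of executing it; the rule text is taken from the post, and the interface names `docker0` and `eth0` are whatever the host actually has.

```shell
#!/bin/sh
# Added example (not from Ken Dreyer's post): translate iptables append
# commands into firewalld direct rules. Commands are printed, not executed.

# The three rules from the post, as constructed input text.
DOCKER_RULES='iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE'

# iptables_to_direct 'iptables [-t TABLE] -A CHAIN MATCHES... -j TARGET'
# Prints: firewall-cmd --permanent --direct --add-rule ipv4 TABLE CHAIN 0 MATCHES... -j TARGET
# Table defaults to filter, as in iptables; priority 0 keeps the rules in the
# order they are added, matching the post's -A (append) semantics.
iptables_to_direct() {
  set -f               # no globbing while splitting the rule into words
  set -- $1
  set +f
  [ "$1" = iptables ] && shift
  table=filter; chain=''; rule=''
  while [ $# -gt 0 ]; do
    case $1 in
      -t) table=$2; shift 2 ;;
      -A) chain=$2; shift 2 ;;
      *)  rule="$rule${rule:+ }$1"; shift ;;
    esac
  done
  if [ -z "$chain" ]; then
    echo "iptables_to_direct: no -A CHAIN found" >&2
    return 1
  fi
  printf 'firewall-cmd --permanent --direct --add-rule ipv4 %s %s 0 %s\n' "$table" "$chain" "$rule"
}

# Translate every line of DOCKER_RULES, then the reload that activates
# --permanent rules in the running firewall.
translate_docker_rules() {
  printf '%s\n' "$DOCKER_RULES" | while IFS= read -r line; do
    iptables_to_direct "$line"
  done
  echo 'firewall-cmd --reload'
}
```

Direct rules are placed in firewalld's `*_direct` chains, which it jumps to before its zone chains, so they apply regardless of which zone `docker0` and `eth0` sit in; check the result with `firewall-cmd --direct --get-all-rules` as in the PPTP thread. Drop `--permanent` to test a rule at runtime first, and note that the two FORWARD rules accept in both directions, so the only thing keeping tcp/5000 off the network is the host's INPUT policy for the zone `eth0` belongs to.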
Source NATing as a virtual IP with firewalld, conntrackd and keepalived
by Les Stott
Hi All,
I have the following setup:
2 x Red Hat 7 servers, each with two NICs. En016780032 is for the "local LAN"; eno33559296 is for conntrackd synchronization. I am not worried about the conntrackd NICs.
Server1 = 192.168.7.21 local lan
Server2 = 192.168.7.22 local lan
Keepalived vip = 192.168.7.20
This server is used to proxy connections from an internal network to a remote vendor network, i.e.
Internal network = 192.168.1.xx
Remote vendor gateway = 192.168.7.160, and it links to various addresses.
Internal network will use the keepalived vip for failover connectivity.
A connection could be like below:
192.168.1.30 -> 192.168.7.20:16076 -> which is forwarded by firewalld to the remote vendor IP 155.1.1.2:9525 using a rule such as...
rich rules:
rule family="ipv4" forward-port port="16076" protocol="tcp" to-port="9525" to-addr="155.1.1.2"
This is working fine.
But I have a problem. The vendor NATs our source IP as a single IP as per their policy. So they will only accept connections from a single source IP. I have asked if they can do a "many to one NAT" but they will not do this.
The problem is that either server will show the source IP as the actual IP address of the local LAN. So connections going out from Server1 will look like they come from 192.168.7.21, and connections from Server2 will look like they come from 192.168.7.22. This will be a problem if a failover occurs.
To get around this, I'd like to be able to source NAT in firewalld any outbound connections so they appear as if they come from the keepalived VIP (.20). I am not sure if this is possible in a "single interface" setup like I have, or whether masquerading could help here (although I think masquerading may just use the IP of the interface, which still wouldn't help me).
I am new to firewalld, so am reaching out for help on whether it's possible to source NAT or masquerade in firewalld as the keepalived VIP address?
Appreciate any help on this.
Thanks,
Les
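One way to do the source NAT asked about above, as an added shell example that is not part of Les Stott's post: a firewalld direct rule in the nat POSTROUTING table with the iptables SNAT target and `--to-source` set to the keepalived VIP, scoped to traffic from the internal network to the vendor host so the nodes' own traffic keeps its real address. The VIP and vendor address come from the post; treating the "192.168.1.xx" network as a /24 is an assumption. Because the rule has to be identical on both nodes for a failover to keep working, the block also compares two nodes' `firewall-cmd --direct --get-all-rules` output, using constructed output for the two nodes. Commands are printed, not run.

```shell
#!/bin/sh
# Added example (not from Les Stott's post): SNAT forwarded vendor traffic to
# the keepalived VIP via a firewalld direct rule, and check that both cluster
# nodes carry the same direct rules. Nothing here is executed against firewalld.
VIP=192.168.7.20
INTERNAL_NET=192.168.1.0/24   # assumption: the post's "192.168.1.xx" as a /24
VENDOR_IP=155.1.1.2

# snat_to_vip_cmds VIP INTERNAL_NET VENDOR_IP
# Only flows from the internal network to the vendor host are rewritten, so
# keepalived, conntrackd and management traffic keep the node's own address.
# firewalld jumps to POSTROUTING_direct before its zone chains, so this SNAT is
# evaluated ahead of any zone MASQUERADE for the matching flows.
snat_to_vip_cmds() {
  printf '%s\n' \
    "firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s $2 -d $3 -j SNAT --to-source $1" \
    "firewall-cmd --reload"
}

# same_rules RULES_A RULES_B: compare two nodes' `firewall-cmd --direct --get-all-rules`
# output, order-insensitively. Returns 0 when identical; otherwise prints the
# lines present on only one node and returns 1. With differing rule sets, a
# failover hands the VIP to a node that still NATs to .21 or .22.
same_rules() {
  a=$(printf '%s\n' "$1" | sort)
  b=$(printf '%s\n' "$2" | sort)
  [ "$a" = "$b" ] && return 0
  printf '%s\n%s\n' "$a" "$b" | sort | uniq -u
  return 1
}

# Constructed --get-all-rules output: node 2 is missing the SNAT rule.
NODE1_RULES="ipv4 nat POSTROUTING 0 -s $INTERNAL_NET -d $VENDOR_IP -j SNAT --to-source $VIP"
NODE2_RULES=""
```

Apply the printed commands on both nodes and keep the existing forward-port rich rule as it is; `--permanent` rules only take effect after the `--reload`. conntrackd replicates the NAT bindings of established flows, but it does not replicate rules, which is why the rule-set comparison belongs in the failover checklist.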