MOR iptables Chains

From Kolmisoft Wiki
Jump to navigationJump to search

Description

During the switch install/update, MOR X18 automatically creates iptables chains to manage the security of the switch



Whitelist Chains

There are two types of whitelist chains: Chains that only have ACCEPT statements, to make sure that IPs are always whitelisted. These chains are added at the very top of the INPUT chain, to make sure that IPs are whitelisted:

  • MOR-IPAUTH-WHITELIST - this chain contains all IP authenticated devices/providers from the MOR system
  • MOR-WHITELIST-GUI - this chain contains all IPs whitelisted in MOR GUI SETTINGS -> Security -> Whitelisted IPs

Chains that whitelist MOR system's IPs for specific service port(s) (for example, Elasticsearch, MySQL, Redis, etc.), and block access to that service for all other IPs.

Such chains are added into the MOR-SERVICES-WHITELIST chain, which itself, in turn, is referenced in the INPUT chain 

[root@node01 ~]# iptables -LMOR-SERVICES-WHITELIST -n
Chain MOR-SERVICES-WHITELIST (1 references)
target     prot opt source               destination         
MOR-ES-WHITELIST  6    --  0.0.0.0/0            0.0.0.0/0            multiport dports 9200,9300
MOR-MYSQL-WHITELIST  6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Here, for example, MOR-SERVICES-WHITELIST contains two chains:

  • MOR-ES-WHITELIST - whitelist access to Elasticsearch (TCP ports 9200,9300) for the MOR system IPs
  • MOR-MYSQL-WHITELIST - whitelist access to MySQL (TCP port 3306 ) for the MOR system IPs

Each chain in turn contains whitelisted IPs and a DROP statement at the end: 

[root@node01 ~]# iptables -LMOR-ES-WHITELIST -n
Chain MOR-ES-WHITELIST (1 references)
target     prot opt source               destination         
ACCEPT     6    --  YY.YY.YY.YY          0.0.0.0/0            multiport dports 9200,9300 /* VIRTUAL_IP from system.conf */
ACCEPT     6    --  XX.XX.XX.XX          0.0.0.0/0            multiport dports 9200,9300 /* External IP */
ACCEPT     6    --  127.0.0.1            0.0.0.0/0            multiport dports 9200,9300 /* localhost access */
DROP       6    --  0.0.0.0/0            0.0.0.0/0            multiport dports 9200,9300



MOR-IPAUTH-WHITELIST and MOR-PRE-WHITELIST

The MOR-IPAUTH-WHITELIST chain contains all IP-authenticated devices/providers from the MOR system and is the first whitelist chain in the INPUT chain. This means that all IP authenticated devices/providers are whitelisted by default. However, some MOR services contain internal data, and access is limited only by iptables and intended only for internal usage of MOR, so IP authenticated devices/providers should NOT be able to access the data of these services. To achieve this, a special MOR-PRE-WHITELIST chain is created and included as the first rule in the MOR-IPAUTH-WHITELIST chain.

MOR-PRE-WHITELIST chain contains chains for services that are limited only by iptables and is used only internally by MOR. Currently, the following chains are included in MOR-PRE-WHITELIST:

  • MOR-ES-WHITELIST (only in servers where Elasticsearch is installed)
  • MOR-REDIS-WHITELIST (only in servers where Redis is installed)


The combination of MOR-IPAUTH-WHITELIST and MOR-PRE-WHITELIST ensures that IP authenticated devices/providers are whitelisted, but they do not have access to the internal MOR services, where access is controlled only by iptables.

In iptables, it looks like this: 

[root@localhost ~]# iptables -L MOR-IPAUTH-WHITELIST  -n
Chain M2-CONNECT-POINTS-WHITELIST (1 references)
target     prot opt source               destination         
MOR-PRE-WHITELIST  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  a.a.a.a      0.0.0.0/0            /* Domain abc.com */
ACCEPT     all  --  b.b.b.b       0.0.0.0/0            
ACCEPT     all  --  c.c.c.c        0.0.0.0/0                     
RETURN     all  --  0.0.0.0/0            0.0.0.0/0 

[root@localhost ~]# iptables -L MOR-PRE-WHITELIST -n
Chain MOR-PRE-WHITELIST (1 references)
target     prot opt source               destination         
MOR-REDIS-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6379
MOR-ES-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9200,9300
RETURN     all  --  0.0.0.0/0            0.0.0.0/0



MOR-FAIL2BAN-JUMP

MOR-FAIL2BAN-JUMP chain contains all chains added by fail2ban. The chain itself is referenced in the INPUT chain. This allows us to ensure proper order in the INPUT chain, as fail2ban adds chains dynamically on the first blocked IP for the jail.

Blacklist chains

MOR can contain 3 blaklist chains:

  • MOR-BLOCKED-IP-FROM-GUI - this chain contains all IPs whitelisted in MOR GUI SETTINGS -> Security -> Whitelisted IPs
  • MOR-BLOCK-SCANNERS - block SIP traffic for known scanners
  • MOR-BLOCKED-COUNTRIES - chain is used when countries are blocked in MOR GUI SETTINGS -> Security -> Blocked Countries
Retrieved from "https://wiki.kolmisoft.com/index.php?title=MOR_iptables_Chains&oldid=30468"