M4 Iptables Chains

From Kolmisoft Wiki

Latest revision as of 09:15, 25 August 2025

Description

During the switch installation or update, M4 automatically creates iptables chains to manage the switch's security.



Whitelist Chains

There are two types of whitelist chains:

Chains that contain only ACCEPT rules, so that the listed IPs are always whitelisted. These chains are placed at the very top of the INPUT chain:

  • M2-CONNECT-POINTS-WHITELIST - this chain contains all IP authenticated connection points from the M4 system
  • M2-WHITELIST-GUI - this chain contains all IPs whitelisted in M4 GUI SECURITY -> Whitelisted IPs

Chains that whitelist the M4 system's IPs for specific service port(s) (for example, Elasticsearch, MySQL, Redis, SEMS, etc.) and block access to that service for all other IPs.

Such chains are added into the M2-SERVICES-WHITELIST chain, which in turn is referenced in the INPUT chain.

[root@localhost ~]# iptables -LM2-SERVICES-WHITELIST -n
Chain M2-SERVICES-WHITELIST (0 references)
target     prot opt source               destination         
M2-REDIS-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6379
M2-ES-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9200,9300
M2-SEMS-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8090
M2-MYSQL-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306


Here, for example, M2-SERVICES-WHITELIST contains four chains:

  • M2-ES-WHITELIST - whitelist access to Elasticsearch (TCP ports 9200,9300) for the M4 system IPs.
  • M2-MYSQL-WHITELIST - whitelist access to MySQL (TCP port 3306) for the M4 system IPs.
  • M2-REDIS-WHITELIST - whitelist access to Redis (TCP port 6379) for the M4 system IPs.
  • M2-SEMS-WHITELIST - whitelist access to SEMS (TCP port 8090) for the M4 system IPs.

Each chain in turn contains whitelisted IPs and a DROP statement at the end:

[root@node01 ~]# iptables -LM2-ES-WHITELIST -n
Chain M2-ES-WHITELIST (1 references)
target     prot opt source               destination         
ACCEPT     6    --  YY.YY.YY.YY          0.0.0.0/0            multiport dports 9200,9300 /* VIRTUAL_IP from system.conf */
ACCEPT     6    --  XX.XX.XX.XX          0.0.0.0/0            multiport dports 9200,9300 /* External IP */
ACCEPT     6    --  127.0.0.1            0.0.0.0/0            multiport dports 9200,9300 /* localhost access */
DROP       6    --  0.0.0.0/0            0.0.0.0/0            multiport dports 9200,9300



M2-CONNECT-POINTS-WHITELIST and M2-PRE-WHITELIST

The M2-CONNECT-POINTS-WHITELIST chain contains all IP-authenticated connection points from the M4 system and is the first whitelist chain in the INPUT chain. This means that all IP-authenticated connection points are whitelisted by default. However, some M4 services hold internal data; access to them is restricted only by iptables and is intended only for M4's internal use, so IP-authenticated connection points should NOT be able to reach the data of these services. To achieve this, a special M2-PRE-WHITELIST chain is created and included as the first rule in the M2-CONNECT-POINTS-WHITELIST chain.

The M2-PRE-WHITELIST chain contains the chains for services that are protected only by iptables and used only internally by M4. Currently, the following chains are included in M2-PRE-WHITELIST:

  • M2-ES-WHITELIST (only in servers where Elasticsearch is installed)
  • M2-REDIS-WHITELIST (only in servers where Redis is installed)
  • M2-SEMS-WHITELIST (only in servers where SEMS is installed)

The combination of M2-CONNECT-POINTS-WHITELIST and M2-PRE-WHITELIST ensures that IP-authenticated connection points are whitelisted but do not have access to the internal M4 services, where access is controlled only by iptables.

In iptables, it looks like this:

[root@localhost ~]# iptables -L M2-CONNECT-POINTS-WHITELIST  -n
Chain M2-CONNECT-POINTS-WHITELIST (1 references)
target     prot opt source               destination         
M2-PRE-WHITELIST  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  a.a.a.a      0.0.0.0/0            /* Domain abc.com */
ACCEPT     all  --  b.b.b.b       0.0.0.0/0            
ACCEPT     all  --  c.c.c.c        0.0.0.0/0                     
RETURN     all  --  0.0.0.0/0            0.0.0.0/0 
[root@localhost ~]# iptables -L M2-PRE-WHITELIST -n
Chain M2-PRE-WHITELIST (1 references)
target     prot opt source               destination         
M2-SEMS-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8090
M2-REDIS-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6379
M2-ES-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9200,9300
RETURN     all  --  0.0.0.0/0            0.0.0.0/0  
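The two structural properties described above (a service whitelist chain must end in DROP and must not ACCEPT from any source, and M2-PRE-WHITELIST must be the first rule of M2-CONNECT-POINTS-WHITELIST) can be verified from the `iptables -L <chain> -n` output shown on this page. The following audit script is an added example written for this page; it is not part of M4 or the Kolmisoft wiki. It assumes only the `-L -n` listing format shown above. The sample listing embedded in it is constructed (the IPs 192.0.2.10 and 10.0.0.5 are placeholders), and its M2-SEMS-WHITELIST chain is deliberately misconfigured so that the checks can be seen firing; on a real switch, pipe the concatenated output of the `iptables -L ... -n` commands into the same functions instead.

```shell
#!/bin/sh
# Added audit example (not M4's own code): parse "iptables -L <chain> -n"
# listings and verify the whitelist chain structure described on this page.

# Constructed sample listing in "iptables -L -n" format, concatenated for
# several chains. The ES chain is correct; the SEMS chain lacks the final
# DROP and ACCEPTs from 0.0.0.0/0 on purpose.
SAMPLE_LISTING=$(cat <<'EOF'
Chain M2-CONNECT-POINTS-WHITELIST (1 references)
target     prot opt source               destination
M2-PRE-WHITELIST  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.0.2.10           0.0.0.0/0            /* Domain example.com */
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
Chain M2-PRE-WHITELIST (1 references)
target     prot opt source               destination
M2-SEMS-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8090
M2-ES-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9200,9300
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
Chain M2-ES-WHITELIST (2 references)
target     prot opt source               destination
ACCEPT     6    --  10.0.0.5             0.0.0.0/0            multiport dports 9200,9300 /* VIRTUAL_IP */
ACCEPT     6    --  127.0.0.1            0.0.0.0/0            multiport dports 9200,9300 /* localhost access */
DROP       6    --  0.0.0.0/0            0.0.0.0/0            multiport dports 9200,9300
Chain M2-SEMS-WHITELIST (2 references)
target     prot opt source               destination
ACCEPT     6    --  10.0.0.5             0.0.0.0/0            tcp dpt:8090
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8090
EOF
)

# Print the rule targets of one chain, in rule order, one per line.
# $1 = chain name; the listing is read from stdin.
chain_targets() {
    awk -v chain="$1" '
        $1 == "Chain"             { cur = $2; next }   # "Chain NAME (n references)"
        $1 == "target" || NF == 0 { next }             # column header / blank line
        cur == chain              { print $1 }'
}

# Print the source address of every ACCEPT rule in one chain.
# $1 = chain name; the listing is read from stdin.
chain_accept_sources() {
    awk -v chain="$1" '
        $1 == "Chain"                  { cur = $2; next }
        cur == chain && $1 == "ACCEPT" { print $4 }'    # 4th column is "source"
}

# Check 1: a service whitelist chain must end with DROP, otherwise traffic
# from non-whitelisted IPs falls through to the rest of INPUT.
# $1 = chain name, $2 = listing text.
service_chain_ends_with_drop() {
    last=$(printf '%s\n' "$2" | chain_targets "$1" | tail -n 1)
    [ "$last" = "DROP" ]
}

# Check 2: a service whitelist chain must not ACCEPT from 0.0.0.0/0, which
# would open the service to every source address. $1 = chain, $2 = listing.
service_chain_has_no_wildcard_accept() {
    ! printf '%s\n' "$2" | chain_accept_sources "$1" | grep -qx '0.0.0.0/0'
}

# Check 3: the first rule of M2-CONNECT-POINTS-WHITELIST must jump to
# M2-PRE-WHITELIST, so internal services are filtered before the blanket
# ACCEPT rules for connection points are reached. $1 = listing text.
pre_whitelist_is_first() {
    first=$(printf '%s\n' "$1" | chain_targets M2-CONNECT-POINTS-WHITELIST | head -n 1)
    [ "$first" = "M2-PRE-WHITELIST" ]
}

# Run all checks over a listing: every chain jumped to from M2-PRE-WHITELIST
# is treated as a service whitelist chain. Prints one line per finding and
# returns the number of failed checks (0 = structure matches this page).
audit_listing() {
    failures=0
    pre_whitelist_is_first "$1" || {
        echo "FAIL: M2-PRE-WHITELIST is not the first rule of M2-CONNECT-POINTS-WHITELIST"
        failures=$((failures + 1))
    }
    for chain in $(printf '%s\n' "$1" | chain_targets M2-PRE-WHITELIST | grep -v '^RETURN$'); do
        service_chain_ends_with_drop "$chain" "$1" || {
            echo "FAIL: $chain does not end with DROP"
            failures=$((failures + 1))
        }
        service_chain_has_no_wildcard_accept "$chain" "$1" || {
            echo "FAIL: $chain ACCEPTs from 0.0.0.0/0"
            failures=$((failures + 1))
        }
    done
    echo "audit finished with $failures failure(s)"
    return $failures
}

# Stand-alone run on the constructed sample: expect two findings, both
# against the deliberately broken M2-SEMS-WHITELIST chain.
audit_listing "$SAMPLE_LISTING" || :
```

On a live switch the same functions work on real output, for example `LISTING=$(for c in M2-CONNECT-POINTS-WHITELIST M2-PRE-WHITELIST M2-ES-WHITELIST; do iptables -L "$c" -n; done); audit_listing "$LISTING"`. The audit reads rule order from the listing rather than the packet counters, so it only confirms the chain layout this page describes; it does not prove which rule a given packet would hit.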



M2-FAIL2BAN-JUMP

This chain is empty for now.

The M2-FAIL2BAN-JUMP chain contains all chains added by fail2ban. The chain itself is referenced in the INPUT chain. This keeps the INPUT chain in a fixed, predictable order, because fail2ban creates its chains dynamically when the first IP is blocked for a jail.

Blacklist chains

M4 can contain 3 blacklist chains:

  • M2-BLOCKED-IP-FROM-GUI - this chain contains all IPs listed in M4 GUI SECURITY -> Blocked IPs
  • M2-BLOCK-SCANNERS - block SIP traffic from known scanners
  • M2-BLOCKED-COUNTRIES - chain is used when countries are blocked in M4 GUI SECURITY -> Blocked Countries