MOR iptables Chains
Latest revision as of 06:53, 5 September 2025
Description
During the switch install/update, MOR X18 automatically creates iptables chains to manage the security of the switch.
Whitelist Chains
There are two types of whitelist chains:
Chains that contain only ACCEPT statements. These chains are added at the very top of the INPUT chain, so that the IPs they list are always whitelisted:
- MOR-IPAUTH-WHITELIST - this chain contains all IP authenticated devices/providers from the MOR system
- MOR-WHITELIST-GUI - this chain contains all IPs whitelisted in MOR GUI SETTINGS -> Security -> Whitelisted IPs
Chains that whitelist the MOR system's IPs for specific service port(s) (for example, Elasticsearch, MySQL, Redis, etc.) and block access to that service for all other IPs.
Such chains are added into the MOR-SERVICES-WHITELIST chain, which itself is referenced in the INPUT chain:
[root@node01 ~]# iptables -LMOR-SERVICES-WHITELIST -n
Chain MOR-SERVICES-WHITELIST (1 references)
target               prot opt source               destination
MOR-ES-WHITELIST     6    --  0.0.0.0/0            0.0.0.0/0            multiport dports 9200,9300
MOR-MYSQL-WHITELIST  6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
RETURN               0    --  0.0.0.0/0            0.0.0.0/0
Here, for example, MOR-SERVICES-WHITELIST contains two chains:
- MOR-ES-WHITELIST - whitelist access to Elasticsearch (TCP ports 9200,9300) for the MOR system IPs
- MOR-MYSQL-WHITELIST - whitelist access to MySQL (TCP port 3306) for the MOR system IPs
Each chain in turn contains whitelisted IPs and a DROP statement at the end:
[root@node01 ~]# iptables -LMOR-ES-WHITELIST -n
Chain MOR-ES-WHITELIST (1 references)
target     prot opt source               destination
ACCEPT     6    --  YY.YY.YY.YY          0.0.0.0/0            multiport dports 9200,9300 /* VIRTUAL_IP from system.conf */
ACCEPT     6    --  XX.XX.XX.XX          0.0.0.0/0            multiport dports 9200,9300 /* External IP */
ACCEPT     6    --  127.0.0.1            0.0.0.0/0            multiport dports 9200,9300 /* localhost access */
DROP       6    --  0.0.0.0/0            0.0.0.0/0            multiport dports 9200,9300
MOR-IPAUTH-WHITELIST and MOR-PRE-WHITELIST
The MOR-IPAUTH-WHITELIST chain contains all IP-authenticated devices/providers from the MOR system and is the first whitelist chain in the INPUT chain. This means that all IP authenticated devices/providers are whitelisted by default. However, some MOR services contain internal data, and access is limited only by iptables and intended only for internal usage of MOR, so IP authenticated devices/providers should NOT be able to access the data of these services. To achieve this, a special MOR-PRE-WHITELIST chain is created and included as the first rule in the MOR-IPAUTH-WHITELIST chain.
The MOR-PRE-WHITELIST chain contains the chains for services whose access is limited only by iptables and which are used only internally by MOR. Currently, the following chains are included in MOR-PRE-WHITELIST:
- MOR-ES-WHITELIST (only in servers where Elasticsearch is installed)
- MOR-REDIS-WHITELIST (only in servers where Redis is installed)
The combination of MOR-IPAUTH-WHITELIST and MOR-PRE-WHITELIST ensures that IP authenticated devices/providers are whitelisted, but they do not have access to the internal MOR services, where access is controlled only by iptables.
In iptables, it looks like this:
[root@localhost ~]# iptables -L MOR-IPAUTH-WHITELIST -n
Chain MOR-IPAUTH-WHITELIST (1 references)
target             prot opt source               destination
MOR-PRE-WHITELIST  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT             all  --  a.a.a.a              0.0.0.0/0            /* Domain abc.com */
ACCEPT             all  --  b.b.b.b              0.0.0.0/0
ACCEPT             all  --  c.c.c.c              0.0.0.0/0
RETURN             all  --  0.0.0.0/0            0.0.0.0/0
[root@localhost ~]# iptables -L MOR-PRE-WHITELIST -n
Chain MOR-PRE-WHITELIST (1 references)
target               prot opt source               destination
MOR-REDIS-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6379
MOR-ES-WHITELIST     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9200,9300
RETURN               all  --  0.0.0.0/0            0.0.0.0/0
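The ordering argument above (MOR-PRE-WHITELIST as the first rule of MOR-IPAUTH-WHITELIST, service chains ending in DROP) is easiest to check by replaying chain traversal. The following Python snippet is an added example, not code from the MOR project: it models netfilter's chain walk (first matching terminal target wins, RETURN or end of chain hands control back to the caller) over the chain layout described on this page, with constructed addresses for the MOR system IP and an IP-authenticated provider. The rest of INPUT (default policy, other chains) is not modelled; a result of None means the whitelist block made no decision.

```python
"""Simulation of the MOR whitelist chain layout (added example, constructed values)."""
from dataclasses import dataclass
from typing import Optional

TERMINAL = {"ACCEPT", "DROP"}


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT, DROP, RETURN or a user-defined chain name
    src: Optional[str] = None        # source IP to match; None = any (0.0.0.0/0)
    proto: Optional[str] = None      # "tcp" or None = any protocol
    dports: frozenset = frozenset()  # destination ports to match; empty = any port

    def matches(self, src: str, proto: str, dport: int) -> bool:
        return ((self.src is None or self.src == src)
                and (self.proto is None or self.proto == proto)
                and (not self.dports or dport in self.dports))


def walk(chains, chain, src, proto, dport):
    """Traverse one chain like netfilter: a matching ACCEPT/DROP ends the walk,
    RETURN (explicit, or implicit at the end of the chain) returns None to the
    caller, and a user-chain target is walked recursively."""
    for rule in chains[chain]:
        if not rule.matches(src, proto, dport):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, src, proto, dport)
        if verdict is not None:
            return verdict
    return None


def decide(chains, src, proto, dport):
    """Verdict of the whitelist block at the top of INPUT; None = undecided here."""
    return walk(chains, "INPUT", src, proto, dport)


# Constructed addresses; these are assumptions, not values from a MOR installation.
MOR_IP = "10.0.0.5"          # a MOR system IP (the role of VIRTUAL_IP from system.conf)
PROVIDER_IP = "203.0.113.7"  # an IP-authenticated provider listed in MOR-IPAUTH-WHITELIST
ES_PORTS = frozenset({9200, 9300})
REDIS_PORTS = frozenset({6379})
MYSQL_PORTS = frozenset({3306})


def service_chain(ports, allowed_ips):
    """Shape of MOR-ES-WHITELIST & co.: ACCEPT for each system IP, then DROP."""
    rules = [Rule("ACCEPT", ip, "tcp", ports) for ip in allowed_ips]
    rules.append(Rule("DROP", None, "tcp", ports))
    return rules


def build_chains(pre_whitelist_first=True):
    """Chain layout from the page; pre_whitelist_first=False shows what would
    happen if MOR-PRE-WHITELIST were appended after the provider ACCEPTs."""
    pre_jump = Rule("MOR-PRE-WHITELIST")
    provider_accepts = [Rule("ACCEPT", PROVIDER_IP)]
    if pre_whitelist_first:
        ipauth = [pre_jump] + provider_accepts + [Rule("RETURN")]
    else:
        ipauth = provider_accepts + [pre_jump, Rule("RETURN")]
    system_ips = [MOR_IP, "127.0.0.1"]
    return {
        "INPUT": [Rule("MOR-IPAUTH-WHITELIST"), Rule("MOR-SERVICES-WHITELIST")],
        "MOR-IPAUTH-WHITELIST": ipauth,
        "MOR-PRE-WHITELIST": [Rule("MOR-REDIS-WHITELIST", None, "tcp", REDIS_PORTS),
                              Rule("MOR-ES-WHITELIST", None, "tcp", ES_PORTS),
                              Rule("RETURN")],
        "MOR-SERVICES-WHITELIST": [Rule("MOR-ES-WHITELIST", None, "tcp", ES_PORTS),
                                   Rule("MOR-MYSQL-WHITELIST", None, "tcp", MYSQL_PORTS),
                                   Rule("RETURN")],
        "MOR-ES-WHITELIST": service_chain(ES_PORTS, system_ips),
        "MOR-REDIS-WHITELIST": service_chain(REDIS_PORTS, system_ips),
        "MOR-MYSQL-WHITELIST": service_chain(MYSQL_PORTS, system_ips),
    }


if __name__ == "__main__":
    for label, chains in (("page layout", build_chains()),
                          ("PRE-WHITELIST last", build_chains(pre_whitelist_first=False))):
        print(label)
        for src, port in ((PROVIDER_IP, 5060), (PROVIDER_IP, 9200),
                          (MOR_IP, 9200), ("198.51.100.9", 3306), ("198.51.100.9", 5060)):
            print(f"  {src:>14} -> tcp/{port}: {decide(chains, src, 'tcp', port)}")
```

With the page's ordering, the provider is accepted for SIP but dropped on the Elasticsearch ports because the walk reaches MOR-ES-WHITELIST's trailing DROP before its own ACCEPT rule; with MOR-PRE-WHITELIST moved after the provider ACCEPTs, the same provider would be accepted on port 9200, which is exactly the exposure the first-rule placement prevents.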
MOR-FAIL2BAN-JUMP
The MOR-FAIL2BAN-JUMP chain contains all chains added by fail2ban. The chain itself is referenced in the INPUT chain. This ensures proper ordering in the INPUT chain, since fail2ban adds its chains dynamically when the first IP is blocked for a jail.
Blacklist chains
MOR can contain 3 blacklist chains:
- MOR-BLOCKED-IP-FROM-GUI - this chain contains all IPs blocked from the MOR GUI (SETTINGS -> Security)
- MOR-BLOCK-SCANNERS - block SIP traffic for known scanners
- MOR-BLOCKED-COUNTRIES - this chain is used when countries are blocked in MOR GUI SETTINGS -> Security -> Blocked Countries