M4 Iptables Chains

From Kolmisoft Wiki
Revision as of 09:11, 25 August 2025 by Gilbertas (talk | contribs)
Jump to navigationJump to search

Description

During the switch installation or update, M4 automatically creates iptables chains to manage the switch's security.



Whitelist Chains

There are two types of whitelist chains:

Chains that only have ACCEPT statements, to make sure that IPs are always whitelisted. These chains are added at the very top of the INPUT chain, to make sure that IPs are whitelisted:

  • M2-CONNECT-POINTS-WHITELIST - this chain contains all IP authenticated connection points from the M4 system
  • M2-WHITELIST-GUI - this chain contains all IPs whitelisted in M4 GUI SECURITY -> Whitelisted IPs

Chains that whitelist M4 system's IPs for specific service port(s) (for example, Elasticsearch, MySQL, Redis, SEMS, etc.), and block access to that service for all other IPs.

Such chains are added into the M2-SERVICES-WHITELIST chain, which itself, in turn, is referenced in the INPUT chain [root@localhost ~]# iptables -LM2-SERVICES-WHITELIST -n 

Chain M2-SERVICES-WHITELIST (0 references)
target     prot opt source               destination         
M2-REDIS-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6379
M2-ES-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9200,9300
M2-SEMS-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8090
M2-MYSQL-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306


Here, for example, M2-SERVICES-WHITELIST contains four chains:

  • M2-ES-WHITELIST - whitelist access to Elasticsearch (TCP ports 9200,9300) for the M4 system IPs.
  • M2-MYSQL-WHITELIST - whitelist access to MySQL (TCP port 3306 )for the M4 system IPs.
  • M2-REDIS-WHITELIST - whitelist access to Redis (TCP ports 6379) for the M4 system IPs.
  • M2-SEMS-WHITELIST - whitelist access to SEMS (TCP port 8090 )for the M4 system IPs.

Each chain in turn contains whitelisted IPs and a DROP statement at the end: 

[root@node01 ~]# iptables -LM2-ES-WHITELIST -n
Chain M2-ES-WHITELIST (1 references)
target     prot opt source               destination         
ACCEPT     6    --  YY.YY.YY.YY          0.0.0.0/0            multiport dports 9200,9300 /* VIRTUAL_IP from system.conf */
ACCEPT     6    --  XX.XX.XX.XX          0.0.0.0/0            multiport dports 9200,9300 /* External IP */
ACCEPT     6    --  127.0.0.1            0.0.0.0/0            multiport dports 9200,9300 /* localhost access */
DROP       6    --  0.0.0.0/0            0.0.0.0/0            multiport dports 9200,9300



M2-CONNECT-POINTS-WHITELIST and M2-PRE-WHITELIST

M2-CONNECT-POINTS-WHITELIST chain contains all IP authenticated connection points from the M4 system and is the first whitelist chain in the INPUT chain. This means that all IP authenticated connection points are whitelisted by default. However, some M4 services contain internal data, and access is limited only by iptables and intended only for internal usage of M4, IP authenticated connection points should NOT be able to access the data of these services. To achieve this, a special M2-PRE-WHITELIST chain is created and included as the first rule in the M2-CONNECT-POINTS-WHITELIST chain.

M2-PRE-WHITELIST chain contains chains for services that are limited only by iptables and is used only internally by M4. Currently, the following chains are included in M2-PRE-WHITELIST:

  • M2-ES-WHITELIST (only in servers where Elasticsearch is installed)
  • M2-REDIS-WHITELIST (only in servers where Redis is installed)
  • M2-SEMS-WHITELIST (only in servers where SEMS is installed)

The combination of M2-CONNECT-POINTS-WHITELIST and M2-PRE-WHITELIST ensures that IP authenticated connection points are whitelisted, but they do not have access to the internal M4 services, where access is controlled only by iptables.

In iptables, it looks like this: 

[root@localhost ~]# iptables -L M2-CONNECT-POINTS-WHITELIST  -n
Chain M2-CONNECT-POINTS-WHITELIST (1 references)
target     prot opt source               destination         
M2-PRE-WHITELIST  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  a.a.a.a      0.0.0.0/0            /* Domain abc.com */
ACCEPT     all  --  b.b.b.b       0.0.0.0/0            
ACCEPT     all  --  c.c.c.c        0.0.0.0/0                     
RETURN     all  --  0.0.0.0/0            0.0.0.0/0 

[root@localhost ~]# iptables -L M2-PRE-WHITELIST -n
Chain M2-PRE-WHITELIST (1 references)
target     prot opt source               destination         
M2-SEMS-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8090
M2-REDIS-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6379
M2-ES-WHITELIST  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9200,9300
RETURN     all  --  0.0.0.0/0            0.0.0.0/0



M2-FAIL2BAN-JUMP

This chain is empty for now.

M2-FAIL2BAN-JUMP chain contains all chains added by fail2ban. The chain itself is referenced in the INPUT chain. This allows us to ensure proper order in the INPUT chain, as fail2ban adds chains dynamically on the first blocked IP for the jail.

Blacklist chains

M4 can contain 3 blaklist chains:

  • M2-BLOCKED-IP-FROM-GUI - this chain contains all IPs whitelisted in M4 GUI SECURITY -> Blocked IPs
  • M2-BLOCK-SCANNERS - block SIP traffic for known scanners
  • M2-BLOCKED-COUNTRIES - chain is used when countries are blocked in M4 GUI SECURITY -> Blocked Countries
Retrieved from "https://wiki.kolmisoft.com/index.php?title=M4_Iptables_Chains&oldid=30419"