[Firehol-support] Broken HTTP traffic with Masquerade

Jonny jonnyt886 at gmail.com
Sun Dec 27 23:03:49 GMT 2015


Hi there,

I have been using an iptables firewall for some time. In the past I've
hand-written scripts to configure the firewall, and this has worked well.
Having come across FireHOL, I am keen to give it a go and benefit from its
simpler configuration and greater security.

My setup is simple: a single Ubuntu machine with two interfaces, eth0
(pointing inwards to the LAN) and ppp0 (pointing outward to the internet).
10.10.0.0/26 is the LAN subnet.

My configuration is pasted at the bottom of this email. When running
FireHOL I am seeing two problems:

1. Spurious rules
If I run `iptables-save|less` to look at the rules that firehol has
generated, I see rules there which I didn't include in my config file:

-A in_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A in_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A in_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
<snip>
-A in_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A in_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A in_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
<snip>
-A out_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A out_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A out_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
<snip>
-A out_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A out_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A out_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT

I do run PPTP, IRC or FTP services, yet FireHOL has added ACCEPT rules to
my firewall without my configuring these! I'm rather concerned that this is
happening without the user being informed.

I managed to track this down to line 1882 in the firehol.in script (as of
firehol 3.0), where the "helper_all" variable is defined, containing 5
services. If I clear this variable out then these spurious rules don't get
generated.

2. HTTP broken
This is more serious as I've not come up with a workaround.

When running FireHOL, I can ping machines out on the internet, my DNS
lookups work. But machines behind the NAT cannot consistently access
HTTP[s] pages; going to Google and typing search terms in renders results
as expected, but more complex sites (e.g. http://www.bbc.co.uk/news or even
http://firehol.org/) fail to work - the connection hangs. In syslog FireHOL
gives me no useful information to begin to diagnose.

I've tried commenting out both the 'protection' lines below and re-testing,
to no effect.

Restoring my old hand-cranked iptables script immediately fixes the
problem, so FireHOL's rules are clearly the problem.

I'd be very grateful for your help - I am keen to use FireHOL but this is
clearly a showstopper for me. I'm using Firehol 3.0.0, downloaded from the
website today.

My configuration is below.

--
Jonny

--

version 6

ipv4 masquerade ppp0

ipv4 interface eth0 lan
        policy accept # everything

ipv4 interface ppp0 internet
        protection bad-packets
        client all accept

# rule of thumb: define router blocks as *going towards
#  the hosts you want to protect*
ipv4 router internet2lan inface ppp0 outface eth0
        protection bad-packets
        client all accept

        server ssh accept dst 10.10.0.3
        server openvpn accept dst 10.10.0.1

#ipv4 router lan2internet inface eth0 outface ppp0
#       #route all accept
#       client all accept
#       policy reject



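The two checks a practitioner would run against the generated ruleset, as an added example that is not part of the post above and not FireHOL's own code: it parses `iptables-save` output, lists every ACCEPT rule gated on a conntrack helper (the "spurious rules" of problem 1), and reports whether the mangle table carries a TCP MSS clamp on the uplink. The clamp check is an assumption about this setup, not something the post states: on PPP links with an MTU below 1500, large HTTP responses hanging while small ones (a Google results page) succeed is the classic symptom of a missing `-j TCPMSS --clamp-mss-to-pmtu` rule, and a hand-written script that "just works" often has one. The dump below is constructed in the shape of the rules quoted in the post; the script reads a real dump from stdin when run directly.

```python
"""Audit an iptables-save dump for (a) ACCEPT rules that depend on conntrack
helpers and (b) TCP MSS clamping on a PPP uplink (e.g. ppp0)."""
import re
import sys

# Constructed sample dump: helper ACCEPT rules present, no TCPMSS rule,
# modelled on the rules quoted in the post (not real iptables-save output).
SAMPLE_DUMP = """\
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:in_internet - [0:0]
:in_internet2lan - [0:0]
-A in_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A in_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A in_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A in_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A in_internet2lan -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
"""

HELPER_RE = re.compile(r"-m helper --helper (\S+)")
CHAIN_RE = re.compile(r"^-A (\S+)")


def parse_rules(dump):
    """Yield (table, chain, rule_line) for every '-A' rule in an iptables-save dump."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):            # '*filter', '*mangle', ... start a table
            table = line[1:].strip()
        elif line.startswith("-A "):
            chain = CHAIN_RE.match(line).group(1)
            yield table, chain, line


def helper_accepts(dump):
    """Return the set of (table, chain, helper) for ACCEPT rules gated on a conntrack helper."""
    found = set()
    for table, chain, rule in parse_rules(dump):
        m = HELPER_RE.search(rule)
        if m and rule.rstrip().endswith("-j ACCEPT"):
            found.add((table, chain, m.group(1)))
    return found


def has_mss_clamp(dump, iface):
    """True if the mangle table has a TCPMSS clamp/set rule bound to iface."""
    for table, chain, rule in parse_rules(dump):
        if table != "mangle" or "-j TCPMSS" not in rule:
            continue
        if f"-o {iface}" in rule or f"-i {iface}" in rule:
            if "--clamp-mss-to-pmtu" in rule or "--set-mss" in rule:
                return True
    return False


def report(dump, uplink):
    """Build a human-readable summary of both checks."""
    lines = []
    for table, chain, helper in sorted(helper_accepts(dump)):
        lines.append(f"helper ACCEPT: table={table} chain={chain} helper={helper}")
    if not has_mss_clamp(dump, uplink):
        lines.append(f"no TCPMSS clamp on {uplink} in mangle (check MTU/MSS if HTTP hangs)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: iptables-save | python3 audit.py [uplink-interface]
    iface = sys.argv[1] if len(sys.argv) > 1 else "ppp0"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    print(report(data, iface))
```

A `-m helper` match only fires on packets that the kernel's conntrack helper module has already tagged as belonging to a tracked IRC, FTP or PPTP session, so these rules widen ACCEPT to helper-associated RELATED flows rather than opening the listed ports outright; they are still worth knowing about, which is why the audit lists them by chain. If the clamp is missing, FireHOL's `tcpmss` command (inside the `ppp0` interface or the router block) is the place to add it rather than hand-editing the generated rules.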