IP spoofing not working, hijacking possible

#1

Hello,

I am trying to stop users from hijacking IPs other than the one assigned by OpenNebula.

Testcase:

  • Automatically assign an IP to a VM. Let’s say IP 10.0.0.1
  • The user wants to abuse the system and manually sets the IP in the VM to 10.0.0.2 once it is booted and online
  • This new IP 10.0.0.2 is working and reachable (!)

I am using CentOS 7 on my hypervisors and firewalld for port control/security.

For the virtual network I use the following config (bridge + security), see the image below (network settings).

I am NOT using ‘FILTER = “clean-traffic”’ in my template in this scenario. The problem with this setting is that it prevents hijacking, BUT I can’t make a secondary IP reachable…?

Maybe there is a setting that I am not aware of that needs to be set to make FILTER_IP_SPOOFING work?

We really want to use OpenNebula, but the ability to hijack IPs prevents us from using it in production.

Thanks in advance!!

[image: ipspoof1 (network settings)]


(Alejandro Huertas) #2

Hello @boomstammetje

Could you please send me the output of:

  • onevnet show 0 -x
  • onevm show <VM_ID> -x
  • iptables-save (note: execute the command on the hypervisor where the VM is running)

#3

Thanks for getting back to me @ahuertas

onevnet show 0 -x
<VNET>
  <ID>0</ID>
  <UID>0</UID>
  <GID>0</GID>
  <UNAME>oneadmin</UNAME>
  <GNAME>oneadmin</GNAME>
  <NAME>public1</NAME>
  <PERMISSIONS>
    <OWNER_U>1</OWNER_U>
    <OWNER_M>1</OWNER_M>
    <OWNER_A>0</OWNER_A>
    <GROUP_U>0</GROUP_U>
    <GROUP_M>0</GROUP_M>
    <GROUP_A>0</GROUP_A>
    <OTHER_U>0</OTHER_U>
    <OTHER_M>0</OTHER_M>
    <OTHER_A>0</OTHER_A>
  </PERMISSIONS>
  <CLUSTERS>
    <ID>0</ID>
  </CLUSTERS>
  <BRIDGE><![CDATA[br0]]></BRIDGE>
  <BRIDGE_TYPE><![CDATA[linux]]></BRIDGE_TYPE>
  <PARENT_NETWORK_ID/>
  <VN_MAD><![CDATA[fw]]></VN_MAD>
  <PHYDEV/>
  <VLAN_ID/>
  <OUTER_VLAN_ID/>
  <VLAN_ID_AUTOMATIC>0</VLAN_ID_AUTOMATIC>
  <OUTER_VLAN_ID_AUTOMATIC>0</OUTER_VLAN_ID_AUTOMATIC>
  <USED_LEASES>1</USED_LEASES>
  <VROUTERS/>
  <TEMPLATE>
    <BRIDGE><![CDATA[br0]]></BRIDGE>
    <BRIDGE_TYPE><![CDATA[linux]]></BRIDGE_TYPE>
    <DESCRIPTION><![CDATA[serverius]]></DESCRIPTION>
    <DNS><![CDATA[8.8.8.8 8.8.4.4]]></DNS>
    <FILTER_IP_SPOOFING><![CDATA[YES]]></FILTER_IP_SPOOFING>
    <FILTER_MAC_SPOOFING><![CDATA[YES]]></FILTER_MAC_SPOOFING>
    <GATEWAY><![CDATA[5.18.165.161]]></GATEWAY>
    <NETWORK_ADDRESS><![CDATA[5.18.165.160]]></NETWORK_ADDRESS>
    <NETWORK_MASK><![CDATA[255.255.255.240]]></NETWORK_MASK>
    <PHYDEV><![CDATA[]]></PHYDEV>
    <SECURITY_GROUPS><![CDATA[0]]></SECURITY_GROUPS>
    <VN_MAD><![CDATA[fw]]></VN_MAD>
  </TEMPLATE>
  <AR_POOL>
    <AR>
      <AR_ID><![CDATA[0]]></AR_ID>
      <IP><![CDATA[5.18.165.169]]></IP>
      <MAC><![CDATA[02:00:05:b2:41:a9]]></MAC>
      <SIZE><![CDATA[3]]></SIZE>
      <TYPE><![CDATA[IP4]]></TYPE>
      <MAC_END><![CDATA[02:00:05:b2:41:ab]]></MAC_END>
      <IP_END><![CDATA[5.18.165.171]]></IP_END>
      <USED_LEASES>1</USED_LEASES>
      <LEASES>
        <LEASE>
          <IP><![CDATA[5.18.165.169]]></IP>
          <MAC><![CDATA[02:00:05:b2:41:a9]]></MAC>
          <VM><![CDATA[1]]></VM>
        </LEASE>
      </LEASES>
    </AR>
  </AR_POOL>
</VNET>

onevm show 1 -x
<VM>
  <ID>1</ID>
  <UID>2</UID>
  <GID>1</GID>
  <UNAME>martin</UNAME>
  <GNAME>users</GNAME>
  <NAME>CentOS 7 - KVM-1</NAME>
  <PERMISSIONS>
    <OWNER_U>1</OWNER_U>
    <OWNER_M>1</OWNER_M>
    <OWNER_A>0</OWNER_A>
    <GROUP_U>0</GROUP_U>
    <GROUP_M>0</GROUP_M>
    <GROUP_A>0</GROUP_A>
    <OTHER_U>0</OTHER_U>
    <OTHER_M>0</OTHER_M>
    <OTHER_A>0</OTHER_A>
  </PERMISSIONS>
  <LAST_POLL>1555326307</LAST_POLL>
  <STATE>8</STATE>
  <LCM_STATE>0</LCM_STATE>
  <PREV_STATE>8</PREV_STATE>
  <PREV_LCM_STATE>0</PREV_LCM_STATE>
  <RESCHED>0</RESCHED>
  <STIME>1555321516</STIME>
  <ETIME>0</ETIME>
  <DEPLOY_ID>one-1</DEPLOY_ID>
  <MONITORING>
    <CPU><![CDATA[0.0]]></CPU>
    <DISKRDBYTES><![CDATA[155862270]]></DISKRDBYTES>
    <DISKRDIOPS><![CDATA[8857]]></DISKRDIOPS>
    <DISKWRBYTES><![CDATA[28488192]]></DISKWRBYTES>
    <DISKWRIOPS><![CDATA[1402]]></DISKWRIOPS>
    <DISK_SIZE>
      <ID><![CDATA[0]]></ID>
      <SIZE><![CDATA[535]]></SIZE>
    </DISK_SIZE>
    <DISK_SIZE>
      <ID><![CDATA[1]]></ID>
      <SIZE><![CDATA[1]]></SIZE>
    </DISK_SIZE>
    <MEMORY><![CDATA[0]]></MEMORY>
    <NETRX><![CDATA[845169]]></NETRX>
    <NETTX><![CDATA[863575]]></NETTX>
    <STATE><![CDATA[a]]></STATE>
  </MONITORING>
  <TEMPLATE>
    <AUTOMATIC_DS_REQUIREMENTS><![CDATA[("CLUSTERS/ID" @> 0)]]></AUTOMATIC_DS_REQUIREMENTS>
    <AUTOMATIC_NIC_REQUIREMENTS><![CDATA[("CLUSTERS/ID" @> 0)]]></AUTOMATIC_NIC_REQUIREMENTS>
    <AUTOMATIC_REQUIREMENTS><![CDATA[(CLUSTER_ID = 0) & !(PUBLIC_CLOUD = YES)]]></AUTOMATIC_REQUIREMENTS>
    <CONTEXT>
      <DISK_ID><![CDATA[1]]></DISK_ID>
      <ETH0_CONTEXT_FORCE_IPV4><![CDATA[]]></ETH0_CONTEXT_FORCE_IPV4>
      <ETH0_DNS><![CDATA[8.8.8.8 8.8.4.4]]></ETH0_DNS>
      <ETH0_EXTERNAL><![CDATA[]]></ETH0_EXTERNAL>
      <ETH0_GATEWAY><![CDATA[5.18.165.161]]></ETH0_GATEWAY>
      <ETH0_GATEWAY6><![CDATA[]]></ETH0_GATEWAY6>
      <ETH0_IP><![CDATA[5.18.165.169]]></ETH0_IP>
      <ETH0_IP6><![CDATA[]]></ETH0_IP6>
      <ETH0_IP6_PREFIX_LENGTH><![CDATA[]]></ETH0_IP6_PREFIX_LENGTH>
      <ETH0_IP6_ULA><![CDATA[]]></ETH0_IP6_ULA>
      <ETH0_MAC><![CDATA[02:00:05:b2:41:a9]]></ETH0_MAC>
      <ETH0_MASK><![CDATA[255.255.255.240]]></ETH0_MASK>
      <ETH0_MTU><![CDATA[]]></ETH0_MTU>
      <ETH0_NETWORK><![CDATA[5.18.165.160]]></ETH0_NETWORK>
      <ETH0_SEARCH_DOMAIN><![CDATA[]]></ETH0_SEARCH_DOMAIN>
      <ETH0_VLAN_ID><![CDATA[]]></ETH0_VLAN_ID>
      <ETH0_VROUTER_IP><![CDATA[]]></ETH0_VROUTER_IP>
      <ETH0_VROUTER_IP6><![CDATA[]]></ETH0_VROUTER_IP6>
      <ETH0_VROUTER_MANAGEMENT><![CDATA[]]></ETH0_VROUTER_MANAGEMENT>
      <NETWORK><![CDATA[YES]]></NETWORK>
      <SSH_PUBLIC_KEY></SSH_PUBLIC_KEY>
      <TARGET><![CDATA[hda]]></TARGET>
    </CONTEXT>
    <CPU><![CDATA[1]]></CPU>
    <DISK>
      <ALLOW_ORPHANS><![CDATA[NO]]></ALLOW_ORPHANS>
      <CLONE><![CDATA[YES]]></CLONE>
      <CLONE_TARGET><![CDATA[SYSTEM]]></CLONE_TARGET>
      <CLUSTER_ID><![CDATA[0]]></CLUSTER_ID>
      <DATASTORE><![CDATA[default]]></DATASTORE>
      <DATASTORE_ID><![CDATA[1]]></DATASTORE_ID>
      <DEV_PREFIX><![CDATA[vd]]></DEV_PREFIX>
      <DISK_ID><![CDATA[0]]></DISK_ID>
      <DISK_SNAPSHOT_TOTAL_SIZE><![CDATA[0]]></DISK_SNAPSHOT_TOTAL_SIZE>
      <DISK_TYPE><![CDATA[FILE]]></DISK_TYPE>
      <DRIVER><![CDATA[qcow2]]></DRIVER>
      <IMAGE><![CDATA[CentOS 7 - KVM]]></IMAGE>
      <IMAGE_ID><![CDATA[0]]></IMAGE_ID>
      <IMAGE_STATE><![CDATA[2]]></IMAGE_STATE>
      <LN_TARGET><![CDATA[SYSTEM]]></LN_TARGET>
      <ORIGINAL_SIZE><![CDATA[8192]]></ORIGINAL_SIZE>
      <READONLY><![CDATA[NO]]></READONLY>
      <SAVE><![CDATA[NO]]></SAVE>
      <SIZE><![CDATA[8192]]></SIZE>
      <SOURCE><![CDATA[/var/lib/one//datastores/1/ec272b699d89ee4cfd7e519e54a1100a]]></SOURCE>
      <TARGET><![CDATA[vda]]></TARGET>
      <TM_MAD><![CDATA[ssh]]></TM_MAD>
      <TYPE><![CDATA[FILE]]></TYPE>
    </DISK>
    <GRAPHICS>
      <LISTEN><![CDATA[0.0.0.0]]></LISTEN>
      <PORT><![CDATA[5901]]></PORT>
      <TYPE><![CDATA[VNC]]></TYPE>
    </GRAPHICS>
    <MEMORY><![CDATA[1024]]></MEMORY>
    <NIC>
      <AR_ID><![CDATA[0]]></AR_ID>
      <BRIDGE><![CDATA[br0]]></BRIDGE>
      <BRIDGE_TYPE><![CDATA[linux]]></BRIDGE_TYPE>
      <CLUSTER_ID><![CDATA[0]]></CLUSTER_ID>
      <FILTER_IP_SPOOFING><![CDATA[YES]]></FILTER_IP_SPOOFING>
      <FILTER_MAC_SPOOFING><![CDATA[YES]]></FILTER_MAC_SPOOFING>
      <IP><![CDATA[5.18.165.169]]></IP>
      <MAC><![CDATA[02:00:05:b2:41:a9]]></MAC>
      <NAME><![CDATA[NIC0]]></NAME>
      <NETWORK><![CDATA[public1]]></NETWORK>
      <NETWORK_ID><![CDATA[0]]></NETWORK_ID>
      <NIC_ID><![CDATA[0]]></NIC_ID>
      <SECURITY_GROUPS><![CDATA[0]]></SECURITY_GROUPS>
      <TARGET><![CDATA[one-1-0]]></TARGET>
      <VN_MAD><![CDATA[fw]]></VN_MAD>
    </NIC>
    <OS>
      <ARCH><![CDATA[x86_64]]></ARCH>
      <BOOT><![CDATA[]]></BOOT>
    </OS>
    <SECURITY_GROUP_RULE>
      <PROTOCOL><![CDATA[ALL]]></PROTOCOL>
      <RULE_TYPE><![CDATA[OUTBOUND]]></RULE_TYPE>
      <SECURITY_GROUP_ID><![CDATA[0]]></SECURITY_GROUP_ID>
      <SECURITY_GROUP_NAME><![CDATA[default]]></SECURITY_GROUP_NAME>
    </SECURITY_GROUP_RULE>
    <SECURITY_GROUP_RULE>
      <PROTOCOL><![CDATA[ALL]]></PROTOCOL>
      <RULE_TYPE><![CDATA[INBOUND]]></RULE_TYPE>
      <SECURITY_GROUP_ID><![CDATA[0]]></SECURITY_GROUP_ID>
      <SECURITY_GROUP_NAME><![CDATA[default]]></SECURITY_GROUP_NAME>
    </SECURITY_GROUP_RULE>
    <TEMPLATE_ID><![CDATA[0]]></TEMPLATE_ID>
    <TM_MAD_SYSTEM><![CDATA[ssh]]></TM_MAD_SYSTEM>
    <VMID><![CDATA[1]]></VMID>
  </TEMPLATE>
  <USER_TEMPLATE>
    <INPUTS_ORDER><![CDATA[]]></INPUTS_ORDER>
    <LOGO><![CDATA[images/logos/centos.png]]></LOGO>
    <MEMORY_UNIT_COST><![CDATA[MB]]></MEMORY_UNIT_COST>
  </USER_TEMPLATE>
  <HISTORY_RECORDS>
    <HISTORY>
      <OID>1</OID>
      <SEQ>0</SEQ>
      <HOSTNAME>5.18.165.166</HOSTNAME>
      <HID>1</HID>
      <CID>0</CID>
      <STIME>1555321540</STIME>
      <ETIME>1555326307</ETIME>
      <VM_MAD><![CDATA[kvm]]></VM_MAD>
      <TM_MAD><![CDATA[ssh]]></TM_MAD>
      <DS_ID>0</DS_ID>
      <PSTIME>1555321540</PSTIME>
      <PETIME>1555321547</PETIME>
      <RSTIME>1555321547</RSTIME>
      <RETIME>1555326307</RETIME>
      <ESTIME>0</ESTIME>
      <EETIME>0</EETIME>
      <ACTION>19</ACTION>
      <UID>2</UID>
      <GID>1</GID>
      <REQUEST_ID>5664</REQUEST_ID>
    </HISTORY>
  </HISTORY_RECORDS>
</VM>

iptables-save
# Generated by iptables-save v1.4.21 on Mon Apr 15 13:25:31 2019
*nat
:PREROUTING ACCEPT [1730:93212]
:INPUT ACCEPT [69:3844]
:OUTPUT ACCEPT [510:152984]
:POSTROUTING ACCEPT [1484:207177]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o em1 -g POST_public
-A POSTROUTING_ZONES -o br0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i em1 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Apr 15 13:25:31 2019
# Generated by iptables-save v1.4.21 on Mon Apr 15 13:25:31 2019
*mangle
:PREROUTING ACCEPT [136616:1170008099]
:INPUT ACCEPT [127226:1168466462]
:FORWARD ACCEPT [9131:1526352]
:OUTPUT ACCEPT [128375:973535769]
:POSTROUTING ACCEPT [137506:975062121]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i em1 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Apr 15 13:25:31 2019
# Generated by iptables-save v1.4.21 on Mon Apr 15 13:25:31 2019
*security
:INPUT ACCEPT [127239:1168501134]
:FORWARD ACCEPT [9131:1526352]
:OUTPUT ACCEPT [128959:973604557]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Mon Apr 15 13:25:31 2019
# Generated by iptables-save v1.4.21 on Mon Apr 15 13:25:31 2019
*raw
:PREROUTING ACCEPT [137104:1170067025]
:OUTPUT ACCEPT [128959:973604557]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i em1 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Apr 15 13:25:31 2019
# Generated by iptables-save v1.4.21 on Mon Apr 15 13:25:31 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10442:7250172]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
:one-1-0-i - [0:0]
:one-1-0-o - [0:0]
:opennebula - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o br0 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev --physdev-is-bridged -j opennebula
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i em1 -g FWDI_public
-A FORWARD_IN_ZONES -i br0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o em1 -g FWDO_public
-A FORWARD_OUT_ZONES -o br0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i em1 -g IN_public
-A INPUT_ZONES -i br0 -g IN_public
-A INPUT_ZONES -g IN_public
-A INPUT_direct -s 5.18.165.162/32 -p tcp -m tcp -j ACCEPT
-A INPUT_direct -s 5.18.165.160/28 -p tcp -m tcp --dport 49152 -j ACCEPT
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A one-1-0-i -m state --state RELATED,ESTABLISHED -j ACCEPT
-A one-1-0-i -j RETURN
-A one-1-0-i -j DROP
-A one-1-0-o -m mac ! --mac-source 02:00:05:B2:41:A9 -j DROP
-A one-1-0-o -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A one-1-0-o -m set ! --match-set one-1-0-ip-spoofing src -j DROP
-A one-1-0-o -m state --state RELATED,ESTABLISHED -j ACCEPT
-A one-1-0-o -j RETURN
-A one-1-0-o -j DROP
-A opennebula -m physdev --physdev-in one-1-0 --physdev-is-bridged -j one-1-0-o
-A opennebula -m physdev --physdev-out one-1-0 --physdev-is-bridged -j one-1-0-i
-A opennebula -j ACCEPT
COMMIT
# Completed on Mon Apr 15 13:25:31 2019


(Alejandro Huertas) #4

It seems that everything is ok.

Could you please stop firewalld (systemctl stop firewalld) and disable it (systemctl disable firewalld)?


#5

@ahuertas

OK, the spoofing protection works now. Only when I assign a second IP, it isn’t reachable. The main/first IP remains reachable.

Do you also know the answer to that?

Thanks for helping out!


(Alejandro Huertas) #6

That is working correctly; the first IP will always be reachable.


#7

Is it possible to assign more than one IP that is protected by IP spoofing?

It doesn’t make sense why the first IP is reachable and the second (alias or not) IP isn’t reachable.


(Alejandro Huertas) #8

If you want to have no IP reachable, you need to launch the VM without IP.

OpenNebula will allow traffic on the IPs you assign when creating the VM, that’s the reason why your first IP is reachable.


#9

Hi @ahuertas,

I want all my assigned IPs to be reachable and protected by IP spoofing filtering. That is the problem: the second IP is not reachable and I want it to be reachable… Only the first assigned IP is reachable, no matter if I select Alias or just a second NIC/adapter.


(Alejandro Huertas) #10

Could you please send me the iptables-save output again? I need to check it without firewalld now.


#11
iptables-save
# Generated by iptables-save v1.4.21 on Tue Apr 16 13:08:05 2019
*filter
:INPUT ACCEPT [8234:99496761]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12141:20595253]
:one-15-0-i - [0:0]
:one-15-0-o - [0:0]
:one-15-1-i - [0:0]
:one-15-1-o - [0:0]
:opennebula - [0:0]
-A FORWARD -m physdev --physdev-is-bridged -j opennebula
-A one-15-0-i -m state --state RELATED,ESTABLISHED -j ACCEPT
-A one-15-0-i -j RETURN
-A one-15-0-i -j DROP
-A one-15-0-o -m mac ! --mac-source 02:00:05:B2:41:A9 -j DROP
-A one-15-0-o -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A one-15-0-o -m set ! --match-set one-15-0-ip-spoofing src -j DROP
-A one-15-0-o -m state --state RELATED,ESTABLISHED -j ACCEPT
-A one-15-0-o -j RETURN
-A one-15-0-o -j DROP
-A one-15-1-i -m state --state RELATED,ESTABLISHED -j ACCEPT
-A one-15-1-i -j RETURN
-A one-15-1-i -j DROP
-A one-15-1-o -m mac ! --mac-source 02:00:05:B2:41:AA -j DROP
-A one-15-1-o -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A one-15-1-o -m set ! --match-set one-15-1-ip-spoofing src -j DROP
-A one-15-1-o -m state --state RELATED,ESTABLISHED -j ACCEPT
-A one-15-1-o -j RETURN
-A one-15-1-o -j DROP
-A opennebula -m physdev --physdev-in one-15-1 --physdev-is-bridged -j one-15-1-o
-A opennebula -m physdev --physdev-out one-15-1 --physdev-is-bridged -j one-15-1-i
-A opennebula -m physdev --physdev-in one-15-0 --physdev-is-bridged -j one-15-0-o
-A opennebula -m physdev --physdev-out one-15-0 --physdev-is-bridged -j one-15-0-i
-A opennebula -j ACCEPT
COMMIT
# Completed on Tue Apr 16 13:08:05 2019

(Alejandro Huertas) #12

Hello @boomstammetje

I can see this:

-A one-15-0-o -m set ! --match-set one-15-0-ip-spoofing src -j DROP
-A one-15-1-o -m set ! --match-set one-15-1-ip-spoofing src -j DROP

It should work, so please:

  • Check the guest configuration.
  • You can use the command ipset list to check it.
  • Check that you didn’t change any MAC, because you have MAC spoofing protection enabled.
  • Check the routes in the guest.
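As an added example (not code from this thread or from OpenNebula itself), the following Python performs the checks suggested in this reply, and the spoofing test case from the first post, offline: it reconciles an iptables-save dump with ipset list output, records for every one-<vmid>-<nicid>-o chain which MAC and which ip-spoofing set are enforced, flags a NIC whose set is missing or empty (the symptom to look for when an assigned IP is not reachable), and replays the chain's rule order for a given source MAC and IP. The dumps are constructed samples in the shape of the output posted above.

```python
import re
# Constructed sample dumps in the shape of the iptables-save / ipset list output posted in this thread.
IPTABLES_SAVE = """\
-A one-15-0-o -m mac ! --mac-source 02:00:05:B2:41:A9 -j DROP
-A one-15-0-o -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A one-15-0-o -m set ! --match-set one-15-0-ip-spoofing src -j DROP
-A one-15-0-o -j RETURN
-A one-15-1-o -m mac ! --mac-source 02:00:05:B2:41:AA -j DROP
-A one-15-1-o -m set ! --match-set one-15-1-ip-spoofing src -j DROP
"""
IPSET_LIST = """\
Name: one-15-0-ip-spoofing
Members:
5.18.165.169

Name: one-15-1-ip-spoofing
Members:
"""
CHAIN_RE = re.compile(r"^-A (one-\d+-\d+)-o (.*)$")
MAC_RE = re.compile(r"-m mac ! --mac-source (\S+) -j DROP")
SET_RE = re.compile(r"-m set ! --match-set (\S+) src -j DROP")

def parse_ipset_list(text):
    """Map each ipset name to the addresses listed under its Members: line."""
    sets, name, in_members = {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Name:"):
            name, in_members = line.split(":", 1)[1].strip(), False
            sets[name] = set()
        elif line == "Members:":
            in_members = True
        elif in_members and line:
            sets[name].add(line)
    return sets

def audit_nic_chains(iptables_text, ipset_text):
    """Per egress chain: the MAC and ipset it enforces, the allowed IPs, and any gaps."""
    allowed, nics = parse_ipset_list(ipset_text), {}
    for line in iptables_text.splitlines():
        m = CHAIN_RE.match(line)
        if not m:
            continue
        e = nics.setdefault(m.group(1), {"mac": None, "ipset": None, "allowed_ips": set(), "findings": []})
        mac, ips = MAC_RE.search(m.group(2)), SET_RE.search(m.group(2))
        e["mac"] = mac.group(1) if mac else e["mac"]
        e["ipset"] = ips.group(1) if ips else e["ipset"]
    for e in nics.values():
        if not e["mac"]:
            e["findings"].append("no MAC rule: FILTER_MAC_SPOOFING not enforced")
        if not e["ipset"]:
            e["findings"].append("no ipset rule: FILTER_IP_SPOOFING not enforced")
        elif not allowed.get(e["ipset"]):
            e["findings"].append(f"{e['ipset']} missing or empty: every source IP is dropped")
        e["allowed_ips"] = allowed.get(e["ipset"], set())
    return nics

def egress_verdict(e, src_mac, src_ip, dst_ip=None, udp_ports=None):  # mirrors the one-<vm>-<nic>-o rule order
    if e["mac"] and src_mac.upper() != e["mac"].upper():
        return "DROP"    # wrong source MAC is rejected before anything else
    if (src_ip, dst_ip, udp_ports) == ("0.0.0.0", "255.255.255.255", (68, 67)):
        return "ACCEPT"  # DHCP discover is exempted ahead of the ipset test
    if e["ipset"] and src_ip not in e["allowed_ips"]:
        return "DROP"    # source IP not in the NIC's ip-spoofing set
    return "RETURN"      # back to the opennebula chain, which ends in -j ACCEPT
```

Run it against the real dumps by replacing the two constants with the output of iptables-save and ipset list from the hypervisor; a NIC whose findings list is non-empty is the one to investigate.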

#13

I assume firewalld and iptables should not be running?

ipset list
Name: one-25-0-ip-spoofing
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 168
References: 1
Number of entries: 1
Members:
.171

Name: one-25-1-ip-spoofing
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 168
References: 1
Number of entries: 1
Members:
.169

Name: one-25-2-ip-spoofing
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 168
References: 1
Number of entries: 1
Members:
.170

Only the first IP is reachable. I am really clueless as to where this goes wrong.


#14

Even with IP-spoofing and MAC-spoofing set to OFF, a secondary or third IP isn’t reachable :frowning:


(Alejandro Huertas) #15

Hello @boomstammetje

It seems that there is a configuration problem in the guest or in the switch. OpenNebula created the rules correctly.

You can use tcpdump to debug and see where the traffic is being filtered out.
