Fw3: Reject access to subnet with ICMP reason

Hi,

I am trying to reject access to a subnet with the ICMP reason icmp-net-prohibited. In iptables, I would use this command:

iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j REJECT --reject-with icmp-net-prohibited

In my network, I would like to be more specific about why accessing the subnet does not work. I am aware that servers exposed to the internet should not give any information and use DROP instead.

In fw3, I tried to use the extra parameter, which is described as

Extra arguments passed directly to iptables. Note that these options are passed to both source and destination classification rules, therefore direction-specific options like --dport should not be used here - in this case the extra_src and extra_dest options should be used instead.

With fw3 I tried this:

config rule
        option enabled '1'
        option src 'lan'
        option dest 'wan'
        option name 'reject-test'
        option src_ip '192.168.0.0/24'
        option dest_ip '192.168.1.0/24'
        option target 'REJECT'
        option extra '--reject-with icmp-net-prohibited'
        option proto 'all'

When reloading the firewall config, this error is printed:

Warning: parse_option(): unknown option '--reject-with'
Warning: fw3_ipt_rule_append(): Bad argument 'icmp-net-prohibited'
Warning: parse_option(): unknown option '--reject-with'
Warning: fw3_ipt_rule_append(): Bad argument 'icmp-net-prohibited'

Obviously, the extra, extra_src and extra_dest parameters are not suitable for adding parameters to the end of an iptables command, although the first sentence in the documentation "Extra arguments passed directly to iptables." sounded promising.

Is there another elegant way of rejecting access to a subnet with an ICMP reason, or do I end up writing a shell script which inserts the iptables rule in the correct position?

Thanks for your answers!

Check first that you have installed the needed iptables extra modules (possibly e.g. iptables-mod-extra). Netfilter/iptables is rather modularized in LEDE for size reasons. If you have all necessary mods installed, that iptables command works directly from console. If you miss some netfilter/iptables functionality, you will get errors.

You can pass direct iptables commands in /etc/firewall.user that is executed by the firewall init process. That could be an easy solution for you.

@jow probably knows best whether fw3 supports tailoring the ICMP answer about the reason for rejecting traffic.

This does not work because the abstract option target REJECT is translated not into a terminal action but into a chain jump target (-j zone_wan_dest_REJECT) while --reject-with is specific to the REJECT terminal.

To fix the problem, include -j REJECT into option extra as well:

config rule
        option enabled '1'
        option src 'lan'
        option dest 'wan'
        option name 'reject-test'
        option src_ip '192.168.0.0/24'
        option dest_ip '192.168.1.0/24'
        option target 'REJECT'
        option extra '-j REJECT --reject-with icmp-net-prohibited'
        option proto 'all'

This results in:

# fw3 print | grep reject-test
iptables -t filter -A zone_lan_forward -s 192.168.0.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -m comment --comment "!fw3: reject-test" -j REJECT --reject-with icmp-net-prohibited
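To confirm after a reload that a rule really ends in a REJECT terminal with the intended ICMP reason, rather than in the zone chain jump that the plain target option produces, here is an added shell check that is not part of the thread. It reads `fw3 print` output on stdin; the sample output embedded below is constructed, and the rule names reject-test, reject-fixed and allow-ssh are assumptions.

```shell
#!/bin/sh
# Constructed sample of `fw3 print` output covering three cases: the rule as the
# original config emits it (jump into zone_wan_dest_REJECT, so --reject-with never
# applies), the corrected rule with an explicit -j REJECT, and an unrelated rule.
SAMPLE_FW3_PRINT='iptables -t filter -A zone_lan_forward -s 192.168.0.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -m comment --comment "!fw3: reject-test" -j zone_wan_dest_REJECT
iptables -t filter -A zone_lan_forward -s 192.168.0.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -m comment --comment "!fw3: reject-fixed" -j REJECT --reject-with icmp-net-prohibited
iptables -t filter -A zone_lan_forward -p tcp --dport 22 -m comment --comment "!fw3: allow-ssh" -j zone_wan_dest_ACCEPT'

# reject_reason NAME: read `fw3 print` output on stdin and print the value of
# --reject-with on the rule tagged "!fw3: NAME". Prints "none" when the rule has
# no --reject-with (for example when it only jumps into a zone chain) and
# "missing" when no rule with that name exists.
reject_reason() {
    grep -F -- "--comment \"!fw3: $1\"" \
    | awk 'BEGIN { r = "missing" }
           { r = "none"; for (i = 1; i <= NF; i++) if ($i == "--reject-with") r = $(i + 1) }
           END { print r }'
}

# check_reject NAME WANT: exit status 0 when the sample rule NAME carries the
# ICMP reason WANT, 1 otherwise. On a real box replace the printf with
# `fw3 print | reject_reason "$1"`.
check_reject() {
    [ "$(printf '%s\n' "$SAMPLE_FW3_PRINT" | reject_reason "$1")" = "$2" ]
}

# Walk the sample and show what each rule would actually send back.
for n in reject-test reject-fixed allow-ssh; do
    printf '%s: %s\n' "$n" "$(printf '%s\n' "$SAMPLE_FW3_PRINT" | reject_reason "$n")"
done
```

The same pipe works against live output (`fw3 print | reject_reason reject-test`), which is the quickest way to spot a rule that silently fell back to the zone chain jump.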