Drop package rule don't work

tuanama00 · November 19, 2024, 3:36pm

Hi,

I create this rule to deny ESP package from this 179.49.229.XX, this traffic comes from internet (eth0)
set firewall ipv4 input filter rule 19 action ‘drop’
set firewall ipv4 input filter rule 19 destination port ‘500’
set firewall ipv4 input filter rule 19 inbound-interface name ‘eth0’
set firewall ipv4 input filter rule 19 protocol ‘udp’
set firewall ipv4 input filter rule 19 source address ‘179.49.229.xx’
commit
didn’t work

Rule Packets Bytes Action Source Destination Inbound-Interface Outbound-interface

10 0 0 drop any any eth0 any
11 1 40 drop any any eth0 any
12 0 0 accept any any eth1 any
13 0 0 accept any any any any
14 0 0 accept any any any any
15 0 0 accept any any any any
16 0 0 accept any any vti0 any
17 0 0 accept any any eth0 any
18 0 0 accept any any any any
19 0 0 drop 179.49.229.XX any eth0 any
1010 0 0 accept any any lo any
default 601 31945 accept any any any any

I tested with these changes
set firewall ipv4 input filter rule 19 protocol ‘esp’ or deleting this
#set firewall ipv4 input filter rule 19 inbound-interface name ‘eth0’

but the same issue.

But I configure this rule and work:
iptables -A INPUT -s 179.49.229.XX -p udp --dport 500 -j DROP

sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3 1455 DROP 17 – * * 179.49.229.XX 0.0.0.0/0 udp dpt:500

This is my rules:
set firewall ipv4 input filter rule 10 action ‘drop’
set firewall ipv4 input filter rule 10 description ‘Limit SSH attempts on eth0’
set firewall ipv4 input filter rule 10 destination port ‘22’
set firewall ipv4 input filter rule 10 inbound-interface name ‘eth0’
set firewall ipv4 input filter rule 10 protocol ‘tcp’
set firewall ipv4 input filter rule 10 recent count ‘4’
set firewall ipv4 input filter rule 10 recent time ‘minute’
set firewall ipv4 input filter rule 11 action ‘drop’
set firewall ipv4 input filter rule 11 destination port ‘22’
set firewall ipv4 input filter rule 11 inbound-interface name ‘eth0’
set firewall ipv4 input filter rule 11 protocol ‘tcp’
set firewall ipv4 input filter rule 11 state ‘new’
set firewall ipv4 input filter rule 12 action ‘accept’
set firewall ipv4 input filter rule 12 description ‘Allow new SSH connections on eth1’
set firewall ipv4 input filter rule 12 destination port ‘22’
set firewall ipv4 input filter rule 12 inbound-interface name ‘eth1’
set firewall ipv4 input filter rule 12 protocol ‘tcp’
set firewall ipv4 input filter rule 12 state ‘new’
set firewall ipv4 input filter rule 13 action ‘accept’
set firewall ipv4 input filter rule 13 description ‘Allow IKE traffic (UDP 500)’
set firewall ipv4 input filter rule 13 destination port ‘500’
set firewall ipv4 input filter rule 13 protocol ‘udp’
set firewall ipv4 input filter rule 14 action ‘accept’
set firewall ipv4 input filter rule 14 description ‘Allow NAT-T traffic (UDP 4500)’
set firewall ipv4 input filter rule 14 destination port ‘4500’
set firewall ipv4 input filter rule 14 protocol ‘udp’
set firewall ipv4 input filter rule 15 action ‘accept’
set firewall ipv4 input filter rule 15 description ‘Allow ESP traffic’
set firewall ipv4 input filter rule 15 protocol ‘esp’
set firewall ipv4 input filter rule 16 action ‘accept’
set firewall ipv4 input filter rule 16 description ‘Allow new SSH connections on vti0’
set firewall ipv4 input filter rule 16 destination port ‘22’
set firewall ipv4 input filter rule 16 inbound-interface name ‘vti0’
set firewall ipv4 input filter rule 16 protocol ‘tcp’
set firewall ipv4 input filter rule 16 state ‘new’
set firewall ipv4 input filter rule 17 action ‘accept’
set firewall ipv4 input filter rule 17 description ‘Allow wireguard port’
set firewall ipv4 input filter rule 17 destination port ‘51820’
set firewall ipv4 input filter rule 17 inbound-interface name ‘eth0’
set firewall ipv4 input filter rule 17 protocol ‘udp’
set firewall ipv4 input filter rule 17 state ‘new’
set firewall ipv4 input filter rule 18 action ‘accept’
set firewall ipv4 input filter rule 18 description ‘Allow return traffic for established/related connections’
set firewall ipv4 input filter rule 18 state ‘established’
set firewall ipv4 input filter rule 18 state ‘related’
set firewall ipv4 input filter rule 19 action ‘drop’

Rule Packets Bytes Action Source Destination Inbound-Interface Outbound-interface

10 0 0 drop any any eth0 any
11 8 376 drop any any eth0 any
12 0 0 accept any any eth1 any
13 0 0 accept any any any any
14 0 0 accept any any any any
15 0 0 accept any any any any
16 0 0 accept any any vti0 any
17 0 0 accept any any eth0 any
18 0 0 accept any any any any
19 0 0 drop 179.49.229.76 any eth0 any
1010 0 0 accept any any lo any
default 9862 517628 accept any any any any

Thanks

n.fort · November 19, 2024, 3:41pm

Check what is written in nftables.

sudo nft list table ip vyos_filter
# Or more specific
sudo nft list chain ip vyos_filter VYOS_INPUT_filter

tuanama00 · November 19, 2024, 3:52pm

Hi Nicolas

Appear in filter, with 0 bytes

table ip vyos_filter {
        chain VYOS_INPUT_filter {
                type filter hook input priority filter; policy accept;
                jump VYOS_STATE_POLICY
                tcp dport 22 iifname "eth0" add @RECENT_INP_filter_10 { ip saddr limit rate over 4/minute burst 4 packets } counter packets 0 bytes 0 drop comment "ipv4-INP-filter-10"
                ct state new tcp dport 22 iifname "eth0" counter packets 8 bytes 376 drop comment "ipv4-INP-filter-11"
                ct state new tcp dport 22 iifname "eth1" counter packets 0 bytes 0 accept comment "ipv4-INP-filter-12"
                udp dport 500 counter packets 0 bytes 0 accept comment "ipv4-INP-filter-13"
                udp dport 4500 counter packets 0 bytes 0 accept comment "ipv4-INP-filter-14"
                meta l4proto esp counter packets 0 bytes 0 accept comment "ipv4-INP-filter-15"
                ct state new tcp dport 22 iifname "vti0" counter packets 0 bytes 0 accept comment "ipv4-INP-filter-16"
                ct state new udp dport 51820 iifname "eth0" counter packets 0 bytes 0 accept comment "ipv4-INP-filter-17"
                ct state { established, related } counter packets 0 bytes 0 accept comment "ipv4-INP-filter-18"
                udp dport 500 ip saddr 179.49.229.XX iifname "eth0" counter packets 0 bytes 0 drop comment "ipv4-INP-filter-19"
                iifname "lo" counter packets 0 bytes 0 accept comment "ipv4-INP-filter-1010"
                counter packets 11283 bytes 592347 accept comment "INP-filter default-action accept"
        }
}

for some reason no math the rule
udp dport 500 ip saddr 179.49.229.XX iifname “eth0” counter packets 0 bytes 0 drop comment “ipv4-INP-filter-19”

sudo tcpdump -i eth0 -nn host 179.49.229.xx

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

10:49:40.226562 IP 179.49.229.xx.500 > 172.31.13.xx.500: isakmp: parent_sa ikev2_init[I]

10:49:40.228660 IP 172.31.13.xx.500 > 179.49.229.76.xx: isakmp: parent_sa ikev2_init[R]

tjh · November 19, 2024, 4:08pm

Are you sure this isn’t an established session, and you have a FW rule to allow established traffic before your deny rule?

I’ve seen this more than once - say for example an SSH session and I try to deny it, but it doesn’t work. This is because there’s a rule that allows traffic that’s Established in:

set firewall ipv4 forward filter rule 10 action 'offload'           
set firewall ipv4 forward filter rule 10 offload-target 'FlowTable'
set firewall ipv4 forward filter rule 10 protocol 'tcp_udp'                   
set firewall ipv4 forward filter rule 10 state 'established'                   
set firewall ipv4 forward filter rule 10 state 'related'

As soon as I clear the conntrack session, the flow isn’t established anymore so skips past rule 10 to my “rule 20” which denies it.

tuanama00 · November 19, 2024, 4:31pm

Hi,

I am not responding to the ESP packets that are being received. I have tested the rules after restarting VyOS. I want to block all traffic coming from that IP and I am only receiving ESP (UDP).

sarthurdev · November 19, 2024, 5:10pm

Rule 13 accepts all traffic for port 500, rule 19 will never be reached for traffic on port 500.

tuanama00 · November 19, 2024, 5:28pm

Hi

chain VYOS_INPUT_filter {
                type filter hook input priority filter; policy accept;
                jump VYOS_STATE_POLICY
                tcp dport 22 iifname "eth0" add @RECENT_INP_filter_10 { ip saddr limit rate over 4/minute burst 4 packets } counter packets 0 bytes 0 drop comment "ipv4-INP-filter-10"
                ct state new tcp dport 22 iifname "eth0" counter packets 8 bytes 376 drop comment "ipv4-INP-filter-11"
                ct state new tcp dport 22 iifname "eth1" counter packets 0 bytes 0 accept comment "ipv4-INP-filter-12"
                udp dport 500 counter packets 0 bytes 0 accept comment "ipv4-INP-filter-13"
                udp dport 4500 counter packets 0 bytes 0 accept comment "ipv4-INP-filter-14"
                meta l4proto esp counter packets 0 bytes 0 accept comment "ipv4-INP-filter-15"
                ct state new tcp dport 22 iifname "vti0" counter packets 0 bytes 0 accept comment "ipv4-INP-filter-16"
                ct state new udp dport 51820 iifname "eth0" counter packets 0 bytes 0 accept comment "ipv4-INP-filter-17"
                ct state { established, related } counter packets 0 bytes 0 accept comment "ipv4-INP-filter-18"
                udp dport 500 ip saddr 179.49.229.xx iifname "eth0" counter packets 0 bytes 0 drop comment "ipv4-INP-filter-19"
                iifname "lo" counter packets 0 bytes 0 accept comment "ipv4-INP-filter-1010"
                counter packets 11217 bytes 589376 accept comment "INP-filter default-action accept"
        }

This rule

udp dport 500 counter packets 0 bytes 0 accept comment "ipv4-INP-filter-13"

have 0 packets

this rule isn’t working, but i get ESP traffic from others peers

tjh · November 21, 2024, 4:50am

You are trying to drop on input. That’s only for packets destined for the router itself.

You want to also be dropping on forward I think, based on the IPs in the TCPDUMP. Forward is traffic that the router would “route”, Input is for packets destined to an IP assigned to the router.

16again · November 23, 2024, 12:50pm

ESP traffic is protocol 50, not UDP.
ESP can be encapsulated in UDP, but then port 4500 is used, not 500

tuanama00 · November 23, 2024, 3:44pm

Hi 16again,

I know ESP is protocol, but why this rule work?
iptables -A INPUT -s 179.49.229.XX -p udp --dport 500 -j DROP

is a filter UDP port 500

Work with iptables but didn’t work in vyos rules.

Thanks