
#1 2017-05-07 00:13:12

Gregosky
Member
From: UK
Registered: 2013-07-26
Posts: 174

[Solved] Can iptables help support app that does not provide auth?

Hi all,

Short question: is it possible to make iptables drop `unauthenticated` traffic?


Long story:

What I have in mind is to make iptables use i.e. a password that would be exchanged before communication can be established.

I know this question probably makes no sense, but I'm trying to add authentication to an application that does not support it (that is - an application which would otherwise accept any client that connects).

I'm dealing with postgres-xl, a very interesting fork of postgresql which makes big data analysis easier.

Though I have this problem - after weeks of research and reading through their mailing lists and code, it seems postgres-xl nodes just do not support any kind of authentication between each other. SSL is not supported either.

My private network I'm setting up on ensures MITM attacks are not possible so for the time being I can live without point-to-point encryption.

But I cannot live without some sort of authentication... Somebody could simply pick up one of my IP addresses and attempt to communicate to my database. I don't like that.

I have been thinking how to overcome this and OpenVPN was one of my possible picks. Unfortunately it is not possible to have truly p2p OpenVPN; traffic will always go through a single OpenVPN server, which pretty much destroys performance for the cluster.


Please help,
Greg

Last edited by Gregosky (2017-05-13 23:41:04)


#2 2017-05-07 08:31:38

sbmomeni
Member
Registered: 2013-07-26
Posts: 29

Re: [Solved] Can iptables help support app that does not provide auth?

A simple workaround:
1. Configure the database to listen on localhost (so no remote computer can connect to it),
2. Use `ssh -fNL 1234:127.0.0.1:1234 user@serverip` command (replacing 1234 with your database port number) to forward your local 1234 port to the server 1234 port,
3. Connect to 127.0.0.1:1234 instead of serverip:1234


#3 2017-05-07 15:01:04

Gregosky
Member
From: UK
Registered: 2013-07-26
Posts: 174

Re: [Solved] Can iptables help support app that does not provide auth?

@sbmomeni - I know this workaround (since it's described in the postgresql documentation) and it is not solving my problem. The procedure you copied here applies to clients connecting to the postgresql server. I'm trying to secure inter-node communication of postgres-xl, which is much more complex than just creating one tunnel. In my case I have, say, 4 nodes, in which case I would have to create a full mesh of ssh tunnels. Although this might resolve my immediate issue, I would fall into the problem of managing this full mesh :-) If I add one more node I have to visit each node and create a tunnel on each to that new node (and vice versa). This will be a nightmare when I reach, say, 10 nodes (and more)...

Thanks anyways :-)

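To make the "full mesh" objection concrete, here is an added example (not code from the thread or from postgres-xl) that generates the `ssh -fNL` forwards from post #2 for every directed pair of nodes. Host names, the `dbadmin` account, the database port 5432 and the local port base 15000 are constructed assumptions; the script only prints the commands each node would have to run, it does not open any tunnel.

```shell
#!/bin/sh
# Added example (not from the thread): generate the ssh port-forwards needed for
# a full mesh of tunnels between database nodes, to show how the per-node work
# grows with the node count. Host names, user and ports are constructed.

DB_PORT="${DB_PORT:-5432}"         # assumed database port on every node
BASE_PORT="${BASE_PORT:-15000}"    # local ports: BASE_PORT + index of the peer
SSH_USER="${SSH_USER:-dbadmin}"    # placeholder account on each node

# mesh_tunnel_cmds "node1 node2 ..." prints one line per directed pair:
#   <node>: ssh -fNL <localport>:127.0.0.1:<DB_PORT> <user>@<peer>
# Run on <node>, it makes <peer>'s database reachable on 127.0.0.1:<localport>.
mesh_tunnel_cmds() {
    for src in $1; do
        j=0
        for dst in $1; do
            if [ "$src" != "$dst" ]; then
                printf '%s: ssh -fNL %d:127.0.0.1:%d %s@%s\n' \
                    "$src" $((BASE_PORT + j)) "$DB_PORT" "$SSH_USER" "$dst"
            fi
            j=$((j + 1))
        done
    done
}

# Tunnels needed for n nodes: n*(n-1), one per directed pair
mesh_tunnel_count() {
    mesh_tunnel_cmds "$1" | wc -l | tr -d ' '
}

# Tunnels that must be added across the cluster when one node joins an
# existing set of n nodes: 2*n (new->each existing, each existing->new)
mesh_tunnels_added_by_join() {
    n=$(printf '%s\n' $1 | wc -l | tr -d ' ')
    echo $((2 * n))
}
```

With 4 nodes the script emits 12 tunnel commands and with 10 nodes 90; adding a fifth node to a cluster of four touches every existing node and adds 8 more. The tunnels also only help if each node's database listens on localhost alone, otherwise the unauthenticated port is still reachable directly.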

#4 2017-05-07 15:43:45

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [Solved] Can iptables help support app that does not provide auth?

Gregosky wrote:

My private network I'm setting up on ensures MITM attacks are not possible so for the time being I can live without point-to-point encryption.

But I cannot live without some sort of authentication... Somebody could simply pick up one of my IP addresses and attempt to communicate to my database.

Isn't your "private network" *firewalled*? Are your database servers publicly accessible?

stunnel is another app to consider.


#5 2017-05-08 09:30:17

Gregosky
Member
From: UK
Registered: 2013-07-26
Posts: 174

Re: [Solved] Can iptables help support app that does not provide auth?

Hi @brebs - yes, the private network is firewalled; however each VPS gets two IP addresses - public and private. I do not expose the database on the public IP.

IP addresses are assigned by the hosting provider, and even though the hosting provider says people cannot assign my IP addresses to their VPSes, I am not sure how much trust I can put in it...

Many thanks for pointing to stunnel; from their `about` section - "Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code." - which sounds like a very interesting option to investigate. And it is available through pacman!

Last edited by Gregosky (2017-05-08 09:31:48)


#6 2017-05-08 11:22:24

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [Solved] Can iptables help support app that does not provide auth?

From what I've seen about stunnel, it is point to point, but you'll go through the same trouble of setting everything up as with openvpn if you make it a point-to-point vpn.

I suppose that if you have many nodes it will be a pain to set up and maintain, especially if you want to do mutual authentication of peers, which means managing your own CA and all the certificates, just like with openvpn.

You say you need true p2p, so unless I'm seeing it wrong you would have to set up a server on each node and set each node as a client for all other nodes; I can imagine that getting out of hand quite quickly.

All that said, if you don't mind testing something that is claimed not to be production quality yet (and may have security issues) you could take a look at wireguard[1], it might be easier to manage than openvpn/stunnel (or not). It will not be as convenient as stunnel or openvpn since it is not in the official repos.

[1] https://www.wireguard.io/




#7 2017-05-09 20:02:55

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,911

Re: [Solved] Can iptables help support app that does not provide auth?

Gregosky,
your description sounds like you need a router / firewall combination.

Example of how this could work:

the router will be connected to 3 networks.

internet : the public network
private1 : 192.168.0.0/24  for your normal devices
private2 : 10.0.0.0/24 for the nodes

You set up your router / firewall so that only traffic from specific addresses using specific ports is allowed to enter the private2 network.

It can be done through iptables, setting this up may be tricky and cumbersome though.
Several years ago I occasionally used a frontend called fwbuilder to create iptables rules for similar setups.



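The router / firewall rules Lone_Wolf describes, written out as an added example (not code from the thread or from fwbuilder): a router between internet, private1 (192.168.0.0/24) and private2 (10.0.0.0/24) that lets only listed source addresses open connections to the database port inside private2 and logs and drops everything else headed there. The interface name `eth2`, the port 5432 and the allowed addresses are constructed assumptions. `IPT` defaults to `echo iptables`, so the script prints the rule set for review without root; run it with `IPT=iptables` to apply the rules.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for a router that sits
# between internet, private1 (192.168.0.0/24) and private2 (10.0.0.0/24) and
# lets only listed source addresses reach the database port inside private2.
# IPT defaults to "echo iptables" so the rules can be reviewed without root;
# run with IPT=iptables to apply. Interface, port and addresses are constructed.

IPT="${IPT:-echo iptables}"
PRIVATE2_IF="${PRIVATE2_IF:-eth2}"      # assumed interface facing the node network
PRIVATE2_NET="10.0.0.0/24"
DB_PORT="${DB_PORT:-5432}"              # assumed database port
ALLOWED_SRC="${ALLOWED_SRC:-192.168.0.10 192.168.0.11}"   # constructed client addresses

private2_rules() {
    # Own chain for private2 ingress, so it can be rebuilt when the list changes
    $IPT -N PRIVATE2_IN 2>/dev/null
    $IPT -F PRIVATE2_IN
    # Every packet forwarded towards private2 goes through that chain
    $IPT -D FORWARD -o "$PRIVATE2_IF" -j PRIVATE2_IN 2>/dev/null
    $IPT -I FORWARD -o "$PRIVATE2_IF" -j PRIVATE2_IN
    # Replies to connections the nodes opened themselves
    $IPT -A PRIVATE2_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections to the database port, from the allow-list only
    for src in $ALLOWED_SRC; do
        $IPT -A PRIVATE2_IN -p tcp -s "$src" -d "$PRIVATE2_NET" --dport "$DB_PORT" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Everything else headed into private2 is logged (rate limited) and dropped
    $IPT -A PRIVATE2_IN -m limit --limit 5/min -j LOG --log-prefix "private2-drop: "
    $IPT -A PRIVATE2_IN -j DROP
}

# Number of per-source ACCEPT rules the current allow-list produces
private2_accept_count() {
    private2_rules | grep -c -- '--ctstate NEW -j ACCEPT'
}
```

Note the limit of this approach for the problem in the thread: the router only sees traffic crossing between networks, so two nodes on the same private2 segment talk to each other without passing these rules. It filters who may enter private2 from outside; it cannot authenticate one node to another.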

#8 2017-05-13 23:25:30

Gregosky
Member
From: UK
Registered: 2013-07-26
Posts: 174

Re: [Solved] Can iptables help support app that does not provide auth?

Hi @rookie and @Lone_Wolf,

Many thanks for your great advice. In the end my VPS provider informed me that they plan to roll out private VLANs, so this will solve my problem. I'd love to add authentication to postgres-xl and maybe once I'm done with my work I will contribute :-)

I also managed to harden postgres-xl as much as seems possible. Namely allowing traffic only from specific IP addresses and also binding to specific interfaces.

Thank you all for valuable hints!

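The hardening in the post above (traffic only from specific addresses, binding to specific interfaces) is done in PostgreSQL through pg_hba.conf and `listen_addresses`; applying the same settings to postgres-xl is an assumption here, based on it being a postgresql fork. The following added example (not code from the thread or from postgres-xl) generates a pg_hba.conf that admits only the cluster's own node addresses as /32 entries, and audits an existing pg_hba.conf for host entries wider than a single host. The node addresses and the `pgxl` role name are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): generate a pg_hba.conf that admits only
# the cluster's own nodes, and audit an existing pg_hba.conf for entries wider
# than a single host. These are PostgreSQL settings; applying them to postgres-xl
# is an assumption. Addresses and the role name are constructed.

NODES="${NODES:-10.0.0.11 10.0.0.12 10.0.0.13 10.0.0.14}"   # constructed node addresses
DB_USER="${DB_USER:-pgxl}"                                  # placeholder role

# One /32 host entry per node, so nothing else on the subnet matches
pg_hba_for_nodes() {
    printf '# TYPE  DATABASE  USER      ADDRESS         METHOD\n'
    printf 'local   all       all                       peer\n'
    for n in $NODES; do
        printf 'host    all       %-9s %-15s md5\n' "$DB_USER" "$n/32"
    done
}

# Read a pg_hba.conf on stdin, print host entries whose address covers more
# than one host (or is "all"/"samenet"), exit 1 if any were found
pg_hba_audit() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        $1 ~ /^host/ {                                # host, hostssl, hostnossl
            addr = $4
            if (addr ~ /^(all|samenet)$/) { print; bad = 1; next }
            if (addr ~ /\//) {                        # CIDR form
                split(addr, p, "/")
                full = (addr ~ /:/) ? 128 : 32
                if (p[2] + 0 < full) { print; bad = 1 }
            } else if (NF >= 6 && $5 != "255.255.255.255") {   # address + netmask form
                print; bad = 1
            }
        }
        END { exit bad }'
}
```

Interface binding is the other half: in postgresql.conf, `listen_addresses = '10.0.0.11'` (the node's private address) keeps the server off the public IP entirely, which the pg_hba.conf entries alone do not do. Run `pg_hba_audit < /path/to/pg_hba.conf` after every change to catch a `0.0.0.0/0` or `/24` entry creeping back in.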

#9 2017-05-13 23:31:25

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: [Solved] Can iptables help support app that does not provide auth?

Please do not use [Closed], it denotes a locked post. Use [Solved] or [Resolved] instead.




#10 2017-05-13 23:42:37

Gregosky
Member
From: UK
Registered: 2013-07-26
Posts: 174

Re: [Solved] Can iptables help support app that does not provide auth?

My problem cannot really be solved (or at least not easily; it's beyond my capability to craft some viable solution). I mark it as requested, however it's not really solved.

