Problems with multicasts in "iptables"

10,021

You added your rules AFTER the rules which LOG and DROP your traffic. Those rules should be the last rules in the table. Just rearrange the lines so that they appear last.

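A rule-order check, added here as an example (it is not part of the question or the answer), that parses iptables-save output and reports every rule placed after an unconditional terminating rule in the same chain, since such rules can never match. The ruleset is constructed to mirror the ordering the answer describes: the multicast ACCEPT rules appended after the catch-all LOG and DROP.

```python
import shlex

# Targets that end chain traversal for a packet they match; LOG does not.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

# Constructed ruleset in iptables-save format: the IGMP ACCEPT rules sit
# after "-j LOG" and "-j DROP", which is the mistake the answer points out.
RULESET = """\
*filter
:INPUT DROP [0:0]
:IP-INPUT - [0:0]
-A INPUT -j IP-INPUT
-A IP-INPUT -i lo -m comment --comment "ACCEPT all packets ON LOOPBACK" -j ACCEPT
-A IP-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A IP-INPUT -j LOG --log-prefix "server-INPUT: "
-A IP-INPUT -j DROP
-A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1/32 -p igmp -m pkttype --pkt-type multicast -j ACCEPT
-A IP-INPUT -d 224.0.0.1/32 -p igmp -m pkttype --pkt-type multicast -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Return (chain, target, has_match) for an '-A CHAIN ...' line, else None.
    has_match is True when any option narrows which packets the rule applies to."""
    if not line.startswith("-A "):
        return None
    tokens = shlex.split(line)
    chain, rest = tokens[1], tokens[2:]
    target, has_match, i = None, False, 0
    while i < len(rest):
        tok = rest[i]
        if tok == "-j":
            target = rest[i + 1]
            i += 2
        elif tok == "-m" and i + 1 < len(rest) and rest[i + 1] == "comment":
            i += 2                      # "-m comment" matches nothing by itself
        elif tok in ("--comment", "--log-prefix", "--log-level"):
            i += 2                      # annotation / LOG arguments, not packet criteria
        elif tok.startswith("-"):
            has_match = True            # -s, -d, -p, -i, -f, -m state, --state, ...
            i += 1
        else:
            i += 1                      # value belonging to the previous option
    return chain, target, has_match


def shadowed_rules(ruleset):
    """Return (line_no, rule) pairs that follow a catch-all terminating rule in their chain."""
    blocked, findings = set(), []
    for n, line in enumerate(ruleset.splitlines(), 1):
        parsed = parse_rule(line.strip())
        if parsed is None:
            continue
        chain, target, has_match = parsed
        if chain in blocked:
            findings.append((n, line.strip()))
        elif not has_match and target in TERMINATING:
            blocked.add(chain)          # everything after this point in the chain is dead
    return findings


if __name__ == "__main__":
    for n, rule in shadowed_rules(RULESET):
        print(f"line {n}: unreachable: {rule}")
```

Run it against `iptables-save` output on the host itself to see which rules are unreachable; the two IGMP rules above are reported, and moving them ahead of the catch-all rules clears the report.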

Author: lgsit

Updated on September 18, 2022

Comments

  • lgsit
    lgsit over 1 year

    My question is related to multicasts and iptables.

    I want to allow ICMP and IGMP multicasts from the local VLAN 192.168.1.0/24 as well as from 0.0.0.0 on my CentOS machine, so I added the following rules to my inbound chain:

    # ACCEPT - Multicast 224.0.0.1 from current VLAN as well as 0.0.0.0
    # -- ICMP
    iptables -A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1 -m pkttype --pkt-type multicast --protocol icmp -j ACCEPT
    iptables -A IP-INPUT -s 0.0.0.0        -d 224.0.0.1 -m pkttype --pkt-type multicast --protocol icmp -j ACCEPT
    # -- IGMP
    iptables -A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1 -m pkttype --pkt-type multicast --protocol igmp -j ACCEPT
    iptables -A IP-INPUT -s 0.0.0.0        -d 224.0.0.1 -m pkttype --pkt-type multicast --protocol igmp -j ACCEPT
    

    I also ensured that the xt_pkttype kernel module is loaded.

    But that does not seem to work ... I'm getting denies:

    Oct 12 09:06:22 192.168.1.102 IPTABLES: :: IN::DENY    2          0.0.0.0       ==>        224.0.0.1
    

    I noticed that the deny line shows the protocol number (2) instead of its name (IGMP), but that does not seem to matter. If I replace --protocol igmp in the rules with --protocol 2 it's the same.

    After some googling I also noticed some people do it this way, but it also does not work for me:

    # ACCEPT - Multicast 224.0.0.1 from current VLAN as well as 0.0.0.0
    iptables -A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1 -j ACCEPT
    iptables -A IP-INPUT -s 0.0.0.0        -d 224.0.0.1 -j ACCEPT   
    

    If relevant, I use iptables version 1.4.7 on CentOS 6.3 with kernel version 2.6.32-279.19.1.el6.x86_64.

    Can anybody help me? Thanks in advance!

    Edit:

    • The requested content of /etc/sysconfig/iptables (see below)
    • Changes to the rules suggested by Michael Hampton

    # Generated by iptables-save v1.4.7 on Wed Jan 16 14:33:55 2013
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    :IP-FORWARD - [0:0]
    :IP-INPUT - [0:0]
    :IP-OUTPUT - [0:0]
    -A INPUT -j IP-INPUT 
    -A FORWARD -j IP-FORWARD 
    -A OUTPUT -j IP-OUTPUT 
    -A IP-FORWARD -j LOG --log-prefix "server-FORWARD: " 
    -A IP-FORWARD -j DROP 
    -A IP-INPUT -i lo -m comment --comment "ACCEPT all packets ON LOOPBACK" -j ACCEPT 
    -A IP-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1/32 -p icmp -m pkttype --pkt-type multicast -j ACCEPT 
    -A IP-INPUT -d 224.0.0.1/32 -p icmp -m pkttype --pkt-type multicast -j ACCEPT 
    -A IP-INPUT -s 192.168.1.0/24 -d 224.0.0.1/32 -p igmp -m pkttype --pkt-type multicast -j ACCEPT 
    -A IP-INPUT -d 224.0.0.1/32 -p igmp -m pkttype --pkt-type multicast -j ACCEPT
    -A IP-INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    -A IP-INPUT -p icmp -f -m comment --comment "DROP fragmented icmp" -j DROP 
    -A IP-INPUT -p icmp -m comment --comment "ACCEPT incoming icmp" -j ACCEPT 
    -A IP-INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment "DROP packets with illegal flags" -j DROP 
    -A IP-INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
    -A IP-INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP 
    -A IP-INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP 
    -A IP-INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP 
    -A IP-INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP 
    -A IP-INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP 
    -A IP-INPUT -m state --state INVALID -j LOG 
    -A IP-INPUT -m state --state INVALID -j DROP 
    -A IP-INPUT -j LOG --log-prefix "server-INPUT: " 
    -A IP-OUTPUT -m state --state INVALID -j LOG --log-prefix "server-OUTPUT: " 
    -A IP-OUTPUT -m state --state INVALID -j DROP 
    -A IP-OUTPUT -o lo -m comment --comment "ACCEPT all packets ON LOOPBACK" -j ACCEPT 
    -A IP-OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A IP-OUTPUT -p icmp -f -m comment --comment "DROP fragmented icmp" -j DROP 
    -A IP-OUTPUT -p icmp -m comment --comment "ACCEPT outgoing icmp" -j ACCEPT 
    -A IP-OUTPUT -j LOG --log-prefix "server-OUTPUT: " 
    COMMIT
    # Completed on Wed Jan 16 14:33:55 2013
    

    • lgsit
      lgsit about 11 years
      Just added the requested output, see above.
    • Dave Johnson
      Dave Johnson about 11 years
      What programs are you using to send/receive the multicast packets?
    • lgsit
      lgsit about 11 years
      @Dave Johnson: Actually, I don't use any tools to send or receive those packages, these multicasts are sent by certain devices inside our network.
    • lgsit
      lgsit about 11 years
      @Dave Johnson: I can see these packages using Wireshark. Some of them are from routers and are described as a 60 V2 Membership Query, general. So, it seems like they are being sent.
    • lgsit
      lgsit about 11 years
      Yes, IGMP (sorry that I did not mention that in my last post). I just want iptables to accept these packages instead of denying them.
    • Dave Johnson
      Dave Johnson about 11 years
      I don't know why you would want to see IGMP packets unless you're running a router daemon.
  • lgsit
    lgsit about 11 years
    Thanks for the tip! So, I just rearranged the rules and reloaded the ruleset. The multicasts are still being denied.
  • Dave Johnson
    Dave Johnson about 11 years
    IGMP is mostly to tell routers about joining multicast groups, so unless you're actually routing packets with this server, you don't need it. You can still send/receive multicast traffic without being able to receive IGMP.
  • lgsit
    lgsit about 11 years
    I'm just wondering why iptables denies the packets, even though there are rules to accept it.