* ipt_recent 0.2.3/0.2.7 --rttl doesn't work
@ 2003-02-04 17:35 per j
  0 siblings, 0 replies; 6+ messages in thread
From: per j @ 2003-02-04 17:35 UTC (permalink / raw)
  To: netfilter

--rttl function in ipt_recent doesn't work.  It's supposed to match every 
single packet with the same ip address and ttl value.  Weird thing is it 
produces a match maybe once every 1000 packets with the same ip address and 
ttl.

I get the same ip address with the same TTL value in the logs.  I've also 
tested this by using another computer with a stable connection (i.e. same ip 
address and same ttl).  -m recent with --rttl doesn't match any of the 
packets from that computer, but -m recent without --rttl matches.

I upgraded to ipt_recent 0.2.7 from 0.2.3 and the problem is not solved.  
Can you post a fix?

I'm using vanilla kernel 2.0.43 with patches from patch-o-matic CVS 
(Jan 24, 2003), openmosix, super-freeS/WAN, ipt_recent 0.2.7 
(ipt_recent-0.2.6.tar.gz).  And netfilter stuff all built as modules.

Already applied: submitted/01_2.4.19
                 submitted/02_2.4.20
                 base/iplimit
                 base/mport
                 base/nth
                 base/quota
                 base/random
                 base/time
                 base/TTL
                 extra/h323-conntrack-nat
                 extra/ipt_TARPIT
                 extra/mms-conntrack-nat
                 extra/recent

I've also removed ipt_TTL from all chains in my iptables and it had no 
effect.

Here are the rules in my iptables 1.2.7a:
INPUT chain (default DROP):
-j ACCEPT -i ppp0 --state ESTABLISHED,RELATED
-j DROP -i ppp0 -m recent --update --rttl --name recentDropBox
-j LOG -i ppp0 --log-prefix recentDropBox -m limit
-j DROP -i ppp0 -m recent --set --name recentDropBox


I attempt to telnet to port 137 on this box from a computer on the internet 
(ppp0) and I see in /var/log/messages:
Feb  4 12:16:11 router kernel: recentDropBoxIN=ppp0 OUT= MAC= SRC=24.238.110.10 DST=24.239.135.221 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=10436 DF PROTO=TCP SPT=3936 DPT=137 WINDOW=8760 RES=0x00 SYN URGP=0
Feb  4 12:16:14 router kernel: recentDropBoxIN=ppp0 OUT= MAC= SRC=24.238.110.10 DST=24.239.135.221 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=10443 DF PROTO=TCP SPT=3936 DPT=137 WINDOW=8760 RES=0x00 SYN URGP=0





* ipt_recent 0.2.3/0.2.7 --rttl doesn't work
@ 2003-02-04 23:39 per j
  2003-02-05  2:53 ` Stephen Frost
  0 siblings, 1 reply; 6+ messages in thread
From: per j @ 2003-02-04 23:39 UTC (permalink / raw)
  To: netfilter

--rttl function in ipt_recent doesn't work.  It's supposed to match every 
single packet with the same ip address and ttl value.  Weird thing is it 
produces a match maybe once every 1000 packets with the same ip address and 
ttl.

I get the same ip address with the same TTL value in the logs.  I've also 
tested this by using another computer with a stable connection (i.e. same ip 
address and same ttl).  -m recent with --rttl doesn't match any of the 
packets from that computer, but -m recent without --rttl matches.

I upgraded to ipt_recent 0.2.7 from 0.2.3 and the problem is not solved.  
Can you post a fix?

I'm using vanilla kernel 2.0.43 with patches from patch-o-matic CVS 
(Jan 24, 2003), openmosix, super-freeS/WAN, ipt_recent 0.2.7 
(ipt_recent-0.2.6.tar.gz).  And netfilter stuff all built as modules.

Already applied: submitted/01_2.4.19
                 submitted/02_2.4.20
                 base/iplimit
                 base/mport
                 base/nth
                 base/quota
                 base/random
                 base/time
                 base/TTL
                 extra/h323-conntrack-nat
                 extra/ipt_TARPIT
                 extra/mms-conntrack-nat
                 extra/recent

I've also removed ipt_TTL from all chains in my iptables and it had no 
effect.

Here are the rules in my iptables 1.2.7a:
INPUT chain (default DROP):
-j ACCEPT -i ppp0 --state ESTABLISHED,RELATED
-j DROP -i ppp0 -m recent --update --rttl --name recentDropBox
-j LOG -i ppp0 --log-prefix recentDropBox -m limit
-j DROP -i ppp0 -m recent --set --name recentDropBox


I attempt to telnet to port 137 on this box from a computer on the internet 
(ppp0) and I see in /var/log/messages:
Feb  4 12:16:11 router kernel: recentDropBoxIN=ppp0 OUT= MAC= SRC=24.238.110.10 DST=24.239.135.221 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=10436 DF PROTO=TCP SPT=3936 DPT=137 WINDOW=8760 RES=0x00 SYN URGP=0
Feb  4 12:16:14 router kernel: recentDropBoxIN=ppp0 OUT= MAC= SRC=24.238.110.10 DST=24.239.135.221 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=10443 DF PROTO=TCP SPT=3936 DPT=137 WINDOW=8760 RES=0x00 SYN URGP=0

As you can see in the log entries above it's the same source ip address and 
same TTL value within 3 seconds.  Obviously the DROP rule with -m recent 
--update --rttl did not match which produces duplicate log entries.





* Re: ipt_recent 0.2.3/0.2.7 --rttl doesn't work
  2003-02-04 23:39 ipt_recent 0.2.3/0.2.7 --rttl doesn't work per j
@ 2003-02-05  2:53 ` Stephen Frost
  2003-02-05  3:20   ` Arnt Karlsen
  0 siblings, 1 reply; 6+ messages in thread
From: Stephen Frost @ 2003-02-05  2:53 UTC (permalink / raw)
  To: per j; +Cc: netfilter

* per j (perj8@hotmail.com) wrote:
> I'm using vanilla kernel 2.0.43 with patches from patch-o-matic CVS 
> (Jan24,2003), openmosix, super-freeS/WAN, ipt_recent 0.2.7 
> (ipt_recent-0.2.6.tar.gz).  And netfilter stuff all built as modules.

  You're using 2.0.43?  iptables was introduced in 2.4... 

> Here are the rules in my iptables 1.2.7a:
> INPUT chain (default DROP):
> -j ACCEPT -i ppp0 --state ESTABLISHED,RELATED
> -j DROP -i ppp0 -m recent --update --rttl --name recentDropBox
> -j LOG -i ppp0 --log-prefix recentDropBox -m limit
> -j DROP -i ppp0 -m recent --set --name recentDropBox

  First you might try adding --rttl to the --set line.  I'll also go
  back and check my code in that area...  Using the latest ipt_recent,
  can you paste what you see in /proc/net/ipt_recent/recentDropBox?

  There could certainly be a problem in that area as the TTL match has
  been tested less...

  	Stephen


* Re: ipt_recent 0.2.3/0.2.7 --rttl doesn't work
  2003-02-05  2:53 ` Stephen Frost
@ 2003-02-05  3:20   ` Arnt Karlsen
  0 siblings, 0 replies; 6+ messages in thread
From: Arnt Karlsen @ 2003-02-05  3:20 UTC (permalink / raw)
  To: netfilter

On Tue, 4 Feb 2003 21:53:46 -0500, 
Stephen Frost <sfrost@snowman.net> wrote in message 
<20030205025346.GC484@ns.snowman.net>:

> * per j (perj8@hotmail.com) wrote:
> > I'm using vanilla kernel 2.0.43 with patches from patch-o-matic CVS 
> > (Jan24,2003), openmosix, super-freeS/WAN, ipt_recent 0.2.7 
> > (ipt_recent-0.2.6.tar.gz).  And netfilter stuff all built as
> > modules.
> 
>   You're using 2.0.43?  iptables was introduced in 2.4... 

...and, the bleeding edges: "finger @finger.kernel.org", 
honed to size:  ;-)

The latest stable version of the Linux kernel:    2.4.20
ditto prepatch for the stable Linux kernel tree:  2.4.21-pre4
ditto beta version of the Linux kernel:           2.5.59
ditto 2.2 version of the Linux kernel:            2.2.23
ditto prepatch for the 2.2 Linux kernel tree:     2.2.24-rc2
ditto 2.0 version of the Linux kernel:            2.0.39
ditto prepatch for the 2.0 Linux kernel tree:     2.0.40-rc6
ditto -ac patch to the stable Linux kernels:      2.4.21-pre4-ac2
ditto -ac patch to the beta Linux kernels:        2.5.50-ac1 
ditto -dj patch to the beta Linux kernels:        2.5.48-dj1

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.





* Re: ipt_recent 0.2.3/0.2.7 --rttl doesn't work
@ 2003-02-05 13:19 Paul E R J
  0 siblings, 0 replies; 6+ messages in thread
From: Paul E R J @ 2003-02-05 13:19 UTC (permalink / raw)
  To: netfilter

Sorry I meant I'm using kernel 2.4.20


>From: Arnt Karlsen <arnt@c2i.net>
>To: netfilter@lists.netfilter.org
>Subject: Re: ipt_recent 0.2.3/0.2.7 --rttl doesn't work
>Date: Wed, 5 Feb 2003 04:20:59 +0100
>
>On Tue, 4 Feb 2003 21:53:46 -0500,
>Stephen Frost <sfrost@snowman.net> wrote in message
><20030205025346.GC484@ns.snowman.net>:
>
> > * per j (perj8@hotmail.com) wrote:
> > > I'm using vanilla kernel 2.0.43 with patches from patch-o-matic CVS
> > > (Jan24,2003), openmosix, super-freeS/WAN, ipt_recent 0.2.7
> > > (ipt_recent-0.2.6.tar.gz).  And netfilter stuff all built as
> > > modules.
> >
> >   You're using 2.0.43?  iptables was introduced in 2.4...
>
>...and, the bleeding edges: "finger @finger.kernel.org",
>honed to size:  ;-)
>
>The latest stable version of the Linux kernel:    2.4.20
>ditto prepatch for the stable Linux kernel tree:  2.4.21-pre4
>ditto beta version of the Linux kernel:           2.5.59
>ditto 2.2 version of the Linux kernel:            2.2.23
>ditto prepatch for the 2.2 Linux kernel tree:     2.2.24-rc2
>ditto 2.0 version of the Linux kernel:            2.0.39
>ditto prepatch for the 2.0 Linux kernel tree:     2.0.40-rc6
>ditto -ac patch to the stable Linux kernels:      2.4.21-pre4-ac2
>ditto -ac patch to the beta Linux kernels:        2.5.50-ac1
>ditto -dj patch to the beta Linux kernels:        2.5.48-dj1
>
>--
>..med vennlig hilsen = with Kind Regards from Arnt... ;-)
>...with a number of polar bear hunters in his ancestry...
>   Scenarios always come in sets of three:
>   best case, worst case, and just in case.






* Re: ipt_recent 0.2.3/0.2.7 --rttl doesn't work
@ 2003-02-05 15:01 Paul E R J
  0 siblings, 0 replies; 6+ messages in thread
From: Paul E R J @ 2003-02-05 15:01 UTC (permalink / raw)
  To: netfilter

I'm using kernel 2.4.20.

Also my iptables is more complicated.  Notice that the name of the 
recentDropBox chain in iptables is the same name as --name recentDropBox for 
-m recent.  It goes like this (to be more exact):

Pkt Rule (recentDropBox chain, filter table)
3 iptables -j LOG --log-prefix recentDropBox -m limit
3 iptables -j DROP -m recent --set --name recentDropBox

Pkt Rule (dropBox chain, filter table)
3 iptables -j recentDropBox -p tcp -m multiport --dports ...,137,...

Pkt Rule (INPUT chain, filter table)
0 iptables -j ACCEPT -m state --state ESTABLISHED,RELATED
0 iptables -j DROP -i ppp0 -m recent --update --rttl --name recentDropBox
3 iptables -j dropBox -i ppp0
0 iptables -j recentDropBox -i ppp0

I simplified my iptables in my first post.

####################
IMPORTANT!  I found out --update --rttl in the setup above does NOT behave 
the same as the following setup...

Pkt Rule (INPUT chain)
0 iptables -j ACCEPT -m state --state ESTABLISHED,RELATED
2 iptables -j DROP -i ppp0 -m recent --update --rttl --name recentDropBox
1 iptables -j LOG -i ppp0 --log-prefix recentDropBox -m limit
1 iptables -j DROP -i ppp0 -m recent --set --name recentDropBox

--update --rttl works here, but doesn't work in the more complicated setup I 
have.  Why?
#####################

I tried --set and --rttl and it matches ALL packets that hit the rule even 
when it is not in the recentDropBox list.

# grep 24.238 /proc/net/ipt_recent/recentDropBox
src=24.238.110.135 ttl: 122 last_seen: 7623667 oldest_pkt: 3 last_pkts: 7622677, 7622972, 7623667
src=24.238.110.103 ttl: 122 last_seen: 7685346 oldest_pkt: 3 last_pkts: 7684441, 7684736, 7685346

Pkt Rule (recentDropBox chain, filter table)
0 iptables -j LOG --log-prefix recentDropBox -m limit
0 iptables -j DROP -m recent --set --name recentDropBox

Pkt Rule (dropBox chain, filter table)
0 iptables -j recentDropBox -p tcp -m multiport --dports ...,137,...

Pkt Rule (INPUT chain, filter table)
0 iptables -j ACCEPT -m state --state ESTABLISHED,RELATED
-->6 iptables -j DROP -i ppp0 -m recent --set --rttl --name recentDropBox
0 iptables -j dropBox -i ppp0
0 iptables -j recentDropBox -i ppp0


You mean use --set --rttl in the last rule?

I got DUPLICATE entries!!!
# grep 24.238 /proc/net/ipt_recent/recentDropBox
src=24.238.110.36 ttl: 122 last_seen: 7760513 oldest_pkt: 1 last_pkts: 7760513
src=24.238.110.36 ttl: 122 last_seen: 7760804 oldest_pkt: 1 last_pkts: 7760804
src=24.238.110.36 ttl: 122 last_seen: 7761405 oldest_pkt: 1 last_pkts: 7761405

/var/log/messages
Feb  5 09:03:09 router kernel: recentDropBoxIN=ppp0 OUT= MAC= SRC=24.238.110.36 DST=24.239.135.221 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=320 DF PROTO=TCP SPT=3069 DPT=137 WINDOW=8760 RES=0x00 SYN URGP=0
Feb  5 09:03:12 router kernel: recentDropBoxIN=ppp0 OUT= MAC= SRC=24.238.110.36 DST=24.239.135.221 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=321 DF PROTO=TCP SPT=3069 DPT=137 WINDOW=8760 RES=0x00 SYN URGP=0
Feb  5 09:03:18 router kernel: recentDropBoxIN=ppp0 OUT= MAC= SRC=24.238.110.36 DST=24.239.135.221 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=322 DF PROTO=TCP SPT=3069 DPT=137 WINDOW=8760 RES=0x00 SYN URGP=0

Pkt Rule (recentDropBox chain, filter table)
3 iptables -j LOG --log-prefix recentDropBox -m limit
-->3 iptables -j DROP -m recent --set --rttl --name recentDropBox

Pkt Rule (dropBox chain, filter table)
3 iptables -j recentDropBox -p tcp -m multiport --dports ...,137,...

Pkt Rule (INPUT chain, filter table)
0 iptables -j ACCEPT -m state --state ESTABLISHED,RELATED
0 iptables -j DROP -i ppp0 -m recent --update --rttl --name recentDropBox
3 iptables -j dropBox -i ppp0
0 iptables -j recentDropBox -i ppp0


-----------------------------------------------------------------
> > I'm using vanilla kernel 2.0.43 with patches from patch-o-matic CVS
> > (Jan24,2003), openmosix, super-freeS/WAN, ipt_recent 0.2.7
> > (ipt_recent-0.2.6.tar.gz).  And netfilter stuff all built as modules.
>
>   You're using 2.0.43?  iptables was introduced in 2.4...
>
> > Here are the rules in my iptables 1.2.7a:
> > INPUT chain (default DROP):
> > -j ACCEPT -i ppp0 --state ESTABLISHED,RELATED
> > -j DROP -i ppp0 -m recent --update --rttl --name recentDropBox
> > -j LOG -i ppp0 --log-prefix recentDropBox -m limit
> > -j DROP -i ppp0 -m recent --set --name recentDropBox
>
>   First you might try adding --rttl to the --set line.  I'll also go
>   back and check my code in that area...  Using the latest ipt_recent,
>   can you paste what you see in /proc/net/ipt_recent/recentDropBox?
>
>   There could certainly be a problem in that area as the TTL match has
>   been tested less...
>
>   	Stephen





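A check for the table state Paul pastes above, written as an added example and not code from the thread or from ipt_recent: it parses rows of /proc/net/ipt_recent/<name> in the format shown in the thread and reports any (source, TTL) pair that occupies more than one row, which is the duplicate-entry symptom he describes after using --set --rttl. The line format is assumed from the pasted output; the sample rows reuse the ones from the post, one row per line.

```python
import re
from collections import defaultdict

# Row format as pasted in the thread (assumed, not taken from ipt_recent source):
#   src=A.B.C.D ttl: N last_seen: J oldest_pkt: K last_pkts: J1, J2, ...
_ENTRY = re.compile(
    r"src=(?P<src>\S+)\s+ttl:\s*(?P<ttl>\d+)\s+last_seen:\s*(?P<last_seen>\d+)"
    r"\s+oldest_pkt:\s*(?P<oldest>\d+)\s+last_pkts:\s*(?P<pkts>[\d,\s]*)"
)

def parse_recent(text):
    """Return one dict per table row; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if not m:
            continue
        pkts = [int(p) for p in re.findall(r"\d+", m.group("pkts"))]
        entries.append({
            "src": m.group("src"),
            "ttl": int(m.group("ttl")),
            "last_seen": int(m.group("last_seen")),
            "oldest_pkt": int(m.group("oldest")),
            "last_pkts": pkts,
        })
    return entries

def find_duplicates(entries):
    """Map (src, ttl) -> rows for every pair that appears more than once.
    A healthy table holds a single row per (src, ttl); several rows for the
    same pair mean --set created a new row instead of updating the old one."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["src"], e["ttl"])].append(e)
    return {k: v for k, v in by_key.items() if len(v) > 1}

# Constructed sample: the rows pasted in the thread, one per line.
SAMPLE = """\
src=24.238.110.36 ttl: 122 last_seen: 7760513 oldest_pkt: 1 last_pkts: 7760513
src=24.238.110.36 ttl: 122 last_seen: 7760804 oldest_pkt: 1 last_pkts: 7760804
src=24.238.110.36 ttl: 122 last_seen: 7761405 oldest_pkt: 1 last_pkts: 7761405
src=24.238.110.135 ttl: 122 last_seen: 7623667 oldest_pkt: 3 last_pkts: 7622677, 7622972, 7623667
"""

if __name__ == "__main__":
    for (src, ttl), rows in find_duplicates(parse_recent(SAMPLE)).items():
        print(f"{src} ttl={ttl}: {len(rows)} rows, last_seen={[r['last_seen'] for r in rows]}")
```

Run it against `cat /proc/net/ipt_recent/recentDropBox` output on the affected box; an empty result means every source has a single row, as Stephen's suggested --rttl-on-both-rules setup should give.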
