ICMP and state/conntrack

ICMP and state/conntrack

[netfilter]

Hello

I'm wondering if state doesn't apply to ICMP packets.

iptables -A FORWARD -p icmp -m state -d 1.2.3.4 --state NEW -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -j REJECT

if I ping 1.2.3.4 the echo-reply is blocked from 1.2.3.4. Is this normal, I
thought that the echo-reply should be marked RELATED and therefore not
blocked?


====
Tomas Edwardsson
HP Technical Support      \  HP Certified System Administrator
Red Hat Technical Support  \  Red Hat Certified Engineer.
Opin Kerfi

Re: ICMP and state/conntrack

[Cedric Blancher]

Le ven 28/02/2003 à 11:37, netfilter@tommi.org a écrit :
> I'm wondering if state doesn't apply to ICMP packets.

It applies.

> iptables -A FORWARD -p icmp -m state -d 1.2.3.4 --state NEW -j ACCEPT
> iptables -A FORWARD -m state --state NEW,INVALID -j REJECT
> if I ping 1.2.3.4 the echo-reply is blocked from 1.2.3.4. Is this normal, I
> thought that the echo-reply should be marked RELATED and therefore not
> blocked?

Nope.
In fact, you can separate ICMP messages in two categories :

	. ICMP errors
	. standelone ICMP

ICMP errors are related to an existing IP flow. As such, conntrack
engine flags them as RELATED.

Standelone ICMP (ping, netmask, timestamp and info, cf.
ip_conntrack_proto_icmp.c) are not related to IP flow, and are flagged
using NEW/ESTABLISHED states.
If you ping someone, echo-request is NEW, echo-reply is ESTABLISHED.

-- 
Cédric Blancher  <blancher@cartel-securite.fr>
IT systems and networks security expert  - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE

Re: ICMP and state/conntrack

[surf3r]

Hellow :)


> iptables -A FORWARD -m state --state NEW,INVALID -j REJECT

You must be especify the protocol on this rule: 

iptables -A FORWARD -p icmp -m state --state NEW,INVALID -j REJECT

You has that to understand tables with independent rules 


Brazil rules : carnaval 2003 :)


-- 


surf3r  -o)
        /\\
       _\_V
--   --------



On Fri, 2003-02-28 at 07:37, netfilter@tommi.org wrote:
> Hello
> 
> I'm wondering if state doesn't apply to ICMP packets.
> 
> iptables -A FORWARD -p icmp -m state -d 1.2.3.4 --state NEW -j ACCEPT
> iptables -A FORWARD -m state --state NEW,INVALID -j REJECT
> 
> if I ping 1.2.3.4 the echo-reply is blocked from 1.2.3.4. Is this normal, I
> thought that the echo-reply should be marked RELATED and therefore not
> blocked?
> 
> 
> ====
> Tomas Edwardsson
> HP Technical Support      \  HP Certified System Administrator
> Red Hat Technical Support  \  Red Hat Certified Engineer.
> Opin Kerfi
> 
> 
> 

Re: ICMP and state/conntrack

[Jozsef Kadlecsik]

On Fri, 28 Feb 2003 netfilter@tommi.org wrote:

> I'm wondering if state doesn't apply to ICMP packets.
>
> iptables -A FORWARD -p icmp -m state -d 1.2.3.4 --state NEW -j ACCEPT
> iptables -A FORWARD -m state --state NEW,INVALID -j REJECT
>
> if I ping 1.2.3.4 the echo-reply is blocked from 1.2.3.4. Is this normal, I
> thought that the echo-reply should be marked RELATED and therefore not
> blocked?

ICMP echo-reply is not an ICMP error message, it is not RELATED to
another connection. You can match is as ESTABLISHED.

Regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: ICMP and state/conntrack

[netfilter]

Great and thanks for your swift replies.

The problem was actually a routing problem.

- Tomas

On Fri, Feb 28, 2003 at 12:17:14PM +0100, Cedric Blancher wrote:
> 
> Le ven 28/02/2003 à 11:37, netfilter@tommi.org a écrit :
> > I'm wondering if state doesn't apply to ICMP packets.
> 
> It applies.
> 
> > iptables -A FORWARD -p icmp -m state -d 1.2.3.4 --state NEW -j ACCEPT
> > iptables -A FORWARD -m state --state NEW,INVALID -j REJECT
> > if I ping 1.2.3.4 the echo-reply is blocked from 1.2.3.4. Is this normal, I
> > thought that the echo-reply should be marked RELATED and therefore not
> > blocked?
> 
> Nope.
> In fact, you can separate ICMP messages in two categories :
> 
> 	. ICMP errors
> 	. standelone ICMP
> 
> ICMP errors are related to an existing IP flow. As such, conntrack
> engine flags them as RELATED.
> 
> Standelone ICMP (ping, netmask, timestamp and info, cf.
> ip_conntrack_proto_icmp.c) are not related to IP flow, and are flagged
> using NEW/ESTABLISHED states.
> If you ping someone, echo-request is NEW, echo-reply is ESTABLISHED.
> 
> -- 
> Cédric Blancher  <blancher@cartel-securite.fr>
> IT systems and networks security expert  - Cartel Sécurité
> Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
> PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
> 
>