iptables STILL incorrectly using TCP packet contents without checking header!

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Simon Kirby <sim@netnation.com>
To: netfilter-devel@lists.netfilter.org
Subject: iptables STILL incorrectly using TCP packet contents without checking header!
Date: Thu, 31 Mar 2005 10:57:32 -0800	[thread overview]
Message-ID: <20050331185732.GA20249@netnation.com> (raw)

Hi,

Since my post in December, iptables is STILL incorrectly using TCP packet
contents without checking the header.  I bet this is resulting in dropped
connections and other issues all over the place but people aren't easily
able to see why.

Example:

iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

These two lines will set up a typical stateful TCP firewall that blocks
anything incoming that isn't related to outgoing traffic.  Unfortunately,
it also immediately disconnects any TCP sessions as soon as a corrupted
packet is received.  Why?  Because:

The "state" module checks the TCP checksum.  Good.
The REJECT module uses TCP data without checking the checksum.  Bad.

In fact, a simple "-p tcp --dport 80" also matches without checking the
TCP checksum.  This is bad -- the port could be corrupted!

IMHO:

1: -p tcp needs to verify that the IP header is valid (it probably does
   this already), since the protocol is specified there.

2: -p tcp --dport 80 needs to verify that the IP _AND_ TCP header is
   valid, since the port is in the TCP header.  It does not do this now.

3: REJECT needs to verify that the data it is using in --tcp-reset is
   actually valid, because it can be used with just "-p tcp".  ICMP
   REJECT might also need checking.

Right?  Does this make sense?  Anyone?

(Yes, I'll fix the corrupted packets next..)

Simon-

next             reply	other threads:[~2005-03-31 18:57 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-03-31 18:57 Simon Kirby [this message]
2005-03-31 20:04 ` iptables STILL incorrectly using TCP packet contents without checking header! Jonas Berlin
2005-03-31 23:27   ` Henrik Nordstrom
2005-04-03 18:34     ` Patrick McHardy
2005-04-01  0:03   ` Simon Kirby
2005-04-05 14:24     ` Amin Azez

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20050331185732.GA20249@netnation.com \
    --to=sim@netnation.com \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.