* Iptables Reject with TCP Reset @ 2017-01-06 15:19 Matt Killock 2017-01-06 16:09 ` Noel Kuntze 0 siblings, 1 reply; 16+ messages in thread From: Matt Killock @ 2017-01-06 15:19 UTC (permalink / raw) To: netfilter@vger.kernel.org Hi We are using linux iptables on a firewall device to block all traffic from internal hosts except for a few exceptions with a default FORWARD policy of DROP. So there is no general HTTP/HTTPS access. This all works fine except that various applications like Microsoft Word and Adobe Reader all attempt to connect to various internet hosts and introduce delays that are not there if there is general access. Adobe refuses to display PDF content for 30 seconds whilst it attempts to connect to various cloud services. I can reduce this delay to 5 seconds if I add all the hostnames it attempts to connect to in the hosts file to point to 127.0.0.1. What I'd like to do is make the firewall respond with a TCP Reset packet instead of doing nothing or only sending an ICMP unreachable packet, which I presume is what happens when Adobe attempts to connect to 127.0.0.1 on port 80 The following line does not do this - does this no longer work? iptables -A FORWARD -s 192.168.40.0/24 -d 0/0 -p tcp --dport 80 -j REJECT --reject-with tcp-reset Thanks Matt ________________________________ Plum Software is a fully owned subsidiary of Praemium Limited. This e-mail is confidential. It may also be legally privileged. If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return email. Internet communications cannot be guaranteed to be timely, secure, or error or virus free. The sender does not accept liability for any errors or omissions. In the UK the Praemium Group is: Praemium Portfolio Services Ltd (Company Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153), Praemium Administration Ltd (Company Number: 06016828) and Smartfund Nominees Ltd (Company Number: 07153417) each having its registered office at 4th Floor, Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom. Praemium Administration Ltd is authorised and regulated by the Financial Conduct Authority under reference 463566. See http://www.fca.org.uk/register for more details. In Jersey the Praemium Group is: Praemium International Ltd (Company Number: 107624) which has its registered office at 3rd Floor East, Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is regulated under the Financial Service (Jersey) Law 1998 by the Jersey Financial Services Commission for the conduct of investment business in Jersey. See http://www.jerseyfsc.org for more details. Thank you for your cooperation. Please contact us on +44 (0)207 5622 450 if you require assistance. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Iptables Reject with TCP Reset 2017-01-06 15:19 Iptables Reject with TCP Reset Matt Killock @ 2017-01-06 16:09 ` Noel Kuntze 2017-01-06 16:28 ` Matt Killock 0 siblings, 1 reply; 16+ messages in thread From: Noel Kuntze @ 2017-01-06 16:09 UTC (permalink / raw) To: Matt Killock, netfilter@vger.kernel.org [-- Attachment #1.1: Type: text/plain, Size: 442 bytes --] On 06.01.2017 16:19, Matt Killock wrote: > The following line does not do this - does this no longer work? > > iptables -A FORWARD -s 192.168.40.0/24 -d 0/0 -p tcp --dport 80 -j REJECT --reject-with tcp-reset Depends on your rule set. Check and fix it. The target usually works. -- Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 866 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: Iptables Reject with TCP Reset 2017-01-06 16:09 ` Noel Kuntze @ 2017-01-06 16:28 ` Matt Killock 2017-01-06 16:35 ` Noel Kuntze ` (2 more replies) 0 siblings, 3 replies; 16+ messages in thread From: Matt Killock @ 2017-01-06 16:28 UTC (permalink / raw) To: Noel Kuntze, netfilter@vger.kernel.org > Depends on your rule set. Check and fix it. The target usually works. As a test, I made the very first FORWARD rule this: iptables -A FORWARD -i eth1 -p tcp -s 192.168.20.0/24 -d 212.58.244.71 --dport 80 -j REJECT --reject-with tcp-reset 'iptables -n -L' output: Chain FORWARD (policy DROP) target prot opt source destination REJECT tcp -- 192.168.20.0/24 212.58.244.71 tcp dpt:80 reject-with tcp-reset However, no Reset packets can be observed: # tcpdump -ni eth1 host 192.168.20.164 16:23:00.706667 IP 192.168.20.164.50105 > 212.58.244.71.80: Flags [SEW], seq 2763730948, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 16:23:02.717733 IP 192.168.20.164.50106 > 212.58.244.71.80: Flags [SEW], seq 2464499683, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 If this does usually work then could you give me a clue on what ruleset it does work with? Thanks Matt ________________________________ Plum Software is a fully owned subsidiary of Praemium Limited. This e-mail is confidential. It may also be legally privileged. If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return email. Internet communications cannot be guaranteed to be timely, secure, or error or virus free. The sender does not accept liability for any errors or omissions. In the UK the Praemium Group is: Praemium Portfolio Services Ltd (Company Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153), Praemium Administration Ltd (Company Number: 06016828) and Smartfund Nominees Ltd (Company Number: 07153417) each having its registered office at 4th Floor, Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom. Praemium Administration Ltd is authorised and regulated by the Financial Conduct Authority under reference 463566. See http://www.fca.org.uk/register for more details. In Jersey the Praemium Group is: Praemium International Ltd (Company Number: 107624) which has its registered office at 3rd Floor East, Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is regulated under the Financial Service (Jersey) Law 1998 by the Jersey Financial Services Commission for the conduct of investment business in Jersey. See http://www.jerseyfsc.org for more details. Thank you for your cooperation. Please contact us on +44 (0)207 5622 450 if you require assistance. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Iptables Reject with TCP Reset 2017-01-06 16:28 ` Matt Killock @ 2017-01-06 16:35 ` Noel Kuntze [not found] ` <HK2PR0201MB212932A38853DB306E300014E8630@HK2PR0201MB2129.apcprd02.prod.outlook.com> 2017-01-06 17:30 ` Ethy H. Brito 2017-01-06 23:26 ` Neal P. Murphy 2 siblings, 1 reply; 16+ messages in thread From: Noel Kuntze @ 2017-01-06 16:35 UTC (permalink / raw) To: Matt Killock, netfilter@vger.kernel.org [-- Attachment #1.1: Type: text/plain, Size: 481 bytes --] On 06.01.2017 17:28, Matt Killock wrote: > 'iptables -n -L' output: Please use and show the output of `iptables-save -c`. > If this does usually work then could you give me a clue on what ruleset it does work with? Generally in any. If it doesn't work and your rule set is not to blame, you've got another problem. -- Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 866 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
[parent not found: <HK2PR0201MB212932A38853DB306E300014E8630@HK2PR0201MB2129.apcprd02.prod.outlook.com>]
* Re: Iptables Reject with TCP Reset [not found] ` <HK2PR0201MB212932A38853DB306E300014E8630@HK2PR0201MB2129.apcprd02.prod.outlook.com> @ 2017-01-06 17:52 ` Noel Kuntze 2017-01-09 10:45 ` Matt Killock 0 siblings, 1 reply; 16+ messages in thread From: Noel Kuntze @ 2017-01-06 17:52 UTC (permalink / raw) To: Matt Killock, netfilter@vger.kernel.org [-- Attachment #1.1: Type: text/plain, Size: 1842 bytes --] On 06.01.2017 17:44, Matt Killock wrote: > My server has unusual interface names, so I changed them before. > > root@aspfw2:~# route -n > Kernel IP routing table > Destination Gateway Genmask Flags Metric Ref Use Iface > 0.0.0.0 192.168.0.254 0.0.0.0 UG 0 0 0 enp2s12f0 > 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 enp2s12f0 > 192.168.20.0 0.0.0.0 255.255.255.0 U 0 0 0 enp2s12f1 > 192.168.40.0 0.0.0.0 255.255.255.0 U 0 0 0 enp6s7 Use iproute2. Don't use the net-tools. They're unmaintained, less powerful and lie. > [4:208] -A FORWARD -s 192.168.20.0/24 -d 212.58.244.71/32 -i enp2s12f1 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset The rule is hit. Your rule set is absolutely broken, because you don't permit ctstate RELATED and at the same time, it's unnecessarily convoluted unstructered. You need to permit it to allow ICMP errors through and the TCP reset packets. I advise to rewrite the complete rule set. You should start by taking this example rule set for edge-routers, understanding the different components and rewriting your current one based of the example. You are strongly encouraged to filter traffic based on ctstates. Use the conntrack module instead of the state module. It is more powerful. Please use the documents at [2] and [3] to improve your rule set. [1] https://github.com/QueuingKoala/netfilter-samples/tree/master/rules-edge-router [2] http://sfvlug.editthis.info/wiki/Things_You_Should_Know_About_Netfilter [3] http://inai.de/images/nf-packet-flow.png -- Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 866 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: Iptables Reject with TCP Reset 2017-01-06 17:52 ` Noel Kuntze @ 2017-01-09 10:45 ` Matt Killock 2017-01-10 7:35 ` André Paulsberg-Csibi (IBM Consultant) 0 siblings, 1 reply; 16+ messages in thread From: Matt Killock @ 2017-01-09 10:45 UTC (permalink / raw) To: Noel Kuntze, netfilter@vger.kernel.org Thanks for your response. > Use iproute2. Don't use the net-tools. They're unmaintained, less powerful and lie. I do use iproute2 - for our multi-homed edge router, where it's needed. In this case, I wanted a list of interfaces, and I can see that the output was not a 'lie', so as a tool for that job, it's fine. >Your rule set is absolutely broken, because you don't permit ctstate RELATED and at the same time, it's unnecessarily convoluted unstructered. I note you dislike our ruleset, and I have no intention of rewriting the whole thing, especially as the examples in links you provide allow all outbound traffic from internal hosts. We want to block all outbound traffic except on a very limited range of host / port combinations. I accept that we may not have gone about that in an entirely modern or simplest manner possible, but it is far from 'absolutely' broken. However, you did manage to tell me what I need to know, which is that I needed a RELATED rule in there. After a bit of experimentation, I discovered that I need a rule like this: iptables -A OUTPUT -o eth1 -p tcp -d 192.168.40.0/24 -m state --state RELATED -j ACCEPT That fixes this problem, thank you. Matt ________________________________ Plum Software is a fully owned subsidiary of Praemium Limited. This e-mail is confidential. It may also be legally privileged. If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return email. Internet communications cannot be guaranteed to be timely, secure, or error or virus free. The sender does not accept liability for any errors or omissions. In the UK the Praemium Group is: Praemium Portfolio Services Ltd (Company Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153), Praemium Administration Ltd (Company Number: 06016828) and Smartfund Nominees Ltd (Company Number: 07153417) each having its registered office at 4th Floor, Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom. Praemium Administration Ltd is authorised and regulated by the Financial Conduct Authority under reference 463566. See http://www.fca.org.uk/register for more details. In Jersey the Praemium Group is: Praemium International Ltd (Company Number: 107624) which has its registered office at 3rd Floor East, Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is regulated under the Financial Service (Jersey) Law 1998 by the Jersey Financial Services Commission for the conduct of investment business in Jersey. See http://www.jerseyfsc.org for more details. Thank you for your cooperation. Please contact us on +44 (0)207 5622 450 if you require assistance. ^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: Iptables Reject with TCP Reset 2017-01-09 10:45 ` Matt Killock @ 2017-01-10 7:35 ` André Paulsberg-Csibi (IBM Consultant) 2017-01-10 10:09 ` Matt Killock 0 siblings, 1 reply; 16+ messages in thread From: André Paulsberg-Csibi (IBM Consultant) @ 2017-01-10 7:35 UTC (permalink / raw) To: Matt Killock, Noel Kuntze, netfilter@vger.kernel.org The rule you made here makes little sense , It would be preferable to make a more simple rule at "the top" like this ... iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT or iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT This will allow "all" traffic for rules you have already allowed through other rules in the FW ( no matter the IP or interface ) . Best regards André Paulsberg-Csibi Senior Network Engineer Fault Handling IBM Services AS -----Original Message----- From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Matt Killock Sent: 9. januar 2017 11:46 To: Noel Kuntze <noel@familie-kuntze.de>; netfilter@vger.kernel.org Subject: RE: Iptables Reject with TCP Reset Thanks for your response. > Use iproute2. Don't use the net-tools. They're unmaintained, less powerful and lie. I do use iproute2 - for our multi-homed edge router, where it's needed. In this case, I wanted a list of interfaces, and I can see that the output was not a 'lie', so as a tool for that job, it's fine. >Your rule set is absolutely broken, because you don't permit ctstate RELATED and at the same time, it's unnecessarily convoluted unstructered. I note you dislike our ruleset, and I have no intention of rewriting the whole thing, especially as the examples in links you provide allow all outbound traffic from internal hosts. We want to block all outbound traffic except on a very limited range of host / port combinations. I accept that we may not have gone about that in an entirely modern or simplest manner possible, but it is far from 'absolutely' broken. However, you did manage to tell me what I need to know, which is that I needed a RELATED rule in there. After a bit of experimentation, I discovered that I need a rule like this: iptables -A OUTPUT -o eth1 -p tcp -d 192.168.40.0/24 -m state --state RELATED -j ACCEPT That fixes this problem, thank you. Matt ________________________________ Plum Software is a fully owned subsidiary of Praemium Limited. This e-mail is confidential. It may also be legally privileged. If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return email. Internet communications cannot be guaranteed to be timely, secure, or error or virus free. The sender does not accept liability for any errors or omissions. In the UK the Praemium Group is: Praemium Portfolio Services Ltd (Company Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153), Praemium Administration Ltd (Company Number: 06016828) and Smartfund Nominees Ltd (Company Number: 07153417) each having its registered office at 4th Floor, Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom. Praemium Administration Ltd is authorised and regulated by the Financial Conduct Authority under reference 463566. See http://www.fca.org.uk/register for more details. In Jersey the Praemium Group is: Praemium International Ltd (Company Number: 107624) which has its registered office at 3rd Floor East, Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is regulated under the Financial Service (Jersey) Law 1998 by the Jersey Financial Services Commission for the conduct of investment business in Jersey. See http://www.jerseyfsc.org for more details. Thank you for your cooperation. Please contact us on +44 (0)207 5622 450 if you require assistance. \x13��칻\x1c�&�~�&�\x18��+-��ݶ\x17��w��˛���m�޵������^n�r���z�\x1a��h����&��\x1e�G���h�\x03(�階�ݢj"��\x1a�^[m�����z�ޖ���f���h���~�m� ^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: Iptables Reject with TCP Reset 2017-01-10 7:35 ` André Paulsberg-Csibi (IBM Consultant) @ 2017-01-10 10:09 ` Matt Killock 2017-01-10 11:41 ` André Paulsberg-Csibi (IBM Consultant) 2017-01-10 18:32 ` Neal P. Murphy 0 siblings, 2 replies; 16+ messages in thread From: Matt Killock @ 2017-01-10 10:09 UTC (permalink / raw) To: André Paulsberg-Csibi (IBM Consultant), Noel Kuntze, netfilter@vger.kernel.org > The rule you made here makes little sense , It would be preferable to make a more simple rule at "the top" like this ... > > This will allow "all" traffic for rules you have already allowed through other rules in the FW ( no matter the IP or interface ) . I note that it would be simpler to have one such rule for RELATED,ESTABLISHED but that's not the way we've done things here, much to Noel's disgust. :) We've blocked everything, including OUTPUT, by default. There are no general SNAT rules or MASQUERADE. We've tried to allow only the bare minimum required for two-way traffic between a small set of host/port combinations. This has led to some unnecessary duplication of ESTABLISHED rules, and I didn't appreciate that RELATED traffic is what the 'REJECT with TCP-Reset' traffic is classed as but otherwise it makes (some) sense and does work. Kind regards Matt ________________________________ Plum Software is a fully owned subsidiary of Praemium Limited. This e-mail is confidential. It may also be legally privileged. If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return email. Internet communications cannot be guaranteed to be timely, secure, or error or virus free. The sender does not accept liability for any errors or omissions. In the UK the Praemium Group is: Praemium Portfolio Services Ltd (Company Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153), Praemium Administration Ltd (Company Number: 06016828) and Smartfund Nominees Ltd (Company Number: 07153417) each having its registered office at 4th Floor, Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom. Praemium Administration Ltd is authorised and regulated by the Financial Conduct Authority under reference 463566. See http://www.fca.org.uk/register for more details. In Jersey the Praemium Group is: Praemium International Ltd (Company Number: 107624) which has its registered office at 3rd Floor East, Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is regulated under the Financial Service (Jersey) Law 1998 by the Jersey Financial Services Commission for the conduct of investment business in Jersey. See http://www.jerseyfsc.org for more details. Thank you for your cooperation. Please contact us on +44 (0)207 5622 450 if you require assistance. ^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: Iptables Reject with TCP Reset 2017-01-10 10:09 ` Matt Killock @ 2017-01-10 11:41 ` André Paulsberg-Csibi (IBM Consultant) 2017-01-10 18:32 ` Neal P. Murphy 1 sibling, 0 replies; 16+ messages in thread From: André Paulsberg-Csibi (IBM Consultant) @ 2017-01-10 11:41 UTC (permalink / raw) To: Matt Killock, Noel Kuntze, netfilter@vger.kernel.org TCP-RESET would typically be "ESTABLISHED" as that would be a normal part of a TCP session , In IPTABLES it might be that an EARLY TCP-RESET could be "RELATED" but I do not think so . "RELATED" is typically ICMP responses from systems in the path that are response to a TCP session that for some reason no longer is "reachable" , as this is not part of the TCP session directly it would not be in the conntrack table and IPTABLES would need to look at the DATA in the ICMP to see if that is RELATED to any active session . "RELATED" could also be sessions inspected with FTP or other protocols , where a NEW TCP session is created which can be inspected in the uncrypted FTP session on the primary FTP port of 21 and then RELATED as it is created if proper modules are used . Using "RELATED" is mostly safer and preferable instead of opening manually for ICMP TYPE 3 , TYPE 4 and TYPE 11 ( and all other types that may be needed to have correct and stable TCP/IP connectivity ) Best regards André Paulsberg-Csibi Senior Network Engineer Fault Handling IBM Services AS -----Original Message----- From: Matt Killock [mailto:matt.killock@praemium.com] Sent: 10. januar 2017 11:10 To: André Paulsberg-Csibi (IBM Consultant) <Andre.Paulsberg-Csibi@evry.com>; Noel Kuntze <noel@familie-kuntze.de>; netfilter@vger.kernel.org Subject: RE: Iptables Reject with TCP Reset > The rule you made here makes little sense , It would be preferable to make a more simple rule at "the top" like this ... > > This will allow "all" traffic for rules you have already allowed through other rules in the FW ( no matter the IP or interface ) . I note that it would be simpler to have one such rule for RELATED,ESTABLISHED but that's not the way we've done things here, much to Noel's disgust. :) We've blocked everything, including OUTPUT, by default. There are no general SNAT rules or MASQUERADE. We've tried to allow only the bare minimum required for two-way traffic between a small set of host/port combinations. This has led to some unnecessary duplication of ESTABLISHED rules, and I didn't appreciate that RELATED traffic is what the 'REJECT with TCP-Reset' traffic is classed as but otherwise it makes (some) sense and does work. Kind regards Matt ________________________________ Plum Software is a fully owned subsidiary of Praemium Limited. This e-mail is confidential. It may also be legally privileged. If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return email. Internet communications cannot be guaranteed to be timely, secure, or error or virus free. The sender does not accept liability for any errors or omissions. In the UK the Praemium Group is: Praemium Portfolio Services Ltd (Company Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153), Praemium Administration Ltd (Company Number: 06016828) and Smartfund Nominees Ltd (Company Number: 07153417) each having its registered office at 4th Floor, Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom. Praemium Administration Ltd is authorised and regulated by the Financial Conduct Authority under reference 463566. See http://www.fca.org.uk/register for more details. In Jersey the Praemium Group is: Praemium International Ltd (Company Number: 107624) which has its registered office at 3rd Floor East, Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is regulated under the Financial Service (Jersey) Law 1998 by the Jersey Financial Services Commission for the conduct of investment business in Jersey. See http://www.jerseyfsc.org for more details. Thank you for your cooperation. Please contact us on +44 (0)207 5622 450 if you require assistance. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Iptables Reject with TCP Reset 2017-01-10 10:09 ` Matt Killock 2017-01-10 11:41 ` André Paulsberg-Csibi (IBM Consultant) @ 2017-01-10 18:32 ` Neal P. Murphy 2017-01-10 19:29 ` Matt Killock 1 sibling, 1 reply; 16+ messages in thread From: Neal P. Murphy @ 2017-01-10 18:32 UTC (permalink / raw) Cc: netfilter@vger.kernel.org On Tue, 10 Jan 2017 10:09:55 +0000 Matt Killock <matt.killock@praemium.com> wrote: > > The rule you made here makes little sense , It would be preferable to make a more simple rule at "the top" like this ... > > > > This will allow "all" traffic for rules you have already allowed through other rules in the FW ( no matter the IP or interface ) . > > I note that it would be simpler to have one such rule for RELATED,ESTABLISHED but that's not the way we've done things here, much to Noel's disgust. :) > > We've blocked everything, including OUTPUT, by default. There are no general SNAT rules or MASQUERADE. We've tried to allow only the bare minimum required for two-way traffic between a small set of host/port combinations. This has led to some unnecessary duplication of ESTABLISHED rules, and I didn't appreciate that RELATED traffic is what the 'REJECT with TCP-Reset' traffic is classed as but otherwise it makes (some) sense and does work. This doesn't make much sense. A RELATED packet is the first packet of a new conn that a helper has determined is related to an existing conn (e.g., the data conn of an FTP control session). Once a RELATED packet is replied to, the resulting conn is an ordinary, vanilla ESTABLISHED conn; specifically, the RELATED 'tag' is discarded. When a packet matches a "REJECT with TCP-Reset" rule, netfilter immediately sends a TCP RESET to the end that sent the packet. It may be that TCP RESET applies to the first TCP SYN packet of a conn. But RESETting only established TCP conns and using ICMP 'admin prohibited' for all other packets works well and is logical. It almost sounds like you built a nearly stateless firewall. A rule near the top that allows packets for ESTABLISHED,RELATED conns to pass is more efficient, and is probably significantly more-so on a busy router because *most* packets will be associated with established conns and should be handled without needlessly passing them through all the 'new conn' checks. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Iptables Reject with TCP Reset 2017-01-10 18:32 ` Neal P. Murphy @ 2017-01-10 19:29 ` Matt Killock 2017-01-11 10:21 ` André Paulsberg-Csibi (IBM Consultant) 0 siblings, 1 reply; 16+ messages in thread From: Matt Killock @ 2017-01-10 19:29 UTC (permalink / raw) To: Neal P. Murphy; +Cc: netfilter, netfilter-owner > This doesn't make much sense. A RELATED packet is the first packet of > a new conn that a helper has determined is related to an existing conn > (e.g., the data conn of an FTP control session). Once a RELATED packet > is replied to, the resulting conn is an ordinary, vanilla ESTABLISHED > conn; specifically, the RELATED 'tag' is discarded. When a packet > matches a "REJECT with TCP-Reset" rule, netfilter immediately sends a > TCP RESET to the end that sent the packet. Sounds nice in theory, but reality bites back. RELATED also applies to the TCP Reset packets to SYN packets. I just tried this at home to confirm my findings. Please review the below firewall script. It does not send the TCP RST packets unless you make one minor change: To add 'RELATED,' to the line underneath '#General State Matching' Please note that it has the single state matching lines as recommended by various others on this list. > It almost sounds like you built a nearly stateless firewall. It's more or less like the below but duplicates ESTABLISHED everywhere ------------------------------ A='/sbin/iptables' EXIF='ppp0' LANIF='eth1' #Clear $A -F $A -F INPUT $A -F OUTPUT $A -F FORWARD $A -F -t mangle $A -F -t nat $A -X #Setup policies $A -P INPUT DROP $A -P OUTPUT DROP $A -P FORWARD DROP echo "1" > /proc/sys/net/ipv4/ip_forward # Some basics # Accept loopback interface $A -A INPUT -i lo -j ACCEPT A='/sbin/iptables' EXIF='ppp0' LANIF='eth1' #Clear $A -F $A -F INPUT $A -F OUTPUT $A -F FORWARD $A -F -t mangle $A -F -t nat $A -X #Setup policies $A -P INPUT DROP $A -P OUTPUT DROP $A -P FORWARD DROP echo "1" > /proc/sys/net/ipv4/ip_forward # Some basics # Accept loopback interface $A -A INPUT -i lo -j ACCEPT $A -A OUTPUT -o lo -j ACCEPT # SSH from LAN $A -A INPUT -i $LANIF -p tcp --dport 22 -j ACCEPT #general NAT $A -t nat -A POSTROUTING -o $EXIF -j MASQUERADE #General State Matching $A -A OUTPUT -m state --state ESTABLISHED -j ACCEPT $A -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT #Allowed HTTP/HTTPS Sites #bbc $A -A FORWARD -i $LANIF -o $EXIF -d 212.58.244.22 -p tcp -m multiport --dports '80,443' -j ACCEPT #Send RST to LAN for all other 80/443 connections $A -A FORWARD -i $LANIF -p tcp -m multiport --dports '80,443' -j REJECT --reject-with tcp-reset -------------------- Matt ^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: Iptables Reject with TCP Reset 2017-01-10 19:29 ` Matt Killock @ 2017-01-11 10:21 ` André Paulsberg-Csibi (IBM Consultant) 2017-01-11 10:34 ` Matt Killock 0 siblings, 1 reply; 16+ messages in thread From: André Paulsberg-Csibi (IBM Consultant) @ 2017-01-11 10:21 UTC (permalink / raw) To: Matt Killock, Neal P. Murphy Cc: netfilter@vger.kernel.org, netfilter-owner@vger.kernel.org After your mail now I am prudent to test this more thou I have somewhat verified in a test FW that you do not need RELATED rule for the IPTABLES to be allowed to generate a TCP RST packet internally . From what you sent me directly , you also allowed this in the OUTPUT chain which makes no sense to me ... ... but it maybe that the rules set has somehow been "broken" and it is now causing un-intended packet handling . I will try to change my OUTPUT rules to LOG any output that is regarded as RELATED with full options , That will not change anything in the FW rules itself just add a LOG entry at the start of the OUTPUT chain to see if TCP RST generated inside the IPTABLES FORWARD chain has to pass the OUTPUT chain at any time ... Best regards Andr√© Paulsberg-Csibi Senior Network Engineer Fault Handling IBM Services AS -----Original Message----- From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Matt Killock Sent: 10. januar 2017 20:30 To: Neal P. Murphy <neal.p.murphy@alum.wpi.edu> Cc: netfilter@vger.kernel.org; netfilter-owner@vger.kernel.org Subject: Re: Iptables Reject with TCP Reset > This doesn't make much sense. A RELATED packet is the first packet of > a new conn that a helper has determined is related to an existing conn > (e.g., the data conn of an FTP control session). Once a RELATED packet > is replied to, the resulting conn is an ordinary, vanilla ESTABLISHED > conn; specifically, the RELATED 'tag' is discarded. When a packet > matches a "REJECT with TCP-Reset" rule, netfilter immediately sends a > TCP RESET to the end that sent the packet. Sounds nice in theory, but reality bites back. RELATED also applies to the TCP Reset packets to SYN packets. I just tried this at home to confirm my findings. Please review the below firewall script. It does not send the TCP RST packets unless you make one minor change: To add 'RELATED,' to the line underneath '#General State Matching' Please note that it has the single state matching lines as recommended by various others on this list. > It almost sounds like you built a nearly stateless firewall. It's more or less like the below but duplicates ESTABLISHED everywhere ------------------------------ A='/sbin/iptables' EXIF='ppp0' LANIF='eth1' #Clear $A -F $A -F INPUT $A -F OUTPUT $A -F FORWARD $A -F -t mangle $A -F -t nat $A -X #Setup policies $A -P INPUT DROP $A -P OUTPUT DROP $A -P FORWARD DROP echo "1" > /proc/sys/net/ipv4/ip_forward # Some basics # Accept loopback interface $A -A INPUT -i lo -j ACCEPT A='/sbin/iptables' EXIF='ppp0' LANIF='eth1' #Clear $A -F $A -F INPUT $A -F OUTPUT $A -F FORWARD $A -F -t mangle $A -F -t nat $A -X #Setup policies $A -P INPUT DROP $A -P OUTPUT DROP $A -P FORWARD DROP echo "1" > /proc/sys/net/ipv4/ip_forward # Some basics # Accept loopback interface $A -A INPUT -i lo -j ACCEPT $A -A OUTPUT -o lo -j ACCEPT # SSH from LAN $A -A INPUT -i $LANIF -p tcp --dport 22 -j ACCEPT #general NAT $A -t nat -A POSTROUTING -o $EXIF -j MASQUERADE #General State Matching $A -A OUTPUT -m state --state ESTABLISHED -j ACCEPT $A -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT #Allowed HTTP/HTTPS Sites #bbc $A -A FORWARD -i $LANIF -o $EXIF -d 212.58.244.22 -p tcp -m multiport --dports '80,443' -j ACCEPT #Send RST to LAN for all other 80/443 connections $A -A FORWARD -i $LANIF -p tcp -m multiport --dports '80,443' -j REJECT --reject-with tcp-reset -------------------- Matt -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: Iptables Reject with TCP Reset 2017-01-11 10:21 ` André Paulsberg-Csibi (IBM Consultant) @ 2017-01-11 10:34 ` Matt Killock 0 siblings, 0 replies; 16+ messages in thread From: Matt Killock @ 2017-01-11 10:34 UTC (permalink / raw) To: André Paulsberg-Csibi (IBM Consultant) Cc: Neal P. Murphy, netfilter, netfilter-owner On 2017-01-11 10:21, André Paulsberg-Csibi wrote: > From what you sent me directly , you also allowed this in the OUTPUT > chain which makes no sense to me ... > ... but it maybe that the rules set has somehow been "broken" and it > is now causing un-intended packet handling . You might need INPUT, OUTPUT & FORWARD policies all to be 'DROP' for this behaviour. I reproduced this at home using the below script (now corrected for copy/paste errors) It's very basic, and should allow you to telnet from an internal host to the allowed HTTP site but refuse all other port 80's I used tcpdump on the firewall to monitor the LAN interface. -------------------------------------------------- A='/sbin/iptables' EXIF='ppp0' LANIF='eth1' #Clear $A -F $A -F INPUT $A -F OUTPUT $A -F FORWARD $A -F -t mangle $A -F -t nat $A -X #Setup policies $A -P INPUT DROP $A -P OUTPUT DROP $A -P FORWARD DROP echo "1" > /proc/sys/net/ipv4/ip_forward # Some basics # Accept loopback interface $A -A INPUT -i lo -j ACCEPT $A -A OUTPUT -o lo -j ACCEPT # SSH from LAN $A -A INPUT -i $LANIF -p tcp --dport 22 -j ACCEPT #general NAT $A -t nat -A POSTROUTING -o $EXIF -j MASQUERADE #General State Matching $A -A OUTPUT -m state --state ESTABLISHED -j ACCEPT $A -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT #Allowed HTTP/HTTPS Sites #bbc $A -A FORWARD -i $LANIF -o $EXIF -d 212.58.244.22 -p tcp -m multiport --dports '80,443' -j ACCEPT #Send RST to LAN for all other 80/443 connections $A -A FORWARD -i $LANIF -p tcp -m multiport --dports '80,443' -j REJECT --reject-with tcp-reset -------------------------- Matt ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Iptables Reject with TCP Reset 2017-01-06 16:28 ` Matt Killock 2017-01-06 16:35 ` Noel Kuntze @ 2017-01-06 17:30 ` Ethy H. Brito 2017-01-06 23:26 ` Neal P. Murphy 2 siblings, 0 replies; 16+ messages in thread From: Ethy H. Brito @ 2017-01-06 17:30 UTC (permalink / raw) To: Matt Killock, netfilter@vger.kernel.org On Fri, 6 Jan 2017 16:28:31 +0000 Matt Killock <matt.killock@praemium.com> wrote: > > Depends on your rule set. Check and fix it. The target usually works. > > As a test, I made the very first FORWARD rule this: > > iptables -A FORWARD -i eth1 -p tcp -s 192.168.20.0/24 -d 212.58.244.71 > --dport 80 -j REJECT --reject-with tcp-reset > > 'iptables -n -L' output: > > Chain FORWARD (policy DROP) > target prot opt source destination > REJECT tcp -- 192.168.20.0/24 212.58.244.71 tcp dpt:80 > reject-with tcp-reset > > > However, no Reset packets can be observed: > > # tcpdump -ni eth1 host 192.168.20.164 > 16:23:00.706667 IP 192.168.20.164.50105 > 212.58.244.71.80: Flags [SEW], seq > 2763730948, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length > 0 16:23:02.717733 IP 192.168.20.164.50106 > 212.58.244.71.80: Flags [SEW], > seq 2464499683, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], > length 0 > > If this does usually work then could you give me a clue on what ruleset it > does work with? > Is the 192.168.20.0/24 network at the "same side" of eth1 ?? The rule, as it is written, expects an incoming packet thru eth1 and outgoing thru any interface towards port 80. Therefore 192.168.20.0/24 must be at the "same side" of the eth1. Ethy ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Iptables Reject with TCP Reset 2017-01-06 16:28 ` Matt Killock 2017-01-06 16:35 ` Noel Kuntze 2017-01-06 17:30 ` Ethy H. Brito @ 2017-01-06 23:26 ` Neal P. Murphy 2017-01-06 23:40 ` Noel Kuntze 2 siblings, 1 reply; 16+ messages in thread From: Neal P. Murphy @ 2017-01-06 23:26 UTC (permalink / raw) Cc: netfilter@vger.kernel.org On Fri, 6 Jan 2017 16:28:31 +0000 Matt Killock <matt.killock@praemium.com> wrote: > > Depends on your rule set. Check and fix it. The target usually works. > > As a test, I made the very first FORWARD rule this: > > iptables -A FORWARD -i eth1 -p tcp -s 192.168.20.0/24 -d 212.58.244.71 --dport 80 -j REJECT --reject-with tcp-reset Dumb question: can you reset a TCP conn that isn't ESTABLISHED? I don't think a TCP reset applies to the first SYN packet. Here are the rules I use when a conn passes outside its allowed time frame: -A timedaction -p tcp -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset -A timedaction -j REJECT --reject-with icmp-admin-prohibited When a packet is received for an established TCP conn, a reset is returned to the sender. Each direction is handled separately. Once a particular direction has been reset, it is no longer ESTABLISHED, and further packets in that direction are rejected with ICMP 'admin prohibited' packets. In short, each direction of established TCP conns is reset individually. All other conns, including each reset direction of TCP conns, are rejected via ICMP. N ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Iptables Reject with TCP Reset 2017-01-06 23:26 ` Neal P. Murphy @ 2017-01-06 23:40 ` Noel Kuntze 0 siblings, 0 replies; 16+ messages in thread From: Noel Kuntze @ 2017-01-06 23:40 UTC (permalink / raw) To: Neal P. Murphy; +Cc: netfilter@vger.kernel.org [-- Attachment #1.1: Type: text/plain, Size: 878 bytes --] On 07.01.2017 00:26, Neal P. Murphy wrote: > Dumb question: can you reset a TCP conn that isn't ESTABLISHED? I don't think a TCP reset applies to the first SYN packet. Yes, you can and have to. It's specified as such. It does. > -A timedaction -p tcp -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset > -A timedaction -j REJECT --reject-with icmp-admin-prohibited You should reject all TCP packets, not just the ones that belong to an established connection. > and further packets in that direction are rejected with ICMP 'admin prohibited' packets. That's invalid behaviour. See above. > All other conns, including each reset direction of TCP conns, are rejected via ICMP. See above. -- Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 866 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2017-01-11 10:34 UTC | newest]
Thread overview: 16+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-01-06 15:19 Iptables Reject with TCP Reset Matt Killock
2017-01-06 16:09 ` Noel Kuntze
2017-01-06 16:28 ` Matt Killock
2017-01-06 16:35 ` Noel Kuntze
[not found] ` <HK2PR0201MB212932A38853DB306E300014E8630@HK2PR0201MB2129.apcprd02.prod.outlook.com>
2017-01-06 17:52 ` Noel Kuntze
2017-01-09 10:45 ` Matt Killock
2017-01-10 7:35 ` André Paulsberg-Csibi (IBM Consultant)
2017-01-10 10:09 ` Matt Killock
2017-01-10 11:41 ` André Paulsberg-Csibi (IBM Consultant)
2017-01-10 18:32 ` Neal P. Murphy
2017-01-10 19:29 ` Matt Killock
2017-01-11 10:21 ` André Paulsberg-Csibi (IBM Consultant)
2017-01-11 10:34 ` Matt Killock
2017-01-06 17:30 ` Ethy H. Brito
2017-01-06 23:26 ` Neal P. Murphy
2017-01-06 23:40 ` Noel Kuntze
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.