two negatived parameters

two negatived parameters

[Akolinare]

Hi,

I have a little question with two negatived parameters in one rule.

I create a rule, which should only match if source and destination are not
the given. I think that it is easy and try the following rule:

iptables -A FORWARD -s ! host1 -d ! host2 -j ACCEPT

But with this rule pakets from host1 to host3 (or from host2 to host3) were
not affected. It seems like the logical combination is OR and not AND unlike
the not negatived rule.
I think that the rule is logical right. Is it a little bug or have I
misunderstood something?

I used the version 1.2.11 with kernel 2.4.26.

  Markus

-- 
NEU: Bis zu 10 GB Speicher für e-mails & Dateien!
1 GB bereits bei GMX FreeMail http://www.gmx.net/de/go/mail

Re: two negatived parameters

[Alistair Tonner]

On September 6, 2004 04:28 am, Akolinare@gmx.net wrote:
> Hi,
>
> I have a little question with two negatived parameters in one rule.
>
> I create a rule, which should only match if source and destination are not
> the given. I think that it is easy and try the following rule:
>
> iptables -A FORWARD -s ! host1 -d ! host2 -j ACCEPT
>
> But with this rule pakets from host1 to host3 (or from host2 to host3) were
> not affected. It seems like the logical combination is OR and not AND
> unlike the not negatived rule.
> I think that the rule is logical right. Is it a little bug or have I
> misunderstood something?
>
> I used the version 1.2.11 with kernel 2.4.26.
>
>   Markus

	I take it to mean that packets from host2 to host 3 were NOT accepted by this 
rule? ... What do the counters for the rule say? ( iptables -L -n -v -x  ).

	What other rules exist that might affect said packets? -- I note the above is  
an ADD.  Could rules farther up the FORWARD chain have already 
accepted/denied the said packets?

	FYI -- I just tested this by inserting a double negative rule in my firewall 

	iptables -I tcp_packets -p tcp -s ! {internal_lan} -d ! {internal lan ip} 
--dport 25 -j allowed 

	and sending myself an email from outside.  The packet counter incremented 
appropriately.

	2.6.7 linux iptables 1.2.11

	and now that rule is gone.

	Alistair

Re: two negatived parameters

[Cedric Blancher]

Le lun 06/09/2004 à 10:28, Akolinare@gmx.net a écrit :
> I create a rule, which should only match if source and destination are not
> the given. I think that it is easy and try the following rule:
> iptables -A FORWARD -s ! host1 -d ! host2 -j ACCEPT
> But with this rule pakets from host1 to host3 (or from host2 to host3) were
> not affected. It seems like the logical combination is OR and not AND unlike
> the not negatived rule.

When you build a rule, all parameters are combined with an AND, and it's
logical (to me) that it is style the case here. When you write :

	iptables -A FORWARD -s host1 -d host2 -j ACCEPT

You say :

	if packet is (from host1) AND (to host2) then ACCEPT

Now, if you negate a parameter, you only negate this one, not a couple
of them. So you get :

	if packet is (not from host1) AND (not to host2) then ACCEPT

Which can be translated as :

	if packet is not (from host1 OR to host2) then ACCEPT

And it explains why your packets are not matched, as your test packet is
from host1. So there's no bug (imho) ;)

But there's something about the second packet that should matche (host2
to host3). Can you confirm that this very packet does not match ? As
Alistair, I did a similar test (iptables 1.2.11 on 2.6.5 kernel) on a
double negative rule and it matched.


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

Re: two negatived parameters

[Jason Opperisano]

On Mon, 2004-09-06 at 04:28, Akolinare@gmx.net wrote:
> Hi,
> 
> I have a little question with two negatived parameters in one rule.
> 
> I create a rule, which should only match if source and destination are not
> the given. I think that it is easy and try the following rule:
> 
> iptables -A FORWARD -s ! host1 -d ! host2 -j ACCEPT
> 
> But with this rule pakets from host1 to host3 (or from host2 to host3) were
> not affected. It seems like the logical combination is OR and not AND unlike
> the not negatived rule.
> I think that the rule is logical right. Is it a little bug or have I
> misunderstood something?
> 
> I used the version 1.2.11 with kernel 2.4.26.
> 
>   Markus

a rule matches only when all the parameters are true.  a packet from
host1 does not match your example rule (it explicitly says "-s !
host1"), and this is how it should work.  consider the non-negative
example:

  -A FORWARD -s host1 -d host2 -j ACCEPT

would you propose that a packet from host1 to host3 should match that
rule?  i don't think so...

in your example rule, as soon as the source is host1 or the destination
is host2--the rule no longer matches.

-j

-- 
Jason Opperisano <opie@817west.com>

Re: two negatived parameters

[Aleksandar Milivojevic]

Akolinare@gmx.net wrote:
> Hi,
> 
> I have a little question with two negatived parameters in one rule.
> 
> I create a rule, which should only match if source and destination are not
> the given. I think that it is easy and try the following rule:
> 
> iptables -A FORWARD -s ! host1 -d ! host2 -j ACCEPT
> 
> But with this rule pakets from host1 to host3 (or from host2 to host3) were
> not affected. It seems like the logical combination is OR and not AND unlike
> the not negatived rule.
> I think that the rule is logical right. Is it a little bug or have I
> misunderstood something?

If src is host1 and dst is host3 you get:

not true and not false = false and true = false

So the rule does not match, and packets from host1 to host3 will not be 
affected by it.  Also, note that "not host1 and not host2" is logically 
the same thing as "not (host1 or host2)".  Which was probably the reason 
why it looked like an or to you.  Double negations in human languages do 
not always translate well into negations in computer languages.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

Re: two negatived parameters

[Jason Opperisano]

On Mon, 2004-09-06 at 04:28, Akolinare@gmx.net wrote:
> I create a rule, which should only match if source and destination are not
> the given. I think that it is easy and try the following rule:
> 
> iptables -A FORWARD -s ! host1 -d ! host2 -j ACCEPT
> 
> But with this rule pakets from host1 to host3 (or from host2 to host3) were
> not affected. It seems like the logical combination is OR and not AND unlike
> the not negatived rule.
> I think that the rule is logical right. Is it a little bug or have I
> misunderstood something?

not to beat this thread to death...but if your original intention was to
ACCEPT any traffic not from host1 OR any traffic not to host2, try
explicitly dropping the specific traffic, rather than trying to
implicitly allow traffic as a negation:

  iptables -A FORWARD -s host1 -j DROP
  iptables -A FORWARD -d host2 -j DROP
  iptables -A FORWARD -j ACCEPT

or--if your intention was to jump to a custom chain where the source is
not host1 nor is the destination host2:

  iptables -A FORWARD -s ! host1 -j custom
    iptables -A custom -d host2 -j RETURN
    # neither the source is host1, 
    # nor the dest is host2 at this point in the chain
    iptables -A custom [ ... ]

hope this helps you get towards your goal...

-j

-- 
Jason Opperisano <opie@817west.com>

Re: two negatived parameters

[Akolinare]

> I take it to mean that packets from host2 to host 3 were NOT accepted by
this 
> rule? ... What do the counters for the rule say? ( iptables -L -n -v -x 
).

yes, I already look after the counter. A paket from host2 to host3 dont
increase the counter. 

> What other rules exist that might affect said packets? -- I note the above
is  
> an ADD.  Could rules farther up the FORWARD chain have already 
> accepted/denied the said packets?

this was only a example. I tested also on a other pc, with has normal no
rulesset to be sure.

> FYI -- I just tested this by inserting a double negative rule in my
firewall 
> 
> iptables -I tcp_packets -p tcp -s ! {internal_lan} -d ! {internal lan ip} 
> --dport 25 -j allowed 
> 
> and sending myself an email from outside.  The packet counter incremented 
> appropriately.

Sorry, but why are you able to send with this rule a mail from outside to a
mailserver in your internal network? I suppose, that with the "-d !
{internal lan ip}" it ist not possible to send a paket to your mailserver.

> well... my two cents :-)
>
> iptables -A FORWARD -s host1 -d host2 -j DROP

well sorry it is not that easy as it seems. The rule should forward pakets
to a user-chain only if host1 ist not the source and host2 are is not the
destination.

I also tested with the 2.6.7 kernel and 1.2.11, so I can exclude this.

-- 
Supergünstige DSL-Tarife + WLAN-Router für 0,- EUR*
Jetzt zu GMX wechseln und sparen http://www.gmx.net/de/go/dsl

Re: two negatived parameters

[Aleksandar Milivojevic]

Akolinare@gmx.net wrote:
>>iptables -A FORWARD -s host1 -d host2 -j DROP
> 
> well sorry it is not that easy as it seems. The rule should forward pakets
> to a user-chain only if host1 ist not the source and host2 are is not the
> destination.

Actually, it is...  Let draw things out, so that you can see clearly 
where you made mistake...

What you have is !A AND !B, which is the same thing as !(A OR B), which 
gives you following table:

A B T
0 0 1
0 1 0
1 0 0
1 1 0

This obviously is not what you wanted.  It matches only when both source 
and destination of the packet are not as specified.

What you want is logical operation that will result in this table:

A B T
0 0 1
0 1 1
1 0 1
1 1 0

Translated from table to formula, this would be !(A AND B) (it is 
trivial to see that above is negated AND operator table), which could 
also be written as !A OR !B (if you preffer this form).  Now, AFAIK, 
neither of those can be acomplished directly in Netfilter as one liner. 
  You can only use and operator, and you can negate arguments only 
directly, and somehow I doubt you can specify -s or -d multiple times on 
same line.  But as a workaround, what  somebody (you ommited who when 
quoting) suggested will do exactly what you want:

    iptables -A FORWARD -s host1 -d host2 -j DROP
    iptables -A FORWARD -j ACCEPT

The first line will drop what you wanted to drop.  The second will 
accept all the rest.  Unless there were more rules to follow and more 
checks to be done for host1 and host2 (in which case, you can do them in 
user defined chain, and change first line to jump there instead of 
dropping packet right away).  Something along the lines of:

    iptables -A FORWARD -s host1 -d host2 -j SOMETHING
    iptables -A FORWARD -j ACCEPT
    iptables -N SOMETHING
    iptables -A SOMETHING -p tcp --dport 80 -j ACCEPT
    iptables -A SOMETHING -j DROP

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7