iptable 1.2.11 and kernel 2.6.11-1 compatibility issue

iptable 1.2.11 and kernel 2.6.11-1 compatibility issue

[Thibault Le Meur]

Hi,

I've got a strange behaviour on a Linux Fedora system with:
* kernel : kernel-2.6.11-1.27_FC3
* iptables: iptables-1.2.11-3.1.FC3

On with this kernel the iptables rules on the loopback interface _must_be_
changed from:
iptables -A INPUT  -i lo  -m state --state NEW  -j ACCEPT
iptables -A OUTPUT  -o lo  -m state --state NEW  -j ACCEPT
To:
iptables -A INPUT  -i lo   -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT  -o lo   -s 127.0.0.1 -d 127.0.0.1  -j ACCEPT

Otherwise some trafic on the loopback interface is dropped:
* for instance a simple ssh localhost results in the following log
Jun  1 17:01:52 crikitu kernel: RULE 4 -- DENY IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=75 TOS=0x00 PREC=0x00 TTL=64 ID=54315 DF PROTO=TCP SPT=22 DPT=33769
WINDOW=8192 RES=0x00 ACK PSH URGP=0

Note that this modification wasn't necessary with my old kernel
(kernel-2.6.11-1.14_FC3).

A bug is already opened on the Fedora's bugzilla
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=158710) but I'd like
to know if anyone here has an idea of what is occurring.
Is it a known issue? If this is not the best list to ask for this, is there
a better list to get support from?

Thank you in advance.
Thibault.

Re: iptable 1.2.11 and kernel 2.6.11-1 compatibility issue

[Taylor, Grant]

> iptables -A INPUT  -i lo  -m state --state NEW  -j ACCEPT
> iptables -A OUTPUT  -o lo  -m state --state NEW  -j ACCEPT

If your firewall has a policy of DROP for any traffic that is not explicitly allowed then this rule would not work for any thing other than the first packet.  Try using this instead:

iptables -A INPUT  -i lo  -m state --state NEW,RELATED,ESTABLISHED  -j ACCEPT
iptables -A OUTPUT  -o lo  -m state --state NEW,RELATED,ESTABLISHED  -j ACCEPT

I'm just shooting from the hip here, but that would be my first guess.



Grant. . . .

RE : iptable 1.2.11 and kernel 2.6.11-1 compatibility issue

[Thibault Le Meur]

Thanks for your reply,

> > iptables -A INPUT  -i lo  -m state --state NEW  -j ACCEPT
> > iptables -A OUTPUT  -o lo  -m state --state NEW  -j ACCEPT
> 
> If your firewall has a policy of DROP for any traffic that is not
> explicitly allowed then this rule would not work for any thing other than
> the first packet.  Try using this instead:

You're right, but in fact I didn't give the whole configuration. The
iptables script is generated by Fwbuilder and the following lines are
relevant:

# Default policy is to DROP everything
$IPTABLES -P OUTPUT  DROP
$IPTABLES -P INPUT   DROP
$IPTABLES -P FORWARD DROP

# First accept any related, established packets
$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Then Rule 0 for the loopback interface
#
$IPTABLES -A INPUT  -i lo  -m state --state NEW  -j ACCEPT
$IPTABLES -A OUTPUT  -o lo  -m state --state NEW  -j ACCEPT

#
# Then other traffic rules for eth0, and non-interface specific rules
#

> ...Try using this instead:
> iptables -A INPUT  -i lo  -m state --state NEW,RELATED,ESTABLISHED  -j
> ACCEPT
> iptables -A OUTPUT  -o lo  -m state --state NEW,RELATED,ESTABLISHED  -j
> ACCEPT

I think the "# First accept any related, established packets" rules should
do the same as the proposed modification.

Am I right?

Thibault

Re: RE : iptable 1.2.11 and kernel 2.6.11-1 compatibility issue

[Taylor, Grant]

Thibault Le Meur wrote:
> Thanks for your reply,

*nod*  No problem.

> You're right, but in fact I didn't give the whole configuration. The
> iptables script is generated by Fwbuilder and the following lines are
> relevant:
> 
> # Default policy is to DROP everything
> $IPTABLES -P OUTPUT  DROP
> $IPTABLES -P INPUT   DROP
> $IPTABLES -P FORWARD DROP
> 
> # First accept any related, established packets
> $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> #
> # Then Rule 0 for the loopback interface
> #
> $IPTABLES -A INPUT  -i lo  -m state --state NEW  -j ACCEPT
> $IPTABLES -A OUTPUT  -o lo  -m state --state NEW  -j ACCEPT
> 
> I think the "# First accept any related, established packets" rules should
> do the same as the proposed modification.
> 
> Am I right?

I would think so and agree with you on this one.

I'm taking it that there is more to your script?  If that is the case could we see the entire script or at the very least an output of iptables-save after your script has run?



Grant. . . .

RE : iptable 1.2.11 and kernel 2.6.11-1 compatibility issue

[Thibault Le Meur]

> could we see the entire script or at the very least an output of iptables-
> save after your script has run?

The issue is related to a bug that was recently patched into Netfilter
(https://lists.netfilter.org/pipermail/netfilter-devel/2005-May/019543.html)

Here is the script I used to confirm the bug:
----------------------------------------------------------------------------
----------------------------------------------------------------------------
#!/bin/sh
#
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
IPTABLES="/sbin/iptables"

# Default policy
$IPTABLES -P OUTPUT  DROP
$IPTABLES -P INPUT   DROP
$IPTABLES -P FORWARD DROP

# Flush tables
cat /proc/net/ip_tables_names | while read table; do
  test "X$table" = "Xmangle" && continue
  $IPTABLES -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        $IPTABLES -t $table -F $chain
      fi
  done
  $IPTABLES -t $table -X
done

# Accept related, established
$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Rule 0 (lo)"
# Added to confirm the bug
$IPTABLES -N lo_INVALID_RULE
$IPTABLES -A INPUT  -i lo  -m state --state INVALID  -j lo_INVALID_RULE
$IPTABLES -A OUTPUT  -o lo  -m state --state INVALID  -j lo_INVALID_RULE
$IPTABLES -A lo_INVALID_RULE -j LOG  --log-level info --log-prefix
"lo_INVALID_RULE - Accept "
$IPTABLES -A lo_INVALID_RULE -j ACCEPT

# Standard loopback rule
$IPTABLES -N lo_NEW_RULE
$IPTABLES -A INPUT  -i lo  -m state --state NEW  -j lo_NEW_RULE
$IPTABLES -A OUTPUT  -o lo  -m state --state NEW  -j lo_NEW_RULE
$IPTABLES -A lo_NEW_RULE -j LOG  --log-level info --log-prefix "lo_NEW_RULE
- Accept "
$IPTABLES -A lo_NEW_RULE -j ACCEPT

# Simple test policy
$IPTABLES -A OUTPUT  -s 160.228.120.129  -m state --state NEW  -j ACCEPT
$IPTABLES -A INPUT  -d 160.228.120.129  -p tcp -m tcp  --dport 22 -m state
--state NEW  -j ACCEPT
----------------------------------------------------------------------------
----------------------------------------------------------------------------


With this script and the Fedora new kernel-2.6.11-1.27_FC3, a "ssh
localhost" command results in the following logs:
Jun  2 10:47:41 MYHOST kernel: lo_NEW_RULE - Accept IN= OUT=lo SRC=127.0.0.1
DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47020 DF PROTO=TCP
SPT=52640 DPT=22 WINDOW=32767 RES=0x00 SYN URGP=0
Jun  2 10:47:41 MYHOST kernel: lo_NEW_RULE - Accept IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47020 DF PROTO=TCP SPT=52640 DPT=22
WINDOW=32767 RES=0x00 SYN URGP=0
Jun  2 10:47:41 MYHOST kernel: lo_INVALID_RULE - Accept IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=75 TOS=0x00 PREC=0x00 TTL=64 ID=40002 DF PROTO=TCP SPT=22 DPT=52640
WINDOW=8192 RES=0x00 ACK PSH URGP=0
Jun  2 10:47:41 MYHOST kernel: lo_INVALID_RULE - Accept IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=74 TOS=0x00 PREC=0x00 TTL=64 ID=47026 DF PROTO=TCP SPT=52640 DPT=22
WINDOW=8192 RES=0x00 ACK PSH URGP=0

Thanks again,
Thibault