* Stateful SOCKS filter
@ 2006-03-09 12:16 Peter Christensen
From: Peter Christensen @ 2006-03-09 12:16 UTC (permalink / raw)
To: netfilter-devel
Hi,
I'm currently in the development of a transparent firewall bridge, whose
sole purpose is to filter out everything but LAN traffic and traffic for
a list of privileged servers on the Internet. Since it is meant to work
on a bunch of different network configurations out-of-box, it must be
able to detect and filter proxy traffic as well.
My problem is specifically with making a SOCKS filter. I've done it in
user-space with great success (basically a state machine), but I
naturally want this to be done in iptables. And here is the real question:
Is there any preferred "smart" way of doing this kind of stateful
filter, where some upper software layer handles the actual connection
for me, if you follow me? At first I thought connection tracking was the
way to go, but apparently this is primarily for temporarily accepting a
given connection based on the content of another connection.
I CAN solve the whole thing just by making a basic match filter, having
my own array of current connections with their appropriate SOCKS state
(This is basically what my user-space equivalent does), but I think that
it is quite a lot of work, especially if a similar thing is already done
elsewhere in the kernel. After all, the bridge does not have a
tremendous amount of processing power!
I apologize if I'm just too uninformed, but I've so far failed to find
any documentation of how to make an actual stateful filter, whose
purpose was NOT to help out NAT etc.
--
Best regards
Peter Christensen
Developer
------------------
Cool Systems ApS
Tel: +45 2888 1600
@ : pch@coolsystems.dk
www: www.coolsystems.dk
* Re: Stateful SOCKS filter
From: Alexey Toptygin @ 2006-03-09 13:08 UTC (permalink / raw)
To: Peter Christensen; +Cc: netfilter-devel
Perhaps libipq and the QUEUE target will do what you want?
Alexey
* Re: Stateful SOCKS filter
From: Peter Christensen @ 2006-03-09 13:45 UTC (permalink / raw)
To: Alexey Toptygin; +Cc: netfilter-devel
AFAIK libipq is about having filters in user space which really isn't my
issue. I have no problem writing kernel modules, and moving stuff into
user space will only make more overhead without actually adding anything
useful.
What I am searching for is some solution so that I will not have to keep
track of all ongoing connections manually. I imagine that this is
already done somewhere in iptables, and if so I find it a waste of time to
do it again, and spend time creating hash tables etc. etc.
As I pointed out, there isn't really much CPU power. Actually, the
perfect solution would be to write my own OS for the bridge, since I can then
minimize useless overhead all around, but this will without doubt take
significantly more time than just writing modules for iptables in Linux.
Claims are that netfilter has stateful packet filtering, which I
interpret as an interface which makes it easy to create state machines
on IPv4 TCP connections, but I probably have misinterpreted the idea of
"stateful packet filtering". I imagine a callback such as this (simplified):
int stateful_callback (netfilter_conn_t *conn) {
    switch (conn->state) {
    case STATE_1:
        if (foo)
            conn->state = STATE_2;   /* advance on the expected input */
        /* otherwise stay in STATE_1 and wait for more data */
        break;
    case STATE_2:
        // Stuff
        ...
    }
    /* terminal state decides the verdict for this packet */
    return (conn->state == STATE_n ? NF_DROP : NF_ACCEPT);
}
--
Best regards
Peter Christensen
Developer
------------------
Cool Systems ApS
Tel: +45 2888 1600
@ : pch@coolsystems.dk
www: www.coolsystems.dk
Alexey Toptygin wrote:
>
> Perhaps libipq and the QUEUE target will do what you want?
>
> Alexey
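A per-connection state machine of the kind described in both of Peter's messages, written here as an added example in plain user-space C (not the poster's code and not a netfilter API): it walks the SOCKS5 client greeting and the following CONNECT/BIND/UDP request byte by byte, survives messages split across TCP segments, and yields an accept/drop verdict in the shape of the sketched callback. It looks only at client->server payload; server replies, idle timeouts and the per-flow table that owns each struct are assumed to live in the surrounding code.

```c
/* Added example (not the poster's code): a per-flow SOCKS5 handshake state
 * machine in plain user-space C, the shape a netfilter match would wrap. */
#include <stddef.h>
#include <stdint.h>

/* States of one tracked TCP flow, driven by client->server payload only. */
enum socks_state {
    S_NEW, S_NMETHODS, S_METHODS, S_REQ_VER, S_REQ_CMD, S_REQ_RSV,
    S_REQ_ATYP, S_REQ_DOMLEN, S_REQ_ADDR, S_CONFIRMED, S_NOT_SOCKS
};

struct socks_conn {
    enum socks_state state;
    size_t need;   /* bytes still owed by the current variable-length field */
};

/* Consume payload bytes, possibly split across segments; returns new state. */
enum socks_state socks_feed(struct socks_conn *c, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint8_t b = p[i];
        switch (c->state) {
        case S_NEW:      c->state = (b == 0x05) ? S_NMETHODS : S_NOT_SOCKS; break;
        case S_NMETHODS: c->need = b; c->state = b ? S_METHODS : S_NOT_SOCKS; break;
        case S_METHODS:  if (--c->need == 0) c->state = S_REQ_VER; break;
        case S_REQ_VER:  c->state = (b == 0x05) ? S_REQ_CMD : S_NOT_SOCKS; break;
        case S_REQ_CMD:  c->state = (b >= 1 && b <= 3) ? S_REQ_RSV : S_NOT_SOCKS; break;
        case S_REQ_RSV:  c->state = (b == 0x00) ? S_REQ_ATYP : S_NOT_SOCKS; break;
        case S_REQ_ATYP:                         /* address type decides length */
            if (b == 0x01)      { c->need = 4 + 2;  c->state = S_REQ_ADDR; }  /* IPv4 + port */
            else if (b == 0x04) { c->need = 16 + 2; c->state = S_REQ_ADDR; }  /* IPv6 + port */
            else if (b == 0x03) { c->state = S_REQ_DOMLEN; }                  /* domain name */
            else                { c->state = S_NOT_SOCKS; }
            break;
        case S_REQ_DOMLEN: c->need = (size_t)b + 2; c->state = b ? S_REQ_ADDR : S_NOT_SOCKS; break;
        case S_REQ_ADDR:   if (--c->need == 0) c->state = S_CONFIRMED; break;
        default:           return c->state;  /* S_CONFIRMED and S_NOT_SOCKS are terminal */
        }
    }
    return c->state;
}

/* Verdict in the shape of the callback sketched in the thread: 1 = drop,
 * 0 = accept. Only a fully observed SOCKS5 request is treated as proxying. */
int socks_verdict(const struct socks_conn *c)
{
    return c->state == S_CONFIRMED;
}
```

Once a flow reaches S_NOT_SOCKS it can be released from the table immediately, which is what keeps the per-connection memory small on a low-powered bridge.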
* Re: Stateful SOCKS filter
From: Allen Francom @ 2006-03-09 16:49 UTC (permalink / raw)
To: Peter Christensen; +Cc: netfilter-devel
Once upon a time I interacted with a project called "Hogwash".
This was all layer 2 and seemed to be off to a great start.
Sounds more like what you need, "transparent".
The maintainer resigned, however the code ran, based on
Snort and associated libraries.
With a lot of help from others, I made a binding
for these rules into IPTables via the QUEUE target... but
that wasn't all that clean. Maybe skip the IPTables
entirely, and "do like hogwash did".
2 cents...
On Thu, 9 Mar 2006, Peter Christensen wrote:
> I'm currently in the development of a transparent firewall bridge, whose sole
> purpose is to filter out everything but LAN traffic and traffic for a list of
> privileged servers on the Internet. Since it is meant to work on a bunch of
> different network configurations out-of-box, it must be able to detect and
> filter proxy traffic as well.
* Re: Stateful SOCKS filter
From: Peter Christensen @ 2006-03-10 12:02 UTC (permalink / raw)
To: Allen Francom; +Cc: netfilter-devel
Hmm, I think I'll just do the connection state maintenance manually...
Hopefully I will be able to do it reasonably fast.
--
Best regards
Peter Christensen
Developer
------------------
Cool Systems ApS
Tel: +45 2888 1600
@ : pch@coolsystems.dk
www: www.coolsystems.dk
Allen Francom wrote:
>
>
> Once upon a time I interacted with a project called "Hogwash".
>
> This was all layer 2 and seemed to be off to a great start.
>
> Sounds more like what you need, "transparent".
>
> The maintainer resigned, however the code ran, based on
> Snort and associated libraries.
>
> With a lot of help from others, I made a binding
> for these rules into IPTables via the QUEUE target... but
> that wasn't all that clean. Maybe skip the IPTables
> entirely, and "do like hogwash did".
>
> 2 cents...
>
> On Thu, 9 Mar 2006, Peter Christensen wrote:
>> I'm currently in the development of a transparent firewall bridge,
>> whose sole purpose is to filter out everything but LAN traffic and
>> traffic for a list of privileged servers on the Internet. Since it is
>> meant to work on a bunch of different network configurations
>> out-of-box, it must be able to detect and filter proxy traffic as well.