* Conntrack for related service
@ 2006-08-02 19:47 Mikhail
From: Mikhail @ 2006-08-02 19:47 UTC (permalink / raw)
To: netfilter
Hello,
I have a small network of Windows boxes behind a Linux firewall/router. I run
Debian Sarge 3.1 without X there. I have a server on the LAN that serves
clients from the Internet over an RMI connection on a certain port. RMI is
basically a connection-oriented TCP/IP protocol. I do DNAT for such requests
to that local server. All is working fine so far.
Problem: those clients from the Internet need direct access to the MS SQL
server over TCP/IP on a different port. I want to open and DNAT the MS SQL
port dynamically - if a client already has an ESTABLISHED connection over the RMI
port I want to allow access to the MS SQL port, otherwise I'd like to drop the
request. If the client got disconnected over RMI then it is OK to reject
direct requests from him to MS SQL thereafter. How can this be accomplished
with iptables?
* Re: Conntrack for related service
From: Gáspár Lajos @ 2006-08-03 11:13 UTC (permalink / raw)
To: Netfilter IPtableMailinglist
Mikhail wrote:
> Hello,
>
> I have a small network of Windows boxes behind a Linux firewall/router. I run
> Debian Sarge 3.1 without X there. I have a server on the LAN that serves
> clients from the Internet over an RMI connection on a certain port. RMI is
> basically a connection-oriented TCP/IP protocol. I do DNAT for such requests
> to that local server. All is working fine so far.
>
> Problem: those clients from the Internet need direct access to the MS SQL
> server over TCP/IP on a different port. I want to open and DNAT the MS SQL
> port dynamically - if a client already has an ESTABLISHED connection over the RMI
> port I want to allow access to the MS SQL port, otherwise I'd like to drop the
> request. If the client got disconnected over RMI then it is OK to reject
> direct requests from him to MS SQL thereafter. How can this be accomplished
> with iptables?
>
>
I think that there is no iptables solution...
I would create an IPSec/VPN tunnel... If the user connects then you can
enable all required connections (MSSQL, etc.)
On the other hand, even if you find a solution, I think you cannot
protect your data...
IF the user has an ESTABLISHED connection WITH RMI then he also CAN access
the SQL server even with OTHER programs than the RMI !!!
P.S.: As far as I know, RMI is like RPC under Java ....
* Re: Conntrack for related service
From: Martijn Lievaart @ 2006-08-03 16:03 UTC (permalink / raw)
To: Mikhail; +Cc: netfilter
<quote from="Mikhail">
> Hello,
>
> I have a small network of Windows boxes behind a Linux firewall/router. I run
> Debian Sarge 3.1 without X there. I have a server on the LAN that serves
> clients from the Internet over an RMI connection on a certain port. RMI is
> basically a connection-oriented TCP/IP protocol. I do DNAT for such requests
> to that local server. All is working fine so far.
>
> Problem: those clients from the Internet need direct access to the MS SQL
> server over TCP/IP on a different port. I want to open and DNAT the MS SQL
> port dynamically - if a client already has an ESTABLISHED connection over the RMI
> port I want to allow access to the MS SQL port, otherwise I'd like to drop the
> request. If the client got disconnected over RMI then it is OK to reject
> direct requests from him to MS SQL thereafter. How can this be accomplished
> with iptables?
Should be possible using reject. Something along these lines.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Maybe you restrict this more, for now accept RMI from everywhere
-A FORWARD -p tcp --dport $rmiport -j RMI
-A FORWARD -p tcp --dport $mssql -j MSSQL
... other rules ...
# RMI packets: a FIN forgets the client, anything else records its source address
-A RMI -p tcp --tcp-flags FIN FIN -j RMIFIN
-A RMI -m recent --name rmi --set
-A RMI -j ACCEPT
-A RMIFIN -m recent --name rmi --remove
-A RMIFIN -j ACCEPT
# MSSQL only for source addresses currently in the rmi list
-A MSSQL -m recent --name rmi --rcheck -j ACCEPT
-A MSSQL -j LOG --log-prefix "mssql without rmi "
-A MSSQL -j DROP
HTH,
M4
* RE: Conntrack for related service
From: Mikhail @ 2006-08-05 3:53 UTC (permalink / raw)
To: m; +Cc: netfilter
-----Original Message-----
From: Martijn Lievaart [mailto:m@rtij.nl]
Sent: Thursday, August 03, 2006 12:04 PM
To: Mikhail
Cc: netfilter@lists.netfilter.org
Subject: Re: Conntrack for related service
Should be possible using reject. Something along these lines.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Maybe you restrict this more, for now accept RMI from everywhere
-A FORWARD -p tcp --dport $rmiport -j RMI
-A FORWARD -p tcp --dport $mssql -j MSSQL
... other rules ...
# RMI packets: a FIN forgets the client, anything else records its source address
-A RMI -p tcp --tcp-flags FIN FIN -j RMIFIN
-A RMI -m recent --name rmi --set
-A RMI -j ACCEPT
-A RMIFIN -m recent --name rmi --remove
-A RMIFIN -j ACCEPT
# MSSQL only for source addresses currently in the rmi list
-A MSSQL -m recent --name rmi --rcheck -j ACCEPT
-A MSSQL -j LOG --log-prefix "mssql without rmi "
-A MSSQL -j DROP
HTH,
M4
Thanks a lot for the script - it did the trick! Here is my updated version:
iptables -t mangle -N RMI
iptables -t mangle -N RMIFIN
iptables -t mangle -N MSSQL
iptables -t mangle -A PREROUTING -p tcp -d $external_ip --dport $rmi_port -j RMI
iptables -t mangle -A PREROUTING -p tcp -d $external_ip --dport $mssql_port -j MSSQL
# RST or FIN on the RMI port: forget this client
iptables -t mangle -A RMI -p tcp --tcp-flags RST RST -j RMIFIN
iptables -t mangle -A RMI -p tcp --tcp-flags FIN FIN -j RMIFIN
# any other RMI packet: record (or refresh) the client's source address
iptables -t mangle -A RMI -m recent --name rmi --set
iptables -t mangle -A RMI -j ACCEPT
iptables -t mangle -A RMIFIN -m recent --name rmi --remove
#iptables -t mangle -A RMIFIN -j LOG --log-prefix "rmi fin "
iptables -t mangle -A RMIFIN -j ACCEPT
# MSSQL only for source addresses currently in the rmi list
iptables -t mangle -A MSSQL -m recent --name rmi --rcheck -j ACCEPT
iptables -t mangle -A MSSQL -j LOG --log-prefix "mssql without rmi "
iptables -t mangle -A MSSQL -j DROP
I've placed this filter in the mangle table before I do my DNAT. I've also added
a rule to clean up the recent list in case of an RST type of disconnect.
It seems to me though that the script in this version has a flaw. Let's say
someone creates 2 instances of the same application with the same source
address and then closes one of them. I think this will effectively kill the
MSSQL connection for the remaining instance. Is there any way to count RMI
connections originating from the same source IP and then start dropping MSSQL
requests only when that count reaches 0?
Mikhail.
* Re: Conntrack for related service
From: Martijn Lievaart @ 2006-08-05 9:32 UTC (permalink / raw)
To: Mikhail; +Cc: netfilter
Mikhail wrote:
> I've placed this filter in the mangle table before I do my DNAT. I've also added
> a rule to clean up the recent list in case of an RST type of disconnect.
> It seems to me though that the script in this version has a flaw. Let's say
> someone creates 2 instances of the same application with the same source
> address and then closes one of them. I think this will effectively kill the
> MSSQL connection for the remaining instance. Is there any way to count RMI
> connections originating from the same source IP and then start dropping MSSQL
> requests only when that count reaches 0?
>
>
Yes, you're right. What you could do is not look at FIN and RST packets,
but use the timing feature of the recent module. Use a large timeout. So
what you want is: if there has been activity from this IP address in
the past X seconds on the RMI port, allow the MSSQL port.
Obviously that will not work if there has been no activity on the RMI
port recently (or, in case you have a lot of connections, the entry
got evicted by recent for a newer one). But if RMI activity always
occurs shortly before opening a connection to MSSQL it should do the trick.
HTH,
M4
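The two recent-list policies discussed in this thread, as an added example that is not part of the original mails: a small Python replay of the "rmi" list logic over a constructed packet trace (the client address and the port numbers are assumed), showing why the FIN/RST removal in Mikhail's script drops the second instance's MSSQL connection and how an --rcheck --seconds window behaves instead.

```python
# Added example (not from the thread): simulate the two "recent"-list policies
# discussed above, showing the flaw Mikhail describes (a FIN from one client
# instance evicts the address) and the timeout-based variant Martijn suggests.
# The trace, address and port numbers are constructed for this demo.
from dataclasses import dataclass

RMI_PORT, MSSQL_PORT = 1099, 1433   # assumed port numbers

@dataclass
class Pkt:
    t: float          # seconds since start of the trace
    src: str          # source IP address
    dport: int        # destination port
    flags: str = ""   # "SYN", "FIN", "RST" or "" for a plain data segment

def run(packets, policy, window=300):
    """Replay packets through the rule set and return the MSSQL verdicts.

    policy="fin":     --set on every RMI packet, --remove on FIN/RST, plain
                      --rcheck on MSSQL (Mikhail's script).
    policy="timeout": --set on every RMI packet, FIN/RST ignored,
                      --rcheck --seconds <window> on MSSQL (the follow-up).
    """
    last_seen = {}    # the 'rmi' recent list: src -> last RMI timestamp
    verdicts = []
    for p in packets:
        if p.dport == RMI_PORT:
            if policy == "fin" and p.flags in ("FIN", "RST"):
                last_seen.pop(p.src, None)        # --remove
            else:
                last_seen[p.src] = p.t            # --set (refreshes timestamp)
        elif p.dport == MSSQL_PORT:
            ok = p.src in last_seen                # --rcheck
            if ok and policy == "timeout":         # --rcheck --seconds <window>
                ok = (p.t - last_seen[p.src]) <= window
            verdicts.append("ACCEPT" if ok else "DROP")
    return verdicts

# Constructed trace: two RMI sessions from one client, one closes, then MSSQL.
TRACE = [
    Pkt(0, "203.0.113.5", RMI_PORT, "SYN"),     # instance A connects
    Pkt(1, "203.0.113.5", RMI_PORT, "SYN"),     # instance B connects
    Pkt(2, "203.0.113.5", RMI_PORT, "FIN"),     # instance A closes
    Pkt(3, "203.0.113.5", MSSQL_PORT, "SYN"),   # instance B still needs MSSQL
    Pkt(900, "203.0.113.5", MSSQL_PORT, "SYN"), # long after any RMI traffic
]

if __name__ == "__main__":
    print("fin policy:    ", run(TRACE, "fin"))      # ['DROP', 'DROP']
    print("timeout policy:", run(TRACE, "timeout"))  # ['ACCEPT', 'DROP']
```

Neither policy counts live connections, which is what Mikhail actually asked for; the timeout variant only narrows the window in which the second instance is cut off.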