* stateful UDP with unknown source port on INPUT?
From: noa levy @ 2007-03-21 17:30 UTC (permalink / raw)
  To: netfilter

Hi,
I am working on a machine that needs to send SNMP informs, and receive ACKs 
for these informs. I am using iptables as my firewall, and I need to find a 
way to open a pinhole for the ACK to get back to me. My problem is that SNMP 
informs are sent to a predefined UDP port (162) but the ACKs are returned 
from a random port.
The following rules exist to allow established UDP sessions:
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT

My problem is that, since the source port of the ACK is a random one, the 
ACKs are dropped. Is there a way to allow all incoming UDP packets with an 
unknown source port and an established dest port?

Any help will be greatly appreciated,
Thanks,
Noa





* Re: stateful UDP with unknown source port on INPUT?
From: Martijn Lievaart @ 2007-03-29 23:06 UTC (permalink / raw)
  To: noa levy; +Cc: netfilter

noa levy wrote:
> Hi,
> I am working on a machine that needs to send SNMP informs, and receive
> ACKs for these informs. I am using iptables as my firewall, and I need
> to find a way to open a pinhole for the ACK to get back to me. My
> problem is that SNMP informs are sent to a predefined UDP port (162)
> but the ACKs are returned from a random port.
> The following rules exist to allow established UDP sessions:
> iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
>
> My problem is that, since the source port of the ACK is a random one,
> the ACKs are dropped. Is there a way to allow all incoming UDP packets
> with an unknown source port and an established dest port?

Not directly, but you could use the recent match for this. On outgoing
requests, add the IP to the recent set. On incoming packets, first match
on the destination port, then match on recent to see if the IP had a
recent outgoing request.

I use a similar strategy to reject (instead of drop) ident queries from
hosts I made a tcp connection to and that works, so this should too.

HTH,
M4




* Re: stateful UDP with unknown source port on INPUT?
From: noa levy @ 2007-04-01 12:39 UTC (permalink / raw)
  To: m; +Cc: netfilter

Thanks!
I forgot to mention, though, that my source port for the SNMP informs is 
also random, so I can't match against the destination port for the incoming 
packet - does the recent target also maintain a port list or is it IP 
addresses only?


>From: Martijn Lievaart <m@rtij.nl>
>To: noa levy <noalevy@hotmail.com>
>CC: netfilter@lists.netfilter.org
>Subject: Re: stateful UDP with unknown source port on INPUT?
>Date: Fri, 30 Mar 2007 01:06:15 +0200
>
>noa levy wrote:
>>Hi,
>>I am working on a machine that needs to send SNMP informs, and receive 
>>ACKs for these informs. I am using iptables as my firewall, and I need to 
>>find a way to open a pinhole for the ACK to get back to me. My problem is 
>>that SNMP informs are sent to a predefined UDP port (162) but the ACKs are 
>>returned from a random port.
>>The following rules exist to allow established UDP sessions:
>>iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
>>iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
>>
>>My problem is that, since the source port of the ACK is a random one, the 
>>ACKs are dropped. Is there a way to allow all incoming UDP packets with an 
>>unknown source port and an established dest port?
>
>Not directly, but you could use the recent match for this. On outgoing 
>requests, add the IP to the recent set. On incoming packets, first match on 
>the destination port, then match on recent to see if the IP had a recent 
>outgoing request.
>
>I use a similar strategy to reject (instead of drop) ident queries from 
>hosts I made a tcp connection to and that works, so this should too.
>
>HTH,
>M4
>





* Re: stateful UDP with unknown source port on INPUT?
From: Franck Joncourt @ 2007-04-01 13:24 UTC (permalink / raw)
  To: netfilter


On Sun, Apr 01, 2007 at 03:39:30PM +0300, noa levy wrote:
> Thanks!
> I forgot to mention, though, that my source port for the SNMP informs is 
> also random, so I can't match against the destination port for the incoming 
> packet - does the recent target also maintain a port list or is it IP 
> addresses only?
> 

From the iptables tutorial:

iptables -A INPUT -m recent --name example --rsource
The --rsource match is used to tell the recent match to save the source
address and port in the recent list. This is the default behavior of the
recent match.

iptables -A INPUT -m recent --name example --rdest
The --rdest match is the opposite of the --rsource match in that it
tells the recent match to save the destination address and port to the
recent list.

http://iptables-tutorial.frozentux.net/iptables-tutorial.html#RECENTMATCH


-- 
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
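The following script is an added example and is not code posted by anyone in this thread. It builds the "recent"-match pinhole Martijn describes, using the --rdest/--rsource flags Franck quotes, for Noa's case where the inform's own source port is random as well, so neither port of the reply is known. Assumptions are mine: the receiver address is passed as the first argument (192.0.2.10 below is a TEST-NET-1 placeholder), the list name snmp_inform and the 10-second window are arbitrary, and IPT defaults to "echo iptables" so that running it unprivileged only prints the rules; set IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a recent-match pinhole
# for SNMP inform replies. Assumptions (mine): receiver address in $1,
# list name and window arbitrary, IPT="echo iptables" means dry run.

IPT="${IPT:-echo iptables}"
LIST="snmp_inform"          # xt_recent list name (assumed)
WINDOW="${WINDOW:-10}"      # seconds a reply stays accepted after an inform

# Emit the two rules for receiver $1, one per line.
#  - OUTPUT: every inform sent to UDP/162 records the *destination*
#    address (--rdest --set) in the list.
#  - INPUT: any UDP from an address recorded within $WINDOW seconds is
#    accepted (--rsource --rcheck). The reply's ports are unknown, so
#    no port can be matched; pinning -s to the receiver and keeping the
#    window short is what stops this from being an open UDP hole.
# -I (not -A) puts them ahead of the existing state rules: the OUTPUT
# rule must see the packet before the NEW,ESTABLISHED ACCEPT does, and
# the INPUT rule must come before any final DROP.
inform_pinhole_rules() {
    rcv="$1"
    if [ -z "$rcv" ]; then
        echo "usage: inform_pinhole_rules RECEIVER_IP" >&2
        return 1
    fi
    printf '%s\n' \
        "-I OUTPUT -p udp -d $rcv --dport 162 -m recent --name $LIST --rdest --set -j ACCEPT" \
        "-I INPUT -p udp -s $rcv -m recent --name $LIST --rsource --rcheck --seconds $WINDOW -j ACCEPT"
}

# Feed each rule to $IPT; returns non-zero on a missing receiver or on
# the first rule iptables rejects.
apply_inform_pinhole() {
    [ -n "$1" ] || return 1
    inform_pinhole_rules "$1" | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPT $rule || exit 1
    done
}

# 192.0.2.10 is a placeholder (TEST-NET-1) receiver address.
apply_inform_pinhole "${1:-192.0.2.10}"
```

Note what this pinhole costs: for WINDOW seconds after every inform, the receiver address can reach any UDP port on this host, because the rule has no port to match on. Keeping the window to a few seconds and the -s restriction in place limits that exposure to the one peer you already trust to receive your informs; a spoofed source address from elsewhere would still need to guess the window.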



* Re: stateful UDP with unknown source port on INPUT?
From: Robert Nichols @ 2007-04-02  5:28 UTC (permalink / raw)
  To: netfilter

noa levy wrote:
> Thanks!
> I forgot to mention, though, that my source port for the SNMP informs is 
> also random, so I can't match against the destination port for the 
> incoming packet - does the recent target also maintain a port list or is 
> it IP addresses only?

How about something like this:

iptables -t nat -A POSTROUTING -p udp --dport 162 -j SNAT --to-source :29999
iptables -t mangle -A PREROUTING -p udp --dport 29999 -j MARK --set-mark 99
iptables -A INPUT -p udp ! --dport 29999 -m mark --mark 99 -j ACCEPT

That 29999 source port is an arbitrary number outside the bounds set in
/proc/sys/net/ipv4/ip_local_port_range.  The mark number is also arbitrary.
The overall effect is that your SNMP inform packets will all appear to
come from port 29999.  Replies to that port will be marked prior to being
de-SNAT-ed.  Now, in the filter table you can ACCEPT marked packets that
have been recognized by de-SNAT and thus no longer have a destination
port of 29999.  Any bogus packets sent to port 29999 will still contain
that port number when they hit the filter rule, and thus will not be
accepted.

I have no way to test any of the above, so view it all with appropriate
suspicion.

-- 
Bob Nichols         Yes, "NOSPAM" is really part of my email address.




* Re: stateful UDP with unknown source port on INPUT?
From: Robert Nichols @ 2007-04-02 12:35 UTC (permalink / raw)
  To: netfilter

I wrote:
> noa levy wrote:
> 
>> Thanks!
>> I forgot to mention, though, that my source port for the SNMP informs 
>> is also random, so I can't match against the destination port for the 
>> incoming packet - does the recent target also maintain a port list or 
>> is it IP addresses only?
> 
> 
> How about something like this:
> 
> iptables -t nat -A POSTROUTING -p udp --dport 162 -j SNAT --to-source :29999
> iptables -t mangle -A PREROUTING -p udp --dport 29999 -j MARK --set-mark 99
> iptables -A INPUT -p udp ! --dport 29999 -m mark --mark 99 -j ACCEPT

Which, of course, won't work because de-SNAT won't recognize the reply
packets coming from a random port.  I really shouldn't try to post
something that complex, and untested, late at night.  Sorry.

-- 
Bob Nichols         Yes, "NOSPAM" is really part of my email address.



