The module I write seems to have conflict with iptables

All of lore.kernel.org
 help / color / mirror / Atom feed

* The module I write seems to have conflict with iptables
@ 2007-07-29 17:06 Zheng Da
  2007-07-28 17:35 ` Jan Engelhardt
  0 siblings, 1 reply; 4+ messages in thread
From: Zheng Da @ 2007-07-29 17:06 UTC (permalink / raw)
  To: netfilter-devel

Hi,

I write a module based on netfilter.
It is proposed to be used in the filter router, is hooked on FORWARD 
point, and has the lowest priority, NF_IP_PRI_LAST.
It does the following things:
When it finds TCP connection from the client to the server, it will 
pretend as the server to build the connection with the client. It blocks 
the SYN and ACK packets from the client, and sends a UDP packet to the 
server, which can force the server build the TCP connection with the client.
It works as follow:
Client                              Router                              
   Server
          -----------SYN--------->
          <-------SYN,ACK----
          -----------ACK--------->
                                                   
----------UDP-------------->
The UDP packet sent by Router contains all information about the TCP 
connection, and can force Server build the TCP connection with Client.
Suppose the topology is as follow:
Client ----------(eth0) Router (eth1) --------- Server
eth1 of Router and Server can't see the SYN and ACK packet from the 
client because of the module in Router.
I want this module to work with iptables, and the configuration of 
iptables in Router is:
iptables -F
iptables -X
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 22 -m state --state 
ESTABLISHED,NEW -j ACCEPT
I want the client can only access SSH service on Server.
After I insert my module into the kernel, Client can build TCP 
connection with Server, and they can communicate with each other.
But after a few minutes, Server can't receive the packets from the 
client any more. So is my module.
If I clear iptables' rules, the module can work well.
So I guess the module I write may have conflict with iptables.
I don't know how the connection track of iptables works.
Is it possible that my module may make the connection track not work.

Best,
Zheng jDa

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: The module I write seems to have conflict with iptables
  2007-07-29 17:06 The module I write seems to have conflict with iptables Zheng Da
@ 2007-07-28 17:35 ` Jan Engelhardt
       [not found]   ` <46ACEC5A.6040103@gmail.com>
  0 siblings, 1 reply; 4+ messages in thread
From: Jan Engelhardt @ 2007-07-28 17:35 UTC (permalink / raw)
  To: Zheng Da; +Cc: netfilter-devel


On Jul 29 2007 19:06, Zheng Da wrote:
>
> I write a module based on netfilter.
> It is proposed to be used in the filter router, is hooked on FORWARD point, and
> has the lowest priority, NF_IP_PRI_LAST.
> It does the following things:
> When it finds TCP connection from the client to the server, it will pretend as
> the server to build the connection with the client. It blocks the SYN and ACK
> packets from the client, and sends a UDP packet to the server, which can force
> the server build the TCP connection with the client.

It is almost impossible to help without seeing code.



	Jan
-- 

^ permalink raw reply	[flat|nested] 4+ messages in thread

[parent not found: <46ACEC5A.6040103@gmail.com>]

[parent not found: <Pine.LNX.4.64.0707291042080.9488@fbirervta.pbzchgretzou.qr>]

* Re: The module I write seems to have conflict with iptables
       [not found]     ` <Pine.LNX.4.64.0707291042080.9488@fbirervta.pbzchgretzou.qr>
@ 2007-07-30 19:25       ` Zheng Da
       [not found]       ` <46ADDA66.3030207@gmail.com>
  1 sibling, 0 replies; 4+ messages in thread
From: Zheng Da @ 2007-07-30 19:25 UTC (permalink / raw)
  To: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 2245 bytes --]

Jan Engelhardt wrote:
> On Jul 29 2007 21:36, Zheng Da wrote:
>   
>>>   
>>>       
>>>> I write a module based on netfilter. It is proposed to be used
>>>> in the filter router, is hooked on FORWARD point, and has the
>>>> lowest priority, NF_IP_PRI_LAST. It does the following things:
>>>> When it finds TCP connection from the client to the server, it
>>>> will pretend as the server to build the connection with the
>>>> client. It blocks the SYN and ACK packets from the client, and
>>>> sends a UDP packet to the server, which can force the server
>>>> build the TCP connection with the client.
>>>>     
>>>>         
>>> It is almost impossible to help without seeing code.
>>>
>>>   
>>>       
>> Sorry, I'm just thinking whether the way of my module working may
>> make connection track not work correctly. OK. This is my code. A
>> little big.
>>     
>
> Quite a lot of code, I'd say, so I could not look through all of it.
> I suspect that NF_IP_PRI_LAST and NF_IP_PRI_FIRST may have problematic 
> effects. You could try NF_IP_PRI_FILTER+1 (instead of LAST), and
> NF_IP_PRI_FILTER-1 (instead of FIRST).
>
>
>
> 	Jan
>   
I finally find the problem. The problem is not caused by my module, but 
my configuration of iptables.
The original configuration is:
iptables -F
iptables -X
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -j ACCEPT                         
<------------------change this line
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 22 -m state --state 
ESTABLISHED,NEW -j ACCEPT
If I change the line for the device of eth1 to
iptables -A FORWARD -i eth1 -j ACCEPT -m state --state 
ESTABLISHED,RELATED,NEW
It works.
The problem is what is the difference between
iptables -A FORWARD -i eth1 -j ACCEPT
and
iptables -A FORWARD -i eth1 -j ACCEPT -m state --state 
ESTABLISHED,RELATED,NEW.
I check ip_conntrack in Router, the connections between Client and 
Server are assured in both configurations.
I use Wireshark to capture the packets when in the original 
configuration. I put the result in the attachment.
externel: the packets between Client and Router
internal: the packets between Router and Server
Does anyone have any idea?

Best,
Zheng Da

[-- Attachment #2: external --]
[-- Type: application/octet-stream, Size: 32792 bytes --]

[-- Attachment #3: internal --]
[-- Type: application/octet-stream, Size: 30993 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

[parent not found: <46ADDA66.3030207@gmail.com>]

[parent not found: <Pine.LNX.4.64.0707291508260.9488@fbirervta.pbzchgretzou.qr>]

* Re: The module I write seems to have conflict with iptables
       [not found]         ` <Pine.LNX.4.64.0707291508260.9488@fbirervta.pbzchgretzou.qr>
@ 2007-07-30 19:49           ` Zheng Da
  0 siblings, 0 replies; 4+ messages in thread
From: Zheng Da @ 2007-07-30 19:49 UTC (permalink / raw)
  To: Jan Engelhardt, netfilter-devel

Jan Engelhardt wrote:
> On Jul 30 2007 14:32, Zheng Da wrote:
>   
>> I finally find the problem. The problem is not caused by my module, but
>> my configuration of iptables.
>> The original configuration is:
>> iptables -F
>> iptables -X
>> iptables -P FORWARD DROP
>> iptables -A FORWARD -i eth1 -j ACCEPT                        
>> <------------------change this line
>> iptables -A FORWARD -i eth0 -m state --state ESTABLISHED -j ACCEPT
>> iptables -A FORWARD -i eth0 -p tcp --dport 22 -m state --state
>> ESTABLISHED,NEW -j ACCEPT
>>     
>
>   
>> If I change the line for the device of eth1 to
>>
>> 	iptables -A FORWARD -i eth1 -j ACCEPT -m state --state
>> 	ESTABLISHED,RELATED,NEW
>>
>> It works.
>> The problem is what is the difference between
>> 	iptables -A FORWARD -i eth1 -j ACCEPT
>> and
>> 	iptables -A FORWARD -i eth1 -j ACCEPT -m state --state
>> 	ESTABLISHED,RELATED,NEW.
>>     
>
> The first one accepts all packets from eth1, the second only
> EST,REL,NEW -- which excludes INVALID.
>
> INVALID connections do not show up in ip_conntrack I believe, but you can
> make them visible using LOG for example:
>
> 	-i eth1 -m conntrack --ctstate INVALID -j LOG
>   
But it doesn't explain why the change of the configuration can make my 
module work correctly.
I think there should be more difference
>   
>> I check ip_conntrack in Router, the connections between Client and Server
>> are assured in both configurations.
>> I use Wireshark to capture the packets when in the original
>> configuration. I put the result in the attachment.
>> externel: the packets between Client and Router
>> internal: the packets between Router and Server
>>     
>
>   
>> Does anyone have any idea?
>>     
>
> Post to the mailing list, there are more people to answer.
>
>
>
> 	Jan
>   

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2007-07-30 19:49 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-07-29 17:06 The module I write seems to have conflict with iptables Zheng Da
2007-07-28 17:35 ` Jan Engelhardt
     [not found]   ` <46ACEC5A.6040103@gmail.com>
     [not found]     ` <Pine.LNX.4.64.0707291042080.9488@fbirervta.pbzchgretzou.qr>
2007-07-30 19:25       ` Zheng Da
     [not found]       ` <46ADDA66.3030207@gmail.com>
     [not found]         ` <Pine.LNX.4.64.0707291508260.9488@fbirervta.pbzchgretzou.qr>
2007-07-30 19:49           ` Zheng Da

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.