Tracking broadcasting replies *only* using 'conntrack'

Tracking broadcasting replies *only* using 'conntrack'

[Joris Korbeeck]

 /proc/net/ip_conntrack shows the following record after running 'nmblookup «hostname»':

udp 17 26 src=192.168.1.2 dst=192.168.1.255 sport=43290 dport=137 packets=3 bytes=234 [UNREPLIED] src=192.168.1.255 dst=192.168.1.2 sport=137 dport=43290 packets=0 bytes=0 mark=0 secmark=0 use=1

 Almost all traffic has been blocked using Ubuntu's ufw (thus actually iptables). I want to *allow* replies on this broadcast request using a rule which looks like:

-A ufw-before-input -m conntrack --ctstate ESTABLISHED -p udp -s 192.168.1.0/24 --sport 137 -j ACCEPT

 But unfortunately 'conntrack' doesn't recognize the sender's IP address (e.g. 192.168.1.3) as a 'member' of 192.168.1.255. Does anyone have a solution to allow these replies to hostname resolution requests which make use of random ports?

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

Re: Tracking broadcasting replies *only* using 'conntrack'

[Pascal Hambourg]

Joris Korbeeck a écrit :
> 
>  But unfortunately 'conntrack' doesn't recognize the sender's IP
> address (e.g. 192.168.1.3) as a 'member' of 192.168.1.255. Does anyone
> have a solution to allow these replies to hostname resolution requests
> which make use of random ports?

Indeed conntrack does not handle broadcasts. You need to load the 
NetBIOS Name Service conntrack helper module ip_conntrack_netbios_ns (on 
older kernels) or nf_conntrack_netbios_ns (on newer kernels).

RE: Tracking broadcasting replies *only* using 'conntrack'

[Joris Korbeeck]

 Ubuntu's UFW firewall is easy to use and by default allows replies to established connections. Unfortunately—and this is where Pascal's tip fits in—it doesn't recognize responses to broadcasts, because iptables lacks this feature.

 Therefore adding "nf_conntrack_netbios_ns" to UFW's default parameter 'IPT_MODULES' in /etc/default/ufw fixes the NetBIOS hostname resolution functionality.

 Pascal, thanks for your valuable suggestion!

Joris

> Date: Tue, 25 Nov 2008 12:08:38 +0100
> From: pascal.mail@plouf.fr.eu.org
> To: netfilter@vger.kernel.org
> Subject: Re: Tracking broadcasting replies *only* using 'conntrack'
> 
> Joris Korbeeck a écrit :
>> 
>>  But unfortunately 'conntrack' doesn't recognize the sender's IP
>> address (e.g. 192.168.1.3) as a 'member' of 192.168.1.255. Does anyone
>> have a solution to allow these replies to hostname resolution requests
>> which make use of random ports?
> 
> Indeed conntrack does not handle broadcasts. You need to load the 
> NetBIOS Name Service conntrack helper module ip_conntrack_netbios_ns (on 
> older kernels) or nf_conntrack_netbios_ns (on newer kernels).
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/