Re: iptables leaking blocked ip addresses.

["terry l. ridder" <artisticforge@gmail.com>]

hello;

reply below.

On 6/20/05, /dev/rob0 <rob0@gmx.co.uk> wrote:
> On Monday 20 June 2005 12:20, terry l. ridder wrote:
> > > Yikes, this is very long. First, I see that you're doing all your
> > > filtering in nat, PREROUTING and POSTROUTING. Why?
> >
> > because that is the way i know that works.
> 
> Again I doubt you know exactly what it is doing.
>

no one can know exactly what it is doing given all the variables that
may effect what iptables is doing.  unknown bugs in the linux kernel
and/or iptables. memory hiccups. cpu hiccups. random bit flips.

having observed the behaviour of the linux kernel and iptables i
have a reasonable expectation of what they are doing.

>
> For instance in your
> lonely filter table, FORWARD rules there are 3 rules which do nothing
> at all ... ACCEPT targets, when the policy is ACCEPT. (They do packet
> counting which is limited by the "limit" module, so even the packet
> counters are meaningless.)
>
> 
> > it has worked fine for many years.
> 
> Luck.
>

there is no such thing as luck.

> 
> > it was not until i upgraded the
> > firewall machine (new computer with debian sarge) that iptables
> > began to leak.
> >
> > > I prefer to do filtering in the filter table as $DEITY intended. :)
> 
> For me that is more or less a matter of faith. I hope someone who knows
> more about it will come along and explain why your NAT use is poor
> design. In the meantime I bet a few external nmap's of your IP would
> give you some unpleasant surprises.
>

you have my permission to nmap my network, 204.238.34.0/24.
you must post the results of nmap here.

do you have anything to contribute besides sniping at the manner in
which i run and manage my network?
 
>
> > <major sniip>
> >
> > one of the reasons for using table nat is to dnat all ip addresses
> > with destination port 25 (smtp) to the mail server, 204.238.34.206.
> 
> I'd do that with a single DNAT rule,  have a single SNAT rule to let the
> internal mail server out, and do my filtering in filter / FORWARD. It
> also seems odd that you are using NAT at all, since the mail server
> already has a real Internet IP. I only use NAT with RFC 1918 addresses.
>

because the spammers, scammers, and other scum keep hammering
my network trying every address in 204.238.34.0/24 destination port 25.

> 
> > connection tracking is turned off since at one time i was
> > using tarpit instead of just dropping the connections.
> 
> Whatever. Without connection tracking you might as well use ipchains.
>

the tarpit howto does say to turn connection tracking off.

> 
> > i have added logging on both the firewall box, 204.238.34.232, and
> > the mail server, 204.238.34.206. both boxes will be logging the
> > leaks.
> 
> Please do followup with the results; I will be interested to see what
> packets are getting through.
>

i will post the results.

>

-- 
terry l. ridder ><>