conntrack-tools 0.9.14 can not block the connection

conntrack-tools 0.9.14 can not block the connection

[Richard Feng]

Hi,

I am using Linux 2.6.29. I have the problem for using 'conntrack' 
(version:0.9.14) to block the traffic.
Using the following command as example:
  conntrack -D -s 1.1.1.1 -d 2.2.2.2
After execution, it appears the connection info was deleted -
  conntrack -L | grep 1.1.1.1 -- shows the entry was deleted.

However, the connection is still active - is this the correct behaviour? 

From the documentation (from conntrack-tools.netfilter.org), somewhere it says 
that "have to set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to 
zero".There is simply no 'netfilter' folder under my 
folder '/proc/sys/net/ipv4'. Is this the problem? How could I fix it?


Thanks,
Richard Feng

Re: conntrack-tools 0.9.14 can not block the connection

[Jan Engelhardt]

On Friday 2010-05-07 01:51, Richard Feng wrote:

>Hi,
>
>I am using Linux 2.6.29. I have the problem for using 'conntrack' 
>(version:0.9.14) to block the traffic.
>Using the following command as example:
>  conntrack -D -s 1.1.1.1 -d 2.2.2.2
>After execution, it appears the connection info was deleted -
>  conntrack -L | grep 1.1.1.1 -- shows the entry was deleted.

If something does not exist, conntrack won't output it.

>However, the connection is still active - is this the correct behaviour? 

Yes.

>>From the documentation (from conntrack-tools.netfilter.org), somewhere it says 
>that "have to set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to 
>zero".There is simply no 'netfilter' folder under my 
>folder '/proc/sys/net/ipv4'. Is this the problem? How could I fix it?

Upgrading to a newer kernel (you're probably running some stoneage 
thing).

RE: conntrack-tools 0.9.14 can not block the connection

[Rob Sterenborg]

Jan Engelhardt wrote:
> On Friday 2010-05-07 01:51, Richard Feng wrote:
> 
> >Hi,
> >
> >I am using Linux 2.6.29. I have the problem for using 'conntrack'
[...]
> Upgrading to a newer kernel (you're probably running some stoneage
> thing).

For my information: I know that 2.6.29 isn't recent, but is it already
considered a 'stone age thing'?


--
Rob

RE: conntrack-tools 0.9.14 can not block the connection

[Jan Engelhardt]

On Friday 2010-05-07 10:49, Rob Sterenborg wrote:

>Jan Engelhardt wrote:
>> On Friday 2010-05-07 01:51, Richard Feng wrote:
>> 
>> >Hi,
>> >
>> >I am using Linux 2.6.29. I have the problem for using 'conntrack'
>[...]
>> Upgrading to a newer kernel (you're probably running some stoneage
>> thing).
>
>For my information: I know that 2.6.29 isn't recent, but is it already
>considered a 'stone age thing'?

Let's requote:
>that "have to set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to 

That file "ip_conntrack_tcp_be_liberal" was last seen in ...
anyway, it's nf_conntrack_tcp_be_liberal now.

Re: conntrack-tools 0.9.14 can not block the connection

[Pascal Hambourg]

Hello,

Richard Feng a écrit :
> 
> I am using Linux 2.6.29. I have the problem for using 'conntrack' 
> (version:0.9.14) to block the traffic.
> Using the following command as example:
>   conntrack -D -s 1.1.1.1 -d 2.2.2.2
> After execution, it appears the connection info was deleted -
>   conntrack -L | grep 1.1.1.1 -- shows the entry was deleted.
> 
> However, the connection is still active

What do you mean exactly ?
The conntrack tool only deals with netfilter connection tracking, not
with the actual connection (e.g. it won't send RST's in order to tear it
down). How it may affect the actual connection depends on the iptables
ruleset.

Re: conntrack-tools 0.9.14 can not block the connection

[Richard Feng]

Thanks Jan for your answer - I still got some questions in the following.

On May 7, 2010 12:55:44 am Jan Engelhardt wrote:
> On Friday 2010-05-07 01:51, Richard Feng wrote:
> 
> >Hi,
> >
> 
> >However, the connection is still active - is this the correct behaviour? 
> 
> Yes.
So 'conntrack -D' can not really cut current connections?  It can only delete 
entry from the state table? I just want to make sure - from the 
document "http://conntrack-tools.netfilter.org/manual.html#conntrack". It 
clearly said "Delete on entry, this can be used to block traffic (you have to 
set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to zero)".
> >>From the documentation (from conntrack-tools.netfilter.org), somewhere it 
says 
> >that "have to set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal 
to 
> >zero".There is simply no 'netfilter' folder under my 
> >folder '/proc/sys/net/ipv4'. Is this the problem? How could I fix it?
>
> Upgrading to a newer kernel (you're probably running some stoneage 
> thing).
Thank you for your pointer at a later reply - I found it now 
at /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal. And it was set "0".

Regards,
Richard
 

Re: conntrack-tools 0.9.14 can not block the connection

[Richard Feng]

On May 7, 2010 02:57:51 am Pascal Hambourg wrote:
> Hello,
> 
> Richard Feng a écrit :
> > 
> > I am using Linux 2.6.29. I have the problem for using 'conntrack' 
> > (version:0.9.14) to block the traffic.
> > Using the following command as example:
> >   conntrack -D -s 1.1.1.1 -d 2.2.2.2
> > After execution, it appears the connection info was deleted -
> >   conntrack -L | grep 1.1.1.1 -- shows the entry was deleted.
> > 
> > However, the connection is still active
> 
> What do you mean exactly ?
> The conntrack tool only deals with netfilter connection tracking, not
> with the actual connection (e.g. it won't send RST's in order to tear it
> down). How it may affect the actual connection depends on the iptables
> ruleset.
> 
It says it can block traffic in the 
document "http://conntrack-tools.netfilter.org/manual.html#conntrack".
Maybe the doc is outdated? What should I do if I want to break current 
connection? Using 'cutter'?

Re: conntrack-tools 0.9.14 can not block the connection

[Jan Engelhardt]

On Friday 2010-05-07 18:17, Richard Feng wrote:

>>>From the documentation (from conntrack-tools.netfilter.org),
>>>somewhere it says that "have to set
>>>/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to
>>>zero".There is simply no 'netfilter' folder under my folder
>>>'/proc/sys/net/ipv4'. Is this the problem? How could I fix it?

>So 'conntrack -D' can not really cut current connections?  It can
>only delete entry from the state table? I just want to make sure -
>from the document
>"http://conntrack-tools.netfilter.org/manual.html#conntrack". It
>clearly said "Delete on entry, this can be used to block traffic
>(you have to set
>/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to zero)".

The documentation seems to be off here. If you only delete a ct
entry, the next packet (even if a TCP ACK or something) will make
a new ct with NEW as a ctstate.

To really have a TCP/SCTP connection blocked after deletion of the ct 
entry, you have to only allow NEW ctstates with the initla TCP/SCTP 
packet (SYN/INIT).

Re: conntrack-tools 0.9.14 can not block the connection

[Pascal Hambourg]

Richard Feng a écrit :
> On May 7, 2010 02:57:51 am Pascal Hambourg wrote:
>>
>> The conntrack tool only deals with netfilter connection tracking, not
>> with the actual connection (e.g. it won't send RST's in order to tear it
>> down). How it may affect the actual connection depends on the iptables
>> ruleset.
>>
> It says it can block traffic in the 
> document "http://conntrack-tools.netfilter.org/manual.html#conntrack".

Do you mean this : "this can be used to block traffic" ?
It can be used to block traffic, but does not block traffic by itself.
Subsequent packets of a deleted TCP connection will just be in the
INVALID state, it is up to the iptables ruleset to drop such packets if
this is what you want.

> What should I do if I want to break current connection? Using 'cutter'?

What do you want to achieve exactly ? Drop/reject subsequent packets ?
Then see above, you need iptables. Or actively close the connection ?
Then you need a tool such as cutter.

Re: conntrack-tools 0.9.14 can not block the connection

[Richard Feng]

On May 7, 2010 11:51:27 am Pascal Hambourg wrote:
> 
> Do you mean this : "this can be used to block traffic" ?
> It can be used to block traffic, but does not block traffic by itself.
> Subsequent packets of a deleted TCP connection will just be in the
> INVALID state, it is up to the iptables ruleset to drop such packets if
> this is what you want.
> > What should I do if I want to break current connection? Using 'cutter'?
> 
> What do you want to achieve exactly ? Drop/reject subsequent packets ?
> Then see above, you need iptables. Or actively close the connection ?
> Then you need a tool such as cutter.
> 
Thank you very much - I think that is the answer I am looking for.

Re: conntrack-tools 0.9.14 can not block the connection

[Pablo Neira Ayuso]

Jan Engelhardt wrote:
> On Friday 2010-05-07 18:17, Richard Feng wrote:
> 
>>> >From the documentation (from conntrack-tools.netfilter.org),
>>>> somewhere it says that "have to set
>>>> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to
>>>> zero".There is simply no 'netfilter' folder under my folder
>>>> '/proc/sys/net/ipv4'. Is this the problem? How could I fix it?
> 
>> So 'conntrack -D' can not really cut current connections?  It can
>> only delete entry from the state table? I just want to make sure -
>>from the document
>> "http://conntrack-tools.netfilter.org/manual.html#conntrack". It
>> clearly said "Delete on entry, this can be used to block traffic
>> (you have to set
>> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to zero)".
> 
> The documentation seems to be off here. If you only delete a ct
> entry, the next packet (even if a TCP ACK or something) will make
> a new ct with NEW as a ctstate.
> 
> To really have a TCP/SCTP connection blocked after deletion of the ct 
> entry, you have to only allow NEW ctstates with the initla TCP/SCTP 
> packet (SYN/INIT).

Yes, you need a well-formed stateful rule-set "to cut" the connection
(at least you have to add a rule to block traffic in INVALID stats).
Probably this is not clear enough in the doc. I can write a patch for
this or alternatively accept one.

Thank you for the comments.

Re: conntrack-tools 0.9.14 can not block the connection

[Pablo Neira Ayuso]

Pablo Neira Ayuso wrote:
> Jan Engelhardt wrote:
>> On Friday 2010-05-07 18:17, Richard Feng wrote:
>>
>>>> >From the documentation (from conntrack-tools.netfilter.org),
>>>>> somewhere it says that "have to set
>>>>> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to
>>>>> zero".There is simply no 'netfilter' folder under my folder
>>>>> '/proc/sys/net/ipv4'. Is this the problem? How could I fix it?
>>> So 'conntrack -D' can not really cut current connections?  It can
>>> only delete entry from the state table? I just want to make sure -
>> >from the document
>>> "http://conntrack-tools.netfilter.org/manual.html#conntrack". It
>>> clearly said "Delete on entry, this can be used to block traffic
>>> (you have to set
>>> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to zero)".
>> The documentation seems to be off here. If you only delete a ct
>> entry, the next packet (even if a TCP ACK or something) will make
>> a new ct with NEW as a ctstate.
>>
>> To really have a TCP/SCTP connection blocked after deletion of the ct 
>> entry, you have to only allow NEW ctstates with the initla TCP/SCTP 
>> packet (SYN/INIT).
> 
> Yes, you need a well-formed stateful rule-set "to cut" the connection
> (at least you have to add a rule to block traffic in INVALID stats).

With "stats" I meant "state", and liberal tracking must be disabled as said.

Re: conntrack-tools 0.9.14 can not block the connection

[Jan Engelhardt]

On Friday 2010-05-07 21:14, Pablo Neira Ayuso wrote:
>>> The documentation seems to be off here. If you only delete a ct
>>> entry, the next packet (even if a TCP ACK or something) will make
>>> a new ct with NEW as a ctstate.
>>>
>>> To really have a TCP/SCTP connection blocked after deletion of the ct 
>>> entry, you have to only allow NEW ctstates with the initla TCP/SCTP 
>>> packet (SYN/INIT).
>> 
>> Yes, you need a well-formed stateful rule-set "to cut" the connection
>> (at least you have to add a rule to block traffic in INVALID stats).
>
>With "stats" I meant "state", and liberal tracking must be disabled as said.

Which is the default anyway. :-)

I think what was really meant was tcp_loose, not tcp_be_liberal.
Anyway, I don't want to give bad hints. It's better to
use a restrictive ruleset than tweaking sysctls.

Re: conntrack-tools 0.9.14 can not block the connection

[Pascal Hambourg]

Jan Engelhardt a écrit :
> On Friday 2010-05-07 21:14, Pablo Neira Ayuso wrote:
>>>> The documentation seems to be off here. If you only delete a ct
>>>> entry, the next packet (even if a TCP ACK or something) will make
>>>> a new ct with NEW as a ctstate.
>>>>
>>>> To really have a TCP/SCTP connection blocked after deletion of the ct 
>>>> entry, you have to only allow NEW ctstates with the initla TCP/SCTP 
>>>> packet (SYN/INIT).

Jan made an interesting point. TCP conntrack has a liberal/strict
sysctl, but I do not see any for SCTP conntrack. If I'm not mistaken, is
SCTP conntrack of the liberal or strict kind ?

>>> Yes, you need a well-formed stateful rule-set "to cut" the connection
>>> (at least you have to add a rule to block traffic in INVALID stats).
>> With "stats" I meant "state", and liberal tracking must be disabled as said.
> 
> Which is the default anyway. :-)
> 
> I think what was really meant was tcp_loose, not tcp_be_liberal.

In my understanding, tcp_loose only allows conntrack to pick up
connections from the middle, but packets are still INVALID until the
required number of packets is seen and accepted. Am I wrong ?

Re: conntrack-tools 0.9.14 can not block the connection

[Jozsef Kadlecsik]

On Fri, 7 May 2010, Pascal Hambourg wrote:

> > I think what was really meant was tcp_loose, not tcp_be_liberal.
> 
> In my understanding, tcp_loose only allows conntrack to pick up
> connections from the middle, but packets are still INVALID until the
> required number of packets is seen and accepted. Am I wrong ?

No, the packets are set to the usual states, there's no packet counting.

With tcp_loose enabled (default) conntrack accepts non-SYN packets as 
"NEW" ones, i.e. attempts to pick up connections from the middle.

With tcp_be_liberal enabled (default is disabled) out of window packets 
are not marked as INVALID.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: conntrack-tools 0.9.14 can not block the connection

[Jan Engelhardt]

On Saturday 2010-05-08 22:33, Jozsef Kadlecsik wrote:

>On Fri, 7 May 2010, Pascal Hambourg wrote:
>
>> > I think what was really meant was tcp_loose, not tcp_be_liberal.
>> 
>> In my understanding, tcp_loose only allows conntrack to pick up
>> connections from the middle, but packets are still INVALID until the
>> required number of packets is seen and accepted. Am I wrong ?
>
>No, the packets are set to the usual states, there's no packet counting.
>
>With tcp_loose enabled (default) conntrack accepts non-SYN packets as 
>"NEW" ones, i.e. attempts to pick up connections from the middle.
>
>With tcp_be_liberal enabled (default is disabled) out of window packets 
>are not marked as INVALID.

And for grand completeness on the reader's behalf: an out-of-window 
packet can not occur if there is no previous ct entry (for the same 
tcp connection) whose window values could be compared to to see if 
there is an out-of-window condition.

Re: conntrack-tools 0.9.14 can not block the connection

[Pablo Neira Ayuso]

[-- Attachment #1: Type: text/plain, Size: 808 bytes --]

Jozsef Kadlecsik wrote:
> On Fri, 7 May 2010, Pascal Hambourg wrote:
> 
>>> I think what was really meant was tcp_loose, not tcp_be_liberal.
>> In my understanding, tcp_loose only allows conntrack to pick up
>> connections from the middle, but packets are still INVALID until the
>> required number of packets is seen and accepted. Am I wrong ?
> 
> No, the packets are set to the usual states, there's no packet counting.
> 
> With tcp_loose enabled (default) conntrack accepts non-SYN packets as 
> "NEW" ones, i.e. attempts to pick up connections from the middle.
> 
> With tcp_be_liberal enabled (default is disabled) out of window packets 
> are not marked as INVALID.

I have applied the following patch to the documentation based on this
discussion. I have also uploaded a new version of the webpage.

[-- Attachment #2: f.patch --]
[-- Type: text/x-patch, Size: 1867 bytes --]

doc: description on how to block traffic with conntrack was incomplete

From: Pablo Neira Ayuso <pablo@netfilter.org>

This patch completes the documentation with the following discussion
that took place in the mailing list.

http://marc.info/?l=netfilter&m=127335152521674&w=2

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 doc/manual/conntrack-tools.tmpl |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl
index b897318..ab4e5fb 100644
--- a/doc/manual/conntrack-tools.tmpl
+++ b/doc/manual/conntrack-tools.tmpl
@@ -19,7 +19,7 @@
   </authorgroup>
 
   <copyright>
-   <year>2008</year>
+   <year>2008-2010</year>
    <holder>Pablo Neira Ayuso</holder>
   </copyright>
 
@@ -198,7 +198,12 @@ conntrack v0.9.7 (conntrack-tools): 1 flow entries have been shown.
 conntrack v0.9.7 (conntrack-tools): 1 flow entries has been updated.
  </programlisting>
 
-<para>Delete one entry, this can be used to block traffic (you have to set <emphasis>/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal</emphasis> to zero).</para>
+<para>Delete one entry, this can be used to block traffic if:</para>
+<itemizedlist>
+ <listitem><para>You have a stateful rule-set that blocks traffic in INVALID state.</para></listitem>
+ <listitem><para>You have to set <emphasis>/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose</emphasis> or <emphasis>/proc/sys/net/netfilter/nf_conntrack_tcp_loose</emphasis>, depending on your kernel version, to zero.</para></listitem>
+</itemizedlist>
+
 <programlisting>
  # conntrack -D -p tcp --dport 3486
  tcp      6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=1 secmark=0 use=1

Re: conntrack-tools 0.9.14 can not block the connection

[Pascal Hambourg]

Jan Engelhardt a écrit :
> On Saturday 2010-05-08 22:33, Jozsef Kadlecsik wrote:
>>
>> With tcp_loose enabled (default) conntrack accepts non-SYN packets as 
>> "NEW" ones, i.e. attempts to pick up connections from the middle.
>>
>> With tcp_be_liberal enabled (default is disabled) out of window packets 
>> are not marked as INVALID.
> 
> And for grand completeness on the reader's behalf: an out-of-window 
> packet can not occur if there is no previous ct entry (for the same 
> tcp connection) whose window values could be compared to to see if 
> there is an out-of-window condition.

Thanks to both of you for clarifying.