From: Nick <netfilter@acrasis.net>
To: netfilter@vger.kernel.org
Subject: Firewall sometimes leaking
Date: Wed, 6 May 2020 12:24:49 +0100
Message-ID: <20200506112449.GD14154@acrasis.net>
My firewall leaks, sometimes. I saw this behaviour with FireHOL and
tried Shorewall instead but it continues. Advice in #shorewall on
freenode was that my shorewall configuration is valid.
The firewall has a rule to drop HTTP traffic if the source address is
in an ipset. The ipset is maintained by fail2ban and created by
/etc/shorewall/init:
ipset create f2b-http4 hash:ip family inet comment timeout 2147483 -exist
This is on Debian stable, uname -v prints "#1 SMP Debian
4.19.98-1+deb10u1 (2020-04-27)". In Debian's "alternatives" system,
iptables is symlinked to /usr/sbin/iptables-nft.
The rule is on line 66 in the attached 'iptables-save -c' output. The
rule usually works but sometimes it doesn't. An example occurrence
follows (times are in BST).
2020-05-02 16:23 last reboot.
2020-05-04 21:03 shorewall last restarted.
2020-05-04 21:13 fail2ban last restarted.
2020-05-05 10:02 I saved the contents of the ipset f2b-http4 to a file.
2020-05-06 04:22 the webserver logged a request from 193.118.53.194.
2020-05-06 04:22 fail2ban warned "193.118.53.194 already banned".
The address was in my saved file, before the request:
# grep '193\.118\.53\.194' ~/f2b-http4-2020-05-05T10:02+01:00.txt
193.118.53.194 timeout 2101355 comment "wronghost"
The address was still in the ipset after the request:
# date +%s && grep '193\.118\.53\.194' <(ipset list f2b-http4)
1588750964
193.118.53.194 timeout 2019727 comment "wronghost"
The decrement in the timeout (from 2101355 to 2019727) matches the
time elapsed from saving the file to checking the ipset:
# date +%s --date="2020-05-05T10:02+01:00"
1588669320
# echo $((1588669320 + (2101355 - 2019727)))
1588750948
# echo $((1588750964 - 1588750948))
16
i.e. they match to within 16s (my file timestamp has minute resolution).
I think the IP address was in the ipset f2b-http4 continuously before,
during and after the time of the HTTP request. Yet the address was
able to reach port 80 at 04:22 today. How?
Thanks,
--
Nick
[-- Attachment #2: iptables-save.txt --]
1 # Generated by xtables-save v1.8.2 on Wed May 6 10:44:54 2020
2 *raw
3 :PREROUTING ACCEPT [268704:22528984]
4 :OUTPUT ACCEPT [16017:1501591]
5 COMMIT
6 # Completed on Wed May 6 10:44:54 2020
7 # Generated by xtables-save v1.8.2 on Wed May 6 10:44:54 2020
8 *nat
9 :PREROUTING ACCEPT [254501:19507810]
10 :INPUT ACCEPT [2822:293211]
11 :POSTROUTING ACCEPT [9372:738643]
12 :OUTPUT ACCEPT [9371:738603]
13 COMMIT
14 # Completed on Wed May 6 10:44:54 2020
15 # Generated by xtables-save v1.8.2 on Wed May 6 10:44:54 2020
16 *mangle
17 :PREROUTING ACCEPT [268704:22528984]
18 :INPUT ACCEPT [68313:9251380]
19 :FORWARD ACCEPT [0:0]
20 :OUTPUT ACCEPT [16017:1501591]
21 :POSTROUTING ACCEPT [16017:1501591]
22 [0:0] -A FORWARD -j MARK --set-xmark 0x0/0xff
23 COMMIT
24 # Completed on Wed May 6 10:44:54 2020
25 # Generated by xtables-save v1.8.2 on Wed May 6 10:44:54 2020
26 *filter
27 :INPUT DROP [0:0]
28 :FORWARD DROP [0:0]
29 :OUTPUT ACCEPT [16017:1501591]
30 :dbl_log - [0:0]
31 :logflags - [0:0]
32 :net-fw - [0:0]
33 :reject - [0:0]
34 :smurflog - [0:0]
35 :smurfs - [0:0]
36 :tcpflags - [0:0]
37 :~log0 - [0:0]
38 :~log1 - [0:0]
39 :~log2 - [0:0]
40 :~log3 - [0:0]
41 :~log4 - [0:0]
42 :sha-lh-7d55c90e26beacf414af - [0:0]
43 :sha-rh-f7dacd76c267f54cf185 - [0:0]
44 :shorewall - [0:0]
45 [68313:9251380] -A INPUT -i ens3 -j net-fw
46 [0:0] -A INPUT -i lo -j ACCEPT
47 [0:0] -A INPUT -m addrtype --dst-type BROADCAST -j DROP
48 [0:0] -A INPUT -m addrtype --dst-type ANYCAST -j DROP
49 [0:0] -A INPUT -m addrtype --dst-type MULTICAST -j DROP
50 [0:0] -A INPUT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j NFLOG --nflog-prefix "INPUT DROP "
51 [0:0] -A INPUT -j DROP
52 [0:0] -A FORWARD -m addrtype --dst-type BROADCAST -j DROP
53 [0:0] -A FORWARD -m addrtype --dst-type ANYCAST -j DROP
54 [0:0] -A FORWARD -m addrtype --dst-type MULTICAST -j DROP
55 [0:0] -A FORWARD -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j NFLOG --nflog-prefix "FORWARD DROP "
56 [0:0] -A FORWARD -j DROP
57 [349:20132] -A dbl_log -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j NFLOG --nflog-prefix "dbl_log DROP black4 "
58 [349:20132] -A dbl_log -j SET --add-set black4 src --exist --timeout 2147483
59 [349:20132] -A dbl_log -j DROP
60 [0:0] -A logflags -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j NFLOG --nflog-prefix "logflags DROP "
61 [0:0] -A logflags -j DROP
62 [349:20132] -A net-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -m set --match-set black4 src -j dbl_log
63 [56058:6853054] -A net-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
64 [2309:757149] -A net-fw -p udp -m udp --dport 67:68 -j ACCEPT
65 [39568:1840560] -A net-fw -p tcp -j tcpflags
66 [372:20257] -A net-fw -p tcp -m tcp --dport 80 -m set --match-set f2b-http4 src -m comment --comment HTTP -g ~log0
67 [687:35060] -A net-fw -p tcp -m tcp --dport 25 -m set --match-set f2b-smtp4 src -m comment --comment SMTP -g ~log1
68 [11616:2362493] -A net-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
69 [375:16304] -A net-fw -p tcp -m conntrack --ctstate INVALID -j DROP
70 [1425:117990] -A net-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
71 [385:16548] -A net-fw -p tcp -m tcp --dport 25 -m hashlimit --hashlimit-upto 10/min --hashlimit-burst 15 --hashlimit-name c_smtp -m connlimit --connlimit-upto 3 --connlimit-mask 32 --connlimit-saddr -m comment --comment SMTP -j ACCEPT
72 [1:40] -A net-fw -p tcp -m tcp --dport 25 -m comment --comment SMTP -g ~log2
73 [0:0] -A net-fw -p tcp -m tcp --dport 22 -m set --match-set ssh4 src -m comment --comment SSH -j ACCEPT
74 [505:22272] -A net-fw -p tcp -m tcp --dport 80 -m hashlimit --hashlimit-upto 20/min --hashlimit-burst 40 --hashlimit-mode srcip --hashlimit-name c_http -m hashlimit --hashlimit-upto 50/min --hashlimit-burst 100 --hashlimit-mode dstip --hashlimit-name s_http -m connlimit --connlimit-upto 5 --connlimit-mask 32 --connlimit-saddr -m comment --comment HTTP -j ACCEPT
75 [0:0] -A net-fw -p tcp -m tcp --dport 80 -m comment --comment HTTP -g ~log3
76 [105:5216] -A net-fw -p tcp -m tcp --dport 443 -m hashlimit --hashlimit-upto 10/min --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name c_https -m hashlimit --hashlimit-upto 20/min --hashlimit-burst 40 --hashlimit-mode dstip --hashlimit-name s_https -m connlimit --connlimit-upto 2 --connlimit-mask 32 --connlimit-saddr -m comment --comment HTTPS -j ACCEPT
77 [0:0] -A net-fw -p tcp -m tcp --dport 443 -m comment --comment HTTPS -g ~log4
78 [14506:4267588] -A net-fw -m addrtype --dst-type BROADCAST -j DROP
79 [0:0] -A net-fw -m addrtype --dst-type ANYCAST -j DROP
80 [3:96] -A net-fw -m addrtype --dst-type MULTICAST -j DROP
81 [30646:1367317] -A net-fw -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j NFLOG --nflog-prefix "net-fw DROP "
82 [35675:1610235] -A net-fw -j DROP
83 [0:0] -A reject -m addrtype --src-type BROADCAST -j DROP
84 [0:0] -A reject -s 224.0.0.0/4 -j DROP
85 [0:0] -A reject -p igmp -j DROP
86 [1:40] -A reject -p tcp -j REJECT --reject-with tcp-reset
87 [0:0] -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
88 [0:0] -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
89 [0:0] -A reject -j REJECT --reject-with icmp-host-prohibited
90 [0:0] -A smurflog -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j NFLOG --nflog-prefix "smurfs DROP "
91 [0:0] -A smurflog -j DROP
92 [2290:751459] -A smurfs -s 0.0.0.0/32 -j RETURN
93 [0:0] -A smurfs -m addrtype --src-type BROADCAST -g smurflog
94 [0:0] -A smurfs -s 224.0.0.0/4 -g smurflog
95 [0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
96 [0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
97 [0:0] -A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
98 [0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
99 [0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
100 [0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
101 [0:0] -A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
102 [370:20137] -A ~log0 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -m comment --comment HTTP -j NFLOG --nflog-prefix "net-fw DROP f2b-http4 "
103 [372:20257] -A ~log0 -m comment --comment HTTP -j DROP
104 [687:35060] -A ~log1 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -m comment --comment SMTP -j NFLOG --nflog-prefix "net-fw DROP f2b-smtp4 "
105 [687:35060] -A ~log1 -m comment --comment SMTP -j DROP
106 [1:40] -A ~log2 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -m comment --comment SMTP -j NFLOG --nflog-prefix "net-fw REJECT r8lim-smtp "
107 [1:40] -A ~log2 -m comment --comment SMTP -j reject
108 [0:0] -A ~log3 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -m comment --comment HTTP -j NFLOG --nflog-prefix "net-fw REJECT r8lim-http "
109 [0:0] -A ~log3 -m comment --comment HTTP -j reject
110 [0:0] -A ~log4 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -m comment --comment HTTPS -j NFLOG --nflog-prefix "net-fw REJECT r8lim-https "
111 [0:0] -A ~log4 -m comment --comment HTTPS -j reject
112 [0:0] -A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
113 COMMIT
114 # Completed on Wed May 6 10:44:54 2020
Thread overview: 4+ messages
2020-05-06 11:24 Nick [this message]
2020-05-06 14:22 ` Firewall sometimes leaking Jozsef Kadlecsik
2020-05-06 14:57 ` Nick
2020-05-10 7:56 ` Firewall sometimes leaking [solved] Nick