Re: Firewall Configuration Help

["Christoph A." <casmls@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 3364 bytes --]

On 28.07.2009 11:09, Julien Vehent wrote:
>> # The following will NOT interfere with local inter-process traffic,
> whose
>> # packets have the source IP of the local loopback interface, e.g.
>> 127.0.0.1
>>
>> $IPTABLES -A INPUT -s $IP_LOCAL -j LOG --log-prefix "Spoofed source IP"
>> $IPTABLES -A INPUT -s $IP_LOCAL -j DROP
>>
>> # Tell netfilter that all TCP sessions do indeed begin with SYN
>>
>> $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG
>> --log-prefix "Stealth scan attempt?"
>> $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
>>
>>
> 
> My understanding of the conntrack subsystem is that a connection cannot be
> in the state NEW without a syn packet, therefore I don't think this is
> useful.


I also thought that such a packet has the state INVALID, but after
making some tests I saw that such TCP packets (! --syn with state NEW)
are possible, but considering his hole ruleset these packets would be
DROPed anyway by his default policy, because he has no
-A INPUT ... --state NEW -j ACCEPT
rules in his ruleset.
This means that the rule is redundant and should be removed to minimize
the number of rules.

Just for the record, I tested it like this:
I generated a packet with hping that has only the ACK flag set and
to see the state I created some logging rules:

iptables -A INPUT -p tcp --sport 9999 ! --syn -m state --state NEW -j
LOG --log-prefix "NEW_: "
iptables -A INPUT -p tcp --sport 9999 ! --syn -m state --state RELATED
-j LOG --log-prefix "RELATED_: "
iptables -A INPUT -p tcp --sport 9999 ! --syn -m state --state
ESTABLISHED -j LOG --log-prefix "ESTABLISHED_: "
iptables -A INPUT -p tcp --sport 9999 ! --syn -m state --state INVALID
-j LOG --log-prefix "INVALID_: "


test #1: (ACK flag set)
hping3 -c 1 -I wlan0 -A -s 9999 -p 1110 localhost

Logging output:
NEW_: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00
SRC=192.168.1.33 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4943
PROTO=TCP SPT=9999 DPT=1110 WINDOW=512 RES=0x00 ACK URGP=0

state => NEW
------------------------------------------------------
test #2 (no TCP flags set):
hping command:

hping -c 1 -I wlan0 -s 9999 -p 1111 localhost

Logging output:
INVALID_: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00
SRC=192.168.1.33 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=9687
PROTO=TCP SPT=9999 DPT=1111 WINDOW=512 RES=0x00 URGP=0

(test was made with iptables v1.4.3.1)


On 05.08.2009 15:35, Mart Frauenlob wrote:
> Wrong, from the iptables tutorial 1.2.2 at frozentux:
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html#STATEMACHINE
>
> The NEW state tells us that the packet is the first packet that we see.
> This means that the first packet that the conntrack module sees, within
> a specific connection, will be matched. For example, if we see a SYN
> packet and it is the first packet in a connection that we see, it will
> match. However, the packet may as well not be a SYN packet and still be
> considered NEW.

Given this fact I'm reconsidering my rules like:

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

to be changed to:
iptables -A INPUT -p tcp --dport 80 --syn -j ACCEPT
(because this is the samller group of packets and works as well)

best regards,
Christoph A.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 197 bytes --]