Linux Netfilter discussions
From: ching <lsching17@gmail.com>
To: netfilter@vger.kernel.org
Subject: enquiry on ownership of packet (linux iptables)
Date: Thu, 08 Mar 2012 06:13:24 +0800	[thread overview]
Message-ID: <4F57DD84.6080700@gmail.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 1285 bytes --]

Dear all,

I am learning to set up a firewall using IP Tables. My system is Ubuntu 
11.10 linux x64 (linux kernel 3.3-rc5).

My goal is:
     1. Allow authorized users to access the internet only
     2. Isolate network daemons from the loopback device and LAN, but they 
are allowed to access the internet

To achieve this, my firewall is built with the following logic:

   1. Default policy drop
   2. For the input chain, listen on a few ports only
   3. For the output chain, log all dropped packets for debugging.

I spotted that a few packets are dropped on the output chain: ICMP, IGMP 
(proto type=2) and TCP packets. They do not have an owner id.

Now I want to silence them by adding an accept rule, but I have the 
following questions about the ownership of packets.
According to the documentation of iptables: "Packets from kernel threads 
do have a socket, but usually no owner."

   1. Is it possible that a misbehaving program sends "no owner" packets 
(e.g. ICMP/IGMP)? (assume that the program has no root privilege and cannot 
access setuid executables)
   2. Can I assume that "no owner" packets always come from the kernel or a 
program with root privilege?
   3. Why can the TCP packets in my log be "no owner"?
   4. How do I write a rule to "accept" all "no-owner" outbound packets?

Thanks a lot
Ching

[-- Attachment #2: dropped_package_log.txt --]
[-- Type: text/plain, Size: 1217 bytes --]

#IGMP (PROTO=2)
kernel: [   17.476219] [IPTABLES]: dropped IN= OUT=vmnet1 SRC=172.16.27.1 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
kernel: [   17.500206] [IPTABLES]: dropped IN= OUT=vmnet8 SRC=172.16.225.1 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 

#ICMP
kernel: [ 7485.926583] [IPTABLES]: dropped IN= OUT=eth0 SRC=192.168.11.2 DST=208.86.198.92 LEN=576 TOS=0x00 PREC=0xC0 TTL=64 ID=12970 PROTO=ICMP TYPE=11 CODE=1 [SRC=208.86.198.92 DST=192.168.11.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=48 ID=27571 MF PROTO=UDP SPT=7567 DPT=65402 LEN=1849 ] 
kernel: [   13.249733] [IPTABLES]: dropped IN= OUT=vmnet8 SRC=fe80:0000:0000:0000:0250:56ff:fec0:0008 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 

#TCP packet without owner
kernel: [ 6099.368655] [IPTABLES]: dropped IN= OUT=eth0 SRC=192.168.11.2 DST=222.49.251.140 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=65403 DPT=49631 WINDOW=0 RES=0x00 RST URGP=0 
kernel: [  380.975820] [IPTABLES]: dropped IN= OUT=eth0 SRC=192.168.11.2 DST=1.195.204.197 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=64746 DF PROTO=TCP SPT=47859 DPT=10759 WINDOW=29 RES=0x00 ACK PSH FIN URGP=0 

[-- Attachment #3: iprules.txt --]
[-- Type: text/plain, Size: 2277 bytes --]

*security
:INPUT ACCEPT [155114:111048110]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [189557:159665631]
COMMIT


*raw
:PREROUTING ACCEPT [155235:111062052]
:OUTPUT ACCEPT [189607:159672135]
COMMIT


*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT


*mangle
:PREROUTING ACCEPT [155235:111062052]
:INPUT ACCEPT [155235:111062052]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [189607:159672135]
:POSTROUTING ACCEPT [189594:159674670]
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:zLog_Drop - [0:0]
:zNetwork_Daemon - [0:0]


#drop and log chain
-A zLog_Drop -m limit --limit 1/min --limit-burst 10 -j LOG --log-prefix "[IPTABLES]: dropped " --log-uid 
-A zLog_Drop -j DROP
	
#network daemon outbound chain
-A zNetwork_Daemon ! -d 192.168.0.0/16 -o eth0 -j ACCEPT               #allow connection to non-lan ip only
-A zNetwork_Daemon -d 192.168.11.1/32 -o eth0 -p udp -m udp --dport 53 -j ACCEPT               #allow DNS
-A zNetwork_Daemon ! -o eth0 -j DROP               #silent log by dropping local traffic
-A zNetwork_Daemon -j zLog_Drop               #log and drop
	
#input chain
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT               #allow established connection
-A INPUT -p tcp -m multiport --dports 10000:10010 -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT                #listen to a few port only
-A INPUT -p udp -m multiport --dports 10000:10010 -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT                #listen to a few port only
-A INPUT -i lo -j ACCEPT               #allow localhost inbound

#output chain
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT                #allow established connection
-A OUTPUT -m owner --uid-owner zamule -j zNetwork_Daemon                #daemon
-A OUTPUT -m owner --uid-owner debian-transmission -j zNetwork_Daemon                #daemon
-A OUTPUT -m owner --uid-owner zhttpfileserver -j zNetwork_Daemon                #daemon
-A OUTPUT -m owner --uid-owner avahi -j ACCEPT                #trusted
-A OUTPUT -m owner --uid-owner root -j ACCEPT                #trusted
#-A OUTPUT -p icmp -j ACCEPT 
#-A OUTPUT -p igmp -j ACCEPT 
-A OUTPUT -j zLog_Drop                #log and drop everything else

COMMIT
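A triage script for the attached log, added here as an illustration and not part of the original mail or of iptables: it parses LOG lines produced with --log-uid, treats the absence of a UID= field as the "no owner" case, and tallies those drops by output interface and a rough kind. The sample lines are constructed in the attachment's format (three copies of the poster's drops plus one made-up owned packet), and the `kind` labels are a triage heuristic of mine, not a statement about where each packet originated.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple
LOG_PREFIX = "[IPTABLES]: dropped "
# Constructed sample in the attached dropped_package_log.txt format: three lines mirror
# the poster's IGMP/ICMP/TCP-RST drops, the fourth is a made-up owned packet (UID=1000).
SAMPLE_LOG = """\
kernel: [   17.476219] [IPTABLES]: dropped IN= OUT=vmnet1 SRC=172.16.27.1 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
kernel: [ 7485.926583] [IPTABLES]: dropped IN= OUT=eth0 SRC=192.168.11.2 DST=208.86.198.92 LEN=576 TOS=0x00 PREC=0xC0 TTL=64 ID=12970 PROTO=ICMP TYPE=11 CODE=1 [SRC=208.86.198.92 DST=192.168.11.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=48 ID=27571 MF PROTO=UDP SPT=7567 DPT=65402 LEN=1849 ]
kernel: [ 6099.368655] [IPTABLES]: dropped IN= OUT=eth0 SRC=192.168.11.2 DST=222.49.251.140 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=65403 DPT=49631 WINDOW=0 RES=0x00 RST URGP=0
kernel: [ 6100.000000] [IPTABLES]: dropped IN= OUT=eth0 SRC=192.168.11.2 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1000 GID=1000
"""

def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """KEY=value fields of one LOG line; bare tokens (DF, RST, SYN...) go under "flags"."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    # ICMP errors quote the offending inner header in [...]; cut it off so the
    # inner SRC/DST/PROTO do not overwrite the outer packet's own fields.
    body = line[idx + len(LOG_PREFIX):].split(" [", 1)[0]
    fields: Dict[str, str] = {"flags": ""}
    for tok in body.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            fields["flags"] += tok + " "
    return fields

def kind(fields: Dict[str, str]) -> str:
    """Coarse triage label (a heuristic, not proof of where the packet came from)."""
    proto = fields.get("PROTO", "")
    if proto == "2":
        return "igmp"
    if proto.startswith("ICMP"):
        return proto.lower()
    return "tcp-rst" if proto == "TCP" and "RST" in fields["flags"].split() else "other"

def summarize(log_text: str) -> Tuple[Counter, List[Tuple[str, str]]]:
    """Count ownerless drops by (OUT, kind); list owned drops as (UID, DST)."""
    ownerless: Counter = Counter()
    owned: List[Tuple[str, str]] = []
    for f in filter(None, map(parse_log_line, log_text.splitlines())):
        # --log-uid appends UID=/GID= only when the skb has a socket with an owning
        # file, so a line without UID= is what the post calls a "no owner" packet.
        if "UID" in f:
            owned.append((f["UID"], f["DST"]))
        else:
            ownerless[(f.get("OUT", ""), kind(f))] += 1
    return ownerless, owned
```

Run against a real /var/log/kern.log the ownerless counter shows at a glance which interfaces and kinds a permissive rule would need to cover before any accept rule is written.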
