iptables NEW or SYN

iptables NEW or SYN

[Markus Feldmann]

Hi All,

i am still experiment with iptables and the state extension. Some of my 
rules shall catch packets with the state NEW, but it doesn't catch all 
packets. Sometimes there are packets that have the SYN Flag set which go 
through my rules with the state NEW.

Any idea why?
I thought SYN is included in the state NEW, is that wrong?

What is the difference between SYN and NEW?

regards Markus

Re: iptables NEW or SYN

[Jan Engelhardt]

On Thursday 2010-05-13 19:08, Markus Feldmann wrote:

> Hi All,
>
> i am still experiment with iptables and the state extension. Some of my rules
> shall catch packets with the state NEW, but it doesn't catch all packets.
> Sometimes there are packets that have the SYN Flag set which go through my
> rules with the state NEW.
>
> Any idea why?

Where's the ruleset?

> I thought SYN is included in the state NEW, is that wrong?

There are cases where SYN can be INVALID, naturally. Furthermore, CTs 
may be NEW even if the packet is not TCP SYN.

> What is the difference between SYN and NEW?

Kinda like the difference between "new" and "refurbished".

Re: iptables NEW or SYN

[Markus Feldmann]

Ok i post some important rules, but i think nobody will watch this:




1.        iptables -N attacksinput
2.        iptables -A INPUT -i "$DSLIF" -j attacksinput
3.        iptables -A attacksinput -m state --state ESTABLISHED,RELATED 
-j RETURN
4.        iptables -A attacksinput -m recent --rcheck -m hashlimit 
--hashlimit-name attacksinput_bl --hashlimit-upto 6/hour 
--hashlimit-burst 20 --hashlimit-mode srcip -j LOG --log-level info 
--log-prefix "attacksinput(bl): "
5.        iptables -A attacksinput -m recent --update --seconds 600 -j DROP
6.        iptables -A attacksinput -p tcp -m state --state NEW -m 
multiport --dports 1:79,81:442,444:65535 -m hashlimit --hashlimit-name 
attacksinputnot_80 --hashlimit-upto 6/hour --hashlimit-burst 20 
--hashlimit-mode srcip -j LOG --log-level info --log-prefix 
"attacksinput(!80): "
7.        iptables -A attacksinput -p tcp -m state --state NEW -m 
multiport --dports 1:79,81:442,444:65535 -m recent --set -j DROP
8.        iptables -A attacksinput -p tcp -m state --state NEW -m 
hashlimit --hashlimit-name http --hashlimit-upto 6/hour 
--hashlimit-burst 20 --hashlimit-mode srcip --dport 80 -j RETURN
9.        iptables -A attacksinput -p tcp -m state --state NEW -m 
hashlimit --hashlimit-name https --hashlimit-upto 6/hour 
--hashlimit-burst 20 --hashlimit-mode srcip --dport 443 -j RETURN
10.       iptables -A attacksinput -p icmp --icmp-type 8 -j RETURN
11.       iptables -A attacksinput -m state --state NEW,INVALID -m 
hashlimit --hashlimit-name attacksinput_new_inv --hashlimit-upto 6/hour 
--hashlimit-burst 20 --hashlimit-mode srcip -j LOG --log-level info 
--log-prefix "attacksinput(NEW,INVALID): "
12.       iptables -A attacksinput -m state --state NEW,INVALID -m 
recent --set -j DROP
13.       iptables -A attacksinput -m hashlimit --hashlimit-name 
attacksinput_rest --hashlimit-upto 6/hour --hashlimit-burst 20 
--hashlimit-mode srcip -j LOG --log-level info --log-prefix "attacksinput: "
14.       iptables -A attacksinput -m recent --set -j DROP





Description:
All Packets from the Internet, which comes over ppp0 and want to go into 
my Apache-Server, goes into the chain "attacksinput". Only connections 
to port 80 and 443 are valid and RETURN to the mein chain, all other 
will be logged and dropped.

I friend tried to connect to my server, but couldnt establish a 
connection, here is the log:
https://debianforum.de/forum/pastebin.php?mode=view&s=34615

His computer tries several times to connect, but it fails. The first 
tries send the SYN Flag. Normaly it should be catched by my rule 9 but 
it would catched by the rule 11.

Any idea ?

Regards Markus

Re: iptables NEW or SYN

[Markus Feldmann]

Jan Engelhardt schrieb:
> 
>> What is the difference between SYN and NEW?
> 
> Kinda like the difference between "new" and "refurbished".
So the state NEW is like refurbished and the syn Flag is really new?

Re: iptables NEW or SYN

[Markus Feldmann]

Markus Feldmann schrieb:
> Jan Engelhardt schrieb:
>>
>>> What is the difference between SYN and NEW?
>>
>> Kinda like the difference between "new" and "refurbished".
So NEW means the IP was never seen before and the SYN flag means, that a 
new connection begins? So the first packet from a source adress is NEW 
whether or nor it has the SYN flag set ?

Is that correct?

If this is the case, than i need only the SYN flag to let establish 
incoming connection to my apache-Server?

regards Markus

Re: iptables NEW or SYN

[Pascal Hambourg]

Hello,

Markus Feldmann a écrit :
> So NEW means the IP was never seen before and the SYN flag means, that a 
> new connection begins? So the first packet from a source adress is NEW 
> whether or nor it has the SYN flag set ?

Not exactly. The connection tracking works per connection, not per
source address. NEW means that the packet belongs to a connection that
was not seen by the connection tracking before. SYN (without RST nor
ACK) means that the packet purpose is to start a new TCP connection, but
it could be a duplicate SYN for an already established connection.

> If this is the case, than i need only the SYN flag to let establish 
> incoming connection to my apache-Server?

It depends on your needs.

Re: iptables NEW or SYN

[Markus Feldmann]

Pascal Hambourg schrieb:
> 
> It depends on your needs.

The state NEW doesn't work for my apache server, only the --syn flag. It 
seems that many packets on my server wouldn't catched from the NEW rule, 
because my server thinks they are not NEW. The clients still want to 
establish a connection, but my server only let NEW packets in. If some 
of my frineds want to connect several times, or when the first packet 
doesn't fit up with my rules. Then they fall in my blacklist and i got 
problems. :-(

So it is better to set up a rule with the --syn argument combined with 
the hashlimit extension, to be save against syn flood attacks.

What do you think?

regards markus

Re: iptables NEW or SYN

[Markus Feldmann]

Jan Engelhardt schrieb:
> On Thursday 2010-05-13 19:08, Markus Feldmann wrote:
> 
>> I thought SYN is included in the state NEW, is that wrong?
> 
> There are cases where SYN can be INVALID, naturally. Furthermore, CTs 
> may be NEW even if the packet is not TCP SYN.
What are CTs?

Re: iptables NEW or SYN

[Curby]

On Thu, May 13, 2010 at 12:05 PM, Markus Feldmann
<feldmann_markus@gmx.de> wrote:
> What are CTs?

Mebbe Conntrack?  The basic point that Jan's trying to make is that
NEW/ESTABLISHED/INVALID/RELATED describes packets as they're seen by
the connection tracking.  It is not necessarily related to whether a
TCP packet has the SYN flag set.

If a new and valid ICMP ping packet comes in, it's considered NEW by
conntrack because it's not associated with any other traffic, not is
it INVALID.  That's an example of NEW packets that don't have to be
TCP SYN.

--Mike

Re: iptables NEW or SYN

[Markus Feldmann]

Curby schrieb:
> On Thu, May 13, 2010 at 12:05 PM, Markus Feldmann
> <feldmann_markus@gmx.de> wrote:
>> What are CTs?
> 
> Mebbe Conntrack?  The basic point that Jan's trying to make is that
> NEW/ESTABLISHED/INVALID/RELATED describes packets as they're seen by
> the connection tracking.  It is not necessarily related to whether a
> TCP packet has the SYN flag set.
> 
> If a new and valid ICMP ping packet comes in, it's considered NEW by
> conntrack because it's not associated with any other traffic, not is
> it INVALID.  That's an example of NEW packets that don't have to be
> TCP SYN.
I try an example and you say whether i am right.

If i meet a girl, which i doesnt meet before, than she is NEW.
When i meet a girl every day which, than she is only new at the first 
meet but the meeting is every day a new experience (syn).

Is that correct?

So the state NEW is the sight view of my computer and the syn only 
means, there is a foreign computer which wants to establish a new 
connection.

Ist that right?

If that is right than i need the --syn argument not the state NEW for my 
apache-server.

regards Markus

Re: iptables NEW or SYN

[Mistick Levi]

NEW is a packet which the firewall did not see before( Yes , meeting a
new person today)
ESTABLISHED - Is a connection that already exists ( an open session:
Meeting a girl in the way to the store ( NEW ) then meeting her in our
way back from the store ( ESTABLISHED - we are already familiar ).

SYN is a part of TCP (
http://en.wikipedia.org/wiki/Transmission_Control_Protocol- this could
help understand better ).
the 3-way handshake is done: "SYN" -> "SYN ACK" -> "ACK"
The reply of SYN-ACK Transfer the state to ESTABLISHED.

Kind regards
Levi Yechiel

On Thu, May 13, 2010 at 9:45 PM, Markus Feldmann <feldmann_markus@gmx.de> wrote:
> Curby schrieb:
>>
>> On Thu, May 13, 2010 at 12:05 PM, Markus Feldmann
>> <feldmann_markus@gmx.de> wrote:
>>>
>>> What are CTs?
>>
>> Mebbe Conntrack?  The basic point that Jan's trying to make is that
>> NEW/ESTABLISHED/INVALID/RELATED describes packets as they're seen by
>> the connection tracking.  It is not necessarily related to whether a
>> TCP packet has the SYN flag set.
>>
>> If a new and valid ICMP ping packet comes in, it's considered NEW by
>> conntrack because it's not associated with any other traffic, not is
>> it INVALID.  That's an example of NEW packets that don't have to be
>> TCP SYN.
>
> I try an example and you say whether i am right.
>
> If i meet a girl, which i doesnt meet before, than she is NEW.
> When i meet a girl every day which, than she is only new at the first meet
> but the meeting is every day a new experience (syn).
>
> Is that correct?
>
> So the state NEW is the sight view of my computer and the syn only means,
> there is a foreign computer which wants to establish a new connection.
>
> Ist that right?
>
> If that is right than i need the --syn argument not the state NEW for my
> apache-server.
>
> regards Markus
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: iptables NEW or SYN

[Markus Feldmann]

Thanks for your answer,

i have an ESTABLISHED rule, look at line 127

http://pastebin.com/HSJdf6NK

regards MArkus

Re: iptables NEW or SYN

[Curby]

On Thu, May 13, 2010 at 3:45 PM, Markus Feldmann <feldmann_markus@gmx.de> wrote:
> Thanks for your answer,
>
> i have an ESTABLISHED rule, look at line 127

Having a rule doesn't mean that it's doing what you want it to.  =)
Since you have DROP policies, having EST/REL packets return to the
originating INPUT/FORWARD chain just drops them if nothing else
matches.  Instead, try ACCEPT, as in:

iptables -A attacksinput -m state --state ESTABLISHED,RELATED -j ACCEPT

Can I get confirmation from Jan or someone else that a preferred and
more future-proof syntax is the following?

iptables -A attacksinput -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

--Mike

Re: iptables NEW or SYN

[Markus Feldmann]

Thanks for your help,

I changed this at this afternoon today, because otherwise my server is
not reachable. I changed line 132 and 133 from "state NEW" to the
iptables argument "--syn".

I have no idea why NEW does not work but --syn.

@Curby
The packets will not dropped in the INPUT chain, see the LOG of my friend.
https://debianforum.de/forum/pastebin.php?mode=view&s=34615
All packets will only dropped in the attacksinput chain. I made this log
with <grep SRC=84.141.159.142 /var/log/syslog>, so it contains all
dropped packets from my friend.

When the packets with DPORT=80,443 goes back to the INPUT chain it will
be ACCEPTED, see line 241 to 247. But as i said the packets will only be
dropped in my atttacksinput chain and i don't know why.

The first dropped packet of my friend has the DPT=443 (Redirection from
80 to 443) and SYN flag set with TCP protocol. So i asume that the first
packets with DPORT=80 were accepted. The next packet (singular) with
DPT=443 was dropped at <attacksinput(NEW,INVALID)>, so it went over the
rule in line 133. Line 133 says clearly to catch all NEW packets with
DPT=443. Because it didn't so, the packet was not NEW, and because it
was catched by <attacksinput(NEW,INVALID)>, it has to be INVALID !

Question, is a packet still marked as NEW, after it is redirected from
80 to 443 ???

regards Markus

Re: iptables NEW or SYN

[Markus Feldmann]

I post my <iptables -L -n -v> so that you can see, all my chains contain 
a LOG followed by a DROP statement at the end. So i am sure that i know 
about all pakets which are dropped. Because of this, only in my 
attacksinput chain were packets dropped.

http://pastebin.com/Fb2uvBX4

regards Markus

Re: iptables NEW or SYN

[Markus Feldmann]

My Apache Server does a redirect from 80 to 443.

regards MArkus

Re: iptables NEW or SYN

[Jan Engelhardt]

On Friday 2010-05-14 02:06, Markus Feldmann wrote:

> Thanks for your help,
>
> I changed this at this afternoon today, because otherwise my server is
> not reachable. I changed line 132 and 133 from "state NEW" to the
> iptables argument "--syn".
>
> I have no idea why NEW does not work but --syn.

Just to be wary - some distributions use -i/-o lo -j NOTRACK in the raw 
table, which disables state tracking for loopback.

> Question, is a packet still marked as NEW, after it is redirected from
> 80 to 443 ???

It is marked as NEW,DNAT (-m conntrack; -m state won't help you)

Re: iptables NEW or SYN

[Markus Feldmann]

Jan Engelhardt schrieb:
> On Friday 2010-05-14 02:06, Markus Feldmann wrote:
> 
> It is marked as NEW,DNAT (-m conntrack; -m state won't help you)
[SOLVED] Hi All,

thank you all that was the Problem. i changed my attacksinput chain to:
http://pastebin.com/5YwC4r2i

And it works now. :-)

regards Markus

Re: iptables NEW or SYN

[Mart Frauenlob]

On 13.05.2010 20:45, Markus Feldmann wrote:

> I try an example and you say whether i am right.
> 
> If i meet a girl, which i doesnt meet before, than she is NEW.
> When i meet a girl every day which, than she is only new at the first
> meet but the meeting is every day a new experience (syn).
> 
> Is that correct?
> 
> So the state NEW is the sight view of my computer and the syn only
> means, there is a foreign computer which wants to establish a new
> connection.
> 
> Ist that right?
> 
> If that is right than i need the --syn argument not the state NEW for my
> apache-server.
> 
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#STATEMACHINE

Re: iptables NEW or SYN

[ratheesh k]

On Thu, May 13, 2010 at 6:47 PM, Markus Feldmann <feldmann_markus@gmx.de> wrote:
> Hi All,
>
> i am still experiment with iptables and the state extension. Some of my
> rules shall catch packets with the state NEW, but it doesn't catch all
> packets. Sometimes there are packets that have the SYN Flag set which go
> through my rules with the state NEW.
>
> Any idea why?
> I thought SYN is included in the state NEW, is that wrong?
>
> What is the difference between SYN and NEW?
>
> regards Markus
>
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Please use  netfilter-users list advise of  experts in netfilter  .
-Ratheesh .