* Questions about the workings of iptables
@ 2004-07-26 12:51 Small, Jim
2004-07-26 13:17 ` Antony Stone
0 siblings, 1 reply; 9+ messages in thread
From: Small, Jim @ 2004-07-26 12:51 UTC (permalink / raw)
To: netfilter
I've been using netfilter/iptables for some time and I'm planning on doing a
presentation on it to a local user group. I've used most of the major
firewalls (pf, ipfilter, iptables, PIX, and CheckPoint) and I've been
comparing features. Note--I know there are other firewalls like G2,
NetScreen, and CyberGuard and I'm not trying to knock them by leaving them
out!
Two popular firewall features I'm exploring are stateful inspection and
initial TCP sequence randomizing. I've looked in the archives and couldn't
find very much. So please allow me to ask:
1) How extensive is IPTables stateful packet filtering? Especially with
TCP and the recent reset paranoia
(http://www.uniras.gov.uk/vuls/2004/236929/index.htm), what is checked for
stateful TCP inspection? Are the sequence numbers carefully scrutinized as
part of the state check? For an excellent paper on TCP state checking, I
like the following:
http://home.iae.nl/users/guido/papers/tcp_filtering.ps.gz
Is there a listing of everything the connection tracking modules do?
If connection tracking or stateful inspection does not include TCP sequence
checking, is there a way to add it? Is it well tested/supported?
2) Can IPTables randomize initial TCP sequence numbers? If not, is there
an add-on that can? I saw IP Personality, that's not really what I want. I
would prefer something that can randomize all initial TCP sequence numbers
traversing an IPTables firewall.
As to why this is important, many clients have weak TCP ISN (Initial TCP
Sequence Number) generators. While Linux is good in this aspect, many
clients like Windows are not. And it is not always possible to replace
Windows clients or other clients with weak ISNs. Proxying might be an
option, but I would really like to know if there is a stateful firewall
option or add-on.
Thanks,
Jim
* Re: Questions about the workings of iptables
From: Antony Stone @ 2004-07-26 13:17 UTC (permalink / raw)
To: netfilter
On Monday 26 July 2004 1:51 pm, Small, Jim wrote:
> 1) How extensive is IPTables stateful packet filtering? Are the sequence
> numbers carefully scrutinized as part of the state check?
No. AFAIK the connection tracking in netfilter checks only src+dst IP+port,
nothing else.
> Is there a listing of everything the connection tracking modules do?
Netfilter source code is probably your best bet here.
> If connection tracking or stateful inspection does not include TCP sequence
> checking, is there a way to add it?
I do not know of a patch to provide this. It would be in patch-o-matic if
there is one.
> 2) Can IPTables randomize initial TCP sequence numbers?
No. Netfilter doesn't change the packets on their way past, except for:
- NAT, which will change as little as necessary to achieve the required
result (ie source port numbers don't get changed if it can be helped)
- mangle rules which specifically change things in the headers
> If not, is there an add-on that can?
How about a Linux or BSD-based proxy server :) ?
You really want something which is going to generate its own sequence numbers
to do this properly (and a proxy server would help with your first question
above as well).
I know that's not really the answer you wanted, but I'm not aware of any way
to do these with netfilter itself.
Regards,
Antony.
--
Success is a lousy teacher. It seduces smart people into thinking they can't
lose.
- William H Gates III
Please reply to the list;
please don't CC me.
* Re: Questions about the workings of iptables
From: Sven Schuster @ 2004-07-26 14:04 UTC (permalink / raw)
To: netfilter
Hi Antony, hi Jim,
On Mon, Jul 26, 2004 at 02:17:33PM +0100, Antony Stone told us:
> On Monday 26 July 2004 1:51 pm, Small, Jim wrote:
>
> > 1) How extensive is IPTables stateful packet filtering? Are the sequence
> > numbers carefully scrutinized as part of the state check?
>
> No. AFAIK the connection tracking in netfilter checks only src+dst IP+port,
> nothing else.
>
> > Is there a listing of everything the connection tracking modules do?
>
> Netfilter source code is probably your best bet here.
>
> > If connection tracking or stateful inspection does not include TCP sequence
> > checking, is there a way to add it?
>
> I do not know of a patch to provide this. It would be in patch-o-matic if
> there is one.
look at the TCP window tracking patch in pom-ng. Harald has submitted it
to davem for inclusion in the mainline 2.6.9 kernel recently. Don't know
if it will be included in 2.4, too.
regards,
Sven
--
Linux zion 2.6.8-rc2 #1 Sun Jul 18 15:00:48 CEST 2004 i686 athlon i386 GNU/Linux
16:02:43 up 7 days, 17:31, 1 user, load average: 1.06, 1.08, 1.02
* Re: Questions about the workings of iptables
From: Ashutosh @ 2004-07-27 7:20 UTC (permalink / raw)
To: netfilter
> No. AFAIK the connection tracking in netfilter checks only src+dst
> IP+port,
> nothing else.
.. And the Protocol
--
Ashutosh Naik
* Re: Questions about the workings of iptables
From: Antony Stone @ 2004-07-27 8:47 UTC (permalink / raw)
To: netfilter
On Tuesday 27 July 2004 8:20 am, Ashutosh wrote:
> > No. AFAIK the connection tracking in netfilter checks only src+dst
> > IP+port, nothing else.
>
> .. And the Protocol
Er, well, yes. I kind of took this bit for granted, but you're correct; a
conntrack entry for a TCP connection between a.b.c.d:e and v.w.x.y:z will not
match UDP packets on the same IPs and ports :)
Also, conntrack entries take care of non-TCP/UDP connections (eg ICMP, ESP)
which do not have port numbers, therefore src+dst IP (and protocol) are the
only things matched here.
Regards,
Antony.
--
Normal people think "If it ain't broke, don't fix it".
Engineers think "If it ain't broke, it doesn't have enough features yet".
Please reply to the list;
please don't CC me.
* Re: Questions about the workings of iptables
From: John A. Sullivan III @ 2004-07-27 13:41 UTC (permalink / raw)
To: Ashutosh; +Cc: netfilter
On Tue, 2004-07-27 at 03:20, Ashutosh wrote:
> > No. AFAIK the connection tracking in netfilter checks only src+dst
> > IP+port,
> > nothing else.
>
> .. And the Protocol
and I would assume there is a timer - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: Questions about the workings of iptables
From: Antony Stone @ 2004-07-27 14:22 UTC (permalink / raw)
To: netfilter
On Tuesday 27 July 2004 2:41 pm, John A. Sullivan III wrote:
> On Tue, 2004-07-27 at 03:20, Ashutosh wrote:
> > > No. AFAIK the connection tracking in netfilter checks only src+dst
> > > IP+port,
> > > nothing else.
> >
> > .. And the Protocol
>
> and I would assume there is a timer - John
Oh yes, there are timers, but that's not part of the information from the
original packet which gets matched in future packets, which is what I was
discussing, and what I think the original question was about (!?).
Regards,
Antony.
--
"Linux is going to be part of the future. It's going to be like Unix was."
- Peter Moore, Asia-Pacific general manager, Microsoft
Please reply to the list;
please don't CC me.
* Re: Questions about the workings of iptables
From: Ashutosh Naik @ 2004-07-28 4:00 UTC (permalink / raw)
To: netfilter
On Tue, 27 Jul 2004 15:22:40 +0100, Antony Stone
<Antony@Soft-Solutions.co.uk> wrote:
> On Tuesday 27 July 2004 2:41 pm, John A. Sullivan III wrote:
>
>> On Tue, 2004-07-27 at 03:20, Ashutosh wrote:
>> > > No. AFAIK the connection tracking in netfilter checks only src+dst
>> > > IP+port,
>> > > nothing else.
>> >
>> > .. And the Protocol
>>
>> and I would assume there is a timer - John
>
> Oh yes, there are timers, but that's not part of the information from the
> original packet which gets matched in future packets, which is what I was
> discussing, and what I think the original question was about (!?).
Yes, what actually gets matched is only the 5-tuple:
srcIP+destIP+srcport+destport+Protocol
--
Ashutosh Naik
Teneoris Networks India Pvt. Ltd.
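As an added illustration of what the replies above converge on (a match on the 5-tuple, the reply direction found by reversing it, protocols without ports matched on IPs plus protocol, and entries aged out by a timer), here is a toy model written for this thread; it is not netfilter's own code, and the timeout values are constructed samples rather than netfilter's defaults:

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# (protocol, src_ip, src_port, dst_ip, dst_port). Port 0 stands in for
# protocols such as ICMP or ESP that have no ports, so for those only the
# two IPs and the protocol take part in the match.
Tuple5 = Tuple[str, str, int, str, int]

# Constructed sample timeouts in seconds, not netfilter's real defaults.
TIMEOUTS = {"tcp": 300.0, "udp": 30.0, "icmp": 30.0, "esp": 60.0}


def reverse(t: Tuple5) -> Tuple5:
    """Reply-direction tuple: swap source and destination, keep protocol."""
    proto, sip, sport, dip, dport = t
    return (proto, dip, dport, sip, sport)


@dataclass
class Entry:
    expires_at: float
    seen_reply: bool = False


class ConntrackTable:
    """Toy conntrack: entries keyed on the original-direction 5-tuple,
    each with a timer. A packet matches if its own tuple or its reverse
    is present and unexpired; nothing else (TCP flags, sequence numbers)
    is examined, which is what the thread describes."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple5, Entry] = {}

    def _drop_expired(self, now: float) -> None:
        for key in [k for k, e in self._entries.items() if e.expires_at <= now]:
            del self._entries[key]

    def classify(self, pkt: Tuple5, now: float) -> str:
        """Return the conntrack state this packet would be given."""
        self._drop_expired(now)
        timeout = TIMEOUTS[pkt[0]]
        entry = self._entries.get(pkt)
        if entry is not None:                       # original direction
            entry.expires_at = now + timeout        # re-arm the timer
            return "ESTABLISHED" if entry.seen_reply else "NEW"
        entry = self._entries.get(reverse(pkt))
        if entry is not None:                       # reply direction
            entry.seen_reply = True
            entry.expires_at = now + timeout
            return "ESTABLISHED"
        self._entries[pkt] = Entry(now + timeout)   # first packet seen
        return "NEW"

    def __len__(self) -> int:
        return len(self._entries)
```

A UDP packet carrying the same addresses and ports as a tracked TCP connection gets its own entry, and an idle UDP entry is gone after its timer runs out while the TCP entry is still there.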
* RE: Questions about the workings of iptables
From: Jason Opperisano @ 2004-07-26 13:43 UTC (permalink / raw)
To: Small, Jim, netfilter
> 1) How extensive is IPTables stateful packet filtering? Especially with
> TCP and the recent reset paranoia
> (http://www.uniras.gov.uk/vuls/2004/236929/index.htm), what is checked for
> stateful TCP inspection? Are the sequence numbers carefully scrutinized as
> part of the state check? For an excellent paper on TCP state checking, I
> like the following:
> http://home.iae.nl/users/guido/papers/tcp_filtering.ps.gz
the "tcp-window-tracking patch" available in patch-o-matic is based upon the paper by Guido van Rooij that you reference.
-j