LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-26-2003, 07:24 PM   #1
koningshoed
Member
 
Registered: May 2002
Location: South Africa
Distribution: Gentoo
Posts: 103

Rep: Reputation: 15
iptables (netfilter) losing packets!


Hello all,

yes, I'm serious, according to me, the netfilter code in linux (2.4.18 - patched ipt_ULOG.c as well as 2.5.69 - and therefor likely 2.5.72 as well) loses packets under some circumstances. Yes, I felt the same way, ok, here it goes, I flush my tables, and set all policies to accept, and then add some logging and some denying (We're writing a portknock server and is trying to tap into the ULOG target in order to pick up the knocks).

iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -p tcp --destination-port 745:1000 --syn -j ULOG
iptables -A INPUT -p tcp --destination-port 745:1000 --syn -j DROP

that settles the firewall part, and the environment for the port knocking to be able to occur. Replace LOG for ULOG in the above and find logging info by tailing /var/log/messsages.

Now, out portknock program produces the following output, and this works correctly (try the above without the DROP rule).

$ ./portknock --remote=localhost --option=ssh --pass=private
Good.
MD5: 2c:17:c6:39:37:71:ee:30:48:ae:34:d6:b3:80:c5:ec
CSEQ: 73:73:68:00:00:00:00:00:00:00:00:00:00:00:00:68
ESEQ: 18:89:5b:21:62:bf:22:49:53:e3:ce:03:3c:10:d3:e2
knock: 769
knock: 882
knock: 836
knock: 778
knock: 843
knock: 936
knock: 779
knock: 818
knock: 828
knock: 972
knock: 951
knock: 748
knock: 805
knock: 761
knock: 956
knock: 971

But, when I use the "full" ruleset as above, I end up with the following three lines in my log:

Jun 27 01:09:00 kroon kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65216 DF PROTO=TCP SPT=32816 DPT=769 WINDOW=32767 RES=0x00 SYN URGP=0
Jun 27 01:09:03 kroon kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65217 DF PROTO=TCP SPT=32816 DPT=769 WINDOW=32767 RES=0x00 SYN URGP=0
Jun 27 01:09:09 kroon kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65218 DF PROTO=TCP SPT=32816 DPT=769 WINDOW=32767 RES=0x00 SYN URGP=0

Which is
1) All the same (The first packet).
2) Incomplete.

iptables also only reports having seen 3 packets (using the counters).

Please tell me it's just me screwing up. I really do not want to go bug-hunting in kernel code ...

I'm willing to send all code I have on request to specified email addresses.
 
Old 06-26-2003, 10:42 PM   #2
beltorak
LQ Newbie
 
Registered: Dec 2002
Distribution: slackware 8.1
Posts: 15

Rep: Reputation: 0
I am not familiar with the details of portknocking -- just the basic idea. try these rules (as a portknock may or may not send a 'syn' packet to the various ports):
Code:
iptables -A INPUT -p tcp --destination-port 745:1000 \
    -m state --state NEW -j ULOG
iptables -A INPUT -p tcp --destination-port 745:1000 \
    -m state --state NEW -j DROP
I think that is more or less what you intended with the syn packets...
If you think iptables is still dropping packets, remove the '-m state --state NEW' bit.

hope this helps...

-t.

Last edited by beltorak; 06-26-2003 at 10:43 PM.
 
Old 06-27-2003, 07:50 PM   #3
koningshoed
Member
 
Registered: May 2002
Location: South Africa
Distribution: Gentoo
Posts: 103

Original Poster
Rep: Reputation: 15
Problem solved. See http://www.kroon.co.za/portknock

Anyway, I feel extremely stupid. The iptables commands are fine, so is my ulogport program (although it seems weird). After using hping to perform a sequenced knock I realized that the problem was in the client code. When a socket times out, it's ripped to threads in the kernel, although not as expected. Executing a successive connect on the same sockets fails, but it doesn't fail with EBADFS, but rather with one of ETIMEOUT ECONNREFUSED or EINTR (I suspect ECONNREFUSED as it seems to be attempting to reconnect to the same ports). Anyway, I modified the client to use a clean socket for each connect system call and it now works as expected.

Sorry about this.
 
Old 06-28-2003, 03:31 PM   #4
beltorak
LQ Newbie
 
Registered: Dec 2002
Distribution: slackware 8.1
Posts: 15

Rep: Reputation: 0
hey, not a problem. Good that you figured it out, and even better that you told us what it was.

What ulog program are you using? is it of yer own writ? I wrote a small program to partially decode the ulog messages, and am working on a better one now when I have time (yeah, right, time hahaha).

-t.
 
Old 06-28-2003, 05:09 PM   #5
koningshoed
Member
 
Registered: May 2002
Location: South Africa
Distribution: Gentoo
Posts: 103

Original Poster
Rep: Reputation: 15
You can easily help, I'm publishing my code (http://www.kroon.co.za/ulogport), and yes, it is of my own design. It sucks atm, all it can do is check that the packet was a tcp packet, and if so, what the source ip was and the destination port, it prints this out. The only reason I wrote it in the first place was to work with my portknock program (http://www.kroon.co.za/portknock) which can be configured to do all kinds of really wicked stuff. I'm actually still looking for beta testers (hint hint).

And I suspect what I call portknocking is something else from what you understand? portknocking is when some packets are sent to your ip stack to test it, hack it, etc (or at least that is what I understand). We are using it as a method of passing data through a firewall, or rather, to give commands to the firewall from a remote location. So far we have managed to configure it to open ssh for us to a given ip without having access to the server.

Well, actually, for that specific tryout I merely constructed a simple syn-blocking firewall, and logged some SYN packets to ULOG which I picked up as the knocks. Then I send a specific sequence of knocks, which the server then picks up, and takes appropriate action (opening ssh in this case).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how netfilter handles fragmented packets??? cranium2004 Linux - Networking 1 11-21-2004 01:47 PM
Netfilter / IPtables SWAT Linux - Newbie 3 11-11-2003 10:04 AM
Netfilter/iptables on Linux Debra Programming 1 10-03-2002 08:40 PM
Netfilter/iptables on Linux Debra Linux - General 2 10-03-2002 08:27 PM
Firewall, netfilter, iptables...? snowbaby Linux - Security 9 08-13-2002 04:22 AM


All times are GMT -5. The time now is 09:26 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration