LinuxQuestions.org
Old 04-18-2011, 03:25 AM   #1
lievendp
Member
iptables: verify traffic on port to check if it is legitimate for that port.


Hello,

Is there any way to verify if packets being trafficked over a certain port are valid for the service you want to use this port for?

One obvious example that probably clarifies my question:
When I open port 443 (outgoing or incoming) for https/ssl traffic, I don't want this port to be used for, say, OpenVPN traffic.
Thus: when someone wants to surf to a website with https, it should be OK, but if someone wants to connect to his home OpenVPN server over that same port, it should be blocked.

I can't seem to find the correct description for this kind of technique to give me any good results on Google.

thanks for any advice,

Lieven
 
Old 04-18-2011, 03:57 AM   #2
acid_kewpie
Moderator
For things like this you need some form of proxy; it's nothing to do with iptables at all. In your OpenVPN example the traffic would be valid though, as it's a proxy-capable SSL VPN, so it would go to a proxy and ask to CONNECT to a remote point with SSL, which is exactly the same as a normal web connection. There is nothing to discriminate between. You can look at terminating SSL on the proxy and re-encrypting, using, for example, squid3, but that's no fun really.
 
Old 04-18-2011, 05:17 AM   #3
lievendp
Member
proxy port check service

Thanks for the tip,

I was hoping that iptables had an extension for this, but in fact the proxy server seems to be the more appropriate place to do this (as you state correctly).
I was already using the OpenVPN 2.1 function --port-share; it can differentiate between traffic for itself and real https traffic.
But the openvpn example is just an example.

thanks for your help.
 
Old 04-18-2011, 06:24 AM   #4
acid_kewpie
Moderator
iptables can do string matching and the like, but it's not really something suitable to iptables. The port sharing is, in itself, a proxy, so it is not distinguishing real https traffic, but real http traffic, i.e. the stuff inside the tunnel, which iptables has no business seeing.
 
Old 04-18-2011, 07:49 AM   #5
lievendp
Member
https

That is a good point indeed. In the frequent case of OpenVPN/https, how can iptables even look in the ssl stream? It should probably play man-in-the-middle, but the certificates would probably be wrong/insecure.

Is there a header or something that distinguishes openvpn? That would be encrypted too, no? So openvpn first has to decrypt the ssl which it can only do if the data was signed with the correct key? (I'm wondering how this --port-share function works)

String matching would not work anyway; I really want to avoid the iptables string-matching feature, as it seems to be error-prone due to the fact that packets don't really care about strings, right?

I will look in the direction of transparent proxy, maybe squid, and/or snort to check if the data going through the port in question is actually ok for the service listening on that port. I don't want bad packets and don't want anybody from inside using the open port for anything except for the service it was meant to serve. (http, https, ssh, smtp, ...)


If you have any more tips, they are always welcome, but the question of where to look for a solution seems answered. :-) Much stuff to research! :-))

thanks!
 
Old 04-18-2011, 08:00 AM   #6
acid_kewpie
Moderator
Well, the ssl tunnel will be established between the client and the OpenVPN server as I understand it, and a conventional tunnel is established. Note that the http CONNECT method is only relevant to proxying (AFAIK) and a normal direct HTTPS connection uses no HTTP methods at all until after the connection is established (which leads to awkward issues like not being able to serve multiple certs on a single port), so the client can connect to anything that talks SSL in the first instance. The OpenVPN server can then look at what is asked of it by the client. If it sees "GET / HTTP/1.1\r\nHost: www.server.com\r\n\r\n" then it can take that request and spit it at a real web server, and similar things are possible for SSH, where the client explicitly identifies itself with a similar string, and could point that traffic at a real SSH server, and of course, whatever identifies a VPN request (which could well actually be a specific HTTP request) for itself and acts accordingly.
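As an added illustration (not code from this thread, nor OpenVPN's own --port-share implementation), here is the peek-and-dispatch check such a demultiplexing proxy performs on the first bytes a client sends: a TLS ClientHello, an SSH banner and a plaintext HTTP request each begin with a recognisable prefix, and a per-port policy decides whether that protocol belongs on the port. The OpenVPN native-framing check is from memory of the OpenVPN TCP wire format and is an assumption; all sample preludes are constructed.

```python
# Constructed sample preludes: the first bytes each kind of client sends after connecting.
SAMPLES = {
    # TLS record header (type 22 = handshake, version 3.1) carrying a ClientHello.
    "tls": b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00",
    "ssh": b"SSH-2.0-OpenSSH_5.8\r\n",
    "http": b"GET / HTTP/1.1\r\nHost: www.server.com\r\n\r\n",
    # Assumed OpenVPN TCP framing: 2-byte length, then opcode byte
    # P_CONTROL_HARD_RESET_CLIENT_V2 (7 << 3 = 0x38); payload zeroed for the sample.
    "openvpn": b"\x00\x0e\x38" + b"\x00" * 14,
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# Defender's policy: which protocol(s) a given listening port is meant to serve.
PORT_POLICY = {443: {"tls"}, 22: {"ssh"}, 80: {"http"}}


def classify_prelude(data: bytes) -> str:
    """Classify a connection by its first bytes: 'tls', 'ssh', 'http', 'openvpn' or 'unknown'."""
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        # TLS handshake record. A VPN that wraps itself in a TLS session looks
        # identical here; only what is inside the tunnel differs, and this
        # layer cannot see that (acid_kewpie's point above).
        return "tls"
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(HTTP_METHODS):
        return "http"
    if len(data) >= 3 and data[0] == 0x00 and data[1] >= 14 and data[2] in (0x38, 0x50):
        # Assumed OpenVPN native framing (0x50 = HARD_RESET_CLIENT_V3).
        return "openvpn"
    return "unknown"


def decide(port: int, prelude: bytes) -> str:
    """Return 'accept' if the detected protocol is allowed on this port, else 'drop'."""
    proto = classify_prelude(prelude)
    return "accept" if proto in PORT_POLICY.get(port, set()) else "drop"


if __name__ == "__main__":
    for name, prelude in SAMPLES.items():
        print(f"{name:8s} on 443 -> {classify_prelude(prelude):8s} {decide(443, prelude)}")
```

Native OpenVPN framing on 443 is dropped by this policy, but a client that tunnels OpenVPN inside a genuine TLS session is accepted, since at this layer it is TLS; enforcing "HTTPS only" rather than "TLS-shaped only" requires terminating TLS on the proxy, as the replies above describe.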