LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-05-2005, 01:16 PM   #1
-Nw- neX
Member
 
Registered: Apr 2004
Distribution: Gentoo, RHL, CentOS, Ubuntu, FreeBSD,
Posts: 88

netfilter/iptables in kernel: module vs static


Hey guys...

This seems to be the best place to ask this. I'm looking for advice on the subject [possibly several]. A little background first.

I've been trying to plug this hole: http://www.securityfocus.com/archive...9/2005-02-25/2
[over-sized info query causes immediate crash of any Quake3-based gaming engine]

One method is to use the q3infofix_linux.c found here: http://aluigi.altervista.org/patches/q3infofix.zip

So far, [sadly] the patch has not worked and I anticipate no fix forthcoming from id Software. So as the alternative, I've been working on getting the hole plugged via iptables. Here is the rule I have written; credit to SCDS_reyalP on the bani.anime.net forums for this.

Quote:
Description:
# skip TCP header, to 3rd byte of UDP header (4 bytes including dest port
# and size), mask off dest port, check for length740 (0x2e4) and up
# 0>>22&0x3C@2&0xFFFF=0x2E4:0xFFFF
#
# first 4 bytes of UDP payload match
# 0xffffffff and next 8 match "geti" "nfo " 0x67657469 0x6e666f20
#0>>22&0x3C@8&0xFFFFFFFF=0xFFFFFFFF &&
#0>>22&0x3C@12&0xFFFFFFFF=0x67657469 &&
#0>>22&0x3C@16&0xFFFFFFFF=0x6e666f20

To use this in a firewall chain, you will want something like
iptables -A <mychain> -p udp -d <myserver> --dport <myserverport> -m u32 --u32 <pattern listed above> -j DROP
Hence...

Code:
# The u32 expression contains spaces, so it must reach iptables as ONE argument:
# backslash-newline inside the double quotes keeps it on one logical line, and
# the variable is quoted when it is expanded.
Q3INFOBOOM_STRING="0>>22&0x3C@2&0xFFFF=0x2E4:0xFFFF && \
0>>22&0x3C@8&0xFFFFFFFF=0xFFFFFFFF && \
0>>22&0x3C@12&0xFFFFFFFF=0x67657469 && \
0>>22&0x3C@16&0xFFFFFFFF=0x6e666f20"

iptables -A INPUT -p udp --dport 27960 -m u32 --u32 "$Q3INFOBOOM_STRING" -j DROP
[no -d $IP_ADDR, just because this is a public host. No NAT.]

So, down to the questions. I currently have netfilter compiled into the kernel as static code, not modules. Unfortunately, I have not been able to call the u32 module. Is this because I have the code compiled statically? [QoS is enabled; this was not my choice BTW, I prefer modules.] From what I have been reading, not many people compile netfilter directly into the kernel. I'm hoping to do a recompile, but I'm just wondering _WHY_ I can't call the module properly. Any info would be useful.
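The rule quoted above, as an added example that is not part of the original post or of SCDS_reyalP's work: a small Python re-implementation of the u32 match walk (load 4 bytes, then `&`, `<<`, `>>`, `@` re-base, then compare against ranges, per `&&` clause, the way the kernel's xt_u32 does it) run over constructed packets, so the expression can be checked offline before it goes into a live INPUT chain. It assumes the kernel semantics: offsets count from the first byte of the IPv4 header, `@` makes the value just computed the new base offset, and each `&&` clause starts again at offset 0. The `0>>22&0x3C` prefix therefore extracts IHL*4, the IPv4 header length, which is why the rule still lands on the UDP header when the packet carries IP options. Packet contents, ports and addresses are constructed for the example.

```python
"""Added example: minimal iptables u32 match evaluator (xt_u32 semantics) used
to test the Quake3 getinfo rule against constructed IPv4/UDP packets."""
import re
import struct

NUM = r'(?:0[xX][0-9a-fA-F]+|\d+)'           # strtoul(..., 0) style numbers
OP = re.compile(r'(>>|<<|&|@)(' + NUM + ')')

Q3INFOBOOM = ("0>>22&0x3C@2&0xFFFF=0x2E4:0xFFFF && "      # UDP length >= 740
              "0>>22&0x3C@8&0xFFFFFFFF=0xFFFFFFFF && "    # payload starts 0xffffffff
              "0>>22&0x3C@12&0xFFFFFFFF=0x67657469 && "   # "geti"
              "0>>22&0x3C@16&0xFFFFFFFF=0x6e666f20")      # "nfo "


def parse_u32(expr):
    """Parse a --u32 expression into [(start, [(op, n), ...], [(lo, hi), ...]), ...]."""
    tests = []
    for clause in expr.replace(' ', '').split('&&'):
        lhs, eq, rhs = clause.partition('=')
        m = re.match(NUM, lhs)
        if not eq or not m:
            raise ValueError('bad u32 test: %r' % clause)
        rest = lhs[m.end():]
        ops = OP.findall(rest)
        if ''.join(o + n for o, n in ops) != rest:      # reject anything unparsed
            raise ValueError('bad u32 test: %r' % clause)
        ranges = []
        for r in rhs.split(','):
            lo, _, hi = r.partition(':')
            ranges.append((int(lo, 0), int(hi, 0) if hi else int(lo, 0)))
        tests.append((int(m.group(0), 0), [(o, int(n, 0)) for o, n in ops], ranges))
    return tests


def u32_match(expr, pkt):
    """True if every '&&' test of expr matches pkt (bytes starting at the IP header)."""
    for start, ops, ranges in parse_u32(expr):
        at, pos = 0, start
        if len(pkt) < 4 or pos > len(pkt) - 4:
            return False                          # read would run off the packet
        val = struct.unpack_from('!I', pkt, pos)[0]
        for op, n in ops:
            if op == '&':
                val &= n
            elif op == '<<':
                val = (val << n) & 0xFFFFFFFF     # u32 arithmetic wraps
            elif op == '>>':
                val >>= n
            else:                                 # '@': value becomes the new base
                at += val
                pos = n
                if len(pkt) < at + 4 or pos > len(pkt) - at - 4:
                    return False
                val = struct.unpack_from('!I', pkt, at + pos)[0]
        if not any(lo <= val <= hi for lo, hi in ranges):
            return False
    return True


def ipv4_udp(payload, dport=27960, sport=27960, ip_options=b''):
    """Constructed IPv4/UDP packet; addresses are from the documentation range and
    checksums are left 0 because u32 never looks at them."""
    ihl = 5 + len(ip_options) // 4
    udp_len = 8 + len(payload)
    ip = struct.pack('!BBHHHBBH4s4s', (4 << 4) | ihl, 0, ihl * 4 + udp_len, 0, 0,
                     64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_options
    return ip + struct.pack('!HHHH', sport, dport, udp_len, 0) + payload


# Constructed sample traffic: a normal getinfo, an oversized one (with and without
# IP options), and an oversized packet that is not a getinfo and must pass.
SAMPLES = {
    'getinfo_normal': ipv4_udp(b'\xff\xff\xff\xffgetinfo xxx'),
    'getinfo_oversized': ipv4_udp(b'\xff\xff\xff\xffgetinfo ' + b'A' * 800),
    'getinfo_oversized_ipopts': ipv4_udp(b'\xff\xff\xff\xffgetinfo ' + b'A' * 800,
                                         ip_options=b'\x01\x01\x01\x01'),  # 4 NOPs, IHL=6
    'getstatus_oversized': ipv4_udp(b'\xff\xff\xff\xffgetstatus ' + b'A' * 800),
}


def dropped_by_rule():
    """Names of the samples the Q3INFOBOOM rule would DROP."""
    return sorted(k for k, p in SAMPLES.items() if u32_match(Q3INFOBOOM, p))


if __name__ == '__main__':
    for name, pkt in SAMPLES.items():
        udp_len = len(pkt) - (pkt[0] & 0xF) * 4
        print('%-26s udp_len=%-4d %s' % (name, udp_len,
              'DROP' if u32_match(Q3INFOBOOM, pkt) else 'pass'))
```

Only the two oversized getinfo packets match; a short getinfo fails the length clause and a large getstatus fails the "geti" clause, which is the selectivity you want before dropping traffic on a public game port.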
 
Old 03-05-2005, 02:44 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

AFAIK, the u32 match isn't normally part of the default iptables installation, so you need to patch the kernel with patch-o-matic (pom) in order to use the u32 match. Once patched you should see the u32 option appear in the kernel configuration menu ( during the make menuconfig or xconfig step), which you then need to enable before compiling. I'd also recommend including them as modules. For some reason people occasionally get odd results with them in the kernel.
 
Old 03-05-2005, 04:39 PM   #3
-Nw- neX
Member
 
Registered: Apr 2004
Distribution: Gentoo, RHL, CentOS, Ubuntu, FreeBSD,
Posts: 88

Original Poster
u32 is actually part of QoS.

Yep, that's what I'm thinking too. ANY lib that I try to call is met with /lib/iptables/libipt_FOO not found, and the lib really is not there to call.

This leads me to believe that there must be another way to call --match $SOME_FILTER with the code compiled statically, but I have yet to find this method.

Is netfilter-as-module the PREFERRED method?
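A diagnostic for the "libipt_FOO not found" situation described in the post above, added here and not from the thread: the message comes from the iptables userspace binary failing to find its u32 extension shared object (libipt_u32.so on builds of that era, libxt_u32.so on current ones), and that lookup is independent of whether the kernel-side match is built in or a module. Two separate things therefore have to be present, and this script checks both. Names assumed: the mainline config symbol and module (CONFIG_NETFILTER_XT_MATCH_U32, xt_u32) and the older patch-o-matic era pair (CONFIG_IP_NF_MATCH_U32, ipt_u32).

```python
"""Added diagnostic: is the u32 match usable here?  Checks the running kernel's
config (static 'y' vs module 'm'), whether the module file exists, and whether
iptables can load its userspace u32 extension.  No rule is installed."""
import gzip
import os
import re
import shutil
import subprocess

# Mainline symbol and, as an assumption, the older patch-o-matic era symbol.
U32_SYMBOL = re.compile(
    r'^(?:# )?CONFIG_(?:NETFILTER_XT|IP_NF)_MATCH_U32(?:=(y|m)| is not set)$', re.M)


def classify_u32_config(config_text):
    """'static', 'module', 'disabled' or 'absent' for the text of a kernel .config."""
    m = U32_SYMBOL.search(config_text)
    if m is None:
        return 'absent'                       # kernel tree has no u32 option at all
    return {'y': 'static', 'm': 'module', None: 'disabled'}[m.group(1)]


def running_kernel_config():
    """Config of the running kernel from /proc/config.gz or /boot; '' if neither exists."""
    if os.path.exists('/proc/config.gz'):
        with gzip.open('/proc/config.gz', 'rt') as f:
            return f.read()
    path = '/boot/config-' + os.uname().release
    if os.path.exists(path):
        with open(path) as f:
            return f.read()
    return ''


def _runs_ok(argv):
    """True if argv[0] exists on PATH and the command exits 0; output discarded."""
    if shutil.which(argv[0]) is None:
        return False
    return subprocess.run(argv, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def module_on_disk():
    """modinfo locates the module file without loading it (mainline, then old name)."""
    return _runs_ok(['modinfo', 'xt_u32']) or _runs_ok(['modinfo', 'ipt_u32'])


def userspace_extension_available():
    """iptables loads its u32 extension .so while parsing '-m u32'; --help exits 0
    only if that load succeeded.  Some builds may want root even for --help."""
    return _runs_ok(['iptables', '-m', 'u32', '--help'])


def verdict(kernel_config, module_present, userspace_present):
    """Pure decision so it can be exercised without root or iptables installed."""
    if not userspace_present:
        return 'userspace: iptables cannot load its u32 extension (lib*_u32.so missing)'
    if kernel_config == 'static' or module_present:
        return 'ok: u32 match usable'
    if kernel_config == 'module':
        return 'kernel: u32 configured as module but no module file found'
    return 'kernel: u32 match not built; enable it in the kernel config'


def report():
    kc = classify_u32_config(running_kernel_config())
    mod = module_on_disk()
    usr = userspace_extension_available()
    return {'kernel_config': kc, 'module_on_disk': mod,
            'userspace_extension': usr, 'verdict': verdict(kc, mod, usr)}


if __name__ == '__main__':
    for k, v in report().items():
        print('%-20s %s' % (k, v))
```

The useful split is the first branch of `verdict`: if the userspace extension is missing, no amount of kernel rebuilding helps, because iptables never gets as far as talking to the kernel about u32.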
 
Old 03-07-2005, 02:05 AM   #4
-Nw- neX
Member
 
Registered: Apr 2004
Distribution: Gentoo, RHL, CentOS, Ubuntu, FreeBSD,
Posts: 88

Original Poster
Quote:
Originally posted by Capt_Caveman
AFAIK, the u32 match isn't normally part of the default iptables installation, so you need to patch the kernel with patch-o-matic (pom) in order to use the u32 match. Once patched you should see the u32 option appear in the kernel configuration menu ( during the make menuconfig or xconfig step), which you then need to enable before compiling. I'd also recommend including them as modules. For some reason people occasionally get odd results with them in the kernel.
How stable is patch-o-matic? I've read some HOWTO articles on it, and some other misc info; basically it's just a kind of front end for CVS, sort of. With PoM, would I be able to safely get the needed modules and do a make modules_install without too much issue? [with netfilter compiled as a module first]
 
Old 03-25-2005, 12:56 PM   #5
-Nw- neX
Member
 
Registered: Apr 2004
Distribution: Gentoo, RHL, CentOS, Ubuntu, FreeBSD,
Posts: 88

Original Poster
Well... got u32 working properly. Modules are loading, all is well.

Still working on the actual SYNTAX of the cls_u32 rule.
 
Old 03-25-2005, 07:44 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Could you post a brief write-up of the procedure you used? I haven't used the u32 match before, so I'm kind of curious how you got it working (plus someone with a similar problem might find this thread via a search). Thanks.
 
  

