Source: LinuxQuestions.org, Linux - Security forum, thread "iptables does not block anything" (https://www.linuxquestions.org/questions/linux-security-4/iptables-does-not-block-anything-4175554061/)

fornax 09-21-2015 05:48 AM

iptables does not block anything
 
Hi, I guess this is a rather simple problem, but I could not figure it out yet.

I am currently forced to work on Ubuntu 14.04.1 (3.16.0-30-generic) and
face really strange behavior, namely iptables not blocking anything.

Config:

Code:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT

Tried as well with explicit DROP anything rules in each chain.

As mentioned, I can see incoming traffic of all kinds on all interfaces with tcpdump -- just like iptables not being active at all.

I already removed ufw and network-manager which might be messing with the configuration.

Thanks for any hints on this.

zhjim 09-21-2015 06:19 AM

Just because tcpdump shows traffic, that does not mean iptables is not blocking things. IIRC tcpdump shows traffic regardless of iptables settings.
Also keep in mind that iptables works on the IP level, thus ARP packets are not affected by it.

With that out of the way, did you try to connect from your machine to something outside of the machine? Can you ping your gateway, for example?
Regarding the numbers behind the single chains: I'm not sure if they count up if the machine sees traffic, in contrast to traffic being directed to it.

network-manager should not affect iptables. But ufw definitely should.

fornax 09-21-2015 06:29 AM

Interesting, from my previous experience tcpdump never displayed any traffic that was blocked.
It seems you're right. My current setup is just generic traffic testing to a promisc interface
w/o any service actually listening. For ping there are no responses (as I would expect it).
Do you know a way I can force the listening socket behind iptables?

zhjim 09-21-2015 08:25 AM

Quote:

Originally Posted by fornax (Post 5423371)
Interesting, from my previous experience tcpdump never displayed any traffic that was blocked.
It seems you're right. My current setup is just generic traffic testing to a promisc interface
w/o any service actually listening. For ping there are no responses (as I would expect it).

Searching for "tcpdump iptables", it seems that the output of tcpdump differs depending on the direction packets go. Incoming packages are first seen by tcpdump, then by iptables. Outgoing packages first go through iptables, then through tcpdump. Also, I can't confirm this, but it makes sense. libpcap is used by tcpdump and might give some more info. One interesting site is http://sgros-students.blogspot.de/20...h-tcpdump.html
Also this heavily depends on the interface you have tcpdump listen to. As well as promisc mode set or not.

Quote:

Originally Posted by fornax (Post 5423371)
Do you know a way I can force the listening socket behind iptables?

Not sure what you ask for here. Searching "socket" within man iptables shows the "owner" module, especially the --uid-owner option of it, and --socket-exists, which matches if there is a socket.
"socket" module is also within the man page. NFLOG target and ULOG target as well.

If you just want to match a specific interface use -i eth0 for incoming on eth0 or -o eth0 for outgoing on eth0....

fornax 09-21-2015 10:46 AM

Sorry that was unclear. As the behavior really seems to depend on a lot of factors, I was looking for a way to explicitly force tcpdump to listen before and/or after iptables.
But the link you provided already somehow answers the question. At least I have a good point for further research.
Thank you for your help!
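An added example, not from any poster in this thread: the question of whether the [pkts:bytes] counters behind each chain policy count packets that merely pass the wire or only packets netfilter actually handled, and the question of how to observe traffic "behind" iptables rather than in front of it, both have the same practical answer. Take an `iptables-save -c` snapshot, probe the host from outside, take a second snapshot, and compare the policy counters; a rising counter on a DROP policy is netfilter itself reporting a drop, independent of tcpdump, which taps inbound frames before netfilter runs. The INPUT counter only moves for packets delivered to the local IP stack, so frames a promiscuous interface merely overhears are not counted. The two snapshots below are constructed samples in the `iptables-save -c` format, and the LOG rule in the second one is a hypothetical addition (LOG is non-terminating, so logged packets still fall through to the DROP policy).

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample snapshots (not real output from the poster's machine) in the
# format `iptables-save -c` prints: the [pkts:bytes] pair after each chain's
# policy counts packets that reached the end of the chain and hit that policy.
BEFORE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
"""

# Same host after an outside machine sent a burst of packets at it. A LOG rule
# (hypothetical, non-terminating) has been added so drops also reach the kernel log.
AFTER = """\
*filter
:INPUT DROP [12:1008]
:FORWARD DROP [0:0]
:OUTPUT DROP [3:252]
[12:1008] -A INPUT -i eth0 -j LOG --log-prefix "IN-DROP "
COMMIT
"""

class ChainStats(NamedTuple):
    policy: str
    packets: int
    bytes: int

class RuleStats(NamedTuple):
    chain: str
    packets: int
    bytes: int
    spec: str

# ":INPUT DROP [12:1008]" and "[12:1008] -A INPUT -i eth0 -j LOG ..."
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s*(.*)$")

def parse_counters(snapshot: str) -> Dict[str, dict]:
    """Return {table: {"chains": {name: ChainStats}, "rules": [RuleStats]}}."""
    tables: Dict[str, dict] = {}
    table = None
    for raw in snapshot.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):            # "*filter", "*nat", ...
            table = line[1:]
            tables[table] = {"chains": {}, "rules": []}
            continue
        if table is None:
            raise ValueError(f"line outside a table block: {line!r}")
        m = CHAIN_RE.match(line)
        if m:
            tables[table]["chains"][m.group(1)] = ChainStats(
                m.group(2), int(m.group(3)), int(m.group(4)))
            continue
        m = RULE_RE.match(line)
        if m:
            tables[table]["rules"].append(RuleStats(
                m.group(3), int(m.group(1)), int(m.group(2)), m.group(4)))
            continue
        raise ValueError(f"unrecognised iptables-save line: {line!r}")
    return tables

def policy_hits(before: str, after: str, table: str = "filter") -> Dict[str, int]:
    """Packets that fell through to each chain's policy between two snapshots."""
    b = parse_counters(before)[table]["chains"]
    a = parse_counters(after)[table]["chains"]
    return {name: a[name].packets - b[name].packets for name in a if name in b}

def dropping_chains(before: str, after: str, table: str = "filter") -> List[str]:
    """Chains with a DROP policy that discarded at least one packet between snapshots."""
    chains = parse_counters(after)[table]["chains"]
    hits = policy_hits(before, after, table)
    return [c for c, n in hits.items() if n > 0 and chains[c].policy == "DROP"]

if __name__ == "__main__":
    for chain, n in policy_hits(BEFORE, AFTER).items():
        print(f"{chain:8} policy hits: {n}")
    print("chains confirmed dropping:", dropping_chains(BEFORE, AFTER))
```

On a live host the two snapshots come from `iptables-save -c > before.txt`, the probe, then `iptables-save -c > after.txt`, read in place of the constructed strings. If the counters stay at zero while tcpdump shows the probe arriving, the packets never reached the filter table's INPUT chain at all, which points at a different cause than a rule mistake.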

