LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 01-24-2011, 08:26 AM   #1
mithoviel
Iptables Loop Hook


Hi,

I have a few mail servers (CentOS 5.5) that are running OSSEC Active Response (2.5.1) on Iptables (1.3.5-5.3.el5_4.1). We are currently having a problem where we get loop hook errors:
Jan 24 04:15:03 servername kernel: iptables: loop hook 1 pos 464080 00000022

This is the firewall-drop.sh we are currently using:
Code:
#!/bin/sh
# Adds an IP to the iptables drop list (if linux)
# Adds an IP to the ipfilter drop list (if solaris, freebsd or netbsd)
# Adds an IP to the ipsec drop list (if aix)
# Requirements: Linux with iptables, Solaris/FreeBSD/NetBSD with ipfilter or AIX with IPSec
# Expect: srcip
# Author: Ahmet Ozturk (ipfilter and IPSec)
# Author: Daniel B. Cid (iptables)
# Last modified: Feb 14, 2006

UNAME=`uname`
ECHO="/bin/echo"
GREP="/bin/grep"
IPTABLES="/sbin/iptables"
IPFILTER="/sbin/ipf"
GENFILT="/usr/sbin/genfilt"
LSFILT="/usr/sbin/lsfilt"
MKFILT="/usr/sbin/mkfilt"
RMFILT="/usr/sbin/rmfilt"
ARG1=""
ARG2=""
RULEID=""
ACTION=$1
USER=$2
IP=$3

LOCAL=`dirname $0`;
cd $LOCAL
cd ../
PWD=`pwd`
echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log


# Checking for an IP
if [ "x${IP}" = "x" ]; then
   echo "$0: <action> <username> <ip>" 
   exit 1;
fi



# Blocking IP
if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
   echo "$0: invalid action: ${ACTION}"
   exit 1;
fi



# We should run on linux
if [ "X${UNAME}" = "XLinux" ]; then
   if [ "x${ACTION}" = "xadd" ]; then
      ARG1="-I INPUT -s ${IP} -j DROP"
      ARG2="-I FORWARD -s ${IP} -j DROP"
   else
      ARG1="-D INPUT -s ${IP} -j DROP"
      ARG2="-D FORWARD -s ${IP} -j DROP"
   fi
   
   # Checking if iptables is present
   ls ${IPTABLES} >> /dev/null 2>&1
   if [ $? != 0 ]; then
      IPTABLES="/usr"${IPTABLES}
      ls ${IPTABLES} >> /dev/null 2>&1
      if [ $? != 0 ]; then
         exit 0;
      fi
   fi

   # Executing and exiting
   ${IPTABLES} ${ARG1}
   ${IPTABLES} ${ARG2}                             

   exit 0;
   
# FreeBSD, SunOS or NetBSD with ipfilter
elif [ "X${UNAME}" = "XFreeBSD" -o "X${UNAME}" = "XSunOS" -o "X${UNAME}" = "XNetBSD" ]; then
   
   # Checking if ipfilter is present
   ls ${IPFILTER} >> /dev/null 2>&1
   if [ $? != 0 ]; then
      exit 0;
   fi    

   # Checking if echo is present
   ls ${ECHO} >> /dev/null 2>&1
   if [ $? != 0 ]; then
       exit 0;
   fi    
   
   if [ "x${ACTION}" = "xadd" ]; then
      ARG1="\"@1 block out quick from any to ${IP}\""
      ARG2="\"@1 block in quick from ${IP} to any\""
      IPFARG="${IPFILTER} -f -"
   else
      ARG1="\"@1 block out quick from any to ${IP}\""
      ARG2="\"@1 block in quick from ${IP} to any\""
      IPFARG="${IPFILTER} -rf -"
   fi
  
   # Executing it 
   eval ${ECHO} ${ARG1}| ${IPFARG}       
   eval ${ECHO} ${ARG2}| ${IPFARG}
   
   exit 0;

# AIX with ipsec
elif [ "X${UNAME}" = "XAIX" ]; then

  # Checking if genfilt is present
  ls ${GENFILT} >> /dev/null 2>&1
  if [ $? != 0 ]; then
     exit 0;
  fi
         
  # Checking if lsfilt is present
  ls ${LSFILT} >> /dev/null 2>&1
  if [ $? != 0 ]; then
     exit 0;
  fi
  # Checking if mkfilt is present
  ls ${MKFILT} >> /dev/null 2>&1
  if [ $? != 0 ]; then
     exit 0;
  fi
         
  # Checking if rmfilt is present
  ls ${RMFILT} >> /dev/null 2>&1
  if [ $? != 0 ]; then
     exit 0;
  fi

  if [ "x${ACTION}" = "xadd" ]; then
    ARG1=" -v 4 -a D -s ${IP} -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -w B -D \"Access Denied by OSSEC-HIDS\"" 
    #Add filter to rule table
    eval ${GENFILT} ${ARG1}
    
    #Deactivate  and activate the filter rules.
    eval ${MKFILT} -v 4 -d
    eval ${MKFILT} -v 4 -u
  else
    # removing a specific rule is not so easy :(
     eval ${LSFILT} -v 4 -O  | ${GREP} ${IP} | 
     while read -r LINE
     do
         RULEID=`${ECHO} ${LINE} | cut -f 1 -d "|"`
         let RULEID=${RULEID}+1
         ARG1=" -v 4 -n ${RULEID}"
         eval ${RMFILT} ${ARG1}
     done
    #Deactivate  and activate the filter rules.
    eval ${MKFILT} -v 4 -d
    eval ${MKFILT} -v 4 -u
  fi

else
    exit 0;
fi
Any help would be appreciated. Thank you!

Old 01-25-2011, 03:47 PM   #2
unSpawn
Welcome to LQ. Hope you like it here.

Please note that while running a proper firewalling rule set contributes to the security posture of a machine, iptables != security always. (I'll move your thread to the Software forum RSN. Feel free to suggest a more appropriate forum if you can think of one.) IIGC in earlier kernel versions there were relations to loop hooks in combination with certain iptables versions, but I've never encountered one with iptables-1.3.5-5.3.el5_4.1 and the most recent kernel-2.6.18-194.32.1.el5 or earlier versions. So when did this problem start? What changed software or configuration-wise at that time? Have you checked the CentOS and Red Hat bug trackers for similar issues? Have you considered running a debug kernel and iptables package?
 
Old 01-26-2011, 07:26 AM   #3
mithoviel
Thanks for moving the thread to the appropriate forum. The thought occurred to me that this is a gray area in between security and software, and I chose the prize between door number one.

This problem didn't begin until we enabled active response on OSSEC. We have noticed that it happens when the firewall_drop.sh adds a lot of rules at once. I have checked everywhere for any record of this problem and have found nothing.

I'll look into the debug packages.

Thanks again!
 
Old 01-26-2011, 10:29 AM   #4
unSpawn
Quote:
Originally Posted by mithoviel
Thanks for moving the thread to the appropriate forum.
Haven't done that yet.


Quote:
Originally Posted by mithoviel
The thought occurred to me that this is a gray area in between security and software
It really isn't as there is no security issue with Netfilter itself. Then again it's easy to get taxonomy wrong.


Quote:
Originally Posted by mithoviel
We have noticed that it happens when the firewall_drop.sh adds a lot of rules at once.
Try this: I cut down the script to the bare essentials as you don't run this on Solaris or AIX, I moved the log to /var/log/ and I added a timeout between adding rules:
Code:
#!/bin/sh
# Adds an IP to the iptables drop list (if linux)
# Requirements: Linux with iptables
# Expect: srcip
# Author: Ahmet Ozturk (ipfilter and IPSec)
# Author: Daniel B. Cid (iptables)
# Last modified: Jan 26, 2011

ECHO="/bin/echo"; IPTABLES="/sbin/iptables"
ARG1=""; ARG2=""; RULEID=""; ACTION=$1; USER=$2; IP=$3; SLEEP="3s"

[ -x $ECHO ] || exit 1
[ -x $IPTABLES ] || { echo "Missing ${IPTABLES}, exiting."; exit 1; }
echo "`date` $0 $1 $2 $3 $4 $5" >> /var/log/active-responses.log
[ ${#IP} -eq 0 ] && { echo "$0: <action> <username> <ip>"; exit 1; }
[ "x${ACTION}" = "xadd" -o "x${ACTION}" = "xdelete" ]  || { echo "$0: invalid action: ${ACTION}";  exit 1; }
[ "x${ACTION}" = "xadd" ] && VAR="I" || VAR="D"
${IPTABLES} -${VAR} INPUT -s ${IP} -j DROP;
sleep $SLEEP
${IPTABLES} -${VAR} FORWARD -s ${IP} -j DROP
sleep $SLEEP

exit 0
If with this timeout there are no errors, try going from 3 seconds to 2 and maybe to 1.

* I don't like the script design (or lack of) as it just adds rules to your filter table INPUT chain which can become a performance drain as every packet not matched in a previous rule will have to traverse all rules until a match is found. Also because it adds rules to the end of your filter table INPUT chain a packet may exit on a prior rule match (say based solely on state and port) and thus never hit that rule. I would be much more in favor of using ipset [0|1] in the raw table PREROUTING chain (for loading a gazillion rules see HIPAC). It seems ELRepo has kmod-ipset and ipset-utils RPMS but in the "Testing" repo so best try that out on a workstation and not move it to production until you've tested it well: YMMV(VM).
 
Old 01-30-2011, 08:32 AM   #5
archtoad6
Quote:
Originally Posted by unSpawn
I don't like the script design (or lack of)
Me either. I think the basic structure is bad. 4 more brickbats:
  1. There is no help. However it is implemented, it should be close to the top of the file. My preference is to define a shell function called _help which puts the instructions out as a here document. YPMV.
  2. The variable "USER" is defined but never used. Its purpose should be stated.
  3. The # of arguments should be the 1st qualifying test of the input. Perhaps like this:
    Code:
[ $# -ne 3 ] && _hep
    where _hep is a shell function something like this:
    Code:
_hep () {
   cat <<EOhep
$0: <action> <username> <ip>
$0 -h for full help
EOhep
}
  4. I would use a case statement, & perhaps a series of shell functions, rather than an extended if to deal w/ the different unices.
Warning: While I checked the sh man page to verify that my syntax is allowed, I script in bash & usually don't bother w/ the differences. I may have made mistakes.
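Pulling the suggestions from posts #4 and #5 together, here is an added example (not OSSEC's script and not any poster's code) of a Linux-only firewall-drop.sh: help text near the top, the argument count checked first, a case statement instead of the if chain, a pause between the two rule changes, and the IP validated before it reaches iptables (the original passes ${IP} unquoted). The iptables path and log location are assumed from the original script; DRYRUN and the firewall-drop.sh filename guard are my additions.

```shell
#!/bin/sh
# Added example, not OSSEC's script: Linux-only firewall-drop.sh reworked
# along the thread's suggestions. DRYRUN=1 prints commands instead of running
# them; the iptables path and log file are assumed from the original script.
IPTABLES="/sbin/iptables"
LOG="/var/log/active-responses.log"
SLEEP="${SLEEP:-3}"          # seconds between rule changes, as in post #4
# Help near the top, emitted from a here document (post #5, point 1).
_help () {
   cat <<EOhelp
usage: $0 <add|delete> <username> <ip>
  <username> is supplied by OSSEC but not used here (post #5, point 2)
EOhelp
}
# Accept only a plain dotted quad with octets 0-255; the original hands
# ${IP} to iptables unquoted, so anything else must be rejected here.
is_ipv4 () {
   echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
   ( IFS=.; set -- $1; for o in "$@"; do [ "$o" -le 255 ] || exit 1; done )
}
# Print the iptables command for one chain: build_rule <add|delete> <ip> <chain>
build_rule () {
   case "$1" in
      add)    flag="-I" ;;
      delete) flag="-D" ;;
      *)      return 1 ;;
   esac
   printf '%s %s %s -s %s -j DROP\n' "$IPTABLES" "$flag" "$3" "$2"
}
# Apply to INPUT and FORWARD with a pause between the two calls.
apply_rules () {
   for chain in INPUT FORWARD; do
      cmd=$(build_rule "$1" "$2" "$chain") || return 1
      if [ -n "$DRYRUN" ]; then echo "$cmd"; else $cmd; fi
      sleep "$SLEEP"
   done
}

main () {
   [ $# -eq 3 ] || { _help; exit 1; }          # argument count first (point 3)
   case "$1" in add|delete) ;; *) _help; exit 1 ;; esac   # case, not if chain
   is_ipv4 "$3" || { echo "$0: bad ip: $3" >&2; exit 1; }
   [ -x "$IPTABLES" ] || { echo "$0: missing $IPTABLES" >&2; exit 1; }
   echo "$(date) $0 $*" >> "$LOG"
   apply_rules "$1" "$3"
}
# Runs only when saved as firewall-drop.sh, so the functions can be sourced.
case "$0" in */firewall-drop.sh) main "$@" ;; esac
```

Run it with DRYRUN=1 first to see the two iptables commands and the delay without touching the live rule set.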