IPtables Question
I have a strange problem with a Linux box running kernel 2.4.20 and iptables 1.2.7a.

I am setting up a firewall using three interfaces, eth0-2: eth0 is attached to the router (untrusted) zone, eth1 to the internal (trusted) zone and eth2 to the DMZ. I have a rule that allows traffic from the untrusted zone (eth0) to a box in the DMZ (eth2). I do NOT have a corresponding rule that allows traffic back from the box in the DMZ to the untrusted zone. I only have a rule that allows connections that are in the RELATED or ESTABLISHED state back, e.g.:

iptables -A untrusted_dmz -p tcp -d $ssh_box --dport 22 -j ACCEPT
iptables -A dmz_untrusted -m state --state RELATED,ESTABLISHED -j ACCEPT

Default policy on all chains/tables is DROP.

For some very weird reason, the resulting connection from my $ssh_box is allowed back through the firewall, and according to /proc/net/ip_conntrack the state of the connection is ESTABLISHED. This is clearly contrary to the iptables documentation, which states that a TCP connection reaches the ESTABLISHED state once the complete 3-way TCP handshake is completed. Or are SYN+ACK replies to SYN packets also considered by the state machine to be RELATED??

This is clearly problematic when trying to write a tight ruleset, and will leave me with a situation like a stateless FW such as ipchains. Any help would be greatly appreciated.

- Jaco van der Schyff
1. What do you mean by writing "the resulting connection from my $ssh_box"?
2. I believe your iptables rule set is long, so it is very difficult to consider what is wrong without seeing it. On the other hand I don't ask for all of it, since nobody reads a long listing. Try to extract and post the most important subset.
3. What is more, you are using the user-defined chains "untrusted_dmz" & "dmz_untrusted" without information on when they act.

So sorry, I think nobody will be able to help you.
I'll have to agree w/ the above; not enough info.
Perhaps you could describe your desired setup and we can tell you how to implement it.
Dorian, to answer your questions:
1. By the resulting connection, I am referring to the SYN+ACK packet from my $ssh_box that answers the original SYN.
2. Yes, quite long.
3. I have only one question, and that is: are SYN+ACK replies to SYN packets considered by iptables to be RELATED???

- Jaco
I have never studied iptables very deeply, so my knowledge is based on the docs & current experience. On the other hand I've never had problems or doubts with iptables, therefore there was no need for me to investigate this subject.

Regarding your questions:
- ESTABLISHED is like the name states: a connection established in the TCP meaning.
- RELATED: all the connections being initiated by an accepted connection, or being established as a result of an existing connection.

As you know, for instance, ftp uses passive or active mode; using the state RELATED you can allow active mode to be serviced correctly. I believe this state has to be (and is) implemented not in a general way (like ESTABLISHED, which can be detected by tracing packet content) but for each protocol separately, and is currently implemented for well-known ones only, since 'related' can mean anything (but for well-known protocols it is defined very precisely).
A SYN-ACK in response to a connection-originating SYN would be considered an ESTABLISHED connection. RELATED connections are a little something different, like the example Doriann33 used with an ftp control channel handing off the connection to a data channel.
To qualify as an ESTABLISHED connection, a packet does not have to follow a complete 3-way TCP handshake; everything from the first SYN-ACK response on would be considered to be part of the ESTABLISHED connection. The terminology is a little confusing, as in TCP networking-speak a 3-way handshake is necessary for a connection to be considered ESTABLISHED. Hope that helps.
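To make the distinction Capt_Caveman describes concrete, here is an added example (not from the thread or from netfilter itself): a small Python model of how the conntrack "state" match classifies packets, applied to the two rules from the question. The flow-tracking logic, the client address and the $ssh_box address are assumptions constructed for the example; the chain names and ports are the thread's.

```python
# Model of the netfilter 'state' match: a flow is keyed by its original-direction
# tuple, and any packet in the reply direction is already ESTABLISHED to conntrack,
# even though TCP itself is not established until the third handshake packet.
SSH_BOX = "10.0.2.10"        # $ssh_box in the DMZ (eth2); constructed address
CLIENT = "198.51.100.7"      # client on the untrusted side (eth0); constructed

class Conntrack:
    """Tracks flows by their original-direction (src, sport, dst, dport)."""
    def __init__(self):
        self.flows = {}      # key -> {"reply_seen": bool, "handshake": bool}

    def state(self, src, sport, dst, dport, flags):
        """Return the value '-m state' would see for this packet."""
        key, rkey = (src, sport, dst, dport), (dst, dport, src, sport)
        if key in self.flows:                       # original direction
            flow = self.flows[key]
            if flow["reply_seen"] and "ACK" in flags:
                flow["handshake"] = True            # TCP's 3rd handshake step
            return "ESTABLISHED" if flow["reply_seen"] else "NEW"
        if rkey in self.flows:                      # reply direction
            # the first reply packet (the SYN/ACK) is already ESTABLISHED
            self.flows[rkey]["reply_seen"] = True
            return "ESTABLISHED"
        if flags != {"SYN"}:
            return "INVALID"                        # no entry, not a start
        self.flows[key] = {"reply_seen": False, "handshake": False}
        return "NEW"

def verdict(ct, in_if, out_if, src, sport, dst, dport, flags):
    """Apply the question's two rules; default policy is DROP."""
    st = ct.state(src, sport, dst, dport, flags)    # conntrack sees every packet
    if in_if == "eth0" and out_if == "eth2":        # untrusted_dmz chain
        if dst == SSH_BOX and dport == 22:
            return "ACCEPT"                         # rule has no -m state
    if in_if == "eth2" and out_if == "eth0":        # dmz_untrusted chain
        if st in ("ESTABLISHED", "RELATED"):
            return "ACCEPT"
    return "DROP"

def ssh_handshake():
    """Trace SYN, SYN/ACK, ACK; return verdicts and whether TCP was
    established at the moment the SYN/ACK was accepted."""
    ct = Conntrack()
    v1 = verdict(ct, "eth0", "eth2", CLIENT, 40000, SSH_BOX, 22, {"SYN"})
    v2 = verdict(ct, "eth2", "eth0", SSH_BOX, 22, CLIENT, 40000, {"SYN", "ACK"})
    tcp_done = ct.flows[(CLIENT, 40000, SSH_BOX, 22)]["handshake"]
    v3 = verdict(ct, "eth0", "eth2", CLIENT, 40000, SSH_BOX, 22, {"ACK"})
    return [v1, v2, v3], tcp_done

def dmz_originated_syn():
    """A fresh SYN from the DMZ box outward is NEW, so dmz_untrusted drops it."""
    return verdict(Conntrack(), "eth2", "eth0", SSH_BOX, 4444, CLIENT, 80, {"SYN"})
```

The SYN/ACK is accepted while the TCP handshake is still incomplete, which is exactly the behaviour the question observed; a connection the DMZ box originates itself stays NEW and is dropped, so the ruleset is not stateless.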
The only source I've known is Rusty's netfilter description. There is only a very short definition there of both of the interesting 'states'. Let me quote it:
Quote:
Hi.
I can verify Capt Caveman's statement. In the RedHat Firewall book (sorry, don't have it here at work for the proper credits) it states that the ESTABLISHED state does NOT have the same meaning as "established" in TCP. What it does mean is that SYN and SYN/ACK packets have been exchanged. (This is what Capt Caveman said.) To repeat... the state ESTABLISHED has a different definition in IPTABLES than it does in normal TCP networking.
Cheers, J.
From: http://www.sns.ias.edu/~jns/security...conntrack.html
Quote:
There's also a good (though basic) description in the book "Red Hat Linux Firewalls": Quote:
---EDIT--- I believe that last quote is from the same book JordanH is talking about. He got that one in while I was digging it up. Looks like great minds do think alike or at least buy the same books :) |
Capt_Caveman:
Thanks a lot for the link.
Yes. Good link. Thx.
J.