LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-16-2003, 06:28 AM   #1
jacovds
LQ Newbie
 
Registered: Nov 2003
Posts: 2

Rep: Reputation: 0
IPtables Question


I have a strange problem with a Linux box running kernel 2.4.20 and
iptables 1.2.7a:

I am setting up a firewall using three interfaces: eth0-2
eth0 is attached to the router (untrusted) zone, eth1 to
the internal (trusted) zone and eth2 to the DMZ.

I have a rule that allows traffic from the untrusted
zone (eth0) to a box in the DMZ (eth2). I do NOT have
a corresponding rule that allows traffic back from the
box in the DMZ to the untrusted zone. I only have a
rule that allows connections that are in the related or
established state back.

eg:

iptables -A untrusted_dmz -p tcp -d $ssh_box --dport 22 -j ACCEPT
iptables -A dmz_untrusted -m state --state RELATED,ESTABLISHED -j ACCEPT

Default policy on all chains/tables is DROP.

For some very weird reason, the resulting connection from my $ssh_box
is allowed back through the firewall, and according to
/proc/net/ip_conntrack the state of the connection is ESTABLISHED.
This is clearly contrary to the iptables documentation, which states that a
TCP connection reaches the ESTABLISHED state once the complete 3-way TCP
handshake is completed. Or are SYN+ACK replies to SYN packets also considered
by the state machine to be RELATED??

This is clearly problematic when trying to write a tight ruleset, and will leave
me in the situation of a stateless FW like ipchains.

Any help would be greatly appreciated.

- Jaco van der Schyff
 
Old 11-16-2003, 07:31 AM   #2
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
1. What do you mean by writing "the resulting connection from my $ssh_box"?
2. I believe your iptables rule set is long, so it is very difficult to consider what is wrong without seeing it. On the other hand, I am not asking for all of it, since nobody reads a long listing. Try to extract and post the most important subset.
3. What is more, you are using the user-defined chains "untrusted_dmz" & "dmz_untrusted" without information on when they act.

So sorry, I think nobody will be able to help you.
 
Old 11-16-2003, 02:50 PM   #3
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
I'll have to agree w/ the above; Not enough info.

Perhaps you could describe your desired setup and we can tell you how to implement it.
 
Old 11-16-2003, 11:22 PM   #4
jacovds
LQ Newbie
 
Registered: Nov 2003
Posts: 2

Original Poster
Rep: Reputation: 0
Dorian, to answer your questions

1. By the resulting connection, I am referring to the SYN+ACK packet from
my $ssh_box that answers the original SYN.

2. Yes, quite long

3. I have only one question, and that is: Are SYN+ACK replies to SYN packets
considered by iptables to be RELATED???


- Jaco
 
Old 11-17-2003, 03:33 AM   #5
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
I have never studied iptables very deeply, so my knowledge is based on the docs and current experience. On the other hand, I've never had problems or doubts with iptables, so there was no need for me to investigate this subject.
Regarding your questions:
-ESTABLISHED is what the name states: a connection established in the TCP sense
-RELATED - all connections initiated by an accepted connection or established as a result of an existing connection
As you know, for instance, FTP uses passive or active mode; using state RELATED you can allow active mode to be serviced correctly.
I believe this state has to be (and is) implemented not in a general way (like ESTABLISHED, which can be detected by tracing packet content) but for each protocol separately, and it is currently implemented for well-known ones only, since 'related' can mean anything (but for well-known protocols it is defined very precisely).
 
Old 11-17-2003, 06:56 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
A SYN-ACK in response to a connection-originating SYN would be considered an ESTABLISHED connection. RELATED connections are a little something different, like the example dorian33 used with an FTP control channel handing off the connection to a data channel.

To qualify as an ESTABLISHED connection, a packet does not have to follow a complete 3-way TCP handshake, everything from the first SYN-ACK response on would be considered to be part of the ESTABLISHED connection. The terminology is a little confusing as in TCP networking-speak a 3-way handshake is necessary for a connection to be considered ESTABLISHED. Hope that helps.
 
Old 11-17-2003, 07:36 AM   #7
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
The only source I've known is Rusty's netfilter description. There is only a very brief definition of both interesting 'states' there. Let me quote it:
Quote:
ESTABLISHED
A packet which belongs to an existing connection (i.e., a reply packet, or outgoing packet on a connection which has seen replies).
RELATED
A packet which is related to, but not part of, an existing connection, such as an ICMP error, or (with the FTP module inserted), a packet establishing an ftp data connection.
Capt_Caveman: I would be obliged if you posted something more about the source of the information you presented above. It would be nice to learn much more...
 
Old 11-17-2003, 08:03 AM   #8
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
Hi.

I can verify Capt Caveman's statement.

In the RedHat Firewall book (sorry, don't have it here at work for the proper credits) it states that the ESTABLISHED state does NOT have the same meaning as "established" in TCP. What it does mean is that SYN and SYN/ACK packets have been exchanged. (This is what Capt Caveman said).

To repeat...
The state ESTABLISHED has a different definition in IPTABLES than it does in normal TCP networking.

Cheers,
J.
 
Old 11-17-2003, 08:06 AM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
From: http://www.sns.ias.edu/~jns/security...conntrack.html

Quote:
Connection tracking's perspective on the state table

We just talked a lot about tcp connection states. Now let's think about this from the perspective of the connection tracking:

Connection tracking only knows about NEW, ESTABLISHED, RELATED and INVALID, classified as described above and in the iptables manpage. To quote Joszef Kadlecsik, who helped me out with a confusion I had initially about this very subject:

When a packet with the SYN+ACK flags set arrives in response to a packet with SYN set the connection tracking thinks: "I have been just seeing a packet with SYN+ACK which answers a SYN I had previously seen, so this is an ESTABLISHED connection."

The important point here is that the conntrack states are not equivalent to tcp states. We have already seen that a connection doesn't achieve the tcp connection status of ESTABLISHED until the ACK after the SYN+ACK has been seen by the connection tracking module.


There's also a good (though basic) description in the book "Red Hat Linux Firewalls":
Quote:
The state of a connection is changed from NEW to Established whenever the server responds. The term established does not have its usual TCP/IP meaning, which is a TCP connection having completed a three-way handshake <SNIP>. Instead, the first datagram that establishes two-way communication is deemed to have established the connection.
Doesn't seem to be well documented overall. My guess is it's one of those things that you kind of take for granted and don't put much thought into. For kicks, you can play around with the state table and a packet generator like hping. See what sending various combinations of packets through does to the connection state. It does make sense in terms of network control, otherwise you'd have to explicitly write a rule to allow incoming SYN-ACK packets in response to outgoing SYNs on top of allowing ESTABLISHED connections through.

---EDIT---
I believe that last quote is from the same book JordanH is talking about. He got that one in while I was digging it up. Looks like great minds do think alike or at least buy the same books

Last edited by Capt_Caveman; 11-17-2003 at 08:10 AM.
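To make the distinction settled in posts #6 and #9 concrete, here is a toy model of connection tracking together with the poster's two chains. It is an added example constructed for this page, not code from the thread and not netfilter's own implementation. It assumes made-up hosts (198.51.100.10 as the untrusted client, 192.0.2.22 standing in for $ssh_box in the DMZ, 10.0.0.5 as an internal host), and the function and class names (ConnTracker, filter_packet, handshake_trace, unsolicited_trace) are invented for the illustration. Classification follows the Rusty Russell definitions quoted above: ESTABLISHED is any reply-direction packet, or an original-direction packet on a flow that has already seen a reply, so the SYN+ACK is ESTABLISHED before the TCP handshake is complete. One simplification is labelled in the code: a packet with no tracked flow that is not a bare SYN is treated as INVALID, whereas real conntrack can be tuned to pick flows up mid-stream.

```python
"""Toy model of netfilter connection tracking plus the poster's two chains.

Constructed for this page; it is not code from the thread and not netfilter's
own implementation. Classification follows the Rusty Russell definitions quoted
in the thread (NEW = first packet of a flow, ESTABLISHED = a reply packet or an
original-direction packet on a flow that has seen a reply, RELATED = e.g. an
ICMP error about a tracked flow). Simplification: a packet with no tracked
flow that is not a bare SYN is INVALID here; real conntrack can be tuned to
pick flows up mid-stream. All hosts and addresses are made up.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed hosts and the zone (interface) each one sits behind.
ZONE_OF = {"198.51.100.10": "untrusted", "192.0.2.22": "dmz", "10.0.0.5": "trusted"}
SSH_BOX = "192.0.2.22"                  # stands in for the thread's $ssh_box
CLIENT, CPORT = "198.51.100.10", 40000  # an untrusted host opening SSH to it


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()            # TCP flags, e.g. {"SYN", "ACK"}
    icmp_error_for: Optional[Tuple] = None    # 4-tuple of the flow an ICMP error refers to


class ConnTracker:
    """Table keyed by the original-direction 4-tuple; value = 'reply seen yet?'."""

    def __init__(self):
        self.table = {}
        self._pending = None  # entry created by the current packet; committed only on ACCEPT

    def classify(self, p):
        """Return NEW / ESTABLISHED / RELATED / INVALID for p, as the state match sees it."""
        self._pending = None
        orig = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if p.icmp_error_for is not None:
            t = p.icmp_error_for
            known = t in self.table or (t[2], t[3], t[0], t[1]) in self.table
            return "RELATED" if known else "INVALID"
        if reply in self.table:          # reply direction: the SYN+ACK already lands here
            self.table[reply] = True
            return "ESTABLISHED"
        if orig in self.table:           # original direction: final ACK, or a retransmitted SYN
            return "ESTABLISHED" if self.table[orig] else "NEW"
        if p.flags == frozenset({"SYN"}):
            self._pending = orig         # like an unconfirmed conntrack entry
            return "NEW"
        return "INVALID"                 # simplification, see module docstring

    def confirm(self):
        """Called when the filter accepts the packet; a dropped SYN leaves no entry behind."""
        if self._pending is not None:
            self.table[self._pending] = False
        self._pending = None


def filter_packet(tracker, p):
    """The thread's two chains with a DROP policy; returns (conntrack state, verdict)."""
    state = tracker.classify(p)
    zones = (ZONE_OF.get(p.src, "untrusted"), ZONE_OF.get(p.dst, "untrusted"))
    verdict = "DROP"
    if zones == ("untrusted", "dmz"):
        # iptables -A untrusted_dmz -p tcp -d $ssh_box --dport 22 -j ACCEPT  (no state match)
        if p.icmp_error_for is None and p.dst == SSH_BOX and p.dport == 22:
            verdict = "ACCEPT"
    elif zones == ("dmz", "untrusted"):
        # iptables -A dmz_untrusted -m state --state RELATED,ESTABLISHED -j ACCEPT
        if state in ("RELATED", "ESTABLISHED"):
            verdict = "ACCEPT"
    if verdict == "ACCEPT":
        tracker.confirm()
    return state, verdict


def handshake_trace():
    """The poster's observation: the SYN+ACK from $ssh_box is ESTABLISHED and gets back out."""
    tr = ConnTracker()
    flow = (CLIENT, CPORT, SSH_BOX, 22)
    packets = [
        Packet(CLIENT, CPORT, SSH_BOX, 22, frozenset({"SYN"})),
        Packet(SSH_BOX, 22, CLIENT, CPORT, frozenset({"SYN", "ACK"})),
        Packet(CLIENT, CPORT, SSH_BOX, 22, frozenset({"ACK"})),
        Packet(SSH_BOX, 0, CLIENT, 0, icmp_error_for=flow),  # ICMP error about the flow
    ]
    return [filter_packet(tr, p) for p in packets]


def unsolicited_trace():
    """Without a tracked SYN the reverse chain passes nothing: it is not stateless."""
    tr = ConnTracker()
    packets = [
        Packet(SSH_BOX, 5555, CLIENT, 22, frozenset({"SYN"})),          # DMZ box dialling out
        Packet(SSH_BOX, 22, CLIENT, CPORT, frozenset({"SYN", "ACK"})),  # SYN+ACK with no prior SYN
    ]
    return [filter_packet(tr, p) for p in packets]


if __name__ == "__main__":
    for step in handshake_trace() + unsolicited_trace():
        print(step)
```

handshake_trace() walks the SYN, SYN+ACK and ACK of the poster's SSH connection and then an ICMP error about that flow: the SYN is NEW and accepted by the forward rule, the SYN+ACK is already ESTABLISHED and therefore passes the dmz_untrusted chain, the final ACK is ESTABLISHED, and the ICMP error is RELATED rather than ESTABLISHED. unsolicited_trace() shows why this does not reduce the ruleset to ipchains-style stateless filtering: a SYN originating in the DMZ is NEW and dropped, and a SYN+ACK with no tracked SYN behind it has no entry to match and is dropped too. Note that the forward rule in the thread carries no state match, so it accepts any TCP packet to port 22 regardless of conntrack state; on a real box the tracked entries are visible in /proc/net/ip_conntrack, as the original post describes.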
 
Old 11-17-2003, 08:36 AM   #10
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
Capt_Caveman:
Thanks a lot for link.
 
Old 11-17-2003, 09:46 AM   #11
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
Yes. Good link. Thx.
J.
 