Log from #iptables at freenode 2006-07-29
[02:56]<mrrynfmr>oops, wrong value
[02:56]<mrrynfmr>maybe it's /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
[02:57]<mrrynfmr>if that exists, it's the right one
[02:57]<vyrn-vnzsr>werneck: try this, iptables -F -t nat && iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[02:57]<rlraxne>"Another way is to install the tcp-window-tracking extension from patch-o-matic, and set the /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose to zero, which will make the firewall drop all NEW packets with anything but the SYN flag set. "
[02:58]<wgzggac>vice-versa: ok
[02:58]<mrrynfmr>tcp-window-tracking has been in mainline for a while
[03:00]<wgzggac>vice-versa: no... nothing
[03:01]<wgzggac>vice-versa: the client... something else is needed besides the default config and setting the other as gateway ?
[03:02]<vyrn-vnzsr>werneck: dns servers in /etc/resolv.conf
[03:03]<wgzggac>vice-versa: no... it's right...
[03:05]<rlraxne>but the NEW not SYN is taken care of by
[03:05]<rlraxne>iptables -A BADTCP -p tcp ! --syn -m state --state NEW -j BADTCP_DROP
[03:05]<vyrn-vnzsr>werneck: gimme a few secs ok, got visitors
[03:05]<rlraxne>however... that wont drop a NEW which has say SYN + URG
[03:05]<wgzggac>vice-versa: it seems like the packages get fwded, but not the response...
[03:14]<vyrn-vnzsr>werneck: sorry....how are you checking this?
[03:15]<wgzggac>vice-versa: with ifconfig TX/RX byte count
[03:16]<vyrn-vnzsr>werneck: try iptables-save -c again, are you getting hits on the packet a byte counters now?
[03:18]<wgzggac>vice-versa: the same: http://deadbeefbabe.org/paste/1327/2
[03:20]<wgzggac>vice-versa: is it possible for my ISP to block this ?
[03:21]<vyrn-vnzsr>werneck: no
[03:24]<vyrn-vnzsr>werneck: your pastebin output is looking a little sparse
[03:26]<vyrn-vnzsr>werneck: do you have proper support built into your kernel and/or required modules?
[03:27]<wgzggac>vice-versa: yes, all modules
[03:27]<vyrn-vnzsr>werneck: od |grep ip
[03:27]<vyrn-vnzsr>lsmod rather
[03:27]<vyrn-vnzsr>lsmod |grep ip
[03:29]<wgzggac>http://deadbeefbabe.org/paste/1328
[03:36]<vyrn-vnzsr>werneck: iptables -P INPUT ACCEPT && iptables -P OUTPUT ACCEPT && iptables -P FORWARD ACCEPT
[03:38]<vyrn-vnzsr>now let's see iptables-save -c again
[03:39]<wgzggac>well... it doesn't work... this doesn't make any sense
[03:39]<wgzggac>http://deadbeefbabe.org/paste/1330
[03:40]<rlraxne>vice-versa: do you know if performance decreases in iptables if a rule has more things it looks for ?
[03:40]<wgzggac>vice-versa: should I clear everything and put just these rules ?
[03:40]<rlraxne>like a rule such as -p tcp -m state --state NEW -j ACCEPT vs -p tcp --tcp-flags ALL SYN -m state --state NEW -j ACCEPT ?
[03:41]<vyrn-vnzsr>werneck: well like I said, your iptables-save -c output looks too sparse...
[03:41]<wgzggac>vice-versa: what's missing ?
[03:42]<vyrn-vnzsr>Apachez: well it's going to add to it for sure, but it would be marginal
[03:43]<wgzggac>vice-versa: while trying other rules, when I used "iptables -t nat -P POSTROUTING DROP" before "iptables -t nat -A POSTROUTING -s 192.168.1.2 -o eth0" I lost connection on the gateway machine too... that's ok, right ?
[03:44]<vyrn-vnzsr>werneck: like *mangle *filter
[03:46]<vyrn-vnzsr>werneck: well it's going to drop everything at the POSTROUTING chain, ie never get to the next rule
[03:46]<wgzggac>ok
[03:48]<wgzggac>vice-versa: well... I'll give up for today... thanks for the help...tomorrow I'll try something else
[03:48]<vyrn-vnzsr>ok
[03:49]<vyrn-vnzsr>sorry, just got too many distractions at the moment
[05:41]<rlraxne>is there some rfc which describes valid combinations of tcp flags ?
[05:42]<mrrynfmr>maybe the TCP RFC?
[05:42]<mrrynfmr>otherwise the linux kernel has a list
[05:45]<rlraxne>ill try the linux kernel
[05:46]<rlraxne>know anything more specific like in which file ? :P
[05:46]<mrrynfmr>net/netfilter/nf_conntrack_proto_tcp.c:777
[05:46]<mrrynfmr>line number is from 2.6.18-rc2
[05:47]<mrrynfmr>that's part of conntrack, btw, so you don't need to use these in iptables
[05:47]<mrrynfmr>just drop INVALID state packets
[05:47]<rlraxne>but hmm...
[05:48]<rlraxne>so you mean a filtering for bad tcp flags is not necessary if you perform a -m state --state INVALID ?
[05:48]<mrrynfmr>correct
[05:48]<mrrynfmr>all the rulesets that do filtering are wasting their time
[05:48]<rlraxne>really sure about that ?
[05:48]<mrrynfmr>yep
[05:48]<rlraxne>got a source for that ? :P
[05:48]<mrrynfmr>it's right there in the code
[05:48]<rlraxne>i mean then why is the NEW not SYN check needed ?
[05:48]<mrrynfmr>ask #netfilter to get a developer's opinion
[05:49]<mrrynfmr>in that same file, look at the comment above nf_ct_tcp_loose
[05:49]<rlraxne>i need to find that file somewhere first :P
[05:49]<rlraxne>not that happy to extract 300 meg of linux source on this box :P
[05:49]<mrrynfmr>just a sec
[05:50]<mrrynfmr>http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;h=af8adcba23a7235da6a57206d36e53ef451fb67a;hb=82d6897fefca6206bca7153805b4c5359ce97fc4;f=net/netfilter/nf_conntrack_proto_tcp.c
[05:50]<rlraxne>kernel.org doesn't seem to have it in extracted form
[05:50]<rlraxne>ohh there it was
[05:50]<mrrynfmr>yes it does - you just need to know where to look :)
[05:51]<rlraxne>:)
[05:56]<rlraxne>hmm I'm digging through that code but I can't find for which "function" tcp_valid_flags is being called from
[05:56]<mrrynfmr>line 842
[05:56]<rlraxne>yes
[05:57]<rlraxne>but how does 842 tell me that it is "-m state --state INVALID" ?
[05:57]<rlraxne>and not something else ?
[05:57]<mrrynfmr>the return is -NF_ACCEPT, which goes up to the function calling tcp_error...
[05:58]<mrrynfmr>which is inside conntrack core code, probably
[05:58]<rlraxne>ahh 797
[05:58]<rlraxne>1170
[05:58]<rlraxne>struct nf_conntrack_protocol nf_conntrack_protocol_tcp4 =
[05:58]<rlraxne>blabla
[05:59]<mrrynfmr>yep
[05:59]<rlraxne>.error = tcp_error,
[05:59]<rlraxne>so this means it is silently taken care of the conntrack ?
[05:59]<rlraxne>+by
[05:59]<rlraxne>well except for the logentries which might arrive
[05:59]<mrrynfmr>and nf_conntrack_core.c:1100 calls that function
[06:00]<mrrynfmr>which looks like it just sets invalid if it's <= 0
[06:01]<rlraxne>1100 ?
[06:01]<rlraxne>1100 /* tcp_packet will set them */
[06:01]<mrrynfmr>in a different file
[06:01]<rlraxne>net/netfilter/nf_conntrack_core.c
[06:01]<mrrynfmr>yes
[06:01]<rlraxne>1100 in conntrack_core is ->
[06:01]<rlraxne>1100 /* tcp_packet will set them */
[06:02]<mrrynfmr>http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;hb=HEAD;f=net/netfilter/nf_conntrack_core.c