Log from #iptables at freenode 2006-07-29
[06:02]<mrrynfmr>were you just editing the f= part?
[06:02]<rlraxne>yup
[06:02]<rlraxne>http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;h=af8adcba23a7235da6a57206d36e53ef451fb67a;hb=82d6897fefca6206bca7153805b4c5359ce97fc4;f=net/netfilter/nf_conntrack_core.c
[06:02]<mrrynfmr>that does nothing when you specify the specific hash
[06:02]<mrrynfmr>look at the header of the file
[06:03]<rlraxne>but ok
[06:03]<rlraxne>so it seems that in 2.6.18 the ipt_unclean has been sort of merged into the core and is now performed on EVERY packet
[06:03]<rlraxne>no need to drop -state INVALID or a custom badtcp chain ?
[06:04]<mrrynfmr>unclean was never a good idea... it's gone
[06:04]<rlraxne>i liked the idea of a specific module which you could use if you want to or not
[06:04]<mrrynfmr>but yeah, same kinda point
[06:04]<mrrynfmr>well, it's part of connection tracking
[06:04]<rlraxne>yes now it is
[06:04]<mrrynfmr>conntrack can't handle packets with bad TCP flags
[06:04]<rlraxne>but anyway...
[06:04]<mrrynfmr>so it must set them to something...
[06:05]<rlraxne>since i use some oldish 2.4 kernel i think i still need my custom badtcp chain
[06:05]<mrrynfmr>look in 2.4 source if you want
[06:05]<mrrynfmr>it'll be in ip_conntrack_proto_tcp.c
[06:05]<rlraxne>you mean that 2.6.18 sets the packets to INVALID ?
[06:05]<mrrynfmr>net/ipv4/netfilter/ iirc
[06:05]<mrrynfmr>correct
[06:05]<rlraxne>ahh k
[06:05]<rlraxne>so basically
[06:05]<rlraxne>to test my custom chain i should have the INVALID check first
[06:06]<mrrynfmr>right
[06:06]<rlraxne>and then the checks for the other combinations
[06:06]<mrrynfmr>actually, check before with no jumps, and after with jumps
[06:06]<rlraxne>and then just iptables -L -n -v to see if INVALID traps all the bad packets or if some of them get through to my custom chain
[06:06]<mrrynfmr>then you see if INVALID catches them
[06:06]<rlraxne>actually, check before with no jumps, and after with jumps <- ?
[06:07]<mrrynfmr>iptables -A chain -p tcp --tcp-flags SYN,FIN
[06:07]<mrrynfmr>that will just increment counters
[06:07]<rlraxne>ahh yes
[06:08]<rlraxne>will find out which kernel i have in that floppy
[06:09]<rlraxne>2.4.19
[06:09]<mrrynfmr>old
[06:10]<rlraxne>yeah i know
[06:10]<rlraxne>but still functional for this purpose
[06:10]<rlraxne>i will however try to build my own distro using 2.6 and stuff
[06:11]<rlraxne>but that will come in autumn or so
[06:11]<rlraxne>it will basically be based on floppyfw but with my needs
[06:13]<rlraxne>2.4.19 is down and im checking the ip conntrack proto tcp
[06:13]<mrrynfmr>looks like it doesn't have it
[06:14]<mrrynfmr>(I was checking 2.4.33)
[06:14]<rlraxne>the tcp packet check in 2.4.19 was kind of... nonexistent :P
[06:14]<rlraxne>it had only basic stuff
[06:15]<rlraxne> /* We're guaranteed to have the base header, but maybe not the
[06:15]<rlraxne> options. */
[06:15]<rlraxne>i mean i rest my case :P
[06:15]<rlraxne>but still
[06:15]<rlraxne>ill put the invalid check first and then followed by the approved combinations
[06:16]<rlraxne>this way it will be functional also with iptables from 2.6 and the functionality can be verified with iptables -L -v -n -t BADTCP
[06:32]<rlraxne>danieldg: still there ?
[06:32]<mrrynfmr>yeah
[06:34]<rlraxne>danieldg: http://www.tbg.nu/iptables.txt
[06:34]<rlraxne>what do you think about that ?
[06:34]<rlraxne>the badtcp custom chain that is which is printed in the top of the txt file
[06:35]<rlraxne>all flags are valid only for established packets
[06:35]<rlraxne>except syn and syn + psh which will be for new packets
[06:35]<mrrynfmr>looks good to me
[06:36]<rlraxne>i think i can comment out the new not syn first rule there
[06:36]<rlraxne>since the
[06:36]<rlraxne>iptables -A BADTCP -p tcp --tcp-flags ALL SYN -m state --state NEW -j RETURN should take care of that part
[06:36]<rlraxne>and that packets which didn't match that will be dropped anyway
[06:36]<mrrynfmr>yes
[06:36]<rlraxne>i have the state INVALID before the badtcp check
[06:37]<rlraxne>in its own custom chain
[06:37]<rlraxne>what is your opinion of the existence of RST packets vs FIN packets ?
[06:37]<rlraxne>which one is more common (and should be placed higher in the badtcp chain) ?
[06:37]<rlraxne>ACK should be the far most common so those are placed first :)
[06:50]<rlraxne>http://www.tbg.nu/iptables.txt - has now the updated BADTCP custom chain...
[12:44]<rlraxne>im having an issue with -p icmp --icmp-type destination-unreachable
[12:44]<rlraxne>according to the log type=3 code=3 won't be allowed by the above rule
[12:55]<rlraxne>nevermind solved it
[14:05]<rlraxne>which is usually more common in regular tcp traffic... packets containing RST flag or packets containing FIN flag ?
[14:08]<wjjmmwjjmlnacnz>FIN
[14:13]<rlraxne>oki tnx... I have now updated (once again :P) the BADTCP chain at http://www.tbg.nu/iptables.txt
[14:19]<wjjmmwjjmlnacnz>http://rafb.net/paste/results/I0ebfu52.html
[14:20]<wjjmmwjjmlnacnz>FIN is for regular 3-way handshake disconnection, while RST is for resetting e.g. if you just pull the cable, power drop etc.
[14:20]<wjjmmwjjmlnacnz>*FIN is the regular 3-way
[14:20]<wjjmmwjjmlnacnz>FIN -> FIN,ACK -> ACK
[14:23]<rlraxne>hmm
[14:23]<rlraxne>isnt closing: fin,ack -> ack fin,ack <- ack ?
[14:26]<wjjmmwjjmlnacnz>Yes, you are right.
[14:26]<wjjmmwjjmlnacnz>ACK,FIN to close by Client.
[14:26]<wjjmmwjjmlnacnz>Server sends ACK ; half closed
[14:27]<wjjmmwjjmlnacnz>Server sends ACK, FIN
[14:27]<wjjmmwjjmlnacnz>Client sends ACK ; completely closed
[14:28]<rlraxne>i thought that something would stick after digging in docs during nighthours :P
[14:29]<wjjmmwjjmlnacnz>Actually, yes, that is what I think all the time too :-/
[14:29]<rlraxne>err
[14:29]<rlraxne>i was speaking about myself :P
[14:29]<wjjmmwjjmlnacnz>Me too :-D
[14:29]<rlraxne>i have had some strange wakehours lately :P
[14:29]<wjjmmwjjmlnacnz>Don't remind me of that ...
[14:29]<rlraxne>like 04am -> 11am next day, sleep until 22pm and stuff like that =)
[14:30]<wjjmmwjjmlnacnz>I know what you mean *sigh*