[BUG] Netfilter in Linux 2.6.1

Hello!

While experimenting with ipsec I found the following problems:

Encapsulated ipsec data (esp) passes through iptables and becomes
decrypted. So far so fine.

Now what happens with those unencrypted packages? It looks like
they travel through iptables again!

Have a look at this example:

I use 

http://schotteli.us/~nico/firewall-masq

as my firewall script on the host named "bruehe".

With a notebook (named scice) I start an ipsec connection
with isakmpd via wlan to bruehe:

isakmpd.scice -> wlan0.scice -> wlan0.bruehe -> isakmpd.bruehe.

So far no problems.

The SAs are set fine: [ipsec-bug.setkey]

When I try to ping bruehe it is successful:

scice% ping -c2 192.168.42.1
PING 192.168.42.1 (192.168.42.1): 56 data bytes
64 bytes from 192.168.42.1: icmp_seq=0 ttl=64 time=8.4 ms
64 bytes from 192.168.42.1: icmp_seq=1 ttl=64 time=4.8 ms

--- 192.168.42.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 4.8/6.6/8.4 ms


logged from host named baby, which is sniffing in the wlan:

03:11:04.577573 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0x3) (DF)
03:11:04.579071 bruehe.wlan.intern.schottelius.org >
scice.wlan.intern.schottelius.org: ESP(spi=0xaa714402,seq=0x3)
03:11:06.193495 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0x4) (DF)
03:11:06.199202 bruehe.wlan.intern.schottelius.org >
scice.wlan.intern.schottelius.org: ESP(spi=0xaa714402,seq=0x4)


Now I try to ssh to 192.168.42.2 == bruehe.

I don't get any reply, only a timeout (because of the -j DROP rule).

Log from baby:

03:14:42.538601 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0x8) (DF)
03:14:47.390054 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0x9) (DF)
03:14:57.094131 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0xa) (DF)

As you see, no response, although the rules should match them:

# 
# IKE from wlan
# 
iptables  -I INPUT -i $DEV_WLAN  -p udp --sport 500 --dport 500 -j ACCEPT
ip6tables -I INPUT -i $DEV_WLAN  -p udp --sport 500 --dport 500 -j ACCEPT

#
# ESP encryption and authentication from wlan
#
iptables  -I INPUT -i $DEV_WLAN -p esp -j ACCEPT
ip6tables -I INPUT -i $DEV_WLAN -p esp -j ACCEPT

#
# AH 
# 
iptables  -I INPUT -i $DEV_WLAN -p ah -j ACCEPT
ip6tables -I INPUT -i $DEV_WLAN -p ah -j ACCEPT


As ssh gets blocked, I assume that after decrypting the packages they
are matched against the rules again.

Is that right?

This looks to me like a bug in netfilter...

Greetings,

Nico

ps: I am on the linux-net ML, not on the netfilter ML, so
    please CC-me when replying.

-- 
Keep it simple & stupid, use what's available.
pgp: 8D0E E27A          | Nico Schottelius
http://nerd-hosting.net | http://linux.schottelius.org
bruehe:/usr/src/linux# setkey -D
192.168.42.2 192.168.42.1 
        esp mode=tunnel spi=3568472532(0xd4b291d4) reqid=0(0x00000000)
        E: rijndael-cbc  95a4ad71 799ae14e 9c145bb1 3628a4d8
        A: hmac-sha1  4bbea868 1b4e334f 3f7317e2 40b221b6 f4a5c58e
        seq=0x00000000 replay=0 flags=0x00000000 state=mature 
        created: Jan 23 16:43:23 2004   current: Jan 23 16:47:18 2004
        diff: 235(s)    hard: 1200(s)   soft: 1080(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=9319 refcnt=0
192.168.42.1 192.168.42.2 
        esp mode=tunnel spi=2859549698(0xaa714402) reqid=0(0x00000000)
        E: rijndael-cbc  3c94ab69 28414ac0 9069dc1f 282d376d
        A: hmac-sha1  72710b06 754daf00 8f2aca9f d8e63ac5 7f468a99
        seq=0x00000000 replay=0 flags=0x00000000 state=mature 
        created: Jan 23 16:43:23 2004   current: Jan 23 16:47:18 2004
        diff: 235(s)    hard: 1200(s)   soft: 1080(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=9319 refcnt=0



scice# setkey -D
192.168.42.2 192.168.42.1 
        esp mode=tunnel spi=3568472532(0xd4b291d4) reqid=0(0x00000000)
        E: rijndael-cbc  95a4ad71 799ae14e 9c145bb1 3628a4d8
        A: hmac-sha1  4bbea868 1b4e334f 3f7317e2 40b221b6 f4a5c58e
        seq=0x00000000 replay=16 flags=0x00000000 state=mature 
        created: Jan 23 16:43:18 2004   current: Jan 23 16:47:54 2004
        diff: 276(s)    hard: 1200(s)   soft: 1080(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=2783 refcnt=0
192.168.42.1 192.168.42.2 
        esp mode=tunnel spi=2859549698(0xaa714402) reqid=0(0x00000000)
        E: rijndael-cbc  3c94ab69 28414ac0 9069dc1f 282d376d
        A: hmac-sha1  72710b06 754daf00 8f2aca9f d8e63ac5 7f468a99
        seq=0x00000000 replay=16 flags=0x00000000 state=mature 
        created: Jan 23 16:43:18 2004   current: Jan 23 16:47:54 2004
        diff: 276(s)    hard: 1200(s)   soft: 1080(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=2783 refcnt=0
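The post's evidence for the problem is the pairing of a sniffer log with the SAD: during the ping both SPIs carry packets, during the ssh attempt only scice's outbound SPI does. The script below automates that correlation. It is an added example, not code from the post or from netfilter; the sample inputs are the tcpdump and setkey -D lines quoted above, kept in the line-wrapped form the mail arrived in (the parser re-joins them), and all function names are this example's own.

```python
"""Correlate sniffed ESP packets with the kernel SAD (setkey -D) and flag
SAs that carried traffic but whose reverse SA stayed silent.

Added example, not code from the original post. Sample inputs are the
tcpdump and setkey -D lines quoted in the post; function names are ours.
"""
import re
from collections import Counter

# tcpdump records as they appeared in the mail: each record starts with a
# timestamp and was wrapped by the mailer after the '>'.
PING_LOG = """\
03:11:04.577573 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0x3) (DF)
03:11:04.579071 bruehe.wlan.intern.schottelius.org >
scice.wlan.intern.schottelius.org: ESP(spi=0xaa714402,seq=0x3)
03:11:06.193495 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0x4) (DF)
03:11:06.199202 bruehe.wlan.intern.schottelius.org >
scice.wlan.intern.schottelius.org: ESP(spi=0xaa714402,seq=0x4)
"""

SSH_LOG = """\
03:14:42.538601 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0x8) (DF)
03:14:47.390054 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0x9) (DF)
03:14:57.094131 scice.wlan.intern.schottelius.org >
bruehe.wlan.intern.schottelius.org: ESP(spi=0xd4b291d4,seq=0xa) (DF)
"""

# setkey -D output from the post, abbreviated to the lines the parser uses.
SAD_DUMP = """\
192.168.42.2 192.168.42.1
        esp mode=tunnel spi=3568472532(0xd4b291d4) reqid=0(0x00000000)
        E: rijndael-cbc  95a4ad71 799ae14e 9c145bb1 3628a4d8
192.168.42.1 192.168.42.2
        esp mode=tunnel spi=2859549698(0xaa714402) reqid=0(0x00000000)
        E: rijndael-cbc  3c94ab69 28414ac0 9069dc1f 282d376d
"""

ESP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\)"
)
SA_HEAD_RE = re.compile(r"^(?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+)\s*$")
SA_SPI_RE = re.compile(r"spi=\d+\(0x(?P<spi>[0-9a-f]+)\)")


def unwrap(text):
    """Re-join records the mail client wrapped; a record starts with a timestamp."""
    records = []
    for line in text.splitlines():
        if re.match(r"^\d\d:\d\d:\d\d\.", line):
            records.append(line)
        elif records:
            records[-1] += " " + line.strip()
    return records


def parse_esp_log(text):
    """Return (timestamp, src, dst, spi, seq) for every ESP record in the log."""
    packets = []
    for rec in unwrap(text):
        m = ESP_RE.match(rec)
        if m:
            packets.append((m["ts"], m["src"], m["dst"],
                            int(m["spi"], 16), int(m["seq"], 16)))
    return packets


def parse_sad(text):
    """Return {spi: (src, dst)} from setkey -D output."""
    sad, current = {}, None
    for line in text.splitlines():
        h = SA_HEAD_RE.match(line)
        if h:
            current = (h["src"], h["dst"])
            continue
        s = SA_SPI_RE.search(line)
        if s and current:
            sad[int(s["spi"], 16)] = current
    return sad


def unanswered_sas(packets, sad):
    """Return the SPIs (as 0x strings) that carried packets while the SA in
    the opposite direction carried none: the signature of traffic that was
    decapsulated and then dropped before a reply could be sent."""
    counts = Counter(p[3] for p in packets)
    reverse = {spi: next((r for r, ep in sad.items() if ep == (dst, src)), None)
               for spi, (src, dst) in sad.items()}
    return [f"0x{spi:08x}" for spi, n in counts.items()
            if spi in sad and n > 0 and counts.get(reverse[spi], 0) == 0]


if __name__ == "__main__":
    sad = parse_sad(SAD_DUMP)
    print("ping window, unanswered SAs:", unanswered_sas(parse_esp_log(PING_LOG), sad))
    print("ssh window, unanswered SAs:", unanswered_sas(parse_esp_log(SSH_LOG), sad))
```

Run against the two windows from the post, the ping window reports no unanswered SA and the ssh window reports 0xd4b291d4: ESP arrives and is accepted by the `-p esp` rule, but once the kernel's IPsec stack decapsulates it, the inner TCP/22 packet enters the INPUT chain a second time as plain TCP and is caught by the default DROP. The defensive fix is therefore a rule for the decapsulated traffic, not a change to the ESP rule; later 2.6 kernels supply the `policy` match (`-m policy --dir in --pol ipsec`) so that such a rule accepts port 22 only from traffic that actually arrived inside an SA.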
