Re: dropped SSH sessions with kernels >= 4.14 upon iptables clear then load [REGRESSION][BISECTED]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, 14 Aug 2018 15:19:27 -0700
"Doug Smythies" <dsmythies@xxxxxxxxx> wrote:

> I don't know what to say, it is 100% repeatable for me, on multiple
> computers.

I do not doubt that, just curious what's the configuration difference and
how I still didn't hit that.

> There has to be some traffic on the SSH session while the rules
> are disabled for this to occur.

There is, in my case.

> Also, the session has to have been started
> with the rules in place.

That's met too.

> Additionally, and just learned from Florian's e-mail:
> 
> /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal
> 
> has to be 0.

Set to 0 on my systems.

> https://askubuntu.com/questions/1059781/ufw-allows-22-for-ipv4-and-ipv6-but-ssh-disconnects-when-enabling

Here is the difference. Your script:

$IPTABLES -A INPUT -i $EXTIF -p tcp -m conntrack --ctstate INVALID -j DROP
$IPTABLES -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
$IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT

It seems that if the kernel now empties the conntrack table due to no
conntrack rules in iptables, with such a ruleset there will be no record for
your SSH connection, so it can't continue, unless initiated again (NEW)
specifically as a new connection (--syn). You can check if that's indeed the
case by comparing contents of "/proc/net/nf_conntrack" before and after reset.

And here's why it still works for me. In my case the rules are just:

-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m set --match-set myipv4 src -m tcp --dport 22 -j ACCEPT

(the ipset part should be irrelevant)

I accept everything to port 22, without involving -m conntrack. Personally I
prefer the firewall to be as stateless as possible (and switched to fully
stateless on several machines, at least on the IPv6 side).

Is there a significant reason for filtering it as strictly as in your example,
e.g. what kind of threats the more strict rules are preventing that mine don't?

-- 
With respect,
Roman
[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux