RE : iptable 1.2.11 and kernel 2.6.11-1 compatibility issue

> could we see the entire script or at the very least an output of iptables-
> save after your script has run?

The issue is related to a bug that was recently patched into Netfilter
(https://lists.netfilter.org/pipermail/netfilter-devel/2005-May/019543.html)

Here is the script I used to confirm the bug:
----------------------------------------------------------------------------
#!/bin/sh
#
# Test script: a dedicated chain logs and accepts any loopback packet that
# conntrack classifies as INVALID, so the symptom shows up in the kernel log
# instead of being silently dropped by the default policy.
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
IPTABLES="/sbin/iptables"

# Default policy
$IPTABLES -P OUTPUT  DROP
$IPTABLES -P INPUT   DROP
$IPTABLES -P FORWARD DROP

# Flush tables: flush every chain of every loaded table except mangle,
# then delete the user-defined chains of that table
cat /proc/net/ip_tables_names | while read table; do
  test "X$table" = "Xmangle" && continue
  $IPTABLES -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        $IPTABLES -t $table -F $chain
      fi
  done
  $IPTABLES -t $table -X
done

# Accept related, established
$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Rule 0 (lo)"
# Added to confirm the bug: log and accept loopback packets in state INVALID
$IPTABLES -N lo_INVALID_RULE
$IPTABLES -A INPUT   -i lo  -m state --state INVALID  -j lo_INVALID_RULE
$IPTABLES -A OUTPUT  -o lo  -m state --state INVALID  -j lo_INVALID_RULE
$IPTABLES -A lo_INVALID_RULE -j LOG  --log-level info --log-prefix "lo_INVALID_RULE - Accept "
$IPTABLES -A lo_INVALID_RULE -j ACCEPT

# Standard loopback rule: log and accept new loopback connections
$IPTABLES -N lo_NEW_RULE
$IPTABLES -A INPUT   -i lo  -m state --state NEW  -j lo_NEW_RULE
$IPTABLES -A OUTPUT  -o lo  -m state --state NEW  -j lo_NEW_RULE
$IPTABLES -A lo_NEW_RULE -j LOG  --log-level info --log-prefix "lo_NEW_RULE - Accept "
$IPTABLES -A lo_NEW_RULE -j ACCEPT

# Simple test policy
$IPTABLES -A OUTPUT  -s 160.228.120.129  -m state --state NEW  -j ACCEPT
$IPTABLES -A INPUT   -d 160.228.120.129  -p tcp -m tcp  --dport 22 -m state --state NEW  -j ACCEPT
----------------------------------------------------------------------------


With this script and the Fedora new kernel-2.6.11-1.27_FC3, a "ssh
localhost" command results in the following logs:
Jun  2 10:47:41 MYHOST kernel: lo_NEW_RULE - Accept IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47020 DF PROTO=TCP SPT=52640 DPT=22 WINDOW=32767 RES=0x00 SYN URGP=0
Jun  2 10:47:41 MYHOST kernel: lo_NEW_RULE - Accept IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47020 DF PROTO=TCP SPT=52640 DPT=22 WINDOW=32767 RES=0x00 SYN URGP=0
Jun  2 10:47:41 MYHOST kernel: lo_INVALID_RULE - Accept IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=75 TOS=0x00 PREC=0x00 TTL=64 ID=40002 DF PROTO=TCP SPT=22 DPT=52640 WINDOW=8192 RES=0x00 ACK PSH URGP=0
Jun  2 10:47:41 MYHOST kernel: lo_INVALID_RULE - Accept IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=74 TOS=0x00 PREC=0x00 TTL=64 ID=47026 DF PROTO=TCP SPT=52640 DPT=22 WINDOW=8192 RES=0x00 ACK PSH URGP=0

Thanks again,
Thibault
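As an added example (not part of Thibault's mail or of the netfilter project), the following Python script parses kernel LOG lines of the form shown above and flags TCP connections whose packets were logged by the INVALID chain after that connection's SYN had already passed through the NEW chain, which is exactly the symptom in the mail: on a working conntrack those ACK/PSH packets would be ESTABLISHED and never reach lo_INVALID_RULE. The four log lines are the ones from the mail, rejoined onto one line each; the chain prefixes lo_NEW_RULE and lo_INVALID_RULE come from the script; the function names and the LogEntry class are the example's own.

```python
"""Parse netfilter LOG output and flag TCP connections whose packets were
classified INVALID by conntrack after the connection's SYN was accepted.

Added example; not code from the mail or from the netfilter project."""
import re
from dataclasses import dataclass, field

# Sample input: the four kernel log lines from the mail, one per line.
SAMPLE_LOG = [
    "Jun  2 10:47:41 MYHOST kernel: lo_NEW_RULE - Accept IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47020 DF PROTO=TCP SPT=52640 DPT=22 WINDOW=32767 RES=0x00 SYN URGP=0",
    "Jun  2 10:47:41 MYHOST kernel: lo_NEW_RULE - Accept IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47020 DF PROTO=TCP SPT=52640 DPT=22 WINDOW=32767 RES=0x00 SYN URGP=0",
    "Jun  2 10:47:41 MYHOST kernel: lo_INVALID_RULE - Accept IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=75 TOS=0x00 PREC=0x00 TTL=64 ID=40002 DF PROTO=TCP SPT=22 DPT=52640 WINDOW=8192 RES=0x00 ACK PSH URGP=0",
    "Jun  2 10:47:41 MYHOST kernel: lo_INVALID_RULE - Accept IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=74 TOS=0x00 PREC=0x00 TTL=64 ID=47026 DF PROTO=TCP SPT=52640 DPT=22 WINDOW=8192 RES=0x00 ACK PSH URGP=0",
]

# The LOG target prints the --log-prefix text, then "IN=<if> OUT=<if> ..."
_LOG_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)\s*(?P<rest>IN=.*)$")


@dataclass
class LogEntry:
    prefix: str                                   # --log-prefix text, trimmed
    fields: dict = field(default_factory=dict)    # KEY=VALUE tokens
    flags: set = field(default_factory=set)       # bare tokens: DF, SYN, ACK, ...

    def conn_key(self):
        """Direction-independent identifier, so both halves of a TCP
        exchange (client->server and server->client) map to one connection."""
        a = (self.fields.get("SRC"), self.fields.get("SPT"))
        b = (self.fields.get("DST"), self.fields.get("DPT"))
        return (self.fields.get("PROTO"), frozenset((a, b)))


def parse_log_line(line):
    """Split one kernel LOG line into prefix, KEY=VALUE fields and flag words.
    Returns None for lines that are not netfilter LOG output."""
    m = _LOG_RE.search(line)
    if m is None:
        return None
    entry = LogEntry(prefix=m.group("prefix").strip())
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "OUT=" yields an empty value
            entry.fields[key] = value
        else:
            entry.flags.add(tok)
    return entry


def find_invalid_after_syn(lines, invalid_prefix="lo_INVALID_RULE"):
    """Return the entries logged by the INVALID chain for TCP connections
    whose initial SYN had already appeared in the log. With working
    connection tracking these packets would be ESTABLISHED and never
    reach that chain."""
    seen_syn = set()
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None or entry.fields.get("PROTO") != "TCP":
            continue
        key = entry.conn_key()
        if "SYN" in entry.flags and "ACK" not in entry.flags:
            seen_syn.add(key)       # handshake start, logged by the NEW chain
            continue
        if key in seen_syn and entry.prefix.startswith(invalid_prefix):
            hits.append(entry)
    return hits


def count_by_prefix(lines):
    """Packets per --log-prefix: a quick overview of which chain fired."""
    counts = {}
    for line in lines:
        entry = parse_log_line(line)
        if entry is not None:
            counts[entry.prefix] = counts.get(entry.prefix, 0) + 1
    return counts


if __name__ == "__main__":
    for entry in find_invalid_after_syn(SAMPLE_LOG):
        f = entry.fields
        tcp_flags = sorted(entry.flags & {"SYN", "ACK", "PSH", "FIN", "RST"})
        print("INVALID after SYN: %s:%s -> %s:%s flags=%s"
              % (f["SRC"], f["SPT"], f["DST"], f["DPT"], " ".join(tcp_flags)))
    print(count_by_prefix(SAMPLE_LOG))
```

Run it against /var/log/messages (or the output of dmesg) on an affected host instead of SAMPLE_LOG: any hit means a packet of an already-tracked loopback connection was handed to the INVALID chain, which is what the script in the mail makes visible.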
