enquiry on ownership of packet (linux iptables)

Dear all,

I am learning to set up a firewall using iptables. My system is Ubuntu 11.10 Linux x64 (Linux kernel 3.3-rc5).

My goal is:
  1. Allow authorized users to access the internet only
  2. Isolate network daemons from the loopback device and the LAN, but allow them to access the internet

To achieve this, my firewall is built with the following logic:

  1. Default policy drop
  2. For the input chain, listen on a few ports only
  3. For the output chain, log all dropped packets for debugging.

I spotted that a few packets are dropped on the output chain: ICMP, IGMP (Proto type=2) and TCP packets. They do not have an owner id.

Now I want to silence them by adding an accept rule, but I have the following questions about the ownership of packets. According to the iptables documentation: "Packets from kernel threads do have a socket, but usually no owner."

  1. Is it possible that a misbehaving program sends "no owner" packets (e.g. ICMP/IGMP)? (Assume that the program has no root privilege and cannot access setuid executables.)
  2. Can I assume that "no owner" packets always come from the kernel or from a program with root privilege?
  3. Why can the TCP packets in my log be "no owner"?
  4. How do I write a rule to "accept" all "no-owner" outbound packets?

Thanks a lot
Ching

#IGMP (PROTO=2)
kernel: [   17.476219] [IPTABLES]: dropped IN= OUT=vmnet1 SRC=172.16.27.1 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
kernel: [   17.500206] [IPTABLES]: dropped IN= OUT=vmnet8 SRC=172.16.225.1 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 

#ICMP
kernel: [ 7485.926583] [IPTABLES]: dropped IN= OUT=eth0 SRC=192.168.11.2 DST=208.86.198.92 LEN=576 TOS=0x00 PREC=0xC0 TTL=64 ID=12970 PROTO=ICMP TYPE=11 CODE=1 [SRC=208.86.198.92 DST=192.168.11.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=48 ID=27571 MF PROTO=UDP SPT=7567 DPT=65402 LEN=1849 ] 
kernel: [   13.249733] [IPTABLES]: dropped IN= OUT=vmnet8 SRC=fe80:0000:0000:0000:0250:56ff:fec0:0008 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 

#TCP packet without owner
kernel: [ 6099.368655] [IPTABLES]: dropped IN= OUT=eth0 SRC=192.168.11.2 DST=222.49.251.140 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=65403 DPT=49631 WINDOW=0 RES=0x00 RST URGP=0 
kernel: [  380.975820] [IPTABLES]: dropped IN= OUT=eth0 SRC=192.168.11.2 DST=1.195.204.197 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=64746 DF PROTO=TCP SPT=47859 DPT=10759 WINDOW=29 RES=0x00 ACK PSH FIN URGP=0

*security
:INPUT ACCEPT [155114:111048110]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [189557:159665631]
COMMIT


*raw
:PREROUTING ACCEPT [155235:111062052]
:OUTPUT ACCEPT [189607:159672135]
COMMIT


*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT


*mangle
:PREROUTING ACCEPT [155235:111062052]
:INPUT ACCEPT [155235:111062052]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [189607:159672135]
:POSTROUTING ACCEPT [189594:159674670]
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:zLog_Drop - [0:0]
:zNetwork_Daemon - [0:0]


#drop and log chain
-A zLog_Drop -m limit --limit 1/min --limit-burst 10 -j LOG --log-prefix "[IPTABLES]: dropped " --log-uid 
-A zLog_Drop -j DROP
	
#network daemon outbound chain
-A zNetwork_Daemon ! -d 192.168.0.0/16 -o eth0 -j ACCEPT               #allow connection to non-lan ip only
-A zNetwork_Daemon -d 192.168.11.1/32 -o eth0 -p udp -m udp --dport 53 -j ACCEPT               #allow DNS
-A zNetwork_Daemon ! -o eth0 -j DROP               #silent log by dropping local traffic
-A zNetwork_Daemon -j zLog_Drop               #log and drop
	
#input chain
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT               #allow established connection
-A INPUT -p tcp -m multiport --dports 10000:10010 -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT                #listen to a few port only
-A INPUT -p udp -m multiport --dports 10000:10010 -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT                #listen to a few port only
-A INPUT -i lo -j ACCEPT               #allow localhost inbound

#output chain
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT                #allow established connection
-A OUTPUT -m owner --uid-owner zamule -j zNetwork_Daemon                #daemon
-A OUTPUT -m owner --uid-owner debian-transmission -j zNetwork_Daemon                #daemon
-A OUTPUT -m owner --uid-owner zhttpfileserver -j zNetwork_Daemon                #daemon
-A OUTPUT -m owner --uid-owner avahi -j ACCEPT                #trusted
-A OUTPUT -m owner --uid-owner root -j ACCEPT                #trusted
#-A OUTPUT -p icmp -j ACCEPT 
#-A OUTPUT -p igmp -j ACCEPT 
-A OUTPUT -j zLog_Drop                #log and drop everything else

COMMIT
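
The following is an added example, not part of Ching's post and not iptables project code. It parses the kernel LOG lines quoted above and sorts the dropped packets by protocol and by whether the LOG target recorded an owner. With --log-uid, the LOG target appends UID=/GID= only when the packet's socket still belongs to a process; packets the kernel generates itself (IGMP membership reports to 224.0.0.22, ICMP time-exceeded errors, the TCP RST answering a closed port) and packets of a socket whose process has already closed it (the FIN/ACK line) carry no such fields, which is what shows up as "no owner". The sample input reproduces four of the posted lines plus one constructed line (destination 198.51.100.7, UID=1000 GID=1000) so that an owned packet appears for contrast.

```python
"""Classify netfilter LOG lines by protocol and by whether the kernel
recorded a socket owner (UID=/GID=, written only when the LOG target
ran with --log-uid and the packet had an owned socket)."""
import re
from collections import Counter

# Constructed sample: four OUTPUT drops quoted in the post plus one
# made-up line with an owner (UID=1000 GID=1000, 198.51.100.7).
SAMPLE_LOG = """\
kernel: [   17.476219] [IPTABLES]: dropped IN= OUT=vmnet1 SRC=172.16.27.1 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
kernel: [ 7485.926583] [IPTABLES]: dropped IN= OUT=eth0 SRC=192.168.11.2 DST=208.86.198.92 LEN=576 TOS=0x00 PREC=0xC0 TTL=64 ID=12970 PROTO=ICMP TYPE=11 CODE=1 [SRC=208.86.198.92 DST=192.168.11.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=48 ID=27571 MF PROTO=UDP SPT=7567 DPT=65402 LEN=1849 ]
kernel: [ 6099.368655] [IPTABLES]: dropped IN= OUT=eth0 SRC=192.168.11.2 DST=222.49.251.140 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=65403 DPT=49631 WINDOW=0 RES=0x00 RST URGP=0
kernel: [  380.975820] [IPTABLES]: dropped IN= OUT=eth0 SRC=192.168.11.2 DST=1.195.204.197 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=64746 DF PROTO=TCP SPT=47859 DPT=10759 WINDOW=29 RES=0x00 ACK PSH FIN URGP=0
kernel: [  401.000000] [IPTABLES]: dropped IN= OUT=eth0 SRC=192.168.11.2 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1000 GID=1000
"""

# The prefix is the one configured with --log-prefix in the posted rules.
PREFIX_RE = re.compile(r"\[IPTABLES\]: dropped (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_nf_log(line):
    """Return a dict of the outer packet's KEY=VALUE fields plus a
    'flags' set (DF, RST, ACK, ...), or None if the line is not one of
    our LOG lines. The bracketed inner header that an ICMP error line
    carries is removed first so its SRC/DST/PROTO do not overwrite the
    outer packet's values."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = re.sub(r"\[.*?\]", "", m.group("rest"))
    fields = dict(KV_RE.findall(rest))
    fields["flags"] = {tok for tok in rest.split() if "=" not in tok}
    return fields


def has_owner(rec):
    """True when the LOG target recorded a UID, i.e. the packet's socket
    still had an owning process at the time it was logged."""
    return "UID" in rec


def describe_proto(rec):
    """Human-readable protocol label; PROTO=2 is IGMP, for which the
    LOG target prints only the protocol number."""
    proto = rec.get("PROTO", "?")
    if proto == "2":
        return "IGMP"
    if proto in ("ICMP", "ICMPv6"):
        return f"{proto} type {rec.get('TYPE', '?')}"
    if proto == "TCP":
        tcp_flags = sorted(rec["flags"] & {"SYN", "ACK", "FIN", "RST", "PSH"})
        return "TCP " + "/".join(tcp_flags)
    return proto


def summarize(text):
    """Count dropped packets per (protocol label, owned?) pair."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_nf_log(line)
        if rec is None:
            continue
        counts[(describe_proto(rec), has_owner(rec))] += 1
    return counts


if __name__ == "__main__":
    for (desc, owned), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {'owned' if owned else 'no owner':9s}  {desc}")
```

Run against a real log (e.g. piping dmesg into summarize) this separates the kernel's own traffic from drops that point at a process the OUTPUT rules do not yet cover. On question 4, the owner match documented in the iptables-extensions man page has a "[!] --socket-exists" option that tests whether a packet is associated with a socket at all, but a blanket accept for socket-less packets is hard to audit; accepting the specific kernel traffic the summary reveals (IGMP, the ICMP error types, the ICMPv6 MLD report on vmnet8), much as the two commented-out OUTPUT lines already sketch, keeps the default-drop policy meaningful.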
