IP Chains rules relating to fragments and marking a packet

Post by Al Hut » Thu, 28 Oct 1999 04:00:00



First, thank you Tom Eastep for your help several weeks ago when I was having trouble setting up ipchains... I could ping internet IP addresses OK but services did not work. I tracked it down by turning on logging on the input chain and determined that packets were in fact returning to the FW. I replaced the 2 Realtek 8029 cards with 3Com 3c5009b's and it worked.

I recommend anyone having trouble w/ipchains and masq'g use logging to debug. It will help you narrow down the possibilities.

I am currently using manual spoof protection. I understand and have the code to turn it on in the kernel, but it says to install it "before any interfaces are initialized". I assume this means doing it in rc.local is too late. How do I execute it earlier?

Also, how do I tell if the kernel was compiled with ALWAYS DEFRAGMENT on, so I know how vulnerable I might be to frag attacks? If I DENY frags with -y, won't that 'break' legitimate data streams?

How does the mark switch work? I've tried -m xxxxx where xxxxx is an integer number, but the log entry does not show it. Is it logged elsewhere? Is it an accounting flag of some sort?

Anybody else looking at nmap? (www.insecure.org) Good links to security stuff.

"Windows 3.0 will run on a 286 with 1 meg of RAM" - Microsoft circa 1990. Un huh. And they've been lying ever since.

IP Chains rules relating to fragments and marking a packet

Post by Tom Easte » Thu, 28 Oct 1999 04:00:00



> First, thank you Tom Eastep for your help several weeks ago when I was having trouble setting up ipchains... I could ping internet IP addresses OK but services did not work. I tracked it down by turning on logging on the input chain and determined that packets were in fact returning to the FW. I replaced the 2 Realtek 8029 cards with 3Com 3c5009b's and it worked.

> I recommend anyone having trouble w/ipchains and masq'g use logging to debug. It will help you narrow down the possibilities.

> I am currently using manual spoof protection. I understand and have the code to turn it on in the kernel, but it says to install it "before any interfaces are initialized". I assume this means doing it in rc.local is too late. How do I execute it earlier?

On my RedHat system, I start and stop my firewall with the script /etc/rc.d/init.d/firewall. This script accepts one of "start", "stop", "restart" or "status" as an argument. When the firewall is successfully started, it touches /var/lock/subsys/firewall; when it's stopped, it removes that file.

In /etc/rc.d/rc3.d and /etc/rc.d/rc5.d I have the following links:

        K10firewall -> ../init.d/firewall
        S85firewall -> ../init.d/firewall

When the firewall is stopped, all ipchains rules are flushed from the pre-defined chains and their policy is set to DENY, all user-defined chains are deleted, and traffic through "lo" is enabled.

One of the first things that happens when the firewall is started is that spoof protection is installed (while the input chain is still empty).

> Also, how do I tell if the kernel was compiled with ALWAYS DEFRAGMENT on, so I know how vulnerable I might be to frag attacks?

In the later 2.2 kernels, cat /proc/sys/net/ipv4/ip_always_defrag

A value > 0 means that it's set.

> If I DENY frags with -y, won't that 'break' legitimate data streams?

-y denotes a SYN packet (TCP connection request) -- has nothing to do
with fragments.

> How does the mark switch work? I've tried -m xxxxx where xxxxx is an integer number, but the log entry does not show it. Is it logged elsewhere? Is it an accounting flag of some sort?

Can't answer that one -- I've never used it.

-Tom
--
Tom Eastep               \    Opinions expressed here

Shoreline, Washington USA  \    those of my employer
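The following is an added example with the shape Tom describes, not his actual /etc/rc.d/init.d/firewall (which is not in the thread): start, stop, restart and status; a lock file under /var/lock/subsys; stop flushes the built-in chains, sets their policy to DENY, deletes user-defined chains and re-enables lo; start begins from that empty state and installs the anti-spoofing rules before anything else. It also wraps his /proc/sys/net/ipv4/ip_always_defrag check. The interface name eth0, the internal network 192.168.1.0/24 and the handful of rules after the spoof checks are assumptions. By default it only echoes the ipchains commands, so it can be read and exercised on any machine; set IPCHAINS=ipchains and run it as root on a 2.2 kernel to apply them.

```shell
#!/bin/sh
# Added example, not the init script from the thread. Dry-run by default:
# every ipchains command is echoed instead of executed.
IPCHAINS="${IPCHAINS:-echo ipchains}"
LOCK="${LOCK:-/var/lock/subsys/firewall}"
EXT_IF="${EXT_IF:-eth0}"                 # assumed external (Internet) interface
INT_NET="${INT_NET:-192.168.1.0/24}"     # assumed masqueraded internal network
DEFRAG_PROC="${DEFRAG_PROC:-/proc/sys/net/ipv4/ip_always_defrag}"

# stop: flush the built-in chains, default them to DENY, delete user-defined
# chains and allow loopback traffic only; then drop the lock file.
fw_stop() {
    for chain in input output forward; do
        $IPCHAINS -F "$chain"
        $IPCHAINS -P "$chain" DENY
    done
    $IPCHAINS -X                    # no chain given: delete all user-defined chains
    $IPCHAINS -A input  -i lo -j ACCEPT
    $IPCHAINS -A output -i lo -j ACCEPT
    rm -f "$LOCK"
}

# start: begin from the clean DENY state above, so the input chain is empty
# when the anti-spoofing rules go in first. -l logs each match to syslog,
# the same logging Al used to track down his NIC problem.
fw_start() {
    fw_stop
    # Packets arriving from outside must not claim an internal or loopback source.
    $IPCHAINS -A input -i "$EXT_IF" -s "$INT_NET"  -l -j DENY
    $IPCHAINS -A input -i "$EXT_IF" -s 127.0.0.0/8 -l -j DENY
    # Minimal remaining policy (assumed; UDP handling omitted for brevity):
    # accept replies to our own TCP connections, log and deny inbound SYNs,
    # trust the inside, masquerade the internal network.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -y -l -j DENY
    $IPCHAINS -A input -i ! "$EXT_IF" -j ACCEPT
    $IPCHAINS -A output -j ACCEPT
    $IPCHAINS -A forward -s "$INT_NET" -j MASQ
    touch "$LOCK" 2>/dev/null || echo "warning: could not create $LOCK" >&2
}

fw_status() {
    if [ -f "$LOCK" ]; then echo "firewall is running"; return 0
    else echo "firewall is stopped"; return 1; fi
}

# Tom's check for the ALWAYS_DEFRAG option: prints on, off, or unknown when
# the /proc entry does not exist on this kernel.
defrag_status() {
    if [ -r "$DEFRAG_PROC" ]; then
        if [ "$(cat "$DEFRAG_PROC")" -gt 0 ]; then echo on; else echo off; fi
    else
        echo unknown
    fi
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    status)  fw_status; echo "ip_always_defrag: $(defrag_status)" ;;
    "")      ;;    # no argument: just define the functions
    *)       echo "usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Installed as /etc/rc.d/init.d/firewall with the S85/K10 links Tom lists, the start branch runs well before rc.local, and because it begins by flushing to DENY, the spoof rules are guaranteed to be the first entries in the input chain.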

IP Chains rules relating to fragments and marking a packet

Post by Cowles, Stev » Thu, 28 Oct 1999 04:00:00




> > First, thank you Tom Eastep for your help several weeks ago when I was having trouble setting up ipchains... I could ping internet IP addresses OK but services did not work. I tracked it down by turning on logging on the input chain and determined that packets were in fact returning to the FW. I replaced the 2 Realtek 8029 cards with 3Com 3c5009b's and it worked.

> > I recommend anyone having trouble w/ipchains and masq'g use logging to debug. It will help you narrow down the possibilities.

> > I am currently using manual spoof protection. I understand and have the code to turn it on in the kernel, but it says to install it "before any interfaces are initialized". I assume this means doing it in rc.local is too late. How do I execute it earlier?

> On my RedHat system, I start and stop my firewall with the script /etc/rc.d/init.d/firewall. This script accepts one of "start", "stop", "restart" or "status" as an argument. When the firewall is successfully started, it touches /var/lock/subsys/firewall; when it's stopped, it removes that file.

> In /etc/rc.d/rc3.d and /etc/rc.d/rc5.d I have the following links:

> K10firewall -> ../init.d/firewall
> S85firewall -> ../init.d/firewall

> When the firewall is stopped, all ipchains rules are flushed from the pre-defined chains and their policy is set to DENY, all user-defined chains are deleted, and traffic through "lo" is enabled.

> One of the first things that happens when the firewall is started is that spoof protection is installed (while the input chain is still empty).

> > Also, how do I tell if the kernel was compiled with ALWAYS DEFRAGMENT on, so I know how vulnerable I might be to frag attacks?

> In the later 2.2 kernels, cat /proc/sys/net/ipv4/ip_always_defrag

> A value > 0 means that it's set.

> > If I DENY frags with -y, won't that 'break' legitimate data streams?

> -y denotes a SYN packet (TCP connection request) -- has nothing to do
> with fragments.

> > How does the mark switch work? I've tried -m xxxxx where xxxxx is an integer number, but the log entry does not show it. Is it logged elsewhere? Is it an accounting flag of some sort?

> Can't answer that one -- I've never used it.

I won't answer the questions that Tom has already answered, but if I understand your question (for the mark switch, as you call it), this is straight from the ipmasqadm man pages. BTW: your kernel must be compiled to take advantage of this feature; also, you need to load the module ip_masq_mfw.o. I tried using the mfw module months ago and had problems. I ended up using the "portfw" module instead.

<cut/paste from man ipmasqadm>
       Kernel must have been compiled with
       CONFIG_EXPERIMENTAL=y
       CONFIG_IP_MASQUERADE=y
       CONFIG_IP_MASQUERADE_MOD=y
       and
       CONFIG_IP_MASQUERADE_IPAUTOFW=y/m
       CONFIG_IP_MASQUERADE_IPPORTFW=y/m
       CONFIG_IP_MASQUERADE_MFW=y/m
       for respective modules.

       If  you  need  to  forward one (or more) ports to internal
       hosts, consider using mfw module.

       In short:
       Short    ipmasqadm          kernel                    kernel
       descr.   module             module                    option
       -------------------------------------------------------------------------
       Auto     autofw.so    ip_masq_autofw.o     CONFIG_IP_MASQUERADE_IPAUTOFW
       Port     portfw.so    ip_masq_portfw.o     CONFIG_IP_MASQUERADE_IPPORTFW
       Fwmark   mfw.so       ip_masq_mfw.o        CONFIG_IP_MASQUERADE_MFW

MODULE mfw - fwmark-forwarding
       This  module  allows  forwarding  to-firewall  packets  to
       internal hosts, based on fwmark matching.  See ipchains(8)
       for setting up firewall rules with fwmarking.  Also please
       note that because this module acts only  in  first  packet
       connection,  it  makes  sense to add -y ipchains switch to
       TCP fwmark rules.

   EXAMPLES
       Redirect all web traffic to  internals  hostA  and  hostB,
       where  hostB will serve 2 times hostA connections. Forward
       rules already masq internal hosts to outside (typical).

              ipchains -I input -p tcp -y -d yours.com/32 80 -m 1
              ipmasqadm mfw -I -m 1 -r hostA 80 -p 10
              ipmasqadm mfw -I -m 1 -r hostB 80 -p 20

       Redirect  ssh  traffic  from  external clientA to internal
       hostB, also show forward masq rule  to  allow  only  hostB
       incoming connections to ssh port.

              ipchains -I forward -p tcp -d clientA/32 -s hostB/32 22
              ipchains -I input -p tcp -y -s clientA/32 -d 0/0 22 -m 2
              ipmasqadm mfw -I -m 2 -r hostB 22

       Redirect  all  traffic  from  external clientA to internal
       hostB, also show forward masq rule to allow this for hostB
       only (clean, simple ... just *grin*)

              ipchains -I forward -d clientA/32 -s hostB/32
              ipchains -I input -s clientA/32 -m 3
              ipmasqadm mfw -I -m 3 -r hostB

Steve Cowles
SWCowles at gte dot net


Multiple marks for a single packet, using iptables MANGLE chains

Is it possible to issue the command:

iptables -t mangle ... -j mark --set-mark <fwmark>

multiple times, with distinct <fwmark> values OR'ed together, at
different chain locations of the mangle table?

I'm using mangle table mark for two different purposes:

(1). PREROUTING mangle mark for policy-based routing, and
(2). FORWARD mangle mark for tc Queue filtering.

It seems impossible to implement both using iptables MANGLE chains on
the same IP packet.

Any suggestions?

--- Jeffrey
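An added example for Jeffrey's question; it is not part of the thread and not an answer anyone posted. Later iptables versions accept a mask with --set-mark, which zeroes only the masked bits before writing the value, so the 32-bit mark can be split into independent fields: here bits 0-7 carry the policy-routing selector set in PREROUTING and bits 8-15 the tc class selector set in FORWARD, and neither rule disturbs the other's bits. The bit layout, the routing table number 100, the interface eth1, the sample source network 10.0.0.0/24, and the masked forms "ip rule ... fwmark value/mask" and "tc ... handle value/mask fw" are assumptions about the tools in use. The commands are only echoed unless IPTABLES, IP and TC are pointed at the real binaries.

```shell
#!/bin/sh
# Added example (not from the thread): keep the PREROUTING routing mark and
# the FORWARD tc mark in separate bit fields of the same fwmark.
# Dry-run by default: every command is echoed, not executed.
IPTABLES="${IPTABLES:-echo iptables}"
IP="${IP:-echo ip}"
TC="${TC:-echo tc}"
LAN_IF="${LAN_IF:-eth1}"            # assumed interface carrying the tc qdisc

ROUTE_SHIFT=0; ROUTE_MASK=255       # bits 0-7:  policy-routing selector
QOS_SHIFT=8;   QOS_MASK=65280       # bits 8-15: tc class selector

hex() { printf '0x%x' "$1"; }

# field_value SHIFT MASK ID -> ID positioned inside its field, as hex.
# Bits that do not fit the field are dropped, so an oversized ID cannot
# leak into the neighbouring field.
field_value() {
    printf '0x%x' "$(( ($3 << $1) & $2 ))"
}

# combined_mark ROUTE_ID QOS_ID -> the mark value a packet carries after
# both the PREROUTING and the FORWARD rule have run on it.
combined_mark() {
    r=$(( ($1 << $ROUTE_SHIFT) & $ROUTE_MASK ))
    q=$(( ($2 << $QOS_SHIFT) & $QOS_MASK ))
    hex $(( $r | $q ))
}

# mark_rules ROUTE_ID QOS_ID [SRC_NET] -> the rules for traffic from SRC_NET
mark_rules() {
    rv=$(field_value "$ROUTE_SHIFT" "$ROUTE_MASK" "$1")
    qv=$(field_value "$QOS_SHIFT" "$QOS_MASK" "$2")
    src=${3:-10.0.0.0/24}           # constructed sample source network
    # (1) routing decision: PREROUTING writes only the low byte ...
    $IPTABLES -t mangle -A PREROUTING -s "$src" -j MARK --set-mark "$rv/$(hex $ROUTE_MASK)"
    # ... and the policy-routing rule matches only that byte.
    $IP rule add fwmark "$rv/$(hex $ROUTE_MASK)" table 100
    # (2) queueing decision: FORWARD writes only the second byte ...
    $IPTABLES -t mangle -A FORWARD -s "$src" -p tcp --dport 80 -j MARK --set-mark "$qv/$(hex $QOS_MASK)"
    # ... and the fw classifier matches only that byte.
    $TC filter add dev "$LAN_IF" parent 1: protocol ip prio 1 handle "$qv/$(hex $QOS_MASK)" fw classid 1:10
}

# Run stand-alone as: sh mark_fields.sh ROUTE_ID QOS_ID [SRC_NET]
if [ $# -gt 0 ]; then
    mark_rules "$@"
fi
```

Without the mask, a plain --set-mark in FORWARD overwrites whatever PREROUTING stored, which is the behaviour the post runs into; with the mask, the two chains own disjoint bytes and the routing lookup and the tc filter each ignore the other's byte.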
