
Re: Interesting iptables



* Hanasaki JiJi (hanasaki@hanaden.com) [030419 08:40]:
> The below two sets of rules seem to provide the same functionality, with 
> the exception that the second ruleset results in a timeout from the 
> 192.168.1.2 timing out on connections to some, only some, external hosts 
> on port 25.  What could cause this?  How can it be fixed?  What is the 
> difference between the two approaches?

Even before looking at the rules, I'd say the answer is ident on port
113.  You're probably DROPping the inbound ident request, so the other
side tries a few resends before it times out.  Many recommend REJECTing
at least inbound tcp port 113; personally, I prefer to REJECT all
unwanted inbound tcp traffic with a TCP RST, and all unwanted inbound
UDP packets with an icmp-port-unreach.  (... and all other protocols
with icmp-proto-unreach.)  It just seems like the sane thing to do, to
me, but others have their own preferences.

> 
> 	kernel = 2.4.20
> 	firewall = 192.168.1.1
> 
> firewall ruleset1
> ==========
> $PROG -t nat -A POSTROUTING -p tcp -o $NIC_EXTERNAL \
>        --dport 25 -s 192.168.1.2 -j MASQUERADE

What, that's it?  What are your chain policies?  I believe the default
is all ACCEPTs, so this must be what you're using.  So in this case, the
inbound tcp/113 request is accepted.  If you're not running an ident
server, your host immediately sends back an RST, and the other host
continues, allowing you to use its SMTP service while noting that you're
not running ident.  (If you are running ident, the ident request
completes, and the other host notes the response in its logs and allows
you to continue your smtp transaction.)

> 
> firewall ruleset2
> ==========
> $PROG -t nat -A POSTROUTING -p tcp \
>         -o $NIC_EXTERNAL \
>         --dport smtp -s 192.168.1.2 \
>         -j SNAT --to-source $IP:25

Well here you're changing the source port to 25.  Is that what you want?

> 
> $PROG -t nat -A PREROUTING -i $NIC_EXTERNAL -p tcp \
>         -s 0/0 --dport smtp \
>         -j DNAT --to-destination 192.168.1.2:25
> $PROG -t mangle -A FORWARD -i $NIC_EXTERNAL -s 0/0 \
>         -o $NIC_INTERNAL -d 192.168.1.2 -p tcp --dport smtp \
>         -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $PROG -t mangle -A FORWARD -i $NIC_INTERNAL -s 192.168.1.2 \
>         -o $NIC_EXTERNAL -d 0/0 -p tcp \
>         -m state --state ESTABLISHED,RELATED -j ACCEPT

Hmm.  Again, no policies defined.  And why is this using the mangle
table?  What does your filter table look like?  I'd say that these rules
alone also allow the inbound ident request, but that you must have some
filtering in place that is DROPping it, and that's why you see the
delay.  SMTP delays on connect are almost always because of this.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
						--Nick Moffitt
A: No.
Q: Should I include quotations after my reply?
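As an added example (not code from this thread), here is a filter-table ruleset that applies the REJECT-instead-of-DROP approach Vineet describes, with the silently-dropping variant beside it for comparison. The interface names, the 192.168.1.2 mail host and the `IPT` dry-run default are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. IPT defaults to "echo iptables" so the
# script prints the rules it would apply and can be reviewed without root;
# run with IPT=iptables as root to apply them for real.
IPT="${IPT:-echo iptables}"
NIC_EXTERNAL="${NIC_EXTERNAL:-eth0}"   # assumed interface names
NIC_INTERNAL="${NIC_INTERNAL:-eth1}"
MAILHOST=192.168.1.2                   # internal SMTP client from the thread

# The problem case: unsolicited inbound packets are dropped silently. The
# remote MTA's ident probe (tcp/113) gets no answer, so it retransmits until
# its own timer expires, which shows up as a delay on the SMTP connect.
drop_unwanted_inbound() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i "$NIC_EXTERNAL" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# The fix: explicit chain policies plus REJECT with a protocol-appropriate
# error, so the other side learns at once that nothing is listening.
reject_unwanted_inbound() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i "$NIC_EXTERNAL" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # tcp: answer with a RST (covers ident on 113 and every other closed port)
    $IPT -A INPUT -i "$NIC_EXTERNAL" -p tcp -j REJECT --reject-with tcp-reset
    # udp: ICMP port unreachable
    $IPT -A INPUT -i "$NIC_EXTERNAL" -p udp -j REJECT --reject-with icmp-port-unreachable
    # anything else: ICMP protocol unreachable
    $IPT -A INPUT -i "$NIC_EXTERNAL" -j REJECT --reject-with icmp-proto-unreachable
    # Forwarding rules for the NATed mail host live in the filter table, not mangle
    $IPT -A FORWARD -i "$NIC_EXTERNAL" -o "$NIC_INTERNAL" -d "$MAILHOST" -p tcp --dport 25 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$NIC_INTERNAL" -s "$MAILHOST" -o "$NIC_EXTERNAL" -p tcp \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -j REJECT --reject-with icmp-port-unreachable
}

# Count the rules in a ruleset that answer unwanted packets with an explicit
# error instead of silence (0 for the DROP variant, 4 for the REJECT one).
count_reject_rules() {
    "$1" | grep -c -- '--reject-with' || true
}
```

Setting `-P INPUT DROP` as the policy is still correct here: the explicit REJECT rules above it catch every unsolicited packet first, so the policy only acts as a safety net.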
