On Fri, Nov 05, 2004 at 03:10:00PM +0000, Baruch Even wrote: > On Fri, 2004-11-05 at 12:49, Jan Minar wrote: > > --- iptables-1.2.6a.ORIG/iptables.8 Fri Nov 5 12:28:43 2004 > > +++ iptables-1.2.6a-local.0/iptables.8 Fri Nov 5 12:47:14 2004 > > @@ -521,7 +521,12 @@ > > supporting this feature) > > .SS state > > This module, when combined with connection tracking, allows access to > > -the connection tracking state for this packet. > > +the connection tracking state for this packet. Note that no > > +.I validity > > +check is performed, so for example \fB--state NEW\fP will match SYN,FIN packets. > > +Some TCP stacks assign special meanings to such packets, and this actually might > > +be what you want. For a more stringent filtering, see the \fB--tcp-flags\fP and > > +\fB--syn\fP options.. > > .TP > > .BI "--state " "state" > > Where state is a comma separated list of the connection states to > > I disagree with this description, the --state NEW case should be > described for what it is, there should be no expectation of a validity > check for it, but the ESTABLISHED and RELATED cases do check for > validity.
The term INVALID is somewhat unfortunate, and Woody's manpage really reinforces the confusion. The wording of the NEW explanation is obviously misleading. The following should clean the mess:
After some questions and answers on #iptables @ freenode, and some RTFMing, here goes the second version of the patch. It's against the iptables in Sarge. When the dust settles, it should be backported to Woody, as usual. The problem with the conntrack mechanism vs. flagwise filtering may require someone who understands the inner workings.
--- iptables.8.ORIG 2004-11-05 23:16:40.000000000 +0100 +++ iptables.8 2004-11-06 00:25:53.000000000 +0100
@@ -470,7 +470,10 @@ .B RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, -or an ICMP error. +or an ICMP error. If you want to track complex application layer +protocols such as FTP, IRC, or SNMP-ALG, you will need a protocol +helper, either compiled in the kernel, or as a module. Without one, +tracking RELATED packets will not work fully (or even at all). .B SNAT A virtual state, matching if the original source address differs from the reply destination. @@ -831,7 +834,11 @@ Matches a given realm number (and optionally mask). .SS state This module, when combined with connection tracking, allows access to -the connection tracking state for this packet. +the connection tracking state for this packet. Note that the tracking isn't +\" XXX ``isn't really stateful'' -- so what *is* it? +really stateful. If you need real stateful filtering that requires correct +connection initiation and tracks sequence numbers, you may want to apply the +tcp-window-tracking patch from patch-o-matic. .TP .BI "--state " "state" Where state is a comma separated list of the connection states to 
@@ -834,21 +841,44 @@ .B INVALID meaning that the packet could not be identified for some reason which includes running out of memory and ICMP errors which don't correspond to any -known connection, +known connection. Note that malformed packets not necessarily are INVALID. +In particular, non-compliant combination of TCP flags does not make that +particular packet INVALID. (The term INVALID is somewhat unfortunate.) +See \fB--tcp-flags\fR if you need to match packets according to their TCP +flags. Note however, that because of the intrinsic limitations of the +connection tracking mechanism, flagwise filtering in combination with this +module may result in dropping legitimate connections prematurely, +\" +\" This is what I'm ^^talking^^ about: +\" +\" iptables -A INPUT -p tcp ! --tcp-flags SYN SYN,ACK,RST -m state --state \ +\" NEW -j DROP +\" +\" Note that doing this will prevent idle sessions from continuing once they +\" have expired from the conntrack table. In the normal "relaxed" view such +\" connections initiated from the correct direction (i.e. the direction you +\" allow NEW packets through) can normally continue even if expired from +\" conntrack, provided that the first data/ack packet that resumes the +\" connection comes from the correct direction. +\" +\" Shamelessly stolen on 2004-11-05 from: +\" http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html .B ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions, +\" XXX When exactly is a connection ESTABLISHED? 
.B NEW -meaning that the packet has started a new connection, or otherwise -associated with a connection which has not seen packets in both +meaning that the packet is attempting to start a new connection, or is +otherwise associated with a connection which has not seen packets in both directions, and + .B RELATED -meaning that the packet is starting a new connection, but is +meaning that the packet is attempting to start a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error. .SS tcp @@ -1408,8 +1438,13 @@ not in the standard distribution, and the netfilter-hacking-HOWTO details the netfilter internals. .br +.br See -.BR "http://www.netfilter.org/" . +.BR "http://www.netfilter.org/" , +.\" Remove the next line when You remove the above reference to `patch-o-matic' +.BR "http://www.netfilter.org/patch-o-matic/" , +connection tracking protocol helpers: +.BR "/lib/modules/<kernel_version>/kernel/net/ipv4/netfilter/ip_conntrack*" . .SH AUTHORS Rusty Russell wrote iptables, in early consultation with Michael Neuling. -- Jan
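Review bot: in the RELATED hunk (@@ -470,7 +470,10), "Without one, tracking RELATED packets will not work fully (or even at all)" overstates the case: the same sentence lists "an ICMP error" as RELATED, and ICMP errors are matched against the existing entry without any application helper. Limit the claim to the application protocols named ("FTP, IRC") and point at the concrete module the SEE ALSO hunk already references (e.g. ip_conntrack_ftp under /lib/modules/<kernel_version>/kernel/net/ipv4/netfilter/), so the reader knows what to look for in lsmod.

Review bot: in the state-module hunk (@@ -831,7 +834,11), the `\" XXX ``isn't really stateful'' -- so what *is* it?` comment and the sentence it questions should not go into the shipped page: "the tracking isn't really stateful" contradicts the NEW/ESTABLISHED/RELATED definitions given a few lines later. Say what is actually not checked instead, e.g. "connection tracking does not validate TCP flag combinations or sequence/window numbers; a packet is NEW simply because no tracking entry exists for it". The pointer to the tcp-window-tracking patch from patch-o-matic is fine, but the last hunk's `.\" Remove the next line when You remove the above reference to `patch-o-matic'` comment only makes sense if this sentence stays; decide one way before submitting.

Review bot: in the INVALID hunk (@@ -834,21 +841,44), "Note that malformed packets not necessarily are INVALID" should read "are not necessarily INVALID", and "non-compliant combination of TCP flags does not make" should be "combinations ... do not make". More importantly, the twenty-odd `\"` comment lines (including "Shamelessly stolen on 2004-11-05 from: http://...") are a note to the maintainer, not manpage source, and the example rule inside them has mask and comparison swapped: `! --tcp-flags SYN SYN,ACK,RST` examines only the SYN bit but requires SYN, ACK and RST all set, which no packet satisfies, so with `!` the rule drops every NEW TCP packet, clean SYNs included. The usual form is `! --syn`, i.e. `! --tcp-flags SYN,RST,ACK SYN`. Either fix the rule and promote it into the text as the example the "may result in dropping legitimate connections prematurely" sentence refers to, or drop the block. The `\" XXX When exactly is a connection ESTABLISHED?` comment under ESTABLISHED should likewise be resolved or removed; the existing wording "has seen packets in both directions" is the answer.

Review bot: in the SEE ALSO hunk (@@ -1408,8 +1438,13), the added `.br` directly after the existing `.br` is redundant; drop it. The `.\" Remove the next line when You remove the above reference to `patch-o-matic'` comment belongs in the mail, not in the manpage source. The module path `/lib/modules/<kernel_version>/kernel/net/ipv4/netfilter/ip_conntrack*` is placed as a `.BR` argument in a list of URLs, where `.BR` alternates bold and roman across its arguments; put it in a sentence of its own ("The connection tracking protocol helpers live under ...") rather than as a pseudo-reference with a trailing period.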
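Both versions of the patch point the reader from --state NEW to --tcp-flags and --syn, and the commented-out rule in the second version shows how easy it is to get the two arguments of --tcp-flags the wrong way round. The following is an added example, not code from the thread or from the iptables project: a small Python model of the tcp match as iptables(8) describes it (`--tcp-flags MASK COMP` matches when `(flags & MASK) == COMP`, and `--syn` is shorthand for `--tcp-flags SYN,RST,ACK SYN`). It parses the option syntax, evaluates it against constructed flag bytes, and adds a lint check of our own (not an iptables feature) that catches COMP bits outside MASK. It also shows that `--syn` alone still matches SYN,FIN, since FIN is outside its mask; `--tcp-flags ALL SYN` is the strict form.

```python
# Added example (not from the thread or from iptables): a model of the
# netfilter tcp match's --tcp-flags / --syn semantics as iptables(8)
# describes them.  Assumptions: "--tcp-flags MASK COMP" matches when
# (flags & MASK) == COMP, "--syn" is "--tcp-flags SYN,RST,ACK SYN", and the
# flag bit values are those of byte 13 of the TCP header.  lint_rule() is
# our own check, not something iptables performs.

FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}
FLAG_BITS["ALL"] = 0x3F    # iptables' ALL = FIN,SYN,RST,PSH,ACK,URG
FLAG_BITS["NONE"] = 0x00


def parse_flag_list(spec):
    """Parse an iptables flag list such as 'SYN,RST,ACK' into a bitmask."""
    bits = 0
    for name in spec.split(","):
        name = name.strip().upper()
        if name not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag {name!r}")
        bits |= FLAG_BITS[name]
    return bits


def flag_names(bits):
    """Render a bitmask back into the iptables spelling, e.g. 'SYN,ACK'."""
    names = [n for n, b in FLAG_BITS.items()
             if n not in ("ALL", "NONE") and bits & b]
    return ",".join(names) or "NONE"


def parse_tcp_flag_option(argv):
    """Parse the tcp-flag part of a rule into (mask, comp, invert).

    Accepts the forms used on the page:
        ['--syn'], ['!', '--syn'],
        ['!', '--tcp-flags', 'SYN,RST,ACK', 'SYN']
    """
    invert = False
    i = 0
    if argv[i] == "!":
        invert = True
        i += 1
    opt = argv[i]
    if opt == "--syn":
        if len(argv) != i + 1:
            raise ValueError("--syn takes no arguments")
        mask = FLAG_BITS["SYN"] | FLAG_BITS["RST"] | FLAG_BITS["ACK"]
        return mask, FLAG_BITS["SYN"], invert
    if opt == "--tcp-flags":
        if len(argv) != i + 3:
            raise ValueError("--tcp-flags needs MASK and COMP")
        return parse_flag_list(argv[i + 1]), parse_flag_list(argv[i + 2]), invert
    raise ValueError(f"unsupported option {opt!r}")


def rule_matches(argv, pkt_flags):
    """Kernel semantics: (flags & MASK) == COMP, then apply '!'."""
    mask, comp, invert = parse_tcp_flag_option(argv)
    hit = (pkt_flags & mask) == comp
    return hit != invert


def lint_rule(argv):
    """Our own check: COMP bits outside MASK can never be satisfied, so the
    rule never matches, or with '!' matches every TCP packet.  Returns a
    warning string or None."""
    mask, comp, invert = parse_tcp_flag_option(argv)
    stray = comp & ~mask
    if stray:
        effect = "matches every packet" if invert else "never matches"
        return f"COMP has bits outside MASK ({flag_names(stray)}): rule {effect}"
    return None


# Constructed flag bytes, not captured traffic.
PACKETS = {
    "SYN": FLAG_BITS["SYN"],
    "SYN,ACK": FLAG_BITS["SYN"] | FLAG_BITS["ACK"],
    "SYN,FIN": FLAG_BITS["SYN"] | FLAG_BITS["FIN"],
    "ACK": FLAG_BITS["ACK"],
    "NONE": 0,
}

RULES = {
    "--syn": ["--syn"],
    "! --syn": ["!", "--syn"],
    "--tcp-flags ALL SYN": ["--tcp-flags", "ALL", "SYN"],
    "! --tcp-flags SYN SYN,ACK,RST": ["!", "--tcp-flags", "SYN", "SYN,ACK,RST"],
}


def match_table():
    """rule name -> {packet name -> matched?} for the constructed packets."""
    return {rname: {pname: rule_matches(argv, bits)
                    for pname, bits in PACKETS.items()}
            for rname, argv in RULES.items()}


if __name__ == "__main__":
    for rname, row in match_table().items():
        print(f"{rname:32s}", " ".join(f"{p}={'Y' if m else '.'}" for p, m in row.items()))
    for rname, argv in RULES.items():
        warning = lint_rule(argv)
        if warning:
            print(f"WARNING {rname}: {warning}")
```

The last rule is the one from the commented-out example with MASK and COMP swapped: it matches all five packets, including the clean SYN, and the lint reports the RST,ACK bits that can never be satisfied. Swap the two arguments (or just write `! --syn`) and it matches only the non-SYN packets.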