| gabriel rosenkoetter on Thu, 16 May 2002 02:20:11 +0200 |
|
I've got a host using IP Tables just to limit access on each of two
interfaces (one faces a network that touches our internal one, one
faces a T1 dedicated for this and one other host's use, both
interfaces have universally routeable addresses and there's no kind
of NAT going on). So I've firewalled off access to anything besides
the services that should be available on each using IP Tables/Netfilter.
As near as I can tell, I've done the right things to make these
rules stateful... and yet, weirdly, ssh's X forwarding just doesn't
work.
In (Darren Reed's) IPF, I'd just do this:
pass in on if0 proto tcp from any to any port = 22 flags S/SA keep state
pass in on if0 proto udp from any to any port = 22 keep state
... and I'd be done. (See, state actually *works* in IPF.)
Since I'm already jumping through hoops just to tell IP Tables to
maintain state, I'm hoping there's a hoop I haven't figured out yet.
(A rant: I should NOT have to define a separate rule to "accept
connections with a state we know"; in fact, that's a bad idea,
because it leaves one open to spoofing. Rather, it is appropriate
to define with a given rule whether or not state should be maintained.
At the least, it saves a lot of effort. And I'm pretty sure it
protects you marginally from spoofed IP and OS fingerprinting
attacks, though I'd have to go reread my TCP Illustrated to
state that with assurance.)
Output of iptables -L -v on the host with trouble:
Chain INPUT (policy DROP 4 packets, 198 bytes)
pkts bytes target prot opt in out source destination
68 8348 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
1 78 ACCEPT icmp -- any any anywhere anywhere state NEW
0 0 ACCEPT all -- lo0 any anywhere anywhere
4 186 external all -- eth0 any anywhere anywhere
1 529 internal all -- eth1 any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
56 11982 ACCEPT all -- any any anywhere anywhere state NEW,RELATED,ESTABLISHED
Chain external (1 references)
pkts bytes target prot opt in out source destination
1 48 ACCEPT tcp -- any any anywhere anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:smtp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https flags:SYN,RST,ACK/SYN
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:https
Chain internal (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:pop3 flags:SYN,RST,ACK/SYN
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:pop3
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:pop3s flags:SYN,RST,ACK/SYN
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:pop3s
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:20031 flags:SYN,RST,ACK/SYN
1 529 ACCEPT udp -- any any anywhere anywhere udp dpt:20031
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:20032 flags:SYN,RST,ACK/SYN
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:20032
Is IP Tables simply more broken than I thought (and yes, it's quite
broken in other ways that hamper security already), and it just
can't do this at all? I wouldn't be shocked, though it's one more
reason not to bother with Linux for firewalls.
--
gabriel rosenkoetter
gr@eclipsed.net
Attachment:
pgpU1gZg0fQ3B.pgp
|
|