bugzilla-daemon at bugzilla.netfilter.org
2008-Nov-23 20:18 UTC
[Bug 562] New: Rule gets implicitly eliminated ("optimized away") --> But that's not ok --> A Logic Bug
http://bugzilla.netfilter.org/show_bug.cgi?id=562

           Summary: Rule gets implicitly eliminated ("optimized away") --> But that's not ok --> A Logic Bug
           Product: iptables
           Version: unspecified
          Platform: x86_64
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: iptables
        AssignedTo: laforge at netfilter.org
        ReportedBy: for-openvz at alicewho.com
                CC: for-openvz at alicewho.com

# iptables --version
iptables v1.4.1.1
# uname -a
Linux comp112.local 2.6.26-1-amd64 #1 SMP Sat Nov 8 18:25:23 UTC 2008 x86_64 GNU/Linux
# bug happens in all platform versions

Hi,

there is IMO a "logic bug" in iptables rule definitions. Please consider the firewall script below. The default is to DROP all, and ACCEPT only explicitly specified rules. The nature of this bug is marked below with a "BUG:" comment. I.e. if one specifies the protocol (tcp, udp, icmp) then it works, but leaving it out or using "-p all" does not work; instead the rule gets somehow internally/implicitly eliminated, i.e. that rule doesn't show up in iptables -v -L, and also not when saved with iptables-save. The goal here is of course to apply the rule for all protocols on the given port. But it doesn't work with just a single rule line.

I hope I could make myself clear. :-) Otherwise let me know.

BTW, the script below is intended to work for all environments, i.e. regardless of whether it is a normal linux box, an openVZ HN or an openVZ VPS box.

cu
Adem

####### ... #############

# flush the filter table and start from fail-closed default policies
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z

/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -m state --state INVALID -j DROP

/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP

/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP

# loopback traffic is always allowed
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT

# mangle and nat tables: flushed, everything accepted
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P INPUT ACCEPT
/sbin/iptables -t mangle -P FORWARD ACCEPT
/sbin/iptables -t mangle -P POSTROUTING ACCEPT

/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT

# the "recent" match is only available if the kernel (or the HN) loaded it
if cat /proc/net/ip_tables_matches | grep "recent" >/dev/null 2>&1 ; then
  # if anybody from the list WATCHLIST, and in the last 20 sec, tries to do new connect attempts then DROP them!
  /sbin/iptables -A INPUT --match recent --name WATCHLIST --rcheck --seconds 20 -j DROP

  # accept client at port tcp:22 and register in WATCHLIST
  /sbin/iptables -A INPUT -p tcp --dport 22 --match recent --name WATCHLIST --set -j ACCEPT

  # accept client at port tcp:8192 (my test port) and register in WATCHLIST
  /sbin/iptables -A INPUT -p tcp --dport 8192 --match recent --name WATCHLIST --set -j ACCEPT

  # if anybody tries to connect to 139 (windows filesharing), then drop them and add them to the WATCHLIST
  # BUG: if "-p tcp" is left out or if instead "-p all" is used then the rule gets eliminated!
  /sbin/iptables -A INPUT -p tcp --dport 139 --match recent --name WATCHLIST --set -j DROP
else
  echo "# ipt_recent module is not loaded. Cannot use WATCHLIST feature. Ask your HN admin."
fi

# services accepted on this host
/sbin/iptables -A INPUT -p tcp --dport 8441 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 8441 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 4643 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 587 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 119 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 563 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT

# everything else inbound is dropped; outbound is allowed
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A OUTPUT -j ACCEPT

# on a openVZ HN we must enable FORWARD:
if test -d /proc/vz && test -f /usr/sbin/vzctl ; then
  echo "# This is an openVZ HN: FORWARD packets will be ACCEPTed"
  /sbin/iptables -A FORWARD -j ACCEPT
else
  echo "# This is not an openVZ HN: FORWARD packets will be DROPped"
  /sbin/iptables -A FORWARD -j DROP
fi

####### ... #############

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at bugzilla.netfilter.org
2008-Nov-25 15:26 UTC
[Bug 562] Rule gets implicitly eliminated ("optimized away") --> But that's not ok --> A Logic Bug
http://bugzilla.netfilter.org/show_bug.cgi?id=562

kernel at linuxace.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kernel at linuxace.com
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Comment #1 from kernel at linuxace.com 2008-11-25 16:26 -------

> # BUG: if "-p tcp" is left out or if instead "-p all" is used then the rule
> gets eliminated!
> /sbin/iptables -A INPUT -p tcp --dport 139 --match recent --name WATCHLIST
> --set -j DROP

Yes, because that is an invalid rule without "-p tcp", since you are including "--dport 139".

Please ask your question about this on the netfilter user mailing list, as there is nothing wrong with iptables here, only your rules.
bugzilla-daemon at bugzilla.netfilter.org
2008-Nov-25 18:13 UTC
[Bug 562] Rule gets implicitly eliminated ("optimized away") --> But that's not ok --> A Logic Bug
http://bugzilla.netfilter.org/show_bug.cgi?id=562

for-openvz at alicewho.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

------- Comment #2 from for-openvz at alicewho.com 2008-11-25 19:13 -------

(In reply to comment #1)
> > # BUG: if "-p tcp" is left out or if instead "-p all" is used then the rule
> > gets eliminated!
> > /sbin/iptables -A INPUT -p tcp --dport 139 --match recent --name WATCHLIST
> > --set -j DROP
>
> Yes, because that is an invalid rule without "-p tcp", since you are including
> "--dport 139".
>
> Please ask your question about this on the netfilter user mailing list, as
> there is nothing wrong with iptables here, only your rules.

Hmm. I think you got me wrong. It is a general issue; port 139 above was just a bad example. Let's replace it with, say, port 8191.

The goal is to DROP all connect attempts to port 8191 AND put such clients on the WATCHLIST AND deny them any further contact for 20 seconds:

...
# if anybody from the list WATCHLIST, and in the last 20 sec, tries to do new connect attempts then DROP them!
/sbin/iptables -A INPUT --match recent --name WATCHLIST --rcheck --seconds 20 -j DROP

# if anybody tries to connect to port 8191, then drop them and add them to the WATCHLIST
# BUG: if "-p XXX" is left out or if instead "-p all" is used then the rule gets eliminated!
/sbin/iptables -A INPUT --dport 8191 --match recent --name WATCHLIST --set -j DROP
...

The above isn't working. The last rule is missing in the output list. If one specifies a protocol (for example "-p tcp") then it works, but that's not the intention here because the rule shall be valid for all protocols on this port 8191.
bugzilla-daemon at bugzilla.netfilter.org
2008-Nov-25 18:49 UTC
[Bug 562] Rule gets implicitly eliminated ("optimized away") --> But that's not ok --> A Logic Bug
http://bugzilla.netfilter.org/show_bug.cgi?id=562

kernel at linuxace.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |INVALID

------- Comment #3 from kernel at linuxace.com 2008-11-25 19:49 -------

This does not work:

> /sbin/iptables -A INPUT --dport 8191 --match recent --name WATCHLIST --set -j
> DROP

because IT IS NOT A VALID RULE!!! You CANNOT have a rule which includes a "--dport" without ALSO specifying a protocol.

Please read the iptables documentation on this, and do not reopen this bug. It is NOT a bug in the code, but a bug in your understanding of how to create rules.
bugzilla-daemon at bugzilla.netfilter.org
2008-Nov-25 19:31 UTC
[Bug 562] Rule gets implicitly eliminated ("optimized away") --> But that's not ok --> A Logic Bug
http://bugzilla.netfilter.org/show_bug.cgi?id=562

for-openvz at alicewho.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

------- Comment #4 from for-openvz at alicewho.com 2008-11-25 20:31 -------

(In reply to comment #3)
> This does not work:
>
> > /sbin/iptables -A INPUT --dport 8191 --match recent --name WATCHLIST --set -j
> > DROP
>
> because IT IS NOT A VALID RULE!!! You CANNOT have a rule which includes a
> "--dport" without ALSO specifying a protocol.
>
> Please read the iptables documentation on this, and do not reopen this bug. It
> is NOT a bug in the code, but a bug in your understanding of how to create
> rules.

Sorry to say that, but you are talking bullshit, giving a cheap excuse.

Here's another variation of the bug. Here "-p all" was specified. The result is: IT DOES NOT WORK!

/sbin/iptables -A INPUT -p all --dport 8191 --match recent --name WATCHLIST --set -j DROP

Ok, forget it you arrogant idiot! Maybe someone more intelligent than you will fix this bug.
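The disagreement in comments #1 to #4 comes down to one fact about iptables that neither side spells out: "--dport" is not a generic option, it belongs to the tcp and udp match extensions, and iptables only loads those when the rule names such a protocol ("-p tcp", "-p udp", and likewise sctp/dccp/udplite). With no "-p", or with "-p all", the option is unknown, iptables exits with an error instead of adding the rule, and a script that does not stop on errors simply continues with the next line. That is why the rule is "missing in the output list": it was rejected at the command line, not optimized away by the kernel. The "--rcheck" rule without a protocol in comment #2 is fine, because the recent match needs no protocol. The script below is an added example, not part of this bug report or of iptables itself: it emits one rule per port-carrying protocol for the reporter's case (port 8191, list WATCHLIST, both taken from the report), and includes a small static check that flags the exact mistake discussed in the thread. The function names are this example's own.

```shell
#!/bin/sh
# Added example; not from the bug report and not part of iptables.
# Rationale: "--dport" is provided by the tcp/udp (and sctp/dccp/udplite)
# match extensions.  A rule with "--dport" but no such "-p" is rejected by
# iptables with an "unknown option" error, so it never reaches the kernel
# and never shows up in "iptables -L" or "iptables-save".  Covering "port
# 8191 for all protocols" therefore means one rule per protocol that has
# ports.  ICMP has no ports and cannot be matched by port at all.

IPT=${IPT:-/sbin/iptables}
PORT_PROTOS="tcp udp"   # add sctp/dccp here only if the host really uses them

# Print (do not run) one rule per port-carrying protocol.
#   $1 = port   $2 = recent list name   $3 = target (DROP, ACCEPT, ...)
port_rules() {
    port=$1; list=$2; target=$3
    for proto in $PORT_PROTOS; do
        printf '%s -A INPUT -p %s --dport %s -m recent --name %s --set -j %s\n' \
            "$IPT" "$proto" "$port" "$list" "$target"
    done
}

# Number of rules port_rules would add; useful for a dry-run check.
rule_count() {
    port_rules "$@" | wc -l | tr -d ' '
}

# Static check for the mistake in the report: returns 1 if a rule uses
# --dport/--sport without naming a protocol that has ports.  "-p all" does
# not count, and neither does "-m multiport" on its own; iptables rejects
# both.  Rules without a port option (e.g. a bare "-m recent --rcheck")
# are valid without "-p" and pass.
has_valid_port_match() {
    rule=$1
    case "$rule" in
        *--dport*|*--sport*)
            case "$rule" in
                *"-p tcp"*|*"-p udp"*|*"-p udplite"*|*"-p sctp"*|*"-p dccp"*) return 0 ;;
                *) return 1 ;;
            esac ;;
    esac
    return 0
}

# Load the rules only when explicitly asked to (needs root).  "sh -e" makes
# a rejected rule abort instead of being skipped silently.  Otherwise print
# them so the ruleset can be reviewed before it touches the firewall.
if [ "${APPLY:-0}" = 1 ]; then
    port_rules 8191 WATCHLIST DROP | sh -e
else
    echo "# dry run; run with APPLY=1 as root to load these rules:"
    port_rules 8191 WATCHLIST DROP
fi
```

Run it as-is to see the two rules it would add; run it with APPLY=1 as root to load them. The same lesson applies to the reporter's full script: a firewall script that does not use "set -e" (or check the exit status of every iptables call) can end up with a ruleset that differs from what was written, with no indication beyond the error text scrolling past, so either stop on the first failure or compare the output of iptables-save against the intended rules after loading.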