bugzilla-daemon at netfilter.org
2019-Nov-07 06:28 UTC
[Bug 1379] New: Rule to accept INPUT address range does not block address that are not in range specified
https://bugzilla.netfilter.org/show_bug.cgi?id=1379

            Bug ID: 1379
           Summary: Rule to accept INPUT address range does not block address that are not in range specified
           Product: iptables
           Version: 1.4.x
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: iptables
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: sprakash at amiindia.co.in

After setting a RULE to ACCEPT an input address range, it is observed that an IP address not in the range can also access the machine.

~ # iptables -V
iptables v1.4.21
~ # iptables -I INPUT -p all -m iprange --src-range 192.168.1.70-192.168.1.90 -j ACCEPT
~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             source IP range 192.168.1.70-192.168.1.90

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ZERO_WINDOW_RECENT (0 references)
target     prot opt source               destination

After setting the rule on the server, it is still possible to access the server via web and other client tools from IP address 192.168.1.124, which is outside the range 192.168.1.70-192.168.1.90.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20191107/b68b2e8f/attachment.html>
bugzilla-daemon at netfilter.org
2019-Nov-07 06:29 UTC
[Bug 1379] Rule to accept INPUT address range does not block address that are not in range specified
https://bugzilla.netfilter.org/show_bug.cgi?id=1379

--- Comment #1 from Prakash <sprakash at amiindia.co.in> ---
It is also observed with version 1.6.x with kernel version 4.15.0-66-generic.
bugzilla-daemon at netfilter.org
2019-Nov-08 05:44 UTC
[Bug 1379] Rule to accept INPUT address range does not block address that are not in range specified
https://bugzilla.netfilter.org/show_bug.cgi?id=1379

--- Comment #2 from Prakash <sprakash at amiindia.co.in> ---
Is this expected behavior, and should a DROP rule be added for those IP address ranges to prevent access? Kindly reply.
bugzilla-daemon at netfilter.org
2020-Apr-15 22:28 UTC
[Bug 1379] Rule to accept INPUT address range does not block address that are not in range specified
https://bugzilla.netfilter.org/show_bug.cgi?id=1379

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
                 CC|                            |pablo at netfilter.org
             Status|NEW                         |RESOLVED

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Your default policy should be turned to DROP, e.g.

iptables -P INPUT DROP

Otherwise, packets not matching your rule will just go through.
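To make the point of Comment #3 concrete, here is a small Python model of how an iptables chain reaches a verdict; it is an added example written for this page, not code from the bug thread or from the iptables project. Rules are tried in order, the first matching rule decides, and a packet that matches no rule gets the chain's policy. The Rule, Chain, make_range and evaluate names are the model's own; the iprange and the two source addresses are the ones from the report.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


@dataclass
class Rule:
    """One chain rule: a target plus an optional -m iprange --src-range match."""
    target: str                          # "ACCEPT" or "DROP"
    src_range: Optional[IPRange] = None  # (first, last), inclusive; None matches any source

    def matches(self, src: ipaddress.IPv4Address) -> bool:
        if self.src_range is None:
            return True
        first, last = self.src_range
        return first <= src <= last


@dataclass
class Chain:
    """A chain is an ordered rule list plus the policy used when nothing matches."""
    policy: str
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, src_ip: str) -> str:
        src = ipaddress.ip_address(src_ip)
        for rule in self.rules:          # first match wins, exactly like iptables
            if rule.matches(src):
                return rule.target
        return self.policy               # no match: the chain policy decides


def make_range(spec: str) -> IPRange:
    """Parse 'a.b.c.d-e.f.g.h' the way --src-range expects it."""
    first, last = spec.split("-")
    return ipaddress.ip_address(first), ipaddress.ip_address(last)


# The single rule from the report, constructed here for the model.
ALLOWED = "192.168.1.70-192.168.1.90"


def input_chain(policy: str) -> Chain:
    """INPUT chain holding only the reporter's ACCEPT rule, under the given policy."""
    chain = Chain(policy=policy)
    chain.rules.append(Rule("ACCEPT", make_range(ALLOWED)))
    return chain


def evaluate(policy: str, src_ip: str) -> str:
    """Verdict for a packet from src_ip arriving at INPUT with the given policy."""
    return input_chain(policy).verdict(src_ip)


if __name__ == "__main__":
    # Same rule, two policies: only the policy changes what 192.168.1.124 gets.
    for policy in ("ACCEPT", "DROP"):
        for ip in ("192.168.1.80", "192.168.1.124"):
            print(f"policy {policy:6}  src {ip:15} -> {evaluate(policy, ip)}")
```

With the chain policy left at ACCEPT, 192.168.1.124 matches no rule and falls through to the policy, so it is accepted; with the policy set to DROP, the same address is dropped while 192.168.1.70-192.168.1.90 still match the ACCEPT rule. When changing a live host to `iptables -P INPUT DROP` over a remote session, put the ACCEPT rules for the management address (and typically for loopback and ESTABLISHED,RELATED traffic) in place before flipping the policy, because the new policy applies to every packet that matches nothing, including the session used to set it.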