Dear All

Why do NAT rules stay valid even if I flush the nat and filter table chains??

I have:

    iptables -P FORWARD DROP
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -s SOME_IP -d SOME_BCP_5_IP -p tcp --dport 1234 -j ACCEPT
    iptables -t nat -A PREROUTING -s SOME_IP -d MY_INTERNET_IP -p tcp \
        --dport 1234 -j DNAT --to-destination SOME_BCP_5_IP

The connection is established and the data is flowing normally.
Suddenly I decide to not authorize this data flow anymore. So I

    iptables -t nat -F PREROUTING
    iptables -F FORWARD

To my surprise the data flow (observed with tcpdump) is still there!
It is like the state machine does not let go of this data flow.

What to do to block this data flow??
Is there any way to flush the conntrack database?

Regards

--
Ethy H. Brito           /"\
InterNexo Ltda.         \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860       X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil     / \
Doesn't the policy change to ACCEPT after you flush the rules? Try an
iptables -L -v -n after doing iptables -F and see what the default
policy says.

- Greg Scott

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Ethy H. Brito
Sent: Thursday, January 26, 2006 8:09 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] nat table remembering nat's

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
On Thu, 26 Jan 2006 08:22:51 -0600
"Greg Scott" <GregScott@InfraSupportEtc.com> wrote:

> Doesn't the policy change to ACCEPT after you flush the rules? Try an
> iptables -L -v -n after doing iptables -F and see what the default
> policy says.

Yes it does. It changes to ACCEPT in all chains.

So you are saying that I cannot stop the pre-established data flow because it will keep flowing, because the default policy changed to ACCEPT, updating the timeout timer?

But I flushed the nat table. This should kill all conntrack entries related to the rules on this table.

Ethy
No, it just flushes the rules and changes the policy to ACCEPT. The connections are still connected. I do this all the time with firewalls up and running. If flushing the rules killed all the active connections, it would be super disruptive.

I suppose if you want to stop connections, flush the rules and then set the policy to DROP - do 2 commands instead of just flushing.

Take what I say for what it's worth. I am not a netfilter developer, just a long-time user.

- Greg

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Ethy H. Brito
Sent: Thursday, January 26, 2006 8:51 AM
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] nat table remembering nat's
On Thu, 26 Jan 2006 08:58:34 -0600
"Greg Scott" <GregScott@InfraSupportEtc.com> wrote:

> No, it just flushes the rules and changes the policy to ACCEPT. The
> connections are still connected. I do this all the time with firewalls
> up and running. If flushing the rules killed all the active
> connections, it would be super disruptive.

Well, at least the connections belonging to NAT should be destroyed, because there is no authorization for these data flows anymore. Don't you agree?

> I suppose if you want to stop connections, flush the rules and then set
> the policy to DROP - do 2 commands instead of just flushing.

I did this. Stopped (flushed) all (I really mean all) rules and started them again with a different source address for the NAT rules. My surprise was that the old NAT connection continued to flow despite the fact that there was no rule in the NAT filter for it. I suppose this old connection is still flowing because the conntrack database states it as ESTABLISHED and it is grabbed by the "ESTABLISHED,RELATED -j ACCEPT" rule. Did I make myself clear?

I suppose that once a data flow is established its conntrack database entry is only deleted if you or the other party kills the application that holds the connection alive.

BTW rebooting the machine stops the old data flow and only accepts the second (new) one. (Unnecessary to say that rebooting clears the conntrack database, of course.)

> Take what I say for what it's worth. I am not a netfilter developer,
> just a long-time user.

And so am I. Just a long-time user since ipfwadm.

(Any developer reading this could please shed some light on this?)

Ethy
> Well, at least the connections belonging to NAT should be destroyed,
> because there is no authorization for these data flows anymore.
> Don't you agree?

Don't know. The Netfilter developers would have to answer that one. The netfilter guys have a userspace conntrack program that (I think) lets you look at the conntrack database. And I think there are some data structures in the /proc filesystem. But I haven't dug into them.

- Greg

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Ethy H. Brito
Sent: Thursday, January 26, 2006 9:16 AM
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] nat table remembering nat's
To clear things up:

Connection which was up was not blocked in FORWARD?
You only changed the rule in PREROUTING ("...different source address...")?

If so, the "old" connection just didn't hit prerouting as it's already been there, and forward isn't dropping its packets.
To me it seems to behave as expected.

On Thursday 26 January 2006 17:15, Ethy H. Brito wrote:
> On Thu, 26 Jan 2006 08:58:34 -0600
> I did this. Stopped (flushed) all (I really mean all) rules and started them
> again with a different source address for the NAT rules. My surprise was that
> the old NAT connection continued to flow despite the fact that there was no
> rule in the NAT filter for it. I suppose this old connection is still flowing
> because the conntrack database states it as ESTABLISHED and it is grabbed by
> the "ESTABLISHED,RELATED -j ACCEPT" rule. Did I make myself clear?
On Thu, 26 Jan 2006 21:10:00 +0200
Tomas Simonaitis <haden@homelan.lt> wrote:

> To clear things up:
> Connection which was up was not blocked in FORWARD?

No, they are not. I have an ESTABLISHED -j ACCEPT rule as the first rule.

> You only changed the rule in PREROUTING ("...different source address...")?

That is correct.

> If so, the "old" connection just didn't hit prerouting as it's already been there,
> and forward isn't dropping its packets.
> To me it seems to behave as expected.

Questionable. I flushed NAT. I assume that a flushed table must forget each and every previous authorization. The way you put it, the only way to stop the old stream is to reboot the machine, which is unacceptable from my point of view.

Suppose you have a partnership and want to drop those privileges. While your late partner does not close the connection(s), (s)he will still have granted access to your intranet. Did you think of that?

Ethy
You might want to take a look at cutter (http://www.lowth.com/cutter/) (maybe as a temporary solution; at least you wouldn't need to reboot).

On Thursday 26 January 2006 21:20, Ethy H. Brito wrote:
> Questionable. I flushed NAT. I assume that a flushed table must forget
> each and every previous authorization. The way you put it, the only way
> to stop the old stream is to reboot the machine, which is unacceptable from
> my point of view.
>
> Suppose you have a partnership and want to drop those privileges. While
> your late partner does not close the connection(s), (s)he will still have
> granted access to your intranet. Did you think of that?
>
> Ethy
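Greg's pointer to the userspace conntrack program and Tomas's explanation (the old flow never revisits PREROUTING, and FORWARD accepts it via the ESTABLISHED,RELATED rule) add up to a two-step revocation: block the packets first, then delete the conntrack entries so the NAT mapping is forgotten. The script below is an added example, not from the thread; it assumes iptables, the conntrack-tools "conntrack" command and the /proc/net/nf_conntrack layout of later kernels, and the addresses and table lines are constructed.

```shell
#!/bin/sh
# Revoke one DNAT'd partner flow without rebooting. Assumes iptables,
# the conntrack-tools "conntrack" command and /proc/net/nf_conntrack.
# With DRY_RUN set, commands are printed instead of executed and the
# constructed sample table below stands in for /proc/net/nf_conntrack.
# Constructed sample, not captured from a real host. Line 1 is the DNAT'd
# flow: original dst is the public IP, reply src is the internal server.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=40000 dport=1234 src=192.168.5.20 dst=198.51.100.7 sport=1234 dport=40000 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 299 ESTABLISHED src=192.168.5.31 dst=203.0.113.99 sport=51000 dport=443 src=203.0.113.99 dst=203.0.113.10 sport=443 dport=51000 [ASSURED] mark=0 use=1
ipv4     2 udp     17 29 src=192.168.5.31 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=203.0.113.10 sport=53 dport=5353 mark=0 use=1'

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }
conntrack_table() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$SAMPLE_CONNTRACK"
  else cat /proc/net/nf_conntrack; fi
}

# Usage: revoke_flow PARTNER_IP DPORT. The DNAT rule itself is assumed already
# deleted, as in the thread; this handles what the flush leaves behind.
revoke_flow() {
  src="$1"; dport="$2"
  # 1. A DROP inserted *above* the ESTABLISHED,RELATED rule stops the
  #    packets even while conntrack still classifies the flow as ESTABLISHED.
  run iptables -I FORWARD 1 -s "$src" -p tcp --dport "$dport" -j DROP
  # 2. Delete the matching conntrack entries so the NAT mapping is forgotten
  #    and the flow can never match ESTABLISHED again. Field $3 is the l4
  #    protocol; the first src/dst/sport/dport group on a line is the
  #    original tuple, the second is the reply tuple.
  conntrack_table | awk -v src="$src" -v dport="$dport" '
    $3 == "tcp" {
      split("", seen); split("", t)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "src" || kv[1] == "dst" || kv[1] == "sport" || kv[1] == "dport") {
          seen[kv[1]]++
          t[kv[1] seen[kv[1]]] = kv[2]   # src1 = original src, src2 = reply src
        }
      }
      if (t["src1"] == src && t["dport1"] == dport)
        print t["src1"], t["dst1"], t["sport1"], t["dport1"]
    }' | while read -r osrc odst osport odport; do
      run conntrack -D -p tcp --orig-src "$osrc" --orig-dst "$odst" \
          --orig-port-src "$osport" --orig-port-dst "$odport"
    done
}

if [ "$#" -ge 2 ]; then revoke_flow "$1" "$2"; fi
```

Run as root with DRY_RUN unset to act on the live table; the DROP rule can be removed once the conntrack entries are gone, since a new connection attempt then hits PREROUTING again and finds no DNAT rule.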