You are not logged in.

#1 2013-12-19 15:05:12

mindfuckup
Member
From: Switzerland
Registered: 2012-07-04
Posts: 8
Website

[SOLVED] iptables conntrack Problems

Hello

I like to set up a simple host firewall. I followed several tutorials but it doesn't work. I've no more ideas to try. sad

Here I simplified my iptables script and added some comments to show my problem:

  # Clear all Chains
  $IPTABLES -F INPUT
  $IPTABLES -F OUTPUT
  $IPTABLES -F FORWARD

  # Default = Drop
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT DROP
  $IPTABLES -P FORWARD DROP

  # Localhost OK
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -j ACCEPT

  # Input Rules
  $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # CORRECT?; I use conntrack instead of state

  # Output Rules
  $IPTABLES -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT  # WORKS
  $IPTABLES -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT  # DON'T WORK!

Then i test the firewall this way (for example):

$ curl -v google.ch
* Rebuilt URL to: google.ch/
* Adding handle: conn: 0x25fa350
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x25fa350) send_pipe: 1, recv_pipe: 0
* About to connect() to google.ch port 80 (#0)
*   Trying 173.194.70.94...
* Connected to google.ch (173.194.70.94) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.33.0
> Host: google.ch
> Accept: */*
>

The DNS Lookup is working properly (UDP). The I can also connect to google.ch (see curl output), but i don't get a response.

It seems like the conntrack module isn't working properly with TCP? The same issue with ICMP.

I would be happy, if i got some help.

Thanks for helping.
Mindfuckup

Last edited by mindfuckup (2013-12-20 00:50:52)

Offline

#2 2013-12-19 19:34:13

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [SOLVED] iptables conntrack Problems

(edit: purged too quick wrong answer attempt.).

Last edited by Strike0 (2013-12-19 19:41:54)

Offline

#3 2013-12-19 22:14:14

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,226
Website

Re: [SOLVED] iptables conntrack Problems

You also need to accept RELATED and ESTABLISHED in the OUTPUT chain. At the moment, you're only allowing the first packet (, ie the SYN packet where the connection is NEW). The server will then send back the SYN ACK which is accepted in INPUT, but then the third packet (ACK) is not let out of OUTPUT.

This isn't an issue for the UDP 53 DNS traffic because there is no 3-way handshake, it is a single packet to the server (allowed by the NEW rule in OUTPUT) and then a single return packet from the server.

EDIT: you've got no rules to allow ICMP, so I don't know why you expect it to work.

Last edited by fukawi2 (2013-12-19 22:15:34)

Offline

#4 2013-12-20 00:46:30

mindfuckup
Member
From: Switzerland
Registered: 2012-07-04
Posts: 8
Website

Re: [SOLVED] iptables conntrack Problems

Thanks for your answer.

So i added

  $IPTABLES -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

And it works!

Your reason you described is good to see in tcpdump (i did this, but I wasn't able to figure out the OUTPUT Rule):

$ sudo tcpdump -n -i wlp2s0  port http
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp2s0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:29:04.789526 IP 10.0.0.23.56038 > 173.194.35.23.80: Flags [S], seq 3833512784, win 29200, options [mss 1460,sackOK,TS val 9279760 ecr 0,nop,wscale 7], length 0
01:29:04.814428 IP 173.194.35.23.80 > 10.0.0.23.56038: Flags [S.], seq 3002075657, ack 3833512785, win 42540, options [mss 1400,sackOK,TS val 3189320424 ecr 9279760,nop,wscale 6], length 0
01:29:05.742096 IP 173.194.35.23.80 > 10.0.0.23.56038: Flags [S.], seq 3002075657, ack 3833512785, win 42540, options [mss 1400,sackOK,TS val 3189321351 ecr 9279760,nop,wscale 6], length 0
01:29:06.940678 IP 173.194.35.23.80 > 10.0.0.23.56038: Flags [S.], seq 3002075657, ack 3833512785, win 42540, options [mss 1400,sackOK,TS val 3189322551 ecr 9279760,nop,wscale 6], length 0
01:29:09.341254 IP 173.194.35.23.80 > 10.0.0.23.56038: Flags [S.], seq 3002075657, ack 3833512785, win 42540, options [mss 1400,sackOK,TS val 3189324951 ecr 9279760,nop,wscale 6], length 0
01:29:14.140630 IP 173.194.35.23.80 > 10.0.0.23.56038: Flags [S.], seq 3002075657, ack 3833512785, win 42540, options [mss 1400,sackOK,TS val 3189329751 ecr 9279760,nop,wscale 6], length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

Which means:

ME → (SYN) → google.ch:80
google.ch:80 → (SYN,ACK) → ME
google.ch:80 → (SYN,ACK) → ME
google.ch:80 → (SYN,ACK) → ME
google.ch:80 → (SYN,ACK) → ME
and no ME → (ACK) → google.ch:80. This is what the new rule does allow.

ICMP: The same with ICMP, but I shrunk the example for a better overview.

So now it works.

Thanks 1k!

Mindfuckup

Last edited by mindfuckup (2013-12-20 00:50:34)

Offline

#5 2013-12-20 01:00:19

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,226
Website

Re: [SOLVED] iptables conntrack Problems

You're welcome smile

Offline

Board footer

Powered by FluxBB