
#1 2017-03-29 17:42:31

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

[Solved] nf_conntrack default automatic helper assignment

I have noticed this message in the logs

nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.

I know what it means and why it is shown. conntrack helpers are not loaded automatically anymore (there has been a warning about this behavior becoming the default for a long while now) and the admin needs to set firewall rules for all needed connection tracking.

What I would like to know is how to figure out which connection tracker was trying to be loaded or which program is triggering this. Nothing seems to be broken connectivity wise and it happens long after I have all programs running, which makes this a guessing game.

I've tried googling this but all I find is the mails with the patches that will emit the warning, does anyone know any tricks to get more information?

Edit:
Solved, see https://bbs.archlinux.org/viewtopic.php … 2#p1703852

Last edited by R00KIE (2017-04-12 18:30:08)


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K


#2 2017-03-29 21:59:17

fukawi2
Administrator
From: .vic.au
Registered: 2007-09-28
Posts: 6,131

Re: [Solved] nf_conntrack default automatic helper assignment

I've seen this just from loading an iptables ruleset.  You need to replace any rules using the 'old' style `-m state --state` with the 'new' style `-m conntrack --ctstate` instead:

-A FORWARD -i eth0 -m conntrack --ctstate NEW -j ACCEPT

I'm not sure why the 'state' module was replaced with the 'conntrack' module.  Never bothered to look it up lol

Last edited by fukawi2 (2017-03-29 21:59:33)


#3 2017-03-29 22:45:47

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [Solved] nf_conntrack default automatic helper assignment

I don't have any "-m state --state" rules in my ruleset so I suppose that can't be it. That message shows up a long time after the system is running, the timestamp on my current boot is 11902.333560, if it was from loading the iptables ruleset the timestamp would be a few seconds since boot.

For completeness here are my rules, maybe someone will spot something that might help.

# Generated by iptables-save v1.6.0 on Wed Mar 29 23:36:49 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3066082:808507497]
:OPEN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT ! -i brkvm -m recent --update --seconds 60 --name PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j OPEN
-A INPUT -p udp -m conntrack --ctstate NEW -j OPEN
-A INPUT -m recent --set --name PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i brkvm -j ACCEPT
-A FORWARD -s 10.10.1.1/32 -d 192.168.56.10/32 -i tunipt -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT ! -d 127.0.0.1/32 -m owner --uid-owner 1009 -j REJECT --reject-with icmp-port-unreachable
-A OPEN -p tcp -m tcp --dport 25000 -j ACCEPT
-A OPEN -p udp -m udp --dport 25000 -j ACCEPT
-A OPEN -i brkvm -p tcp -m multiport --dports 139,445 -j ACCEPT
-A OPEN -i brkvm -p udp -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Wed Mar 29 23:36:49 2017
# Generated by iptables-save v1.6.0 on Wed Mar 29 23:36:49 2017
*nat
:PREROUTING ACCEPT [2211:245096]
:INPUT ACCEPT [697:42848]
:OUTPUT ACCEPT [21382:1502798]
:POSTROUTING ACCEPT [21373:1502051]
-A POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Mar 29 23:36:49 2017
# Generated by iptables-save v1.6.0 on Wed Mar 29 23:36:49 2017
*mangle
:PREROUTING ACCEPT [3386231:2543067436]
:INPUT ACCEPT [3386224:2543066269]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3066082:808507497]
:POSTROUTING ACCEPT [3066098:808508469]
COMMIT
# Completed on Wed Mar 29 23:36:49 2017
# Generated by iptables-save v1.6.0 on Wed Mar 29 23:36:49 2017
*raw
:PREROUTING ACCEPT [3386231:2543067436]
:OUTPUT ACCEPT [3066082:808507497]
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
COMMIT
# Completed on Wed Mar 29 23:36:49 2017

R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K


#4 2017-03-30 08:06:18

edacval
Member
From: .LT
Registered: 2008-10-23
Posts: 78

Re: [Solved] nf_conntrack default automatic helper assignment

R00KIE wrote:

What I would like to know is how to figure out which connection tracker was trying to be loaded or which program is triggering this.

Just prepend a -j LOG rule for each rule with the conntrack module. For example:
replace

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

with

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j LOG  --log-prefix "INPUT_REL_EST " --log-level 7
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

As this warning is shown only on first occurrence, you will need to reboot machine.


#5 2017-03-30 10:05:01

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [Solved] nf_conntrack default automatic helper assignment

edacval wrote:

Just prepend a -j LOG rule for each rule with the conntrack module. For example:
replace

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

with

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j LOG  --log-prefix "INPUT_REL_EST " --log-level 7
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

As this warning is shown only on first occurrence, you will need to reboot machine.

Isn't automatic conntrack module loading triggered by outgoing packets, otherwise how can a related packet be known to be related if not being tracked already? If this is correct shouldn't the monitoring be done in the OUTPUT chain instead of the INPUT one?

How can I catch those related connections if the helper was not loaded and the kernel does not know that the packet is related? Also logging all established connections is going to generate a lot of log lines to sift through, any hints on how to do that to find what I want?


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K


#6 2017-03-30 12:25:42

edacval
Member
From: .LT
Registered: 2008-10-23
Posts: 78

Re: [Solved] nf_conntrack default automatic helper assignment

R00KIE wrote:

Isn't automatic conntrack module loading triggered by outgoing packets, otherwise how can a related packet be known to be related if not being tracked already? If this is correct shouldn't the monitoring be done in the OUTPUT chain instead of the INPUT one?

As I know, the conntrack module creates records when a packet traverses the PREROUTING chain. So if not sure, log both INPUT and OUTPUT :)

R00KIE wrote:

Also logging all established connections is going to generate a lot of log lines to sift through

journalctl -b -k --no-pager | grep -C 12 " helper " | less

R00KIE wrote:

and hints on how to do that to find what I want?

I would look at the proto/port numbers near the kernel message about the helper and try to guess (port 5060 - SIP helper and so on..)


#7 2017-03-30 18:21:42

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [Solved] nf_conntrack default automatic helper assignment

I've gone with edacval's idea with some changes, I have decided to start by logging only the stuff that is already dropped and rejected. The rationale for this is the following: since conntrack helpers are not loaded automatically, the related connections should be unknown and will be blocked by the rules in place.

These are my current rules:

# Generated by iptables-save v1.6.0 on Thu Mar 30 19:14:06 2017
*raw
:PREROUTING ACCEPT [1966992:2478673000]
:OUTPUT ACCEPT [1800432:1415256718]
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
COMMIT
# Completed on Thu Mar 30 19:14:06 2017
# Generated by iptables-save v1.6.0 on Thu Mar 30 19:14:06 2017
*mangle
:PREROUTING ACCEPT [1966992:2478673000]
:INPUT ACCEPT [1966987:2478672437]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1800432:1415256718]
:POSTROUTING ACCEPT [1800432:1415256718]
COMMIT
# Completed on Thu Mar 30 19:14:06 2017
# Generated by iptables-save v1.6.0 on Thu Mar 30 19:14:06 2017
*nat
:PREROUTING ACCEPT [1439:579351]
:INPUT ACCEPT [222:14336]
:OUTPUT ACCEPT [7900:563525]
:POSTROUTING ACCEPT [7900:563525]
-A POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Mar 30 19:14:06 2017
# Generated by iptables-save v1.6.0 on Thu Mar 30 19:14:06 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1800432:1415256718]
:OPEN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "IN DROP "
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT ! -i brkvm -m recent --update --seconds 60 --name PORTSCAN --mask 255.255.255.255 --rsource -j LOG --log-prefix "IN PS1 "
-A INPUT ! -i brkvm -m recent --update --seconds 60 --name PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j OPEN
-A INPUT -p udp -m conntrack --ctstate NEW -j OPEN
-A INPUT ! -i brkvm -m recent --set --name PORTSCAN --mask 255.255.255.255 --rsource -j LOG --log-prefix "IN PS2 "
-A INPUT -m recent --set --name PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i brkvm -j ACCEPT
-A FORWARD -s 10.10.1.1/32 -d 192.168.56.10/32 -i tunipt -j ACCEPT
-A FORWARD -j LOG --log-prefix "FW "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT ! -d 127.0.0.1/32 -m owner --uid-owner 1009 -j REJECT --reject-with icmp-port-unreachable
-A OPEN -p tcp -m tcp --dport 25000 -j ACCEPT
-A OPEN -p udp -m udp --dport 25000 -j ACCEPT
-A OPEN -i brkvm -p tcp -m multiport --dports 139,445 -j ACCEPT
-A OPEN -i brkvm -p udp -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Thu Mar 30 19:14:06 2017

I have caught another message, 'dmesg | grep -C 20 CT-based' gives:

[13820.041649] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=181.51.212.157 DST=192.168.10.100 LEN=40 TOS=0x08 PREC=0x20 TTL=46 ID=40659 PROTO=TCP SPT=64420 DPT=23 WINDOW=41460 RES=0x00 SYN URGP=0 
[13883.330332] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=79.173.252.243 DST=192.168.10.100 LEN=44 TOS=0x00 PREC=0x20 TTL=239 ID=5794 PROTO=TCP SPT=4421 DPT=5358 WINDOW=14600 RES=0x00 SYN URGP=0 
[14012.861734] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=92.114.232.99 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=245 ID=24366 PROTO=TCP SPT=35525 DPT=7547 WINDOW=14600 RES=0x00 SYN URGP=0 
[14053.514760] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=14.188.197.60 DST=192.168.10.100 LEN=44 TOS=0x00 PREC=0x20 TTL=45 ID=25610 PROTO=TCP SPT=24052 DPT=23 WINDOW=25292 RES=0x00 SYN URGP=0 
[14095.261320] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=104.236.184.243 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=238 ID=54321 PROTO=TCP SPT=32972 DPT=2095 WINDOW=65535 RES=0x00 SYN URGP=0 
[14254.019671] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=169.54.233.118 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=244 ID=11303 PROTO=TCP SPT=23347 DPT=2121 WINDOW=1024 RES=0x00 SYN URGP=0 
[14353.854891] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=163.172.99.61 DST=192.168.10.100 LEN=40 TOS=0x08 PREC=0x20 TTL=243 ID=54321 PROTO=TCP SPT=36472 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0 
[14408.537020] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=39.45.188.247 DST=192.168.10.100 LEN=40 TOS=0x08 PREC=0x20 TTL=236 ID=20711 PROTO=TCP SPT=62511 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 
[14419.289285] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=209.58.135.75 DST=192.168.10.100 LEN=149 TOS=0x08 PREC=0x20 TTL=233 ID=54321 PROTO=UDP SPT=38512 DPT=53413 LEN=129 
[14462.809021] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=81.214.56.45 DST=192.168.10.100 LEN=44 TOS=0x00 PREC=0x20 TTL=49 ID=51151 PROTO=TCP SPT=54942 DPT=23 WINDOW=22637 RES=0x00 SYN URGP=0 
[14465.881314] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=191.96.249.97 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=249 ID=26950 PROTO=TCP SPT=47157 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0 
[14469.669913] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=93.87.23.30 DST=192.168.10.100 LEN=44 TOS=0x00 PREC=0x20 TTL=239 ID=32051 PROTO=TCP SPT=6432 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 
[14509.606473] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=198.7.62.136 DST=192.168.10.100 LEN=149 TOS=0x08 PREC=0x20 TTL=240 ID=54321 PROTO=UDP SPT=36523 DPT=53413 LEN=129 
[14556.607753] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=114.34.160.19 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=240 ID=36350 PROTO=TCP SPT=48950 DPT=5358 WINDOW=14600 RES=0x00 SYN URGP=0 
[14615.898041] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=95.70.194.55 DST=192.168.10.100 LEN=40 TOS=0x08 PREC=0x20 TTL=237 ID=45974 PROTO=TCP SPT=4735 DPT=7547 WINDOW=14600 RES=0x00 SYN URGP=0 
[14667.917462] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=116.107.190.100 DST=192.168.10.100 LEN=44 TOS=0x00 PREC=0x20 TTL=237 ID=11481 PROTO=TCP SPT=8964 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 
[14685.940723] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=213.207.50.174 DST=192.168.10.100 LEN=40 TOS=0x08 PREC=0x20 TTL=239 ID=12243 PROTO=TCP SPT=1071 DPT=7547 WINDOW=14600 RES=0x00 SYN URGP=0 
[14753.221426] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=79.17.184.114 DST=192.168.10.100 LEN=44 TOS=0x08 PREC=0x20 TTL=47 ID=29966 PROTO=TCP SPT=58421 DPT=23 WINDOW=65325 RES=0x00 SYN URGP=0 
[14810.981754] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=201.233.114.70 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=242 ID=10021 PROTO=TCP SPT=15345 DPT=5358 WINDOW=14600 RES=0x00 SYN URGP=0 
[14843.738764] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=168.205.84.92 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=51 ID=39239 PROTO=TCP SPT=46207 DPT=22 WINDOW=21923 RES=0x00 SYN URGP=0 
[14856.026529] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
[14856.026597] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=139.162.104.208 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=240 ID=54321 PROTO=TCP SPT=37812 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0 
[14861.072653] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=89.163.146.223 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=248 ID=63274 DF PROTO=TCP SPT=14107 DPT=86 WINDOW=512 RES=0x00 SYN URGP=0 
[14994.574127] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=179.41.202.117 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=40 ID=44762 PROTO=TCP SPT=60398 DPT=22 WINDOW=48052 RES=0x00 SYN URGP=0 
[15011.777621] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=94.102.49.193 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=122 ID=34774 PROTO=TCP SPT=34680 DPT=2082 WINDOW=40833 RES=0x00 SYN URGP=0 
[15014.030939] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=201.178.56.108 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=48 ID=51533 PROTO=TCP SPT=49986 DPT=2222 WINDOW=56302 RES=0x00 SYN URGP=0 
[15023.042013] IN DROP IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=193.124.189.79 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=57 ID=35498 DF PROTO=TCP SPT=80 DPT=59018 WINDOW=0 RES=0x00 RST URGP=0 
[15060.964825] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=220.70.171.204 DST=192.168.10.100 LEN=40 TOS=0x08 PREC=0x20 TTL=226 ID=53679 PROTO=TCP SPT=21898 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 
[15081.307854] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=91.197.234.79 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=247 ID=19285 PROTO=TCP SPT=59358 DPT=3364 WINDOW=1024 RES=0x00 SYN URGP=0 
[15087.247049] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=5.141.214.189 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=51 ID=27444 PROTO=TCP SPT=36154 DPT=22 WINDOW=20941 RES=0x00 SYN URGP=0 
[15090.114083] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=95.232.75.217 DST=192.168.10.100 LEN=40 TOS=0x08 PREC=0x20 TTL=239 ID=12243 PROTO=TCP SPT=1071 DPT=7547 WINDOW=14600 RES=0x00 SYN URGP=0 
[15103.425707] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=5.200.84.167 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=44 ID=54957 PROTO=TCP SPT=50021 DPT=2323 WINDOW=11669 RES=0x00 SYN URGP=0 
[15186.780306] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=213.202.253.20 DST=192.168.10.100 LEN=442 TOS=0x00 PREC=0x20 TTL=57 ID=0 DF PROTO=UDP SPT=5323 DPT=5060 LEN=422 
[15195.381509] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=104.236.178.208 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=239 ID=54321 PROTO=TCP SPT=37065 DPT=2095 WINDOW=65535 RES=0x00 SYN URGP=0 
[15263.477682] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=104.236.178.31 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=237 ID=54321 PROTO=TCP SPT=33572 DPT=2362 WINDOW=65535 RES=0x00 SYN URGP=0 
[15274.741605] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=118.69.24.46 DST=192.168.10.100 LEN=44 TOS=0x08 PREC=0x20 TTL=225 ID=6275 PROTO=TCP SPT=58573 DPT=5358 WINDOW=14600 RES=0x00 SYN URGP=0 
[15294.814468] IN DROP IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=216.58.205.170 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=53 ID=22055 PROTO=TCP SPT=443 DPT=39224 WINDOW=0 RES=0x00 RST URGP=0 
[15331.369391] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=114.34.212.72 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=49 ID=44376 PROTO=TCP SPT=31656 DPT=23 WINDOW=27064 RES=0x00 SYN URGP=0 
[15434.389205] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=190.178.94.185 DST=192.168.10.100 LEN=48 TOS=0x00 PREC=0x20 TTL=111 ID=13287 DF PROTO=TCP SPT=2577 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
[15437.460737] IN PS1 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=190.178.94.185 DST=192.168.10.100 LEN=48 TOS=0x00 PREC=0x20 TTL=111 ID=13429 DF PROTO=TCP SPT=2577 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
[15441.842974] IN PS2 IN=wlan0 OUT= MAC=e0:94:67:ee:c8:2f:00:24:01:55:41:e5:08:00 SRC=179.36.173.188 DST=192.168.10.100 LEN=40 TOS=0x00 PREC=0x20 TTL=50 ID=49662 PROTO=TCP SPT=9322 DPT=23 WINDOW=3143 RES=0x00 SYN URGP=0

I would be inclined to look only for what comes after the message, maybe my reasoning is wrong but I suppose the message is generated when a (new?) outgoing packet would trigger a helper automatic loading so any reply on different ports would arrive after the message.

Now for what to look for, I already have ftp and pptp helpers explicitly specified so I can exclude those as well as gre, which is loaded when using pptp. Searching for all nf_conntrack modules results in

> find /usr/lib/modules/4.10.6-1-ARCH/kernel/ | grep nf_conntrack_ | egrep -v "ftp|pptp|gre"
/usr/lib/modules/4.10.6-1-ARCH/kernel/net/ipv4/netfilter/nf_conntrack_ipv4.ko.gz
/usr/lib/modules/4.10.6-1-ARCH/kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko.gz
/usr/lib/modules/4.10.6-1-ARCH/kernel/net/netfilter/nf_conntrack_irc.ko.gz
/usr/lib/modules/4.10.6-1-ARCH/kernel/net/netfilter/nf_conntrack_broadcast.ko.gz
/usr/lib/modules/4.10.6-1-ARCH/kernel/net/netfilter/nf_conntrack_sip.ko.gz
/usr/lib/modules/4.10.6-1-ARCH/kernel/net/netfilter/nf_conntrack_snmp.ko.gz
/usr/lib/modules/4.10.6-1-ARCH/kernel/net/netfilter/nf_conntrack_h323.ko.gz
/usr/lib/modules/4.10.6-1-ARCH/kernel/net/netfilter/nf_conntrack_sane.ko.gz
/usr/lib/modules/4.10.6-1-ARCH/kernel/net/netfilter/nf_conntrack_amanda.ko.gz
/usr/lib/modules/4.10.6-1-ARCH/kernel/net/netfilter/nf_conntrack_netbios_ns.ko.gz
/usr/lib/modules/4.10.6-1-ARCH/kernel/net/netfilter/nf_conntrack_netlink.ko.gz

Now I have to find info on all these protocols and see if any of them overlap with the ports I see in the logs.

Any comments or other ideas?

Edit:
I've had an idea, which might work or not, at least I guess it will help me narrow down which ports to fully log (input and output) later on. I have activated automatic helper loading _and_ I've created a file at '/etc/modprobe.d' with the following:

install nf_conntrack_irc /bin/echo nf_conntrack_irc > /dev/kmsg
install nf_conntrack_broadcast /bin/echo nf_conntrack_broadcast > /dev/kmsg
install nf_conntrack_sip /bin/echo nf_conntrack_sip > /dev/kmsg
install nf_conntrack_snmp /bin/echo nf_conntrack_snmp > /dev/kmsg
install nf_conntrack_h323 /bin/echo nf_conntrack_h323 > /dev/kmsg
install nf_conntrack_sane /bin/echo nf_conntrack_sane > /dev/kmsg
install nf_conntrack_amanda /bin/echo nf_conntrack_amanda > /dev/kmsg
install nf_conntrack_netbios_ns /bin/echo nf_conntrack_netbios_ns > /dev/kmsg
install nf_conntrack_netlink /bin/echo nf_conntrack_netlink > /dev/kmsg

This should at least help narrow down what would be loaded and since the module doesn't get loaded it shouldn't impact security.

Last edited by R00KIE (2017-03-30 19:57:30)


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
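As an added example (not code from the thread or from any of its posters), here is a small Python parser for netfilter LOG lines in the format shown above. It does what edacval suggests in #6, looking at the proto/port pairs logged right after the nf_conntrack helper message, and it also counts every logged flow to a helper port, because the kernel prints that message only once per boot, so later triggers never get their own line. The log lines are constructed for this example with documentation addresses, and the helper-to-port table is my assumption of the in-tree module defaults (confirm with `modinfo nf_conntrack_<name>` on the running kernel; a `ports=` module option changes it).

```python
import re
from collections import Counter

# Constructed sample in the netfilter LOG format the thread's rules produce;
# addresses are documentation ranges, not the thread's own log lines.
SAMPLE_DMESG = """\
[14810.981754] IN PS2 IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x20 TTL=242 ID=10021 PROTO=TCP SPT=15345 DPT=5358 WINDOW=14600 RES=0x00 SYN URGP=0
[14856.026529] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
[14856.026597] IN PS2 IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.8 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x20 TTL=240 ID=54321 PROTO=TCP SPT=37812 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
[14861.072653] IN PS2 IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x20 TTL=248 ID=63274 DF PROTO=TCP SPT=14107 DPT=86 WINDOW=512 RES=0x00 SYN URGP=0
[15186.780306] IN PS2 IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.20 DST=192.0.2.10 LEN=442 TOS=0x00 PREC=0x20 TTL=57 ID=0 DF PROTO=UDP SPT=5323 DPT=5060 LEN=422
[15294.814468] IN DROP IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.21 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x20 TTL=53 ID=22055 PROTO=TCP SPT=443 DPT=39224 WINDOW=0 RES=0x00 RST URGP=0
[15400.000000] IN PS2 IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.22 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x20 TTL=53 ID=22056 PROTO=TCP SPT=40000 DPT=1723 WINDOW=1024 RES=0x00 SYN URGP=0
"""

HELPER_MSG = "default automatic helper assignment has been turned off"

# Assumed default ports of the in-tree conntrack helpers (module defaults as I
# know them; check `modinfo nf_conntrack_<name>` on the kernel in question).
HELPER_PORTS = {
    ("TCP", 21): "ftp",
    ("TCP", 1723): "pptp",
    ("TCP", 5060): "sip", ("UDP", 5060): "sip",
    ("TCP", 6667): "irc",
    ("UDP", 161): "snmp",
    ("TCP", 1720): "h323", ("UDP", 1719): "h323",
    ("TCP", 6566): "sane",
    ("UDP", 10080): "amanda",
    ("UDP", 137): "netbios_ns",
    ("UDP", 69): "tftp",
}

LINE_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")


def parse_log_line(line):
    """Turn one netfilter LOG line into a dict; None for any other kernel message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, prefix = {}, []
    for tok in m.group(2).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val        # a repeated key (UDP's second LEN=) simply overwrites
        elif not fields:
            prefix.append(tok)       # words before the first key=value are the --log-prefix
        # bare flag words after the fields (SYN, DF, RST ...) are not needed here
    if "IN" not in fields or "PROTO" not in fields:
        return None
    return {
        "ts": float(m.group(1)),
        "prefix": " ".join(prefix),
        "in": fields["IN"], "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields["PROTO"],
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def helper_for(entry):
    """Name of the helper whose default port this flow targets, or None."""
    return HELPER_PORTS.get((entry["proto"], entry["dpt"]))


def suspected_triggers(text, window=3):
    """Flows logged within `window` LOG lines after the helper message whose
    destination port belongs to a helper: the likely trigger(s) of the message."""
    found, remaining = [], 0
    for line in text.splitlines():
        if HELPER_MSG in line:
            remaining = window
            continue
        entry = parse_log_line(line)
        if entry is None or remaining == 0:
            continue
        remaining -= 1
        name = helper_for(entry)
        if name:
            found.append((entry["proto"], entry["dpt"], name))
    return found


def helper_port_hits(text):
    """Every logged flow to a helper port, message or not: the kernel warns only
    once per boot, so this is the only way to see the later candidates."""
    hits = Counter()
    for line in text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        name = helper_for(entry)
        if name:
            hits[(entry["proto"], entry["dpt"], name)] += 1
    return hits


if __name__ == "__main__":
    for proto, port, name in suspected_triggers(SAMPLE_DMESG):
        print(f"trigger candidate: {proto}/{port} -> nf_conntrack_{name}")
    for (proto, port, name), n in sorted(helper_port_hits(SAMPLE_DMESG).items()):
        print(f"{proto}/{port} ({name}): {n} hit(s)")
```

Feed it `dmesg` or `journalctl -b -k --no-pager` output instead of the sample; the window of three lines is deliberately small because on the page the first LOG line after the message is only microseconds later, i.e. the same packet.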


#8 2017-04-12 18:29:24

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [Solved] nf_conntrack default automatic helper assignment

I have finally figured this one out. The short story is that the message was shown the first time after boot that a tcp packet with destination port 21 or 1723 was received by my machine.

Long story (what I could make of it):
- Automatic connection tracking helper assignment is now disabled by default (we already knew this).
- I have assigned helpers for ftp and pptp for _outgoing_ connections; this in turn caused the helper modules nf_conntrack_{ftp,pptp,proto_gre} to be loaded (we also knew this already).
- Given that I have not assigned any helpers for _incoming_ packets and the helper modules are loaded, when receiving packets with the default destination ports (which would trigger automatic helper assignment) the message is issued (this is what I overlooked, I always assumed it would work for outgoing connections only).

After figuring this one out I have been able to trigger it on demand by performing a targeted scan with nmap from another machine. Mystery solved :)


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
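As an added example, not code from the thread, here is a Python model of the conclusion in #8: the helper modules get registered because the OUTPUT CT rules name them, so a new inbound flow to the same port finds a loaded helper but no CT rule in PREROUTING, which is exactly the condition the kernel message describes. The two raw-table rules are the thread's own; the surrounding iptables-save framing is constructed. One assumption is baked in: a helper is taken to claim the port its CT rule attaches it to (the module default, as in the thread), whereas a `ports=` module option would register a different one. The mirrored PREROUTING rules the last function prints are only appropriate for services the host actually offers on that port; attaching a helper to a port nobody serves just hands the helper's parser to unsolicited traffic, and for such hosts the one-time message is harmless.

```python
from dataclasses import dataclass

# The two raw-table rules from the thread, in iptables-save form; the header,
# counters and COMMIT are constructed filler so the parser sees a real table.
RAW_TABLE = """\
# Generated by iptables-save (constructed sample)
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
COMMIT
"""


@dataclass(frozen=True)
class CtRule:
    chain: str    # OUTPUT: locally originated flows; PREROUTING: flows arriving from the network
    proto: str
    dport: int
    helper: str

    def as_text(self):
        return f"-A {self.chain} -p {self.proto} -m {self.proto} --dport {self.dport} -j CT --helper {self.helper}"


def _opt(tokens, flag):
    """Value following an iptables option, or None when the option is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def parse_ct_rules(save_text):
    """Pick the `-j CT --helper` rules out of an iptables-save raw table."""
    rules = []
    for line in save_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "-A" or "CT" not in tokens or "--helper" not in tokens:
            continue
        rules.append(CtRule(chain=tokens[1], proto=_opt(tokens, "-p"),
                            dport=int(_opt(tokens, "--dport")), helper=_opt(tokens, "--helper")))
    return rules


def registered_helpers(rules):
    """(proto, port) -> helper for every helper some CT rule has caused to be loaded.
    Assumption: the helper claims the port the rule attaches it to (its module default)."""
    return {(r.proto, r.dport): r.helper for r in rules}


def evaluate_flow(rules, chain, proto, dport):
    """Model of the kernel's decision for a brand-new flow:
    ("attached", helper) when a CT rule in that chain covers it,
    ("warn", helper) when a loaded helper claims the port but no rule attached it
    (this is the one-time 'default automatic helper assignment ... turned off' message),
    ("none", None) when no helper is involved at all."""
    for r in rules:
        if r.chain == chain and r.proto == proto and r.dport == dport:
            return ("attached", r.helper)
    helper = registered_helpers(rules).get((proto, dport))
    return ("warn", helper) if helper else ("none", None)


def mirrored_rules(rules, chain):
    """CT rules that make the same attachments explicit in another chain (PREROUTING
    for inbound). Add them only for services this host really serves on that port."""
    seen, out = set(), []
    for r in rules:
        key = (r.proto, r.dport, r.helper)
        if r.chain == chain or key in seen:
            continue
        seen.add(key)
        out.append(CtRule(chain, r.proto, r.dport, r.helper).as_text())
    return out


if __name__ == "__main__":
    rules = parse_ct_rules(RAW_TABLE)
    for chain in ("OUTPUT", "PREROUTING"):
        print(f"{chain:10} tcp/21   -> {evaluate_flow(rules, chain, 'tcp', 21)}")
        print(f"{chain:10} tcp/1723 -> {evaluate_flow(rules, chain, 'tcp', 1723)}")
    print("explicit inbound attachment, if this host serves those protocols:")
    for text in mirrored_rules(rules, "PREROUTING"):
        print(" ", text)
```

Running it against an `iptables-save -t raw` dump instead of the sample tells you, per chain and port, whether a flow would be covered, would trigger the warning, or is untouched by helpers.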

