<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.firewalls.netfilter.general">
    <title>gmane.comp.security.firewalls.netfilter.general</title>
    <link>http://blog.gmane.org/gmane.comp.security.firewalls.netfilter.general</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44502"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44496"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44493"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44492"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44490"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44488"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44483"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44480"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44479"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44473"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44470"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44448"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44442"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44441"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44439"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44415"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44502">
    <title>[ANNOUNCE] iptables 1.4.14 release</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44502</link>
    <description>&lt;pre&gt;Hi!

The Netfilter project proudly presents:

        iptables 1.4.14

This release includes several bugfixes and support for the new cttimeout
infrastructure. This allows you to attach specific timeout policies to
flows via the iptables CT target.

The following example shows the usage of this new infrastructure in a
couple of steps:

1) Create a timeout policy with name `custom-tcp-policy1':

 nfct timeout add custom-tcp-policy1 inet tcp established 200

2) Attach it to traffic going from 1.1.1.1 to 2.2.2.2

iptables -I PREROUTING -t raw -s 1.1.1.1 -d 2.2.2.2 -p tcp \
        -j CT --timeout custom-tcp-policy1

The new nfct resides in the conntrack-tools tree. By now, this new
utility only supports the cttimeout. In the long run, the plan is to
replace the conntrack utility with it.

See ChangeLog that comes attached to this email for more details.

You can download it from:

http://www.netfilter.org/projects/conntrack-tools/downloads.html
ftp://ftp.netfilter.org/pub/conntrack-tools/

Have fun!
Florian Westphal (3):
   &lt;/pre&gt;</description>
    <dc:creator>Pablo Neira Ayuso</dc:creator>
    <dc:date>2012-05-26T18:15:22</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44496">
    <title>xfrm decode / SA matching</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44496</link>
    <description>&lt;pre&gt;Hi

I have several SAs with the same networks and gateways on both sides but
different xmarks (1 vs 2) and those work correctly.

Therefore I need iptables rules like the following (in raw/PREROUTING):

-p esp -m esp --espspi 0xc270c557 -j MARK --set-mark 1
-p esp -m esp --espspi 0xcaa7e5c8 -j MARK --set-mark 2

Then netfilter selects the correct SA.

However, as the esp packets contain the spi value, I also expected them to
work correctly if they have the same xmark (both 1):

-p esp -m esp --espspi 0xc270c557 -j MARK --set-mark 1
-p esp -m esp --espspi 0xcaa7e5c8 -j MARK --set-mark 1

Yet, this does not work.
I get the feeling that the selection of the correct SA is not based on the
spi but on the ip and xmark only.

Is this true?
If so, why? Isn't the SPI especially there for that reason?

Can this be achieved somehow?

Best regards,
  Steffen


&lt;/pre&gt;</description>
    <dc:creator>Steffen Heil (Mailinglisten</dc:creator>
    <dc:date>2012-05-25T09:01:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44493">
    <title>'swap table' feature</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44493</link>
    <description>&lt;pre&gt;I knew I'd eventually remember why I subscribed to this list....

While working on enhancing my firewall, it occurred to me that it'd be real 
nice to have a 'swap chain' feature in iptables that is equivalent to the 
'swap set' feature in ipset.

Such a feature would minimize the amount of time that rules are unavailable 
when adding, changing or deleting them. At present, all the rules in the chain 
being modified are deleted, then the new rules are added. So there is a period 
of time, albeit brief, that rules are not available in that chain.

Were there a 'swap chain' command, one could build a new chain of the changed 
rules, swap the new and old chains, then flush and delete the new (now old) 
chain. This would all but guarantee that no packets 'slip by' (are 
overlooked).

Thanks,
N
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo&amp;lt; at &amp;gt;vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

&lt;/pre&gt;</description>
    <dc:creator>Neal Murphy</dc:creator>
    <dc:date>2012-05-23T21:25:58</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44492">
    <title>connlimit and rejected connections staying in conntrack table</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44492</link>
    <description>&lt;pre&gt;Hello,

I am trying to limit the total number of concurrent connections that may be established on a given port. I need additional connection attempts to be explicitly rejected, so I went for something like:

iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 512 --connlimit-mask 0 -j REJECT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

My problem is, when the limit is reached and new connections are rejected, those stay in the conntrack table in a SYN_SENT / UNREPLIED state, and are only cleaned up after 120 seconds (ip_conntrack_tcp_timeout_syn_sent). As such, they are accounted for as active connections by connlimit, and new connections keep being rejected even though the number of established connections is, in fact, lower than the limit that I set. If connections keep coming in at a fast pace, it may just never accept a connection again. I've tried "--reject-with tcp-reset" and the behavior was the s&lt;/pre&gt;</description>
    <dc:creator>Eric Petit</dc:creator>
    <dc:date>2012-05-23T15:29:46</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44490">
    <title>Packet dropped without reason</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44490</link>
    <description>&lt;pre&gt;Hi

I follow a ping through my gateway with log-commands at the end of each
chain:


Receiving an echo request on eth1 and forwarding it encrypted to a gateway on
eth0 works as expected:
(Although nat_OUTPUT is missing between step 9 and 10 and nat_POSTROUTING is
missing after step 11 compared to http://inai.de/images/nf-packet-flow.png,
but I expect this to be correct, as I do not use nat.)

1. May 19 18:58:11 vpn-a kernel: [ 4396.217687] raw_PREROUTING: IN=eth1 OUT=
MAC=00:16:3e:0f:01:01:00:16:3e:0f:03:00:08:00 SRC=10.1.1.2 DST=10.2.1.2
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=41230
SEQ=1

2. May 19 18:58:11 vpn-a kernel: [ 4396.217702] mangle_PREROUTING: IN=eth1
OUT= MAC=00:16:3e:0f:01:01:00:16:3e:0f:03:00:08:00 SRC=10.1.1.2 DST=10.2.1.2
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=41230
SEQ=1 MARK=0x1

3. May 19 18:58:11 vpn-a kernel: [ 4396.217710] nat_PREROUTING: IN=eth1 OUT=
MAC=00:16:3e:0f:01:01:00:16:3e:0f:03:00:08:00 SRC=10.1.1.2 DST=10.2.1.2
LEN=8&lt;/pre&gt;</description>
    <dc:creator>Steffen Heil (Mailinglisten</dc:creator>
    <dc:date>2012-05-19T19:12:22</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44488">
    <title>ebtables queue/nfqueue target</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44488</link>
    <description>&lt;pre&gt;hi guys,

has anyone ever tried the queue/nfqueue target in ebtables? I'm not sure
if it has been implemented in ebtables, though it has in iptables. Or
does the community plan to implement it in the future?

thank you very much

BRs
jerry

&lt;/pre&gt;</description>
    <dc:creator>JieYue Ma</dc:creator>
    <dc:date>2012-05-18T16:44:07</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44483">
    <title>[ANNOUNCE] libnetfilter_conntrack 1.0.1 release</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44483</link>
    <description>&lt;pre&gt;Hi!

The Netfilter project proudly presents:

        libnetfilter_conntrack 1.0.1

libnetfilter_conntrack is a userspace library providing a programming
interface (API) to the in-kernel connection tracking state table.
This library is currently used by conntrack-tools among many other
applications.

This release includes important improvements for the expectation
support.

See ChangeLog that comes attached to this email for more details.

You can download it from:

http://www.netfilter.org/projects/libnetfilter_conntrack/downloads.html
ftp://ftp.netfilter.org/pub/libnetfilter_conntrack/

Have fun!
Kelvie Wong (1):
      expect: support NFCT_Q_CREATE_UPDATE in nfexp_query

Pablo Neira Ayuso (15):
      expect: add XML support for nfexp_snprintf()
      expect: add class support
      expect: add NAT support
      expect: add expectfn support
      expect: CTA_EXPECT_HELP_NAME must be NULL-terminated
      expect: fix comparison of expectation class and flags
      expect: fix missing whitespace after expecta&lt;/pre&gt;</description>
    <dc:creator>Pablo Neira Ayuso</dc:creator>
    <dc:date>2012-05-18T00:35:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44480">
    <title>SNAT/MASQ on a single subnet</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44480</link>
    <description>&lt;pre&gt;Hi, I'm trying to work out what I guess might not be possible
with iptables or is simple and I'm just missing something.

I have 3 devices on the same subnet

192.168.0.1 ADSL Router
192.168.0.240 Linux Server
192.168.0.100 Windows PC

The Linux server has no rules and ACCEPT on all

What would be the minimum necessary rule(s) to get the Linux Server
to forward (with SNAT or MASQUERADE) packets through the Router
from 192.168.0.100 and also send the replies back?

The Linux Server has 192.168.0.1 as its gateway and also
has ip forwarding enabled

I set the gateway on the windows PC to 192.168.0.240

I tried a few simple single rules and failed.
(Just the single rule and deleted it after)
2 examples were:

iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/24 ! -d
192.168.0.0/24 -j SNAT --to 192.168.0.240

iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/24 -j SNAT --to
192.168.0.240

Single ping shows:
192.168.0.100 -&amp;gt; 74.125.237.113
192.168.0.240 -&amp;gt; 74.125.237.113
74.125.237.113 -&amp;gt; 192.168.0.240

but no "&lt;/pre&gt;</description>
    <dc:creator>Andrew</dc:creator>
    <dc:date>2012-05-17T16:18:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44479">
    <title>iptable stop hung</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44479</link>
    <description>&lt;pre&gt;Hi,

"iptable stop" got hung in the server, so I killed that process. But 
still there is a modprobe process running there, that I can't kill.

oot     13834 99.8  0.0   3884   596 ?        R    11:15 132:39 
/sbin/modprobe -q -r ipt_state ip_nat_ftp iptable_nat xt_NOTRACK 
ip_conntrack_ftp ip_conntrack_netbios_ns xt_connlimit ip_conntrack 
ipt_recent

This is what I can see in dmesg

http://pastebin.com/BxEsyByC

--Unni

&lt;/pre&gt;</description>
    <dc:creator>Unni</dc:creator>
    <dc:date>2012-05-17T13:30:35</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44473">
    <title>Need info about how to run nfqnl_test.c !!</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44473</link>
    <description>&lt;pre&gt;Hi ,

    I am new to the concept of netfilters, so I have downloaded the
"nfqnl_test.c"  from the website and compiled it. Could you please let
me know how to run this code and check the output?  Do we need to
execute any other commands before running this code?

  It will be very useful for me if you let me know the procedure to
use the "nfqnl_test.c" code.

&lt;/pre&gt;</description>
    <dc:creator>Sudheer</dc:creator>
    <dc:date>2012-05-16T06:45:40</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44470">
    <title>How to mark packet by reqid?</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44470</link>
    <description>&lt;pre&gt;Hi

I have the following problem. I have SAs that use firewall marks. So only
packets that have that mark get encoded and decoded.
I managed to set the mark for packets that shall be encoded but I cannot get
the other side working.

I have incoming packets that need to be decrypted and I need to set the
correct mark for those.
I CAN actually set the mark using the following command:

  iptables -t mangle -A PREROUTING --proto esp -j MARK --set-mark 1

BUT that rule matches ALL incoming esp packets. Yet I will have multiple SAs
and I need to set different marks.
I tried to use select by reqid or by spi, but as soon as I try that, the
rule does not match anything any more.

Can someone help me to get that iptables command right?

Best regards,
  Steffen



root@vpn-b:~# setkey -D
10.5.0.2 10.5.0.1
        esp mode=tunnel spi=3296784692(0xc480f134) reqid=1(0x00000001)
        E: aes-cbc  c5eb72ab 906d5717 67e405f5 cfe73f7a
        A: hmac-sha1  6935290e e51f0965 06577876 0d6237d6 45a0083d
        seq=0x00000000&lt;/pre&gt;</description>
    <dc:creator>Steffen Heil (Mailinglisten</dc:creator>
    <dc:date>2012-05-15T22:44:56</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44448">
    <title>Are limit and hashlimit "limited"?</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44448</link>
    <description>&lt;pre&gt;Hi,

I'm playing with the match modules limit and hashlimit, and they appear to
be limited to matching a maximum of 100/sec. If I use hashlimit with no
"--hashlimit-mode" I get the same, a max of 100/sec, even if I set it, for
example, to 250/sec. My command setting the 250/sec is accepted, with
no error, but tests show only 100 matches/sec.

Is this a hard limit of these modules, or can I go above this in some way?

Best regards,

Klaubert

&lt;/pre&gt;</description>
    <dc:creator>Klaubert Herr da Silveira</dc:creator>
    <dc:date>2012-05-14T22:30:31</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44442">
    <title>Clusterip and NAT rules.</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44442</link>
    <description>&lt;pre&gt;Hi all,
I need to set rules for port forwarding/NAT on a clusterip-enabled node.

I have this configuration:

internal machine (A) -&amp;gt; CLUSTER -&amp;gt; external machine (B)

I need to reach a UDP/TCP service on the external machine from an
internal one (A).

Is this feasible? Considering that clusterip nodes share a multicast
MAC address,
it seems that port forwarding can't be enabled due to impossible
multicast packet forwarding.

I've tested that when setting one of the real IPs of the cluster as gateway
for node A, I'm able to reach node B;
otherwise, using the clusterip address (associated with the multicast
MAC) as gateway for node A, node B is unreachable.

Is there a way to NAT through clusterip?

Thank you,
Michele De Candia

&lt;/pre&gt;</description>
    <dc:creator>Michele De Candia</dc:creator>
    <dc:date>2012-05-14T16:09:04</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44441">
    <title>(unknown)</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44441</link>
    <description>&lt;pre&gt;  auth fedc299e subscribe netfilter mdecandia&amp;lt; at &amp;gt;gmail.com

&lt;/pre&gt;</description>
    <dc:creator>Michele De Candia</dc:creator>
    <dc:date>2012-05-14T16:07:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44439">
    <title>iptables v1.4.12. TCP connections are cut by my Linux_router NAT after a few packets.</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44439</link>
    <description>&lt;pre&gt;Hello newsgroup members.

my configuration is: &amp;lt;= internet =&amp;gt; eth0 [Linux Router NAT] eth1 &amp;lt;=&amp;gt;
network behind the NAT: 192.168.10.0/24

The experience of the end user sitting behind the NAT is that his browser,
after sending the request, waits on and on and the page is never loaded.

notebook_behind_the_NAT$ elinks www.bmw.com #just to remind: elinks is
text browser.

Linux_router$ sudo tcpdump -nN port 80 -i eth1 #eth1 - interface from nat side.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
08:56:23.281011 IP 192.168.10.130.57196 &amp;gt; 23.61.248.65.80: Flags [S],
seq 2777447089, win 5840, options [mss 1460,sackOK,TS val 25390 ecr
0,nop,wscale 6], length 0
08:56:23.291543 IP 23.61.248.65.80 &amp;gt; 192.168.10.130.57196: Flags [S.],
seq 3924108416, ack 2777447090, win 14480, options [mss 1460,sackOK,TS
val 650310770 ecr 25390,nop,wscale 2], length 0
08:56:23.291656 IP 192.168.10.130.57196 &amp;gt; 23.61.248.65.80: Flags [.],
ack 1, win 92&lt;/pre&gt;</description>
    <dc:creator>Paul K</dc:creator>
    <dc:date>2012-05-14T08:25:49</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44415">
    <title>Problems with a forward rule</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44415</link>
    <description>&lt;pre&gt;Hi all,

 I have set up the following rules in a centos6 gateway:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   300 TCPFLAGS   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    6   300 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 DROP       all  --  *      *       240.0.0.0/5          0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.196.129.255
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW icmp type 8 limit: avg 1/sec burst 1
    0     0 SSH        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `IPT&lt;/pre&gt;</description>
    <dc:creator>C. L. Martinez</dc:creator>
    <dc:date>2012-05-11T15:04:51</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44413">
    <title>[ANNOUNCE] ipset 6.12.1 released</title>
    <link>http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/44413</link>
    <description>&lt;pre&gt;Hi,

In order to fix the build issue introduced in 6.12, a new ipset 
package version is released.

Userspace changes:
 - Enable silent (kernel style) compile messages
 - Fix build failed on --disable-dependency-tracking
   (Neutron Soutmun)
 - Add tarball target to Makefile

You can download the source code of ipset from:
        http://ipset.netfilter.org
        ftp://ftp.netfilter.org/pub/ipset/
        git://git.netfilter.org/ipset.git

Best regards,
Jozsef
-
E-mail  : kadlec&amp;lt; at &amp;gt;blackhole.kfki.hu, kadlecsik.jozsef&amp;lt; at &amp;gt;wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

&lt;/pre&gt;</description>
    <dc:creator>Jozsef Kadlecsik</dc:creator>
    <dc:date>2012-05-10T20:19:50</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.firewalls.netfilter.general">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.firewalls.netfilter.general</link>
  </textinput>
</rdf:RDF>

