[Bug 562] New: Rule gets implicitly eliminated ("optimized away") --> But that's not ok --> A Logic Bug
bugzilla-daemon at bugzilla.netfilter.org
Sun Nov 23 21:18:50 CET 2008
http://bugzilla.netfilter.org/show_bug.cgi?id=562
Summary: Rule gets implicitly eliminated ("optimized away") --> But that's not ok --> A Logic Bug
Product: iptables
Version: unspecified
Platform: x86_64
OS/Version: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P2
Component: iptables
AssignedTo: laforge at netfilter.org
ReportedBy: for-openvz at alicewho.com
CC: for-openvz at alicewho.com
# iptables --version
iptables v1.4.1.1
# uname -a
Linux comp112.local 2.6.26-1-amd64 #1 SMP Sat Nov 8 18:25:23 UTC 2008 x86_64 GNU/Linux
# bug happens in all platform versions
Hi,
there is IMO a "logic-bug" in iptables rule definitions.
Please consider the firewall script below.
The default is to DROP all, and ACCEPT only explicitly specified rules
The nature of this bug is marked below with a "BUG:" comment.
I.e. if one specifies the protocol (tcp, udp, icmp) then it works,
but leaving it out or using "-p all" does not work; instead the
rule gets somehow internally/implicitly eliminated, i.e. that rule
doesn't show up in iptables -v -L, and also not when saved
with iptables-save.
The goal here is of course to apply the rule for all protocols
on the given port. But it doesn't work with just a single rule line.
I hope I could make myself clear. :-)
Otherwise let me know.
BTW, the script below is intended to work for all environments,
i.e. regardless of whether it is a normal Linux box, an openVZ HN or an openVZ VPS
box.
cu
Adem
####### ... #############
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P INPUT ACCEPT
/sbin/iptables -t mangle -P FORWARD ACCEPT
/sbin/iptables -t mangle -P POSTROUTING ACCEPT
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
if cat /proc/net/ip_tables_matches | grep "recent" &>/dev/null ; then
# if anybody from the list WATCHLIST, and in the last 20 sec, tries to do new connect attempts then DROP them!
/sbin/iptables -A INPUT --match recent --name WATCHLIST --rcheck --seconds 20 -j DROP
# accept client at port tcp:22 and register in WATCHLIST
/sbin/iptables -A INPUT -p tcp --dport 22 --match recent --name WATCHLIST --set -j ACCEPT
# accept client at port tcp:8192 (my test port) and register in WATCHLIST
/sbin/iptables -A INPUT -p tcp --dport 8192 --match recent --name WATCHLIST --set -j ACCEPT
# if anybody tries to connect to 139 (windows filesharing), then drop them and add them to the WATCHLIST
# BUG: if "-p tcp" is left out or if instead "-p all" is used then the rule gets eliminated!
/sbin/iptables -A INPUT -p tcp --dport 139 --match recent --name WATCHLIST --set -j DROP
else
echo "# ipt_recent module is not loaded. Cannot use WATCHLIST feature. Ask your HN admin."
fi
/sbin/iptables -A INPUT -p tcp --dport 8441 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 8441 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 4643 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 587 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 119 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 563 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A OUTPUT -j ACCEPT
# on a openVZ HN we must enable FORWARD:
if test -d /proc/vz && test -f /usr/sbin/vzctl ; then
echo "# This is an openVZ HN: FORWARD packets will be ACCEPTed"
/sbin/iptables -A FORWARD -j ACCEPT
else
echo "# This is not an openVZ HN: FORWARD packets will be DROPped"
/sbin/iptables -A FORWARD -j DROP
fi
####### ... #############
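The rule marked "BUG:" above is the interesting case for anyone maintaining a default-DROP ruleset: --dport and --sport are options of the tcp/udp (and udplite/sctp/dccp) match modules, which iptables loads only when -p names one of those protocols, so a port rule with no -p or with "-p all" has no port match to attach to, and the intended "all protocols on this port" rule needs one rule per port-carrying protocol. The following helper is an added example, not part of the bug report or of the iptables project: a pre-flight check that flags a port option used without a suitable -p before the rule is handed to iptables, plus an expansion of a per-port intent into explicit per-protocol rules. The protocol list PORT_PROTOS and the function names are assumptions of this example; nothing here needs root or a live iptables.

```shell
#!/bin/sh
# Added example (not the bug report's script). Lints iptables rule lines for
# the "--dport without a port-carrying -p" mistake and expands a port rule
# into one rule per protocol in PORT_PROTOS.

PORT_PROTOS="tcp udp"   # assumption: the port-carrying protocols the operator wants covered

# proto_has_ports PROTO: succeeds if PROTO's match module offers --dport/--sport.
proto_has_ports() {
    case "$1" in
        tcp|udp|udplite|sctp|dccp) return 0 ;;
        *) return 1 ;;
    esac
}

# check_port_rule "<rule args>": prints "ok" or a diagnostic on stdout;
# returns 0 if the rule is well-formed, 1 if a port option has no protocol
# match to attach to (the case the bug report describes).
check_port_rule() {
    proto=""
    port_opt=""
    # Word-split the rule; assumes no quoted arguments containing spaces.
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|--protocol) proto="$2"; shift ;;
            --dport|--sport|--destination-port|--source-port) port_opt="$1" ;;
        esac
        shift
    done
    if [ -n "$port_opt" ]; then
        if [ -z "$proto" ]; then
            echo "error: $port_opt used without -p; no port match module is loaded"
            return 1
        fi
        if ! proto_has_ports "$proto"; then
            echo "error: $port_opt used with -p $proto, which has no port match"
            return 1
        fi
    fi
    echo "ok"
    return 0
}

# expand_port_rule CHAIN "<rule args without -p>": prints one iptables command
# per protocol in PORT_PROTOS, which is what "all protocols on this port"
# has to look like in a ruleset.
expand_port_rule() {
    chain=$1
    rule=$2
    for p in $PORT_PROTOS; do
        echo "/sbin/iptables -A $chain -p $p $rule"
    done
}

# Usage: the three rule variants from the report, then the expansion.
for r in "-p tcp --dport 139 --match recent --name WATCHLIST --set -j DROP" \
         "--dport 139 --match recent --name WATCHLIST --set -j DROP" \
         "-p all --dport 139 --match recent --name WATCHLIST --set -j DROP"; do
    check_port_rule "$r" || true
done
expand_port_rule INPUT "--dport 139 --match recent --name WATCHLIST --set -j DROP"
```

Running the expanded commands instead of the single rule, and then diffing `iptables-save` output against the list you intended to load, turns the silent disappearance described in the report into a visible failure in the deployment script.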