Gentoo Forums
Upgrade from linux-3.0.76 to 3.2.63 changes iptables logic
alex6z
Tux's lil' helper
Joined: 20 Jul 2005
Posts: 119

Posted: Mon Nov 03, 2014 10:01 pm    Post subject: Upgrade from linux-3.0.76 to 3.2.63 changes iptables logic

I have a local interface, eth2 which is connected to the Internet. I have a tunnel called tunY which generates GRE packets that go out eth2.

I have an iptables rule that prevents certain UID ranges from sending packets out eth2 to the local network. But these UIDs can use tunY to get Internet access.

The problem is that after upgrading to 3.2.63, the iptables rule is now matching on packets generated by tunY that were sent out by those restricted UIDs.

Here are some rules:
Code:
Chain OUTPUT (policy ACCEPT 1445M packets, 629G bytes)
 pkts bytes target prot opt in out source destination
 2 120 REJECT all -- * eth0 0.0.0.0/0 0.0.0.0/0 owner UID match 1001-65535 reject-with icmp-port-unreachable
 0 0 REJECT all -- * eth1 0.0.0.0/0 0.0.0.0/0 owner UID match 1001-65535 reject-with icmp-port-unreachable
 9842 853K REJECT all -- * eth2 0.0.0.0/0 0.0.0.0/0 owner UID match 1001-65535 reject-with icmp-port-unreachable

That last one will match packets from a matching UID going out of tunY when the kernel is 3.2.63.

Is this a bug or normal behavior?

Maybe I could do a -j ACCEPT rule on tunY to make it not match anymore?
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6920

Posted: Tue Nov 04, 2014 2:29 am

You have the right idea at the end there, though whitelisting would be a bit more secure than blacklisting, e.g.:
Code:
-N tunnelonly
-A OUTPUT -m owner --uid-owner 1001-65535 -j tunnelonly
-A tunnelonly -o lo -j RETURN
-A tunnelonly -o tunY -j RETURN
-A tunnelonly -j REJECT

That way, you don't have to worry if new ethX devices show up or the current ones get renamed.
alex6z
Tux's lil' helper
Joined: 20 Jul 2005
Posts: 119

Posted: Thu Feb 26, 2015 6:16 am

Thanks for your help.

Actually this didn't fix the problem of the packets going through the firewall twice, where the second time they get scanned is after being generated as GRE packets with the UID/GID values still attached to them somehow. So I just added this rule to make sure they get through:
Code:
iptables -I tunnelonly 1 -p gre -j RETURN
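The two pieces of advice in this thread (Ant P.'s whitelist chain and alex6z's GRE exemption placed at position 1 of that chain) fit together into one rule set. The following script is an added example written for this page, not code posted by either author: it emits the combined rules in iptables-restore syntax instead of applying them, so it can be reviewed and diffed before it touches a live firewall. The chain name `tunnelonly`, the UID range `1001-65535` and the interface names `eth2`/`tunY` come from the thread; the helper names and the `-o <underlay>` restriction on the GRE exemption are my additions.

```shell
#!/bin/sh
# Added example, not code from the thread: generate an iptables-restore
# fragment implementing Ant P.'s whitelist chain plus alex6z's GRE exemption.
# Chain name, UID range and interface names are taken from the thread; the
# helper names and the '-o <underlay>' tightening of the GRE rule are assumed.

# gen_tunnelonly_rules UID_RANGE UNDERLAY_IF TUNNEL_IF...
#   UID_RANGE    users that may only leave the box via the tunnel (1001-65535)
#   UNDERLAY_IF  interface the encapsulated GRE packets leave on (eth2 here)
#   TUNNEL_IF    one or more tunnel interfaces those users may use (tunY)
gen_tunnelonly_rules() {
    uid_range=$1; underlay=$2; shift 2
    printf '%s\n' '*filter'
    printf '%s\n' ':tunnelonly - [0:0]'
    # Every locally generated packet owned by a restricted UID is judged in
    # the whitelist chain, whatever interface it is about to leave on.
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid_range -j tunnelonly"
    # The encapsulated GRE packet traverses OUTPUT a second time, still owned
    # by the originating UID (the thread's observation on 3.2.63), so it is
    # exempted first, matching 'iptables -I tunnelonly 1'. Restricting it to
    # the underlay interface keeps the exemption as narrow as possible.
    printf '%s\n' "-A tunnelonly -o $underlay -p gre -j RETURN"
    printf '%s\n' '-A tunnelonly -o lo -j RETURN'
    for tun in "$@"; do
        printf '%s\n' "-A tunnelonly -o $tun -j RETURN"
    done
    # Anything else from those UIDs is refused, on current and future devices.
    printf '%s\n' '-A tunnelonly -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' 'COMMIT'
}

# rule_index PATTERN UID_RANGE UNDERLAY_IF TUNNEL_IF...
# Prints the 1-based position, within the tunnelonly chain, of the first rule
# matching PATTERN. Used to check ordering: the GRE exemption must precede
# the final REJECT, otherwise the tunnel traffic is still dropped.
rule_index() {
    pat=$1; shift
    gen_tunnelonly_rules "$@" \
        | grep -e '^-A tunnelonly' \
        | grep -n -e "$pat" \
        | head -n 1 \
        | cut -d: -f1
}

# Stand-alone use: print the rule set for the thread's configuration.
gen_tunnelonly_rules 1001-65535 eth2 tunY
```

To load the output into a running system, pipe it into `iptables-restore --noflush`; without `--noflush`, iptables-restore replaces the whole filter table, which would discard every other rule already there. Running `iptables -L tunnelonly -v -n` afterwards lets you confirm that the GRE rule's packet counter, not the REJECT counter, is the one climbing when the restricted users use the tunnel.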