alex6z Tux's lil' helper
Joined: 20 Jul 2005 Posts: 119
Posted: Mon Nov 03, 2014 10:01 pm Post subject: Upgrade from linux-3.0.76 to 3.2.63 changes iptables logic
I have a local interface, eth2 which is connected to the Internet. I have a tunnel called tunY which generates GRE packets that go out eth2.
I have an iptables rule that prevents certain UID ranges from sending packets out eth2 to the local network. But these UIDs can use tunY to get Internet access.
The problem is that after upgrading to 3.2.63, the iptables rule is now matching on packets generated by tunY that were sent out by those restricted UIDs.
Here are some rules:
Chain OUTPUT (policy ACCEPT 1445M packets, 629G bytes)
pkts bytes target prot opt in out source destination
2 120 REJECT all -- * eth0 0.0.0.0/0 0.0.0.0/0 owner UID match 1001-65535 reject-with icmp-port-unreachable
0 0 REJECT all -- * eth1 0.0.0.0/0 0.0.0.0/0 owner UID match 1001-65535 reject-with icmp-port-unreachable
9842 853K REJECT all -- * eth2 0.0.0.0/0 0.0.0.0/0 owner UID match 1001-65535 reject-with icmp-port-unreachable
That last one will match packets from a matching UID going out of tunY when the kernel is 3.2.63.
Is this a bug or normal behavior?
Maybe I could do a -j ACCEPT rule on tunY to make it not match anymore?
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Tue Nov 04, 2014 2:29 am Post subject:
You have the right idea at the end there, though whitelisting would be a bit more secure than blacklisting, e.g.:
Code:
-N tunnelonly
-A OUTPUT -m owner --uid-owner 1001-65535 -j tunnelonly
-A tunnelonly -o lo -j RETURN
-A tunnelonly -o tunY -j RETURN
-A tunnelonly -j REJECT
That way, you don't have to worry if new ethX devices show up or the current ones get renamed.
alex6z Tux's lil' helper
Joined: 20 Jul 2005 Posts: 119
Posted: Thu Feb 26, 2015 6:16 am Post subject:
Thanks for your help.
Actually this didn't fix the problem of the packets going through the firewall twice, where the second time they get scanned is after being generated as GRE packets with the UID/GID values still attached to them somehow. So I just added this rule to make sure they get through:
Code:
iptables -I tunnelonly 1 -p gre -j RETURN
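An added example, not part of the thread: a small Python model of the OUTPUT chain traversal discussed above. It assumes, as alex6z reports, that the encapsulated GRE packet still carries the original socket owner, and compares the first post's per-interface REJECT, the reply's tunnelonly chain, and that chain with the final `-p gre -j RETURN` rule. The chain semantics (jump, RETURN, policy ACCEPT) are a simplified model, not kernel code.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    uid: int    # owner of the sending socket; assumed still set on the GRE packet (as reported)
    out: str    # outgoing interface as seen by OUTPUT (-o)
    proto: str  # protocol as seen by OUTPUT (-p)

def matches(rule, pkt):  # every match key present in the rule must match
    if "out" in rule and rule["out"] != pkt.out:
        return False
    if "proto" in rule and rule["proto"] != pkt.proto:
        return False
    if "uid" in rule and not rule["uid"][0] <= pkt.uid <= rule["uid"][1]:
        return False
    return True

def walk(chains, name, pkt):
    # Verdict of chain `name` for pkt; None means RETURN or fell off the end of the chain
    for rule in chains[name]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "REJECT"):
            return target
        if target == "RETURN":
            return None
        verdict = walk(chains, target, pkt)  # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None

def output_verdict(chains, pkt):
    return walk(chains, "OUTPUT", pkt) or "ACCEPT"  # OUTPUT policy is ACCEPT

def tunnel_traversal(chains, uid):
    # One TCP packet sent via tunY: OUTPUT sees it twice, the second time as GRE on eth2
    inner = output_verdict(chains, Pkt(uid, "tunY", "tcp"))
    outer = output_verdict(chains, Pkt(uid, "eth2", "gre"))
    return inner, outer

RESTRICTED = (1001, 65535)
BLACKLIST = {"OUTPUT": [{"out": "eth2", "uid": RESTRICTED, "target": "REJECT"}]}  # first post
WHITELIST = {  # the reply's tunnelonly chain
    "OUTPUT": [{"uid": RESTRICTED, "target": "tunnelonly"}],
    "tunnelonly": [{"out": "lo", "target": "RETURN"},
                   {"out": "tunY", "target": "RETURN"},
                   {"target": "REJECT"}],
}
WHITELIST_GRE = {"OUTPUT": WHITELIST["OUTPUT"],  # plus "-I tunnelonly 1 -p gre -j RETURN"
                 "tunnelonly": [{"proto": "gre", "target": "RETURN"}] + WHITELIST["tunnelonly"]}
```

The model deliberately does not distinguish GRE generated by tunY from GRE emitted directly on eth2 by a restricted UID, because the `-p gre -j RETURN` rule cannot distinguish them either.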