Gentoo Forums
[SOLVED] Hardened kernel and problem with ipset
irritum
n00b
Joined: 04 Feb 2013
Posts: 4

Posted: Mon Feb 04, 2013 7:51 am    Post subject: [SOLVED] Hardened kernel and problem with ipset

Hi to all.

I have an odd problem. I can't add my ipset set to iptables.
I have a fully functional SELinux (currently in permissive mode) hardened server with no loadable module support in the kernel.

a) basic system info
Code:

$ uname -a
Linux unknown 3.7.0-hardened #1 SMP Thu Jan XX XX:XX:XX CET XXXX x86_64 Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz GenuineIntel GNU/Linux


b) appropriate kernel configs:
Code:

# CONFIG_MODULES is not set

but with ipset enabled:
Code:

CONFIG_NET_EMATCH_IPSET=y


and also:
Code:

CONFIG_IP_SET=y
CONFIG_IP_SET_MAX=256
CONFIG_IP_SET_BITMAP_IP=y
CONFIG_IP_SET_BITMAP_IPMAC=y
CONFIG_IP_SET_BITMAP_PORT=y
CONFIG_IP_SET_HASH_IP=y
CONFIG_IP_SET_HASH_IPPORT=y
CONFIG_IP_SET_HASH_IPPORTIP=y
CONFIG_IP_SET_HASH_IPPORTNET=y
CONFIG_IP_SET_HASH_NET=y
CONFIG_IP_SET_HASH_NETPORT=y
CONFIG_IP_SET_HASH_NETIFACE=y
CONFIG_IP_SET_LIST_SET=y


I have added ipset and iptables rules with no problem, but I can't connect them. So:

0. Tools versions:
Code:

$ ipset --version
ipset v6.16, protocol version: 6


Code:

$ iptables --version
iptables v1.4.16.3


1. My ipset rules:

a) Listing:
Code:

$ ipset -t list
Name: china_cls
Type: hash:net
Revision: 2
Header: family inet hashsize 2048 maxelem 65536
Size in memory: 87352
References: 0

Name: korea_cls
Type: hash:net
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 35192
References: 0


b) And here is part of the set content:
Code:

$ ipset list china_cls
Name: china_cls
Type: hash:net
Revision: 2
Header: family inet hashsize 2048 maxelem 65536
Size in memory: 87352
References: 0
Members:
116.69.0.0/16
208.74.175.2/31
124.160.0.0/13
...


2. The chain in iptables where I would like to put ipset rules:
Code:

Chain in_bad_ip_cls (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  373  189K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type UNSPEC
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type MULTICAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type UNREACHABLE
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BLACKHOLE
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type UNSPEC
  121 13863 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type UNSPEC
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type UNREACHABLE
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BLACKHOLE
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type UNSPEC
    0     0 DROP       all  --  !lo    *       127.0.0.0/8          0.0.0.0/0           
    0     0 DROP       all  --  *      !lo     0.0.0.0/0            127.0.0.0/8         


3. I am typing:
Code:

iptables -v -I in_bad_ip_cls -m conntrack --ctstate NEW -m set --match-set china_cls src -j DROP


which gives me:
Code:

DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate NEW match-set china_cls src
iptables: No chain/target/match by that name.


4. dmesg is silent

So any clue? I should mention that the above rules are working perfectly on another server (Ubuntu) with the same ipset/iptables settings.

I have tried even:
Code:

iptables -v -I in_bad_ip_cls -m conntrack --ctstate NEW -j LOG --log-prefix "IPLOG: "


to check if I misspelled the chain or something, but it was added to iptables with no problem.
The earlier ipset syntax looks correct as well. I don't know what is wrong with it...
_________________
--
Greetings,


Last edited by irritum on Tue Feb 12, 2013 7:43 am; edited 1 time in total
irritum
Posted: Mon Feb 11, 2013 5:49 am    Post subject: Additional info

Come on, I will provide additional info if required. Below is the strace of the command:

Code:

$ strace iptables -I in_bad_ip_cls -m conntrack --ctstate NEW -m set --match-set china_cls src -j DROP

execve("/sbin/iptables", ["iptables", "-I", "in_bad_ip_cls", "-m", "conntrack", "--ctstate", "NEW", "-m", "set", "--match-set", "china_cls", "src", "-j", "DROP"], [/* 40 vars */]) = 0
brk(0)                                  = 0x478d915340
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2d41a066000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=50384, ...}) = 0
mmap(NULL, 50384, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2d41a059000
close(3)                                = 0
open("/lib64/libip4tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\33\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=31024, ...}) = 0
mmap(NULL, 2126416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d419c3f000
mprotect(0x2d419c46000, 2093056, PROT_NONE) = 0
mmap(0x2d419e45000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x2d419e45000
close(3)                                = 0
open("/lib64/libip6tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\35\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=31024, ...}) = 0
mmap(NULL, 2126416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d419a37000
mprotect(0x2d419a3e000, 2093056, PROT_NONE) = 0
mmap(0x2d419c3d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x2d419c3d000
close(3)                                = 0
open("/lib64/libxtables.so.9", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3609\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=55056, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2d419a36000
mmap(NULL, 2152256, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d419828000
mprotect(0x2d419834000, 2097152, PROT_NONE) = 0
mmap(0x2d419a34000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0x2d419a34000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360F\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1724464, ...}) = 0
mmap(NULL, 3837760, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d41947f000
mprotect(0x2d41961e000, 2097152, PROT_NONE) = 0
mmap(0x2d41981e000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19f000) = 0x2d41981e000
mmap(0x2d419824000, 16192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2d419824000
close(3)                                = 0
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\17\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=14392, ...}) = 0
mmap(NULL, 2109592, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d41927b000
mprotect(0x2d41927d000, 2097152, PROT_NONE) = 0
mmap(0x2d41947d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x2d41947d000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2d41a058000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2d41a057000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2d41a056000
arch_prctl(ARCH_SET_FS, 0x2d41a057700)  = 0
mprotect(0x2d41981e000, 16384, PROT_READ) = 0
mprotect(0x2d41947d000, 4096, PROT_READ) = 0
mprotect(0x2d419a34000, 4096, PROT_READ) = 0
mprotect(0x2d419c3d000, 4096, PROT_READ) = 0
mprotect(0x2d419e45000, 4096, PROT_READ) = 0
mprotect(0x478b634000, 4096, PROT_READ) = 0
mprotect(0x2d41a068000, 4096, PROT_READ) = 0
munmap(0x2d41a059000, 50384)            = 0
stat("/usr/lib64/xtables/libxt_conntrack.so", {st_mode=S_IFREG|0755, st_size=32512, ...}) = 0
brk(0)                                  = 0x478d915340
brk(0x478d936340)                       = 0x478d936340
brk(0x478d937000)                       = 0x478d937000
open("/usr/lib64/xtables/libxt_conntrack.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\27\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=32512, ...}) = 0
mmap(NULL, 2127808, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d419073000
mprotect(0x2d419079000, 2097152, PROT_NONE) = 0
mmap(0x2d419279000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x2d419279000
close(3)                                = 0
mprotect(0x2d419279000, 4096, PROT_READ) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
lstat("/proc/net/ip_tables_names", {st_mode=S_IFREG|0440, st_size=0, ...}) = 0
statfs("/proc/net/ip_tables_names", {f_type="PROC_SUPER_MAGIC", f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, "conntrack\0'\31\324\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\3", [30]) = 0
close(3)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, "conntrack\0\243\31\324\2\0\0\0\0\0\0\0\0\0\0`\340G\31\1\3", [30]) = 0
close(3)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, "conntrack\0\243\31\324\2\0\0\0\0\0\0\0\0\0\0\340\232\222\227\1\3", [30]) = 0
close(3)                                = 0
stat("/usr/lib64/xtables/libxt_set.so", {st_mode=S_IFREG|0755, st_size=14720, ...}) = 0
open("/usr/lib64/xtables/libxt_set.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\16\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=14720, ...}) = 0
mmap(NULL, 2110016, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d418e6f000
mprotect(0x2d418e72000, 2093056, PROT_NONE) = 0
mmap(0x2d419071000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x2d419071000
close(3)                                = 0
mprotect(0x2d419071000, 4096, PROT_READ) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, 0x3ca97929a50, 0x3ca97929a4c) = -1 ENOENT (No such file or directory)
close(3)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, 0x3ca97929a50, 0x3ca97929a4c) = -1 ENOENT (No such file or directory)
close(3)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, 0x3ca97929ac0, 0x3ca97929abc) = -1 ENOENT (No such file or directory)
close(3)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, 0x3ca97929ac0, 0x3ca97929abc) = -1 ENOENT (No such file or directory)
close(3)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, 0x53 /* IP_??? */, "\0\1\0\0\6\0\0\0", [8]) = 0
getsockopt(3, SOL_IP, 0x53 /* IP_??? */, "\6\0\0\0\6\0\0\0\0\0ina_cls\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [40]) = 0
close(3)                                = 0
stat("/usr/lib64/xtables/libxt_standard.so", {st_mode=S_IFREG|0755, st_size=6104, ...}) = 0
open("/usr/lib64/xtables/libxt_standard.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\6\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=6104, ...}) = 0
mmap(NULL, 2101480, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d418c6d000
mprotect(0x2d418c6e000, 2093056, PROT_NONE) = 0
mmap(0x2d418e6d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x2d418e6d000
close(3)                                = 0
mprotect(0x2d418e6d000, 4096, PROT_READ) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [84]) = 0
getsockopt(3, SOL_IP, 0x41 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [22696]) = 0
setsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 23144) = -1 ENOENT (No such file or directory)
close(3)                                = 0
write(2, "iptables: No chain/target/match "..., 46iptables: No chain/target/match by that name.
) = 46
exit_group(1)                           = ?
+++ exited with 1 +++


Another info:

Code:

$ equery uses ipset

[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for net-firewall/ipset-6.16:
 U I
 - - modules : Build the kernel modules


and

Code:

$ equery uses iptables

[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for net-firewall/iptables-1.4.16.3:
 U I
 + + ipv6        : Adds support for IP version 6
 - - netlink     : Build against libnfnetlink which enables the nfnl_osf util
 - - static-libs : Build static libraries


Please, I appreciate any tips, hints or ideas :)
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1611
Location: U.S.A.

Posted: Mon Feb 11, 2013 6:39 am

Iptables is telling you that you need to enable the 'set' match and 'set' target (in the kernel config).
_________________
patrix_neo wrote:
The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it.
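The reply above points at a kernel option, not at the ipset or iptables userspace. The option behind the 'set' match and 'set' target is CONFIG_NETFILTER_XT_SET, which is separate from CONFIG_IP_SET (the ipset core that makes `ipset create`/`ipset add` work). The check below is an added example, not from this thread or from Gentoo; it assumes a kernel config file such as /usr/src/linux/.config or /proc/config.gz (the latter only exists with CONFIG_IKCONFIG_PROC), and the two sample configs it runs against are constructed to mirror the situation in the thread.

```shell
#!/bin/sh
# Check a kernel config for what "iptables -m set" needs. CONFIG_IP_SET is the
# ipset core (enough for "ipset create/add"), CONFIG_NETFILTER_XT_SET is the
# xt_set match/target that iptables' "-m set" and "-j SET" talk to. On a kernel
# with CONFIG_MODULES unset, "=m" is as good as absent: it must be "=y".

# Print the value of one CONFIG_ option: "y", "m", or "n" when unset/absent.
config_value() {
    # $1 = config file (plain .config or gzipped /proc/config.gz), $2 = option
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac | awk -v opt="$2" '
        $0 == ("CONFIG_" opt "=y") { print "y"; found = 1; exit }
        $0 == ("CONFIG_" opt "=m") { print "m"; found = 1; exit }
        END { if (!found) print "n" }'
}

# Print a diagnosis per option; return 0 if "-m set" can work, 1 otherwise.
check_set_match() {
    cfg="$1"; rc=0
    modules=$(config_value "$cfg" MODULES)
    for opt in IP_SET NETFILTER_XT_SET; do
        case "$(config_value "$cfg" "$opt")" in
            y) echo "CONFIG_$opt=y : ok" ;;
            m) if [ "$modules" = y ]; then echo "CONFIG_$opt=m : ok once the module is loaded"
               else echo "CONFIG_$opt=m : useless, CONFIG_MODULES is not set"; rc=1; fi ;;
            *) echo "CONFIG_$opt : MISSING"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples: the thread's situation (ipset core in, xt_set absent)
# and the same config after enabling CONFIG_NETFILTER_XT_SET.
BROKEN_CFG=$(mktemp); FIXED_CFG=$(mktemp)
trap 'rm -f "$BROKEN_CFG" "$FIXED_CFG"' EXIT
cat > "$BROKEN_CFG" <<'EOF'
# CONFIG_MODULES is not set
CONFIG_IP_SET=y
CONFIG_IP_SET_MAX=256
CONFIG_IP_SET_HASH_NET=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
EOF
{ cat "$BROKEN_CFG"; echo CONFIG_NETFILTER_XT_SET=y; } > "$FIXED_CFG"

echo "== broken =="; check_set_match "$BROKEN_CFG" || echo "-> expect: No chain/target/match by that name"
echo "== fixed  =="; check_set_match "$FIXED_CFG"
```

On a real machine run `check_set_match /proc/config.gz`; the ENOENT from setsockopt in the strace above is exactly what the kernel returns when the rule references a match it was not built with.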
irritum
Posted: Tue Feb 12, 2013 7:42 am    Post subject: Thanks

I am frustrated, I was 1000% sure that I had marked this option in the kernel, so I wasn't looking at it at all.
Really, I have all options enabled in this kernel section but NOT this one.
I don't know how this could have happened.
Thank You very much for pointing me to it.
I owe You a beer :). If you're ever in Poland, near Wroclaw, just let me know.
Bones McCracker
Posted: Tue Feb 12, 2013 8:31 am

Glad I could help.