irritum (n00b; Joined: 04 Feb 2013; Posts: 4)
Posted: Mon Feb 04, 2013 7:51 am    Post subject: [SOLVED] Hardened kernel and problem with ipset
Hi, all.
I have an odd problem. I can't add my ipset set to iptables.
I have a fully functional SELinux (currently in permissive mode) hardened server with no loadable module support in the kernel.
a) basic system info
Code: |
$ uname -a
Linux unknown 3.7.0-hardened #1 SMP Thu Jan XX XX:XX:XX CET XXXX x86_64 Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz GenuineIntel GNU/Linux
|
b) appropriate kernel configs:
Code: |
# CONFIG_MODULES is not set
|
but with enabled ipset:
Code: |
CONFIG_NET_EMATCH_IPSET=y
|
and also:
Code: |
CONFIG_IP_SET=y
CONFIG_IP_SET_MAX=256
CONFIG_IP_SET_BITMAP_IP=y
CONFIG_IP_SET_BITMAP_IPMAC=y
CONFIG_IP_SET_BITMAP_PORT=y
CONFIG_IP_SET_HASH_IP=y
CONFIG_IP_SET_HASH_IPPORT=y
CONFIG_IP_SET_HASH_IPPORTIP=y
CONFIG_IP_SET_HASH_IPPORTNET=y
CONFIG_IP_SET_HASH_NET=y
CONFIG_IP_SET_HASH_NETPORT=y
CONFIG_IP_SET_HASH_NETIFACE=y
CONFIG_IP_SET_LIST_SET=y
|
I have added ipset and iptables rules with no problem, but I can't connect them. So:
0. Tool versions:
Code: |
$ ipset --version
ipset v6.16, protocol version: 6
|
Code: |
$ iptables --version
iptables v1.4.16.3
|
1. My ipset rules:
a) Listing:
Code: |
$ ipset -t list
Name: china_cls
Type: hash:net
Revision: 2
Header: family inet hashsize 2048 maxelem 65536
Size in memory: 87352
References: 0
Name: korea_cls
Type: hash:net
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 35192
References: 0
|
b) And here is part of the set content:
Code: |
$ ipset list china_cls
Name: china_cls
Type: hash:net
Revision: 2
Header: family inet hashsize 2048 maxelem 65536
Size in memory: 87352
References: 0
Members:
116.69.0.0/16
208.74.175.2/31
124.160.0.0/13
...
|
2. The chain in iptables where I would like to put ipset rules:
Code: |
Chain in_bad_ip_cls (1 references)
pkts bytes target prot opt in out source destination
373 189K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type UNSPEC
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type MULTICAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type UNREACHABLE
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BLACKHOLE
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type UNSPEC
121 13863 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type UNSPEC
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type UNREACHABLE
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BLACKHOLE
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type UNSPEC
0 0 DROP all -- !lo * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * !lo 0.0.0.0/0 127.0.0.0/8
|
3. I am typing:
Code: |
iptables -v -I in_bad_ip_cls -m conntrack --ctstate NEW -m set --match-set china_cls src -j DROP
|
which gives me:
Code: |
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW match-set china_cls src
iptables: No chain/target/match by that name.
|
4. dmesg is silent
So, any clue? I should mention that the above rules work perfectly on another server (Ubuntu) with the same ipset/iptables settings.
I have even tried:
Code: |
iptables -v -I in_bad_ip_cls -m conntrack --ctstate NEW -j LOG --log-prefix "IPLOG: "
|
to check if I misspelled the chain name or something, but it was added to iptables with no problem.
The ipset syntax above also looks correct. I don't know what is wrong with it...
--
Greetings,
Last edited by irritum on Tue Feb 12, 2013 7:43 am; edited 1 time in total
irritum (n00b; Joined: 04 Feb 2013; Posts: 4)
Posted: Mon Feb 11, 2013 5:49 am    Post subject: Additional info
Come on, I will provide additional info if it is required. Below is the strace of the command:
Code: |
$ strace iptables -I in_bad_ip_cls -m conntrack --ctstate NEW -m set --match-set china_cls src -j DROP
execve("/sbin/iptables", ["iptables", "-I", "in_bad_ip_cls", "-m", "conntrack", "--ctstate", "NEW", "-m", "set", "--match-set", "china_cls", "src", "-j", "DROP"], [/* 40 vars */]) = 0
brk(0) = 0x478d915340
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2d41a066000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=50384, ...}) = 0
mmap(NULL, 50384, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2d41a059000
close(3) = 0
open("/lib64/libip4tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\33\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=31024, ...}) = 0
mmap(NULL, 2126416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d419c3f000
mprotect(0x2d419c46000, 2093056, PROT_NONE) = 0
mmap(0x2d419e45000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x2d419e45000
close(3) = 0
open("/lib64/libip6tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\35\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=31024, ...}) = 0
mmap(NULL, 2126416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d419a37000
mprotect(0x2d419a3e000, 2093056, PROT_NONE) = 0
mmap(0x2d419c3d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x2d419c3d000
close(3) = 0
open("/lib64/libxtables.so.9", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3609\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=55056, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2d419a36000
mmap(NULL, 2152256, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d419828000
mprotect(0x2d419834000, 2097152, PROT_NONE) = 0
mmap(0x2d419a34000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0x2d419a34000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360F\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1724464, ...}) = 0
mmap(NULL, 3837760, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d41947f000
mprotect(0x2d41961e000, 2097152, PROT_NONE) = 0
mmap(0x2d41981e000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19f000) = 0x2d41981e000
mmap(0x2d419824000, 16192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2d419824000
close(3) = 0
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\17\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=14392, ...}) = 0
mmap(NULL, 2109592, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d41927b000
mprotect(0x2d41927d000, 2097152, PROT_NONE) = 0
mmap(0x2d41947d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x2d41947d000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2d41a058000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2d41a057000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2d41a056000
arch_prctl(ARCH_SET_FS, 0x2d41a057700) = 0
mprotect(0x2d41981e000, 16384, PROT_READ) = 0
mprotect(0x2d41947d000, 4096, PROT_READ) = 0
mprotect(0x2d419a34000, 4096, PROT_READ) = 0
mprotect(0x2d419c3d000, 4096, PROT_READ) = 0
mprotect(0x2d419e45000, 4096, PROT_READ) = 0
mprotect(0x478b634000, 4096, PROT_READ) = 0
mprotect(0x2d41a068000, 4096, PROT_READ) = 0
munmap(0x2d41a059000, 50384) = 0
stat("/usr/lib64/xtables/libxt_conntrack.so", {st_mode=S_IFREG|0755, st_size=32512, ...}) = 0
brk(0) = 0x478d915340
brk(0x478d936340) = 0x478d936340
brk(0x478d937000) = 0x478d937000
open("/usr/lib64/xtables/libxt_conntrack.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\27\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=32512, ...}) = 0
mmap(NULL, 2127808, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d419073000
mprotect(0x2d419079000, 2097152, PROT_NONE) = 0
mmap(0x2d419279000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x2d419279000
close(3) = 0
mprotect(0x2d419279000, 4096, PROT_READ) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
lstat("/proc/net/ip_tables_names", {st_mode=S_IFREG|0440, st_size=0, ...}) = 0
statfs("/proc/net/ip_tables_names", {f_type="PROC_SUPER_MAGIC", f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, "conntrack\0'\31\324\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\3", [30]) = 0
close(3) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, "conntrack\0\243\31\324\2\0\0\0\0\0\0\0\0\0\0`\340G\31\1\3", [30]) = 0
close(3) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, "conntrack\0\243\31\324\2\0\0\0\0\0\0\0\0\0\0\340\232\222\227\1\3", [30]) = 0
close(3) = 0
stat("/usr/lib64/xtables/libxt_set.so", {st_mode=S_IFREG|0755, st_size=14720, ...}) = 0
open("/usr/lib64/xtables/libxt_set.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\16\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=14720, ...}) = 0
mmap(NULL, 2110016, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d418e6f000
mprotect(0x2d418e72000, 2093056, PROT_NONE) = 0
mmap(0x2d419071000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x2d419071000
close(3) = 0
mprotect(0x2d419071000, 4096, PROT_READ) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, 0x3ca97929a50, 0x3ca97929a4c) = -1 ENOENT (No such file or directory)
close(3) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, 0x3ca97929a50, 0x3ca97929a4c) = -1 ENOENT (No such file or directory)
close(3) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, 0x3ca97929ac0, 0x3ca97929abc) = -1 ENOENT (No such file or directory)
close(3) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, 0x3ca97929ac0, 0x3ca97929abc) = -1 ENOENT (No such file or directory)
close(3) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
getsockopt(3, SOL_IP, 0x53 /* IP_??? */, "\0\1\0\0\6\0\0\0", [8]) = 0
getsockopt(3, SOL_IP, 0x53 /* IP_??? */, "\6\0\0\0\6\0\0\0\0\0ina_cls\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [40]) = 0
close(3) = 0
stat("/usr/lib64/xtables/libxt_standard.so", {st_mode=S_IFREG|0755, st_size=6104, ...}) = 0
open("/usr/lib64/xtables/libxt_standard.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\6\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=6104, ...}) = 0
mmap(NULL, 2101480, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d418c6d000
mprotect(0x2d418c6e000, 2093056, PROT_NONE) = 0
mmap(0x2d418e6d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x2d418e6d000
close(3) = 0
mprotect(0x2d418e6d000, 4096, PROT_READ) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
getsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [84]) = 0
getsockopt(3, SOL_IP, 0x41 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [22696]) = 0
setsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 23144) = -1 ENOENT (No such file or directory)
close(3) = 0
write(2, "iptables: No chain/target/match "..., 46iptables: No chain/target/match by that name.
) = 46
exit_group(1) = ?
+++ exited with 1 +++
|
More info:
Code: |
$ equery uses ipset
[ Legend : U - final flag setting for installation]
[ : I - package is installed with flag ]
[ Colors : set, unset ]
* Found these USE flags for net-firewall/ipset-6.16:
U I
- - modules : Build the kernel modules
|
and
Code: |
$ equery uses iptables
[ Legend : U - final flag setting for installation]
[ : I - package is installed with flag ]
[ Colors : set, unset ]
* Found these USE flags for net-firewall/iptables-1.4.16.3:
U I
+ + ipv6 : Adds support for IP version 6
- - netlink : Build against libnfnetlink which enables the nfnl_osf util
- - static-libs : Build static libraries
|
Please, I'd appreciate any tips, hints or ideas.
--
Greetings,
Bones McCracker (Veteran; Joined: 14 Mar 2006; Posts: 1611; Location: U.S.A.)
Posted: Mon Feb 11, 2013 6:39 am
Iptables is telling you that you need to enable the 'set' match and 'set' target (in the kernel config).
--
patrix_neo wrote: "The human thought: I cannot win. The ratbrain in me: I can only go forward and that's it."
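The strace in the second post already pins this down, and the script below (an added example, not code from the thread or from the ipset/iptables projects) turns it into a repeatable check for the set-up procedure in the first post. In the trace, getsockopt(SOL_IP, 0x42) is IPT_SO_GET_REVISION_MATCH: the revision probes for "conntrack" succeed, every probe for "set" returns ENOENT, the two getsockopt(SOL_IP, 0x53) calls (SO_IP_SET: protocol version, then set lookup by name) succeed, and the final setsockopt(SOL_IP, 0x40) (IPT_SO_SET_REPLACE) fails with ENOENT, which iptables prints as "No chain/target/match by that name". So the ipset core is built in and china_cls exists, but the kernel has no "set" match for iptables to bind the rule to. That match, together with the SET target, comes from CONFIG_NETFILTER_XT_SET under Core Netfilter Configuration; CONFIG_NET_EMATCH_IPSET from the first post is the tc classifier ematch and does not provide it. The script checks the kernel's match list and a kernel .config for what the thread's rule needs, first against constructed sample files that reproduce the broken and the fixed kernel, then against the running kernel when its proc files are readable. Assumptions: /proc/net/ip_tables_matches lists one match name per line, /proc/config.gz is exposed (CONFIG_IKCONFIG_PROC=y), and the file, variable and function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a kernel without loadable
# module support can service the matches an ipset-referencing rule needs.
# Assumptions: /proc/net/ip_tables_matches lists one match name per line and
# /proc/config.gz is exposed (CONFIG_IKCONFIG_PROC=y); both are optional here.
set -u

# Matches used by the rule in the thread: -m conntrack and -m set.
NEEDED_MATCHES="conntrack set"
# Kernel symbols: the ipset core plus the xt_set match/target that was missing.
NEEDED_SYMBOLS="CONFIG_IP_SET CONFIG_NETFILTER_XT_SET"

# missing_matches FILE: print the needed match names absent from FILE
# (format of /proc/net/ip_tables_matches); exit 1 if any is missing.
missing_matches() {
    _missing=""
    for _m in $NEEDED_MATCHES; do
        grep -qxF "$_m" "$1" || _missing="$_missing $_m"
    done
    printf '%s\n' "${_missing# }"
    [ -z "$_missing" ]
}

# missing_symbols FILE: the same for a kernel .config. Only SYMBOL=y counts,
# because with CONFIG_MODULES off a =m setting could never be loaded.
missing_symbols() {
    _missing=""
    for _s in $NEEDED_SYMBOLS; do
        grep -qxF "$_s=y" "$1" || _missing="$_missing $_s"
    done
    printf '%s\n' "${_missing# }"
    [ -z "$_missing" ]
}

# Constructed samples (assumed, not captured from the poster's box): the
# thread's kernel with ipset built in but xt_set absent, and a corrected one.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

SAMPLE_MATCHES_BROKEN="$tmp/matches.broken"
printf '%s\n' addrtype conntrack state tcp udp > "$SAMPLE_MATCHES_BROKEN"
SAMPLE_MATCHES_OK="$tmp/matches.ok"
printf '%s\n' addrtype conntrack set state tcp udp > "$SAMPLE_MATCHES_OK"

SAMPLE_CONFIG_BROKEN="$tmp/config.broken"
cat > "$SAMPLE_CONFIG_BROKEN" <<'EOF'
# CONFIG_MODULES is not set
CONFIG_IP_SET=y
CONFIG_IP_SET_HASH_NET=y
# CONFIG_NETFILTER_XT_SET is not set
EOF
SAMPLE_CONFIG_OK="$tmp/config.ok"
cat > "$SAMPLE_CONFIG_OK" <<'EOF'
# CONFIG_MODULES is not set
CONFIG_IP_SET=y
CONFIG_IP_SET_HASH_NET=y
CONFIG_NETFILTER_XT_SET=y
EOF

# report LABEL FILE CHECK: run one check function and print a verdict line.
report() {
    if _out=$("$3" "$2"); then
        printf '%s: ok\n' "$1"
    else
        printf '%s: missing %s\n' "$1" "$_out"
    fi
}

report "sample matches (thread)" "$SAMPLE_MATCHES_BROKEN" missing_matches
report "sample config (thread)"  "$SAMPLE_CONFIG_BROKEN"  missing_symbols
report "sample config (fixed)"   "$SAMPLE_CONFIG_OK"      missing_symbols

# Live check of the running kernel, only where the proc files are readable
# (ip_tables_matches is root-readable; config.gz needs CONFIG_IKCONFIG_PROC).
if [ -r /proc/net/ip_tables_matches ]; then
    report "running kernel matches" /proc/net/ip_tables_matches missing_matches
fi
if [ -r /proc/config.gz ]; then
    zcat /proc/config.gz > "$tmp/running.config"
    report "running kernel config" "$tmp/running.config" missing_symbols
fi
```

Run it as root before touching the rule set: a "missing set" verdict from the running kernel means the iptables command in the thread will fail exactly as shown, however many ipset entries are loaded, and the fix is a kernel rebuild with CONFIG_NETFILTER_XT_SET=y rather than anything on the userspace side.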
irritum (n00b; Joined: 04 Feb 2013; Posts: 4)
Posted: Tue Feb 12, 2013 7:42 am    Post subject: Thanks
I am frustrated; I was 1000% sure that I had marked this option in the kernel, so I wasn't looking at it at all.
Really, I have all the options in this kernel section enabled but NOT this one.
I don't know how this could have happened.
Thank you very much for pointing me to it.
I owe you a beer. If you're ever in Poland, near Wroclaw, just let me know.
--
Greetings,
Bones McCracker (Veteran; Joined: 14 Mar 2006; Posts: 1611; Location: U.S.A.)
Posted: Tue Feb 12, 2013 8:31 am
Glad I could help.
--
patrix_neo wrote: "The human thought: I cannot win. The ratbrain in me: I can only go forward and that's it."