Comments on: Secure use of iptables and connection tracking helpers
https://home.regit.org
Pleasures and disillusions of the modern world
Last build: Sun, 26 Feb 2017 21:58:14 +0000

By: Ertuğrul
https://home.regit.org/netfilter-en/secure-use-of-helpers/comment-page-1/#comment-492515
Wed, 04 Jan 2017 17:29:32 +0000

I am sorry for my beginner-level question. I am a Debian 8.6 user. I installed linux-image-amd64 via backports, and at the end of the installation I read this message:

linux-latest (75) unstable; urgency=medium

* From Linux 4.7, the iptables connection tracking system will no longer
automatically load helper modules. If your firewall configuration
depends on connection tracking helpers, you should explicitly load the
required modules. For more information, see
.

-- Ben Hutchings  Sat, 29 Oct 2016 01:53:18 +0100

Could you please tell me if I am still as safe as before when I enable UFW? It uses iptables for the firewall, but that's all I know.

By: Litin
https://home.regit.org/netfilter-en/secure-use-of-helpers/comment-page-1/#comment-329083
Sat, 17 Jan 2015 21:08:26 +0000

Hi,

I have no problem creating CT rules that attach helpers to conntrack sessions for TCP and UDP helpers/protocols:

# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
CT udp -- anywhere anywhere udp dpt:amanda CT helper amanda
CT tcp -- anywhere anywhere tcp dpt:ftp CT helper ftp
CT udp -- anywhere anywhere udp dpt:1719 CT helper RAS
CT tcp -- anywhere anywhere tcp dpt:1720 CT helper Q.931
CT tcp -- anywhere anywhere tcp dpt:ircd CT helper irc
CT tcp -- anywhere anywhere tcp dpt:1723 CT helper pptp
CT udp -- anywhere anywhere udp dpt:sip CT helper sip

And these actually work OK.

But I really miss any documentation on how to attach, for example, GRE helpers. A PPTP connection needs GRE. And it seems to me that only loading nf_nat_proto_gre and nf_conntrack_proto_gre (in addition to the PPTP helper rules listed above) doesn't work:

nf_nat_proto_gre 918 1 nf_nat_pptp

nf_conntrack_proto_gre 3671 1 nf_conntrack_pptp

Attaching the GRE helper with the CT target doesn't work either:

window# iptables -t raw -A PREROUTING -p 47 -j CT --helper gre
iptables: No chain/target/match by that name.

window# iptables -t raw -A PREROUTING -p 47 -j CT --helper pptp
iptables: No chain/target/match by that name.

So what is the proper way to attach "proto" helpers to iptables / conntrack?

Thank you.
L.

By: luk4s
https://home.regit.org/netfilter-en/secure-use-of-helpers/comment-page-1/#comment-157251
Thu, 27 Mar 2014 12:56:27 +0000

Hi

In the last example, let's say my $NET_ETH1 is 192.168.1.0/24.
Could you explain what $ROUTED_VIA_ETH1 is?

By: Regit
https://home.regit.org/netfilter-en/secure-use-of-helpers/comment-page-1/#comment-119070
Sat, 31 Aug 2013 12:40:57 +0000

Hello Egarc,

In PREROUTING raw, the CT target is used to assign signaling traffic to a helper. In FORWARD, nothing changes, but it is recommended to filter RELATED traffic with caution.

By: Egarc
https://home.regit.org/netfilter-en/secure-use-of-helpers/comment-page-1/#comment-118984
Sat, 31 Aug 2013 05:26:33 +0000

This article, although informative, is still a bit confusing.
Do we use both prerouting forward and the CT, or just CT?

By: Jamie
https://home.regit.org/netfilter-en/secure-use-of-helpers/comment-page-1/#comment-107631
Wed, 12 Jun 2013 14:43:30 +0000

@sigxcpu: There's no need for all the TCP flag checks, because conntrack already checks TCP flags. See tcp_valid_flags in https://github.com/torvalds/linux/blob/master/net/netfilter/nf_conntrack_proto_tcp.c . You can see from the rest of the file that the checking is more thorough than flags (sequence numbers etc. are also checked).

So the --state INVALID rule should be enough.

As far as I can tell, the only one of your combinations that conntrack wouldn't reject is FIN,PSH,URG, which is legitimate TCP so shouldn't be dropped. Also, your 2nd and 4th rules are redundant; they can be combined into one which ignores PSH.

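An added example (my own code, not from this thread or its author) that checks Jamie's redundancy remark by brute force: it emulates the iptables `--tcp-flags MASK COMP` match over all 64 flag combinations, confirms that sigxcpu's rules 2 and 4 collapse into one rule that leaves PSH out of the mask, and goes a step further by listing every rule whose drop set is already covered by the remaining rules (rules 2 and 4 both turn out to be covered by rules 5 and 6). All function names are my own.

```python
from itertools import combinations

# The six flags the posted rules examine, in the order iptables prints them.
FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

# sigxcpu's six --tcp-flags rules as (MASK, COMP) pairs; iptables matches a
# packet when (flags & MASK) == COMP.
POSTED_RULES = [
    (FLAGS, ()),                                    # rule 1: NONE
    (FLAGS, FLAGS),                                 # rule 2: all six set
    (FLAGS, ("FIN", "PSH", "URG")),                 # rule 3
    (FLAGS, ("FIN", "SYN", "RST", "ACK", "URG")),   # rule 4: all but PSH
    (("SYN", "RST"), ("SYN", "RST")),               # rule 5
    (("FIN", "SYN"), ("FIN", "SYN")),               # rule 6
]

# Jamie's proposed merge of rules 2 and 4: simply leave PSH out of the mask.
MERGED_2_AND_4 = (("FIN", "SYN", "RST", "ACK", "URG"),
                  ("FIN", "SYN", "RST", "ACK", "URG"))

def rule_matches(mask, comp, packet_flags):
    """Hypothetical helper: emulate the tcp match against one packet's flag set."""
    return frozenset(packet_flags) & frozenset(mask) == frozenset(comp)

def all_flag_sets():
    """Every one of the 2**6 = 64 combinations of the six flags."""
    for n in range(len(FLAGS) + 1):
        for combo in combinations(FLAGS, n):
            yield frozenset(combo)

def dropped_by(rules):
    """Flag combinations that at least one rule in `rules` would DROP."""
    return {fs for fs in all_flag_sets()
            if any(rule_matches(m, c, fs) for m, c in rules)}

def rules_equivalent(rules_a, rules_b):
    """True when both rule lists drop exactly the same flag combinations."""
    return dropped_by(rules_a) == dropped_by(rules_b)

def redundant_rules(rules):
    """1-based numbers of rules that drop nothing the other rules do not already drop."""
    full = dropped_by(rules)
    return [i + 1 for i in range(len(rules))
            if dropped_by(rules[:i] + rules[i + 1:]) == full]

if __name__ == "__main__":
    print("rules 2+4 == merged:",
          rules_equivalent(POSTED_RULES[1:2] + POSTED_RULES[3:4], [MERGED_2_AND_4]))
    print("redundant rules:", redundant_rules(POSTED_RULES))
```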
By: sigxcpu
https://home.regit.org/netfilter-en/secure-use-of-helpers/comment-page-1/#comment-81639
Fri, 16 Nov 2012 14:24:23 +0000

I would suggest you also implement a little protection against several types of scans and uncommon usage of the TCP protocol:

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -m state --state INVALID -j DROP

http://www.hideandhack.com | the privacy experts.

By: Regit
https://home.regit.org/netfilter-en/secure-use-of-helpers/comment-page-1/#comment-78539
Sun, 21 Oct 2012 19:34:33 +0000

Hello Joe. You could proceed differently: load the helpers and activate them. You can then log all RELATED packets (and block them if you don't want to take a risk). Doing this, you will know what the usage of helpers in your network is.

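An added example (my own code, not Regit's or the post's) of the inventory step Regit describes for Joe's question: it assumes one LOG rule per activated helper in FORWARD, built with the iptables helper match (`-m helper --helper NAME`) and a distinct `--log-prefix`, plus a catch-all RELATED rule, then tallies the resulting kernel LOG lines to show which helpers the network actually relies on. The log lines are constructed, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample of kernel LOG output (not a real capture), as emitted by
# one LOG rule per helper, e.g.
#   iptables -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp \
#            -j LOG --log-prefix "RELATED-ftp: "
# plus a final catch-all RELATED rule with prefix "RELATED-other: ".
SAMPLE_LOG = """\
kernel: RELATED-ftp: IN=eth1 OUT=eth0 SRC=203.0.113.7 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=20 DPT=41022 SYN
kernel: RELATED-ftp: IN=eth1 OUT=eth0 SRC=203.0.113.7 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=20 DPT=41023 SYN
kernel: RELATED-sip: IN=eth1 OUT=eth0 SRC=198.51.100.9 DST=192.168.1.31 LEN=212 PROTO=UDP SPT=10002 DPT=7078
kernel: RELATED-other: IN=eth1 OUT=eth0 SRC=198.51.100.2 DST=192.168.1.20 LEN=88 PROTO=ICMP TYPE=3 CODE=3
kernel: RELATED-ftp: IN=eth1 OUT=eth0 SRC=203.0.113.7 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=20 DPT=41024 SYN
"""

# Our prefixes are "RELATED-<helper>: "; everything after is KEY=VALUE tokens.
LINE_RE = re.compile(r"RELATED-(?P<helper>\w+): (?P<fields>.*)")

def parse_line(line):
    """Return (helper, {FIELD: value}) for one of our LOG lines, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    return m.group("helper"), fields

def helper_usage(log_text):
    """Count RELATED flows per (helper, protocol, source, destination)."""
    usage = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        helper, f = parsed
        usage[(helper, f.get("PROTO"), f.get("SRC"), f.get("DST"))] += 1
    return usage

def helpers_in_use(log_text):
    """Helper names that produced at least one RELATED flow ('other' = no helper)."""
    return {h for (h, _, _, _) in helper_usage(log_text) if h != "other"}

if __name__ == "__main__":
    for key, count in sorted(helper_usage(SAMPLE_LOG).items()):
        print(count, key)
    print("helpers needed:", sorted(helpers_in_use(SAMPLE_LOG)))
```

A helper that never appears in this tally over a representative period is a candidate for leaving unloaded.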
By: Joe 12-pack
https://home.regit.org/netfilter-en/secure-use-of-helpers/comment-page-1/#comment-78483
Sat, 20 Oct 2012 20:05:06 +0000

Thanks for this info. Since I am lazy, I began thinking about how to record when a helper would be needed. Maybe using a pcap file or something. What do you think? Then take the info gleaned from the pcap file to derive what helpers might be needed.

By: Playing with Network Layers to Bypass Firewalls' Filtering Policy » To Linux and beyond !
https://home.regit.org/netfilter-en/secure-use-of-helpers/comment-page-1/#comment-58874
Fri, 09 Mar 2012 22:43:55 +0000

[…] required counter-measures are described in the Secure use of iptables and connection tracking helpers […]
