iptables string module; bug?

Support for security such as Firewalls and securing linux
Al_Stu
Posts: 43
Joined: 2010/09/14 21:05:16

iptables string module; bug?

Post by Al_Stu » 2018/08/30 03:43:00

Don't know if I'm not understanding or if this is a bug.

In using the iptables string module, the --from offset appears to be treated as a hex value. For instance a value of 40 will begin searching at the 65th character (decimal offset 64).

However, only decimal characters (0-9) are accepted in the value.

So there is no way to specify an offset that would contain an a-f character in the hex representation of the value. For example 3F will not be accepted, and the decimal equivalent (63) will be treated as hex. Thus the search would be at offset 99 decimal.


Example:
1) iptables-save -c >/var/iptables_counters_saved
[0:0] -A PREROUTING -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 40 --to 65535 -j DROP

2) Change the --from value to something that includes a hex character (a-f) and it fails to load.

3) cat /var/iptables_counters_saved | iptables-restore -c
iptables-restore v1.4.21: string: bad value for option "--from", or out of range (0-65535).

User avatar
TrevorH
Forum Moderator
Posts: 23876
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables string module; bug?

Post by TrevorH » 2018/08/30 14:35:49

I did a quick experiment and I don't see what you see. On a scratch VM I set up I removed firewald and installed iptables-services then ran lokkit --enabled -s ssh to set up a minimal set of iptables rules. I ran tcpdump -w /tmp/t.pcap -i any port 1234 then went to a different machine at did telnet test.vm 1234 so I could catch the packet and look at it. It looked like

Code: Select all

[root@localhost ~]# tcpdump -r /tmp/t.pcap -X -s0
reading from file /tmp/t.pcap, link-type LINUX_SLL (Linux cooked)
15:22:49.394839 IP 192.168.x.4.44120 > 192.168.x.190.1234: Flags [S], seq 2999768606, win 42340, options [mss 1460,sackOK,TS val 652947158 ecr 0,nop,wscale 11], length 0
	0x0000:  4510 003c f8c8 4000 4006 e1cf c0a8 6f04  E..<..@.@.....o.
	0x0010:  c0a8 6fbe ab94 04d2 b2cc d61e 0000 0000  ..o.............
	0x0020:  a002 a564 b370 0000 0204 05b4 0402 080a  ...d.p..........
	0x0030:  26eb 2ed6 0000 0000 0103 030b 0000 0000  &...............
	0x0040:  0000 0000 0000 0000 0000 0000            ............
I then ran iptables -I INPUT 5 -p tcp -m tcp --dport 1234 -m string --hex-string "|a002a564|" --from 32 --to 36 -j LOG to insert a new rule in the chain in a place where it would be reached. Now when I telnet test.vm 1234 it sees that packet and writes a syslog entry for it which looks like

Code: Select all

Aug 30 15:25:46 localhost kernel: IN=enp0s3 OUT= MAC=08:00:27:xx:xx:xx:00:0f:53:0c:yy:yy:yy:00 SRC=192.168.x.4 DST=192.168.x.190 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=27342 DF PROTO=TCP SPT=44120 DPT=1234 WINDOW=42340 RES=0x00 SYN URGP=0
32 == 0x20, 36 == 0x24 or the exact position in the tcpdumped packet that contains that hex data. Packet matches the rule and the log entry is created.

My system is 7.5 and fully up to date with yum update
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

User avatar
avij
Forum Moderator
Posts: 2722
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: iptables string module; bug?

Post by avij » 2018/08/30 14:54:53

Which kernel do you use? uname -a

Al_Stu
Posts: 43
Joined: 2010/09/14 21:05:16

Re: iptables string module; bug?

Post by Al_Stu » 2018/08/30 16:38:21

[root@VPS1 ~]# uname -a
Linux VPS1 3.10.0-514.2.2.el7.centos.plus.x86_64 #1 SMP Wed Dec 7 19:10:15 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

User avatar
TrevorH
Forum Moderator
Posts: 23876
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables string module; bug?

Post by TrevorH » 2018/08/30 16:54:30

So you are quite out of date then. That kernel is nearly 2 years old. Run yum update to get up to date and then see if the problem still occurs. From my experiment, it appears to be working correctly on the latest updates.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

Al_Stu
Posts: 43
Joined: 2010/09/14 21:05:16

Re: iptables string module; bug?

Post by Al_Stu » 2018/08/30 18:33:44

Kernel has been updated many times via Webmin. Don't understand why it would be out of date. Maybe the VPS service is overriding the kernel?

Code: Select all

[root@VPS1 ~]# yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: repos-lax.psychz.net
 * centosplus: mirrors.syringanetworks.net
 * extras: mirror.keystealth.org
 * updates: mirrors.xtom.com
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
No packages marked for update

User avatar
TrevorH
Forum Moderator
Posts: 23876
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables string module; bug?

Post by TrevorH » 2018/08/31 01:04:08

You are still running a 7.3 kernel and it hasn't been updated since 2016. Maybe that's because you have the 'plus' kernel installed, maybe you have a broken software RAID /boot? Or your /etc/grub2.cfg symlink is broken? Or maybe you're not pointing to current repos.

Ignore webmin, open a root command prompt and run yum update from there and see what you get. Run rpm -q kernel and see what that reports.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

Al_Stu
Posts: 43
Joined: 2010/09/14 21:05:16

Re: iptables string module; bug?

Post by Al_Stu » 2018/08/31 02:05:31

The yum update I ran earlier was from root command prompt. Was surprised to see it trying to use repos at download.webmin.com and timing out.

Here is the result of rpm -q kernel in a root command prompt. Have no idea why these are not working. Have not done anything special to these (at least not intentionally).

Code: Select all

[root@VPS1 ~]# rpm -q kernel
error: rpmdb: BDB0113 Thread/process 26232/140663296341824 failed: BDB1507 Thread died in Berkeley DB library
error: db5 error(-30973) from dbenv->failchk: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery
error: cannot open Packages index using db5 -  (-30973)
error: cannot open Packages database in /var/lib/rpm
error: rpmdb: BDB0113 Thread/process 26232/140663296341824 failed: BDB1507 Thread died in Berkeley DB library
error: db5 error(-30973) from dbenv->failchk: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery
error: cannot open Packages database in /var/lib/rpm
package kernel is not installed
Appreciate your help sorting this out.

Al_Stu
Posts: 43
Joined: 2010/09/14 21:05:16

Re: iptables string module; bug?

Post by Al_Stu » 2018/08/31 02:16:48

After rebooting the system.

Code: Select all

[root@VPS1 /]# yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.sonic.net
 * centosplus: mirrors.syringanetworks.net
 * extras: mirrors.sonic.net
 * updates: mirror.keystealth.org
Webmin                                                   | 1.0 kB     00:00
base                                                     | 3.6 kB     00:00
centos-sclo-rh                                           | 3.0 kB     00:00
centos-sclo-sclo                                         | 2.9 kB     00:00
centosplus                                               | 3.4 kB     00:00
extras                                                   | 3.4 kB     00:00
updates                                                  | 3.4 kB     00:00
No packages marked for update

Code: Select all

[root@VPS1 rpm]# rpm -q kernel
package kernel is not installed

Code: Select all

[root@VPS1 ~]# rpm -q kernel-plus
kernel-plus-3.10.0-514.2.2.el7.centos.plus.x86_64
kernel-plus-3.10.0-862.6.3.el7.centos.plus.x86_64
kernel-plus-3.10.0-862.9.1.el7.centos.plus.x86_64
kernel-plus-3.10.0-862.11.6.el7.centos.plus.x86_64
kernel-plus-3.10.0-862.11.6.el7.centos.plus.1.x86_64

Code: Select all

[root@VPS1 ~]# yum list installed |grep "kernel"
kernel-plus.x86_64               3.10.0-514.2.2.el7.centos.plus  @centosplus
kernel-plus.x86_64               3.10.0-862.6.3.el7.centos.plus  @centosplus
kernel-plus.x86_64               3.10.0-862.9.1.el7.centos.plus  @centosplus
kernel-plus.x86_64               3.10.0-862.11.6.el7.centos.plus @centosplus
kernel-plus.x86_64               3.10.0-862.11.6.el7.centos.plus.1
kernel-plus-tools.x86_64         3.10.0-862.11.6.el7.centos.plus.1
kernel-plus-tools-libs.x86_64    3.10.0-862.11.6.el7.centos.plus.1

User avatar
TrevorH
Forum Moderator
Posts: 23876
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables string module; bug?

Post by TrevorH » 2018/08/31 04:26:42

And is your uname -r output still the same after the reboot?
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

Post Reply