iptables string module; bug?
Don't know if I'm not understanding or if this is a bug.
In using the iptables string module, the --from offset appears to be treated as a hex value. For instance a value of 40 will begin searching at the 65th character (decimal offset 64).
However, only decimal characters (0-9) are accepted in the value.
So there is no way to specify an offset that would contain an a-f character in the hex representation of the value. For example 3F will not be accepted, and the decimal equivalent (63) will be treated as hex. Thus the search would be at offset 99 decimal.
Example:
1) iptables-save -c >/var/iptables_counters_saved
[0:0] -A PREROUTING -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 40 --to 65535 -j DROP
2) Change the --from value to something that includes a hex character (a-f) and it fails to load.
3) cat /var/iptables_counters_saved | iptables-restore -c
iptables-restore v1.4.21: string: bad value for option "--from", or out of range (0-65535).
Re: iptables string module; bug?
I did a quick experiment and I don't see what you see. On a scratch VM I set up I removed firewalld and installed iptables-services then ran lokkit --enabled -s ssh to set up a minimal set of iptables rules. I ran tcpdump -w /tmp/t.pcap -i any port 1234 then went to a different machine and did telnet test.vm 1234 so I could catch the packet and look at it. It looked like
Code:
[root@localhost ~]# tcpdump -r /tmp/t.pcap -X -s0
reading from file /tmp/t.pcap, link-type LINUX_SLL (Linux cooked)
15:22:49.394839 IP 192.168.x.4.44120 > 192.168.x.190.1234: Flags [S], seq 2999768606, win 42340, options [mss 1460,sackOK,TS val 652947158 ecr 0,nop,wscale 11], length 0
0x0000: 4510 003c f8c8 4000 4006 e1cf c0a8 6f04 E..<..@.@.....o.
0x0010: c0a8 6fbe ab94 04d2 b2cc d61e 0000 0000 ..o.............
0x0020: a002 a564 b370 0000 0204 05b4 0402 080a ...d.p..........
0x0030: 26eb 2ed6 0000 0000 0103 030b 0000 0000 &...............
0x0040: 0000 0000 0000 0000 0000 0000 ............
I then ran iptables -I INPUT 5 -p tcp -m tcp --dport 1234 -m string --hex-string "|a002a564|" --from 32 --to 36 -j LOG to insert a new rule in the chain in a place where it would be reached. Now when I telnet test.vm 1234 it sees that packet and writes a syslog entry for it which looks like
Code:
Aug 30 15:25:46 localhost kernel: IN=enp0s3 OUT= MAC=08:00:27:xx:xx:xx:00:0f:53:0c:yy:yy:yy:00 SRC=192.168.x.4 DST=192.168.x.190 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=27342 DF PROTO=TCP SPT=44120 DPT=1234 WINDOW=42340 RES=0x00 SYN URGP=0
32 == 0x20, 36 == 0x24 or the exact position in the tcpdumped packet that contains that hex data. Packet matches the rule and the log entry is created.
My system is 7.5 and fully up to date with yum update
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
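As an added example (not code from the thread), the following Python rebuilds the packet from the tcpdump -X hexdump quoted in the reply above and applies a --from/--to window the way the iptables string match is documented: decimal byte offsets counted from the start of the IP header, scanning bytes from .. to-1. It also builds a constructed DNS ANY query to show that the original rule's --from 40 is the decimal start of the question section (20 IP + 8 UDP + 12 DNS header bytes), and that reading it as 0x40 = 64 would miss the packet; the packet bytes and window semantics are assumptions stated in the code.

```python
# Added example (not from the thread): rebuild the packet from a tcpdump -X
# hexdump and apply an iptables "-m string --hex-string --from --to" match.
import re
# Constructed input: the hexdump lines quoted in the reply above.
SYN_HEXDUMP = """\
0x0000: 4510 003c f8c8 4000 4006 e1cf c0a8 6f04 E..<..@.@.....o.
0x0010: c0a8 6fbe ab94 04d2 b2cc d61e 0000 0000 ..o.............
0x0020: a002 a564 b370 0000 0204 05b4 0402 080a ...d.p..........
0x0030: 26eb 2ed6 0000 0000 0103 030b 0000 0000 &...............
0x0040: 0000 0000 0000 0000 0000 0000 ............
"""

# Constructed UDP/DNS "ANY" query for the original rule's pattern: 20 IP + 8 UDP
# + 12 DNS header bytes put the question section at decimal offset 40.
DNS_ANY_QUERY = (
    bytes.fromhex("45000039 00004000 4011 0000 c0a86f04 c0a86fbe")  # IP, csum 0
    + bytes.fromhex("d431 0035 0025 0000")                          # UDP -> :53
    + bytes.fromhex("1234 0100 0001 0000 0000 0000")                # DNS header
    + b"\x07example\x03com\x00" + bytes.fromhex("00ff 0001")        # QNAME ANY IN
)

HEX_LINE = re.compile(r"\s*0x([0-9a-f]+):((?:\s[0-9a-f]{4})+(?:\s[0-9a-f]{2})?)")

def parse_hexdump(text):
    """Rebuild packet bytes from tcpdump -X lines, checking each line's
    offset so a dropped line is caught instead of silently shifting bytes."""
    data = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(data):
            raise ValueError("hexdump offset gap at " + line.split(":")[0])
        data += bytes.fromhex(m.group(2))
    return bytes(data)

def string_match(pkt, hexstring, frm=0, to=65535):
    """Offset at which --hex-string "|..|" lies wholly inside pkt[frm:to], or
    -1 if the rule would not match. Assumption (per iptables-extensions(8)):
    from/to are decimal byte offsets from the start of the IP header and the
    window scanned is bytes from .. to-1."""
    needle = bytes.fromhex(hexstring.strip("|"))
    idx = pkt[frm:to].find(needle)
    return -1 if idx < 0 else frm + idx

if __name__ == "__main__":
    syn = parse_hexdump(SYN_HEXDUMP)
    print(len(syn), string_match(syn, "|a002a564|", 32, 36))       # 76 32
    print(string_match(DNS_ANY_QUERY, "|0000ff0001|", 40, 65535))  # 52
    print(string_match(DNS_ANY_QUERY, "|0000ff0001|", 64, 65535))  # -1
```

Narrowing the window by one byte on either side (--to 35 or --from 33) stops the SYN rule from matching, which is the quickest way to confirm on a live host that the offsets are being read as decimal.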
Re: iptables string module; bug?
Which kernel do you use? uname -a
Re: iptables string module; bug?
[root@VPS1 ~]# uname -a
Linux VPS1 3.10.0-514.2.2.el7.centos.plus.x86_64 #1 SMP Wed Dec 7 19:10:15 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Re: iptables string module; bug?
So you are quite out of date then. That kernel is nearly 2 years old. Run yum update to get up to date and then see if the problem still occurs. From my experiment, it appears to be working correctly on the latest updates.
Re: iptables string module; bug?
Kernel has been updated many times via Webmin. Don't understand why it would be out of date. Maybe the VPS service is overriding the kernel?
Code:
[root@VPS1 ~]# yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: repos-lax.psychz.net
* centosplus: mirrors.syringanetworks.net
* extras: mirror.keystealth.org
* updates: mirrors.xtom.com
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
http://download.webmin.com/download/yum/repodata/repomd.xml: [Errno 12] Timeout on http://download.webmin.com/download/yum/repodata/repomd.xml: (28, 'Connection timed out after 30001 milliseconds')
Trying other mirror.
No packages marked for update
Re: iptables string module; bug?
You are still running a 7.3 kernel and it hasn't been updated since 2016. Maybe that's because you have the 'plus' kernel installed, maybe you have a broken software RAID /boot? Or your /etc/grub2.cfg symlink is broken? Or maybe you're not pointing to current repos.
Ignore webmin, open a root command prompt and run yum update from there and see what you get. Run rpm -q kernel and see what that reports.
Re: iptables string module; bug?
The yum update I ran earlier was from root command prompt. Was surprised to see it trying to use repos at download.webmin.com and timing out.
Here is the result of rpm -q kernel in a root command prompt. Have no idea why these are not working. Have not done anything special to these (at least not intentionally).
Appreciate your help sorting this out.
Code:
[root@VPS1 ~]# rpm -q kernel
error: rpmdb: BDB0113 Thread/process 26232/140663296341824 failed: BDB1507 Thread died in Berkeley DB library
error: db5 error(-30973) from dbenv->failchk: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery
error: cannot open Packages index using db5 - (-30973)
error: cannot open Packages database in /var/lib/rpm
error: rpmdb: BDB0113 Thread/process 26232/140663296341824 failed: BDB1507 Thread died in Berkeley DB library
error: db5 error(-30973) from dbenv->failchk: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery
error: cannot open Packages database in /var/lib/rpm
package kernel is not installed
Re: iptables string module; bug?
After rebooting the system.
Code:
[root@VPS1 /]# yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.sonic.net
* centosplus: mirrors.syringanetworks.net
* extras: mirrors.sonic.net
* updates: mirror.keystealth.org
Webmin | 1.0 kB 00:00
base | 3.6 kB 00:00
centos-sclo-rh | 3.0 kB 00:00
centos-sclo-sclo | 2.9 kB 00:00
centosplus | 3.4 kB 00:00
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
No packages marked for update
Code:
[root@VPS1 rpm]# rpm -q kernel
package kernel is not installed
Code:
[root@VPS1 ~]# rpm -q kernel-plus
kernel-plus-3.10.0-514.2.2.el7.centos.plus.x86_64
kernel-plus-3.10.0-862.6.3.el7.centos.plus.x86_64
kernel-plus-3.10.0-862.9.1.el7.centos.plus.x86_64
kernel-plus-3.10.0-862.11.6.el7.centos.plus.x86_64
kernel-plus-3.10.0-862.11.6.el7.centos.plus.1.x86_64
Code:
[root@VPS1 ~]# yum list installed |grep "kernel"
kernel-plus.x86_64 3.10.0-514.2.2.el7.centos.plus @centosplus
kernel-plus.x86_64 3.10.0-862.6.3.el7.centos.plus @centosplus
kernel-plus.x86_64 3.10.0-862.9.1.el7.centos.plus @centosplus
kernel-plus.x86_64 3.10.0-862.11.6.el7.centos.plus @centosplus
kernel-plus.x86_64 3.10.0-862.11.6.el7.centos.plus.1
kernel-plus-tools.x86_64 3.10.0-862.11.6.el7.centos.plus.1
kernel-plus-tools-libs.x86_64 3.10.0-862.11.6.el7.centos.plus.1
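An added example (not from the thread): Python that takes the rpm -q kernel-plus listing and the uname -r string quoted above and reports whether the kernel actually booted is the newest one installed, which is the mismatch the replies are circling around. The version ordering is an approximation of rpm's, assumed here rather than taken from rpmvercmp.

```python
# Added example (not from the thread): compare the running kernel (uname -r)
# with the kernel packages rpm reports, to catch a host that keeps booting a
# stale kernel even though newer ones are installed.
import re

# Constructed input, copied from the rpm -q kernel-plus and uname -a output above.
RPM_Q_OUTPUT = """\
kernel-plus-3.10.0-514.2.2.el7.centos.plus.x86_64
kernel-plus-3.10.0-862.6.3.el7.centos.plus.x86_64
kernel-plus-3.10.0-862.9.1.el7.centos.plus.x86_64
kernel-plus-3.10.0-862.11.6.el7.centos.plus.x86_64
kernel-plus-3.10.0-862.11.6.el7.centos.plus.1.x86_64
"""
UNAME_R = "3.10.0-514.2.2.el7.centos.plus.x86_64"

ARCH_SUFFIX = re.compile(r"\.(x86_64|i686|aarch64|noarch)$")

def version_key(version):
    """Sort key approximating rpm ordering (an assumption, not rpmvercmp):
    digit runs compare numerically, so 862.11.6 > 862.9.1, and the trailing
    '.1' rebuild sorts above its base release. The arch is dropped first so
    it cannot mask a longer release string."""
    base = ARCH_SUFFIX.sub("", version)
    return tuple(int(t) if t.isdigit() else t for t in re.split(r"(\d+)", base))

def installed_kernel_versions(rpm_output, names=("kernel-plus", "kernel")):
    """Strip the package name from each 'rpm -q' line, leaving the
    version-release.arch string in the same form uname -r prints it."""
    versions = []
    for line in rpm_output.splitlines():
        for name in names:            # longest name first: kernel-plus != kernel
            if line.startswith(name + "-"):
                versions.append(line[len(name) + 1:])
                break
    return versions

def stale_kernel_report(uname_r, rpm_output):
    """Return (newest_installed, booted_is_newest) for the given outputs."""
    versions = installed_kernel_versions(rpm_output)
    newest = max(versions, key=version_key)
    return newest, uname_r == newest

if __name__ == "__main__":
    print(stale_kernel_report(UNAME_R, RPM_Q_OUTPUT))
    # ('3.10.0-862.11.6.el7.centos.plus.1.x86_64', False)
```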
Re: iptables string module; bug?
And is your uname -r output still the same after the reboot?