iptables string module; bug?
Al_Stu
Posts: 43
Joined: 2010/09/14 21:05:16

Re: iptables string module; bug?

Post by Al_Stu » 2018/08/31 05:36:56

Yes, it's still the same.

[root@VPS1 ~]# uname -r
3.10.0-514.2.2.el7.centos.plus.x86_64
[root@VPS1 ~]# uname -a
Linux VPS1 3.10.0-514.2.2.el7.centos.plus.x86_64 #1 SMP Wed Dec 7 19:10:15 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

TrevorH
Forum Moderator
Posts: 23667
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables string module; bug?

Post by TrevorH » 2018/08/31 12:57:06

What's the output from grep menuentry /boot/grub2/grub.cfg ? If you have a UEFI system then grub.cfg is not in /boot/grub2 and you need to look under /boot/efi to find it several directories down.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

Al_Stu
Posts: 43
Joined: 2010/09/14 21:05:16

Re: iptables string module; bug?

Post by Al_Stu » 2018/08/31 16:44:03

There is no grub.cfg in either location.

There is:
/boot/efi/EFI/redhat/grub.efi (which is binary)
/boot/grub/... (a bunch of stuff including several grub.conf... files)
/boot/grub2/device.map
/boot/grub2/grub.cfg.bak
/boot/grub2/grubenv

Booted to this kernel. But the string module hex vs. decimal offset issue still exists.
[root@VPS1 ~]# uname -a
Linux VPS1 3.10.0-862.11.6.el7.centos.plus.x86_64 #1 SMP Wed Aug 15 02:30:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

TrevorH
Forum Moderator
Posts: 23667
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables string module; bug?

Post by TrevorH » 2018/08/31 18:34:08

Booted to this kernel. But the string module hex vs. decimal offset issue still exists.
I have tested this on 7.5 (results above) and it works correctly for me. Is the rest of your system up to date too?

Al_Stu
Posts: 43
Joined: 2010/09/14 21:05:16

Re: iptables string module; bug?

Post by Al_Stu » 2018/08/31 19:04:05

So far as I know everything is up to date.

Webmin dashboard reports 7.5 but I don't know where it's getting that from. Other things seem to just report the major. The initial install was 7.3 about 17 months ago (Apr. '17).

Webmin Dashboard:
Operating system  CentOS Linux 7.5.1804 
Kernel and CPU  Linux 3.10.0-862.11.6.el7.centos.plus.x86_64 on x86_64 

[root@VPS1 ~]# hostnamectl
   Static hostname: VPS1
         Icon name: computer-vm
           Chassis: vm
        Machine ID: d95a50005420493eb46cd8b69ebd9275
           Boot ID: 1bd1ee74e76f482f8f833ad32fd8b317
    Virtualization: kvm
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-862.11.6.el7.centos.plus.x86_64
      Architecture: x86-64

[root@VPS1 ~]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

[root@VPS1 ~]# yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.oit.uci.edu
 * centosplus: mirrors.xtom.com
 * extras: repos.lax.quadranet.com
 * updates: mirrors.xtom.com
No packages marked for update

TrevorH
Forum Moderator
Posts: 23667
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables string module; bug?

Post by TrevorH » 2018/08/31 19:18:15

Look at the items that I posted at the start of this thread and do the same things with your data and post the results so we can see the problem. Capture the packets using tcpdump or tshark and write them to a file. Use a -j LOG line to show if it matches or not. Dump the packets using -X -s0 so that the entire thing is dumped in hex. When I did this it clearly showed that the --from and --to were in decimal and worked correctly.

Al_Stu
Posts: 43
Joined: 2010/09/14 21:05:16

Re: iptables string module; bug?

Post by Al_Stu » 2018/09/01 05:08:06

Pretty much already did that here:
viewtopic.php?t=62148

Using 50 does not drop DNS . ANY packets. But 32 does. The string being searched begins at offset 0x36. 50 as decimal should work, but 50 as hex would be well beyond the string offset.

TrevorH
Forum Moderator
Posts: 23667
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables string module; bug?

Post by TrevorH » 2018/09/01 08:28:45

So I do not know how to recreate your exact scenario there, but I did check it and you are mistaken: the --from is in decimal. That's the second time I've done this and in both cases the offset in --from was the decimal offset.

I ran dig @192.168.x.6 -t any while running tcpdump to catch all udp port 53 packets on my dns server. What I got from that was a packet that looks like

09:21:41.117038 IP 192.168.x.4.33237 > 192.168.x.6.53: 61795+ [1au] NS? . (28)
        0x0000:  4500 0038 5bff 0000 4011 bf5a c0a8 xx04  E..8[...@..Z..o.
        0x0010:  c0a8 xx06 81d5 0035 0024 1891 f163 0120  ..o....5.$...c..
        0x0020:  0001 0000 0000 0001 0000 0200 0100 0029  ...............)
        0x0030:  1000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000
Since the data you were looking for wasn't in that, I picked 0x01000029 from offset 0x2c in that packet and set a rule like

iptables -t nat -R PREROUTING 1 -p udp --dport 53 -m string --hex-string "|01000029|" --algo bm --from 44 --to 48 -j LOG

--from 44 --to 48 is offset 0x2c to 0x30.

Reran my dig and looked in /var/log/messages and see
Sep 1 09:22:38 dnsserver kernel: IN=enp1s0f0 OUT= MAC=00:xx:xx:xx:xx:xx:00:xx:xx:xx:xx:xx:08:00 SRC=192.168.x.4 DST=192.168.x.6 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=56867 PROTO=UDP SPT=49327 DPT=53 LEN=36

TrevorH
Forum Moderator
Posts: 23667
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables string module; bug?

Post by TrevorH » 2018/09/01 13:09:09

What is the output from rpm -qai iptables\* ?

Al_Stu
Posts: 43
Joined: 2010/09/14 21:05:16

Re: iptables string module; bug?

Post by Al_Stu » 2018/09/01 20:21:41

Yes the offset is supposed to be in decimal. But what I'm seeing is that it is being applied as hex. If the string offset is submitted as decimal (50) the packet is not matched as 50 in hex is beyond the string. Have to submit the offset as hex (32) in order for it to be matched.
Note: The string (0000ff0001) offset is actually at 54 (0x36). So anything less should work.

To generate the packet I use nslookup and set type to ANY and set server to IPv4 address of the DNS server. Then submit a query for "." (root any).

[root@VPS1 ~]# rpm -qai iptables\*
Name        : iptables
Version     : 1.4.21
Release     : 24.1.el7_5
Architecture: x86_64
Install Date: Fri 08 Jun 2018 04:05:13 AM PDT
Group       : System Environment/Base
Size        : 1555941
License     : GPLv2
Signature   : RSA/SHA256, Thu 17 May 2018 06:22:05 AM PDT, Key ID 24c6a8a7f4a80eb5
Source RPM  : iptables-1.4.21-24.1.el7_5.src.rpm
Build Date  : Wed 16 May 2018 01:13:52 AM PDT
Build Host  : c1bm.rdu2.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.netfilter.org/
Summary     : Tools for managing Linux kernel packet filtering capabilities
Description :
The iptables utility controls the network packet filtering code in the
Linux kernel. If you need to set up firewalls and/or IP masquerading,
you should install this package.
Name        : iptables-services
Version     : 1.4.21
Release     : 24.1.el7_5
Architecture: x86_64
Install Date: Fri 08 Jun 2018 04:09:42 AM PDT
Group       : System Environment/Base
Size        : 26017
License     : GPLv2
Signature   : RSA/SHA256, Thu 17 May 2018 06:22:08 AM PDT, Key ID 24c6a8a7f4a80eb5
Source RPM  : iptables-1.4.21-24.1.el7_5.src.rpm
Build Date  : Wed 16 May 2018 01:13:52 AM PDT
Build Host  : c1bm.rdu2.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.netfilter.org/
Summary     : iptables and ip6tables services for iptables
Description :
iptables services for IPv4 and IPv6

This package provides the services iptables and ip6tables that have been split
out of the base package since they are not active by default anymore.
Name        : iptables
Version     : 1.4.21
Release     : 18.3.el7_4
Architecture: x86_64
Install Date: Wed 28 Mar 2018 09:57:49 PM PDT
Group       : System Environment/Base
Size        : 1556341
License     : GPLv2
Signature   : RSA/SHA256, Thu 08 Mar 2018 06:20:29 AM PST, Key ID 24c6a8a7f4a80eb5
Source RPM  : iptables-1.4.21-18.3.el7_4.src.rpm
Build Date  : Wed 07 Mar 2018 05:24:48 AM PST
Build Host  : x86-01.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.netfilter.org/
Summary     : Tools for managing Linux kernel packet filtering capabilities
Description :
The iptables utility controls the network packet filtering code in the
Linux kernel. If you need to set up firewalls and/or IP masquerading,
you should install this package.
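
The offset check TrevorH describes (find the pattern in the hexdump, then feed that byte position to --from/--to in decimal), applied to the DNS "ANY" query for "." that Al_Stu describes, as an added Python example that is not code from either poster. It builds a constructed IPv4/UDP/DNS packet, decodes the iptables --hex-string syntax, and reports where the 5-byte pattern sits counting from the IP header (where tcpdump -X without -e starts, and where xt_string counts from) versus counting from the front of a 14-byte Ethernet header; the window check assumes the pattern must lie inside packet[from:to] and simplifies the exact boundary handling.

```python
import struct

# Constructed sample packet (not a capture from the thread): IPv4 + UDP + a DNS
# query for the root name "." with QTYPE ANY (255) and QCLASS IN (1).
def build_dns_any_root_query(txid=0x1234):
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # header: RD set, 1 question
    dns += b"\x00" + struct.pack("!HH", 255, 1)            # name ".", QTYPE ANY, QCLASS IN
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)  # UDP checksum left 0 (filler)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(dns), 0, 0x4000,
                     64, 17, 0, bytes([192, 0, 2, 4]), bytes([192, 0, 2, 6]))
    return ip + udp + dns

def parse_hex_string(spec):
    """Decode iptables --hex-string syntax: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)

def offsets(packet, spec, link_header_len=14):
    """Offset of the pattern counted from the IP header, and counted from an Ethernet
    frame start (the view a capture with link-layer headers gives). -1 if absent."""
    ip_off = packet.find(parse_hex_string(spec))
    return ip_off, (ip_off + link_header_len if ip_off >= 0 else -1)

def xt_string_match(packet, spec, from_=0, to=65535):
    """Mimic the xt_string window: --from/--to are decimal byte offsets counted from
    the IP header; the pattern must fall inside packet[from_:to] (assumed semantics)."""
    return packet[from_:to].find(parse_hex_string(spec)) != -1

if __name__ == "__main__":
    pkt = build_dns_any_root_query()
    ip_off, eth_off = offsets(pkt, "|0000ff0001|")
    print(f"pattern at {ip_off} (0x{ip_off:x}) from the IP header, "
          f"{eth_off} (0x{eth_off:x}) if a 14-byte Ethernet header is counted too")
    for start in (32, 40, 41, 50):   # 0x32 == 50 and 0x36 == 54 are the thread's numbers
        print(f"--from {start}: match={xt_string_match(pkt, '|0000ff0001|', start)}")
```

Run against a real capture, replace the constructed packet with the bytes from a tcpdump -X -s0 dump and compare the reported offset with the one that makes the -j LOG rule fire.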
