Mailinglist Archive: opensuse-security (757 mails)

iptables-save bug with tcp-reset ?
  • From: Karsten Schell <efbiei@xxxxxx>
  • Date: Thu, 24 Jan 2002 16:21:30 +0100
  • Message-id: <200201241516.QAA09620@xxxxxxxxxxxxxxxxxxxxxxxxx>
Hi people!

I am using Susefirewall2. In the customary rules I added the 2 lines
iptables -A input_ext -j LOG -p tcp --dport 113
iptables -A input_ext -j REJECT -p tcp --reject-with tcp-reset --dport 113
to secure the identd port.

When I check the rules with SuSEfirewall2 status it looks alright:
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113 flags:0x16/0x02 reject-with tcp-reset

but with
iptables-save|more
I find

-A input_dmz -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j REJECT
--reject-with reject-with
^^^^^^^^^^^^^^^^^^^^^^here
You see that tcp-reset is replaced by reject-with

Since this rule seems to be working alright, is this a bug in iptables-save???


Here is the interesting part.
fw_custom_before_port_handling() { # could also be named "after_antispoofing()"
    # these rules will be loaded after the anti-spoofing and icmp handling
    # but before any IP protocol or TCP/UDP port allow/protection rules
    # will be set.
    # You can use this hook to allow/deny certain IP protocols or TCP/UDP
    # ports before the SuSEfirewall2 generated rules are hit.

    # log identd (113) connection attempts, then reject them with a TCP RST
    iptables -A input_ext -j LOG -p tcp --dport 113
    iptables -A input_ext -j REJECT -p tcp --reject-with tcp-reset --dport 113

    # example: always filter backorifice/netbus trojan connect requests and log them.
    for target in LOG DROP; do
        for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do
            iptables -A $chain -j $target -p tcp --dport 31337
            iptables -A $chain -j $target -p udp --dport 31337
            iptables -A $chain -j $target -p tcp --dport 12345:12346
            iptables -A $chain -j $target -p udp --dport 12345:12346
        done
    done

    true
}
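
An added check, not part of the original post: a small Python script that reads iptables-save output and flags every REJECT rule whose --reject-with argument is not one of the reject types iptables accepts, so a dump containing "--reject-with reject-with" like the one quoted above is caught before it is fed to iptables-restore. The sample dump is constructed from the lines in the post; the chain and port names are the poster's.

```python
import shlex

# --reject-with values accepted by the IPv4 REJECT target.
VALID_REJECT_TYPES = {
    "icmp-net-unreachable", "icmp-host-unreachable", "icmp-port-unreachable",
    "icmp-proto-unreachable", "icmp-net-prohibited", "icmp-host-prohibited",
    "icmp-admin-prohibited", "tcp-reset",
}

# Constructed sample in iptables-save format: the malformed REJECT line from
# the post (re-joined onto one line) next to a correctly saved rule.
SAMPLE_DUMP = """\
*filter
:input_dmz - [0:0]
:input_ext - [0:0]
-A input_dmz -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j LOG
-A input_dmz -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with reject-with
-A input_ext -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT
"""


def parse_rule(line):
    """Pick the options this check cares about out of one '-A chain ...' line."""
    tokens = shlex.split(line)
    wanted = {"-A": "chain", "-p": "proto", "--dport": "dport",
              "-j": "target", "--reject-with": "reject_with"}
    rule = {name: None for name in wanted.values()}
    for i, tok in enumerate(tokens[:-1]):
        if tok in wanted:
            rule[wanted[tok]] = tokens[i + 1]  # option value is the next token
    return rule


def check_reject_rules(dump):
    """Return (chain, dport, bad_value) for each REJECT rule whose
    --reject-with argument is not a valid reject type."""
    problems = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("-A"):
            continue  # *table, :CHAIN policy, COMMIT and comment lines
        rule = parse_rule(line)
        if rule["target"] != "REJECT" or rule["reject_with"] is None:
            continue  # no --reject-with means the default icmp-port-unreachable
        if rule["reject_with"] not in VALID_REJECT_TYPES:
            problems.append((rule["chain"], rule["dport"], rule["reject_with"]))
    return problems


if __name__ == "__main__":
    for chain, dport, value in check_reject_rules(SAMPLE_DUMP):
        print(f"{chain} dport {dport}: invalid --reject-with value {value!r}")
```

Run it against a real dump with `iptables-save | python3 check_reject.py`-style piping by replacing SAMPLE_DUMP with sys.stdin.read(); a clean ruleset produces no output.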
