
Thread: problems with iptables

  #11

    Re: problems with iptables

    Quote Originally Posted by georgschmidt:
    Yes, that works. But why? I thought that with "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" I allow incoming traffic if it is a response to an outgoing one. Since I don't specify an interface, isn't that rule also valid for the lo interface? So the local host can send the response back.
    Or is it because the local host is basically my machine as well, so it doesn't receive the first request, because it is blocked by the INPUT rule? Is my understanding correct that if I send something to local host, I basically send it to myself and it goes through the OUTPUT chain (because it comes from my machine) and the INPUT chain (because my machine also receives it)? So for anything to lo, both INPUT AND OUTPUT policy / rules are valid?
    Thank you very much

    I think the issue is really that the rules apply to the packets without knowledge of the overall topology. It doesn't make the association between the outgoing request and the incoming request.
    There's an outgoing request sent to lo e.g. (127.0.0.1:50001 -> 127.0.0.53:53).
    The matching response (ESTABLISHED,RELATED) would be (127.0.0.53:53 -> 127.0.0.1:50001) so a rule for that is entered into the connection tracking table for that.
    Then an incoming request arrives on lo (127.0.0.1:50001 -> 127.0.0.53:53). That's not the expected response, that's a brand new incoming request, from a different IP and port number. And there's no rule for allowing such incoming requests, so it gets dropped.

    Here's an interesting test: Open 3 terminal sessions. On the first, open a listening port with the command:
    Code:
    netcat -lv -s 127.42.123.66 -p 9999
    Leave that listening and on the second terminal, connect to it (you can type messages between the two):
    Code:
    netcat -v 127.42.123.66 9999
    On the third terminal, look at current tcp connections:
    Code:
    ss -ntp
    You will see two entries for port 9999, one for each end. They have different remote addresses. In this case you're looking in a mirror and talking to yourself (because network 127), but the firewall rules don't know that.
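The bookkeeping The Cog describes (a flow entry is created when the query leaves through OUTPUT, the same packet then re-enters through lo and INPUT, and a packet in the original direction of a flow that has not yet seen a reply is still NEW) can be modelled in a few lines. The following is an added illustration written for this thread, not code from the thread, from iptables or from the kernel: a toy conntrack table plus INPUT/OUTPUT chain evaluation. It assumes the original poster's OUTPUT policy is ACCEPT (the thread only quotes the INPUT rule) and uses the conventional `-A INPUT -i lo -j ACCEPT` as the assumed fix; the addresses and ports are the ones quoted in the reply above.

```python
"""Toy model of how conntrack state and the INPUT/OUTPUT chains see a packet
on the loopback interface. Constructed for this thread: not iptables code and
not a kernel model, only the bookkeeping that matters for the question."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def orig_tuple(self) -> Tuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply_tuple(self) -> Tuple:
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class Conntrack:
    """Flow table keyed by the first-seen (original) 5-tuple.
    The value records whether a reply has been seen for that flow."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple, bool] = {}

    def state(self, pkt: Packet) -> str:
        orig, rev = pkt.orig_tuple(), pkt.reply_tuple()
        if orig in self.entries:
            # original direction: stays NEW until the flow has seen a reply
            return "ESTABLISHED" if self.entries[orig] else "NEW"
        if rev in self.entries:
            # this packet answers an existing flow
            self.entries[rev] = True
            return "ESTABLISHED"
        self.entries[orig] = False  # first packet of a brand-new flow
        return "NEW"


@dataclass(frozen=True)
class Rule:
    target: str
    iface: Optional[str] = None        # -i / -o match; None = any interface
    ctstate: frozenset = frozenset()   # -m conntrack --ctstate; empty = any state


def run_chain(rules: List[Rule], policy: str, pkt: Packet, state: str) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for r in rules:
        if r.iface is not None and r.iface != pkt.iface:
            continue
        if r.ctstate and state not in r.ctstate:
            continue
        return r.target
    return policy


def deliver_on_loopback(fw: dict, ct: Conntrack, pkt: Packet) -> Tuple[str, str, str]:
    """A locally generated packet to 127/8 traverses OUTPUT, is looped back, and
    then traverses INPUT as a received packet. Returns
    (chain that decided, conntrack state seen there, verdict)."""
    state = ct.state(pkt)
    verdict = run_chain(fw["OUTPUT"], fw["OUTPUT_policy"], pkt, state)
    if verdict != "ACCEPT":
        return ("OUTPUT", state, verdict)
    state = ct.state(pkt)  # same packet, same flow, looked up again on receive
    verdict = run_chain(fw["INPUT"], fw["INPUT_policy"], pkt, state)
    return ("INPUT", state, verdict)


def trace_dns_lookup(fw: dict) -> Dict[str, Tuple[str, str, str]]:
    """The stub-resolver exchange from the thread: a query from 127.0.0.1:50001
    to 127.0.0.53:53 and, only if the query got through, its reply."""
    ct = Conntrack()
    query = Packet("lo", "udp", "127.0.0.1", 50001, "127.0.0.53", 53)
    reply = Packet("lo", "udp", "127.0.0.53", 53, "127.0.0.1", 50001)
    out = {"query": deliver_on_loopback(fw, ct, query)}
    if out["query"][2] == "ACCEPT":
        out["reply"] = deliver_on_loopback(fw, ct, reply)
    return out


ESTABLISHED_ONLY = Rule("ACCEPT", ctstate=frozenset({"RELATED", "ESTABLISHED"}))

# Ruleset as quoted in the thread (OUTPUT policy ACCEPT is an assumption).
QUOTED_RULESET = {
    "INPUT": [ESTABLISHED_ONLY], "INPUT_policy": "DROP",
    "OUTPUT": [], "OUTPUT_policy": "ACCEPT",
}

# Same ruleset with the conventional "-A INPUT -i lo -j ACCEPT" first (assumed fix).
WITH_LO_ACCEPT = {
    "INPUT": [Rule("ACCEPT", iface="lo"), ESTABLISHED_ONLY], "INPUT_policy": "DROP",
    "OUTPUT": [], "OUTPUT_policy": "ACCEPT",
}

if __name__ == "__main__":
    for name, fw in (("quoted ruleset", QUOTED_RULESET), ("with -i lo ACCEPT", WITH_LO_ACCEPT)):
        print(name, trace_dns_lookup(fw))
```

With the quoted ruleset the query reaches INPUT in state NEW and hits the DROP policy, so no reply ever exists for the conntrack rule to match. With the loopback accept rule first, the query is delivered, the reply is classified ESTABLISHED on both chains, and it would have been accepted by the conntrack rule even without the lo rule.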

  #12

    Re: problems with iptables

    Thanks, The Cog. Interesting test you posted.

    I explained it to myself with the following analogy. I have iptables protecting my house. Any person entering will go through the input lane, any person going out through the output lane. Whether someone is coming or going is quite clear when this person is coming or going from outside. Localhost is a bit strange, because I am accessing my computer from my computer. In my analogy this would be like walking from one room into another in the same house. Now whether I am coming or leaving is not so clear anymore. I am doing both, so I would go through the output lane and then immediately through the input lane. As you said, the firewall has no idea of the topology; it just sees going out and coming in.
    So the first packet with the DNS request is a NEW request for the input chain, not the response to an established one, hence it gets blocked.
