
I have the following rules in INPUT chain:

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -j DROP

It is dead simple: traffic from private addresses is allowed, the rest is dropped. If I attempt a TCP connection from any public address, it is dropped, as expected. However, UDP traffic is allowed through, on any port. What am I missing here? System is Debian 9, kernel version 4.9.30-2+deb9u5.

EDIT: I was wrong, TCP traffic passes through as well (it was blocked elsewhere). So with these rules, all traffic is accepted. How is this possible?

EDIT 2: I was wrong again, my testing method was flawed. Some connections were getting through at one point, but the only logical explanation is that they were already established, which was resolved after I rebooted the machine. Thanks for the help, everybody.

  • Is UDP traffic destined to this same machine (configured with these rules)? What is the source IP/net of UDP traffic? – Khaled Jan 14 '18 at 08:58
  • @Khaled Yes, UDP traffic is destined for this machine. Source IP can be any public IP, currently I am testing from 82.214.97.81. – Nikša Baldun Jan 14 '18 at 09:10
  • 2
    How are you testing this? How are you seeing the UDP traffic? Have you looked at your iptables counters to see which rule is permitting the traffic? And is this really 'all of your rules? What do you see with `iptables -nvL` – Zoredache Jan 14 '18 at 09:14
  • @Zoredache These are all the rules in INPUT chain. I am testing with tcpdump. I checked the counters, and only the counters for the first rule change, so it has to be that one. But these connections are neither related nor established. I am trying random ports with netcat. – Nikša Baldun Jan 14 '18 at 09:25
  • 3
    Are you testing this only via tcpdump because tcpdump will see all the packets, even those that are supposed to be dropped by the firewall. More information here https://serverfault.com/questions/233302/will-tcpdump-see-packets-that-are-being-dropped-by-iptables – termcap Jan 14 '18 at 09:40
  • @termcap I was able to register to SIP account on this machine, that is what prompted this. But later I only tested with tcpdump, and I obviously had a false assumption about it. I need to test again. – Nikša Baldun Jan 14 '18 at 09:51
  • Shouldn't the chain be FORWARD rather than INPUT? FORWARD covers the routing of packets. INPUT only covers packets destined to the firewall itself. I mention this because you talk about "UDP traffic is allowed through...", which indicates to me it is doing some kind of routing? – parkamark Jan 14 '18 at 09:53
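The thread's advice is to trust the iptables per-rule counters rather than tcpdump, which captures packets before the filter decides their fate. The script below is an added example (not part of the question or any comment) of doing that check: it diffs two snapshots of `iptables -nvL INPUT -x` output, one taken before and one after sending test traffic, and reports which rules' packet counters moved. The two snapshots embedded here are constructed sample output in the format iptables prints, with counters chosen to mirror the asker's situation (only the RELATED,ESTABLISHED rule, plus the final DROP, seeing hits); on a real host you would capture them with `iptables -nvL INPUT -x > before.txt` and `... > after.txt` around your netcat test.

```shell
#!/bin/sh
# Added example: locate the iptables rule that is matching test traffic by
# diffing per-rule packet counters instead of watching tcpdump.
# Run as: sh counter_diff.sh   (needs only sh, awk, sort, cut; no root)

# Constructed sample of `iptables -nvL INPUT -x` BEFORE sending test traffic.
# -x prints exact counters (no K/M suffixes), which keeps the arithmetic simple.
BEFORE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     100     8000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       2      120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
      10      600 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       10.0.0.0/8           0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       172.16.0.0/12        0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       192.168.0.0/16       0.0.0.0/0
      50     3000 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample AFTER the test: rule 1 took 3 packets, the final DROP took 2.
AFTER='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     103     8240 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       2      120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
      10      600 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       10.0.0.0/8           0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       172.16.0.0/12        0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       192.168.0.0/16       0.0.0.0/0
      52     3120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# rule_deltas BEFORE AFTER
# Prints one line per rule whose packet counter increased: "<rule#> <target> +<delta>".
# Rule numbers match `iptables -nvL --line-numbers`; header lines are skipped
# because their first field is not numeric.
rule_deltas() {
  printf '%s\n---\n%s\n' "$1" "$2" | awk '
    BEGIN { section = 1; n = 0 }
    /^---$/ { section = 2; n = 0; next }          # separator between snapshots
    $1 ~ /^[0-9]+$/ {
      n++
      if (section == 1) {
        before[n] = $1                             # remember pkts from first snapshot
      } else {
        delta = $1 - before[n]                     # $1 = pkts, $3 = target
        if (delta > 0) printf "%d %s +%d\n", n, $3, delta
      }
    }'
}

# biggest_hit BEFORE AFTER
# Prints the number of the rule that absorbed the most packets during the test.
biggest_hit() {
  rule_deltas "$1" "$2" | sort -t'+' -k2 -n -r | head -n 1 | cut -d' ' -f1
}

echo "Rules whose counters moved:"
rule_deltas "$BEFORE" "$AFTER"
echo "Rule matching most of the test traffic: $(biggest_hit "$BEFORE" "$AFTER")"
```

If, as in the question, the only counter that moves is the first rule's, the packets are being classified RELATED or ESTABLISHED by conntrack; `conntrack -L` (from conntrack-tools) lists the state table entries that are making that match, and clearing stale entries or rebooting, as the asker eventually did, removes them.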

0 Answers