Wednesday 27 January 2021

Re: iptables-legacy + iptables-nft = iptables-broken ?

OK... I think I found the issue... sorry for the noise.

TL/DR version:

All the iptables targets working in compatibility mode (-j NFLOG, -j TRACE, etc.) might face issues and not work correctly when using nf-tables by default (nft_compat -> x_tables over nftables).

Explanation:

If I execute my tool with "iptables-legacy" and have an iptables-legacy-rules-only firewall... it works perfectly. Now, if I have an iptables-nft-rules-only firewall and run my tool with "iptables-nft"... it does not work:

TCPv4 [ 1] src = 10.250.97.1 (port=1024) to dst = 10.250.97.143 (port=22) (confirmed)
table: mangle, chain: OUTPUT, type: rule, position: 4
table: mangle, chain: POSTROUTING, type: policy
table: filter, chain: OUTPUT, type: rule, position: 4
TCPv6 [ 0] src = fe80::da:ddff:fe1a:bcd (port=1024) to dst = fe80::5054:ff:fe8d:ad04 (port=22) (confirmed)
table: mangle, chain: OUTPUT, type: rule, position: 4
table: mangle, chain: POSTROUTING, type: policy
table: filter, chain: OUTPUT, type: rule, position: 4

versus

TCPv4 [ 1] src = 10.250.97.1 (port=1024) to dst = 10.250.97.143 (port=22) (confirmed)
table: mangle, chain: OUTPUT, type: policy
table: mangle, chain: POSTROUTING, type: policy
table: filter, chain: OUTPUT, type: policy
TCPv6 [ 5] src = fe80::da:ddff:fe1a:bcd (port=1024) to dst = fe80::5054:ff:fe8d:ad04 (port=22) (confirmed)
table: mangle, chain: OUTPUT, type: policy
table: mangle, chain: POSTROUTING, type: policy
table: filter, chain: OUTPUT, type: policy

meaning that in the latter case the flow was said to be processed by:

Table: filter, chain: OUTPUT default policy

but if we look closely:

$ sudo iptables -t filter -L OUTPUT -n --line-numbers
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT icmpv6 -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0

So it is hard to understand if the flow was processed by:

Table: filter, chain: OUTPUT default policy OR

Table: filter, chain: OUTPUT, rule: #4

Let's remove the rule:

$ sudo iptables -t filter -D OUTPUT -p tcp -j ACCEPT

and yes, the flow stops working.

It means that the TRACE iptables target cannot work with nf-tables (or nf-tables-compat). I'll have to use nf-tables tracing features eventually.

Cheers o/

-rafaeldtinoco

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
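Added example, not part of the post above and not the author's tool: a small shell helper that does what the last paragraph of the post proposes, i.e. uses native nftables tracing (`meta nftrace set 1` plus `nft monitor trace`) instead of the iptables TRACE target, and then reads the trace back to tell "accepted by rule #N" apart from "accepted by the chain policy", which is exactly the ambiguity the two outputs in the post show. The `inet trace` table and chain names, the trace ids and the sample `nft monitor trace` lines are constructed for illustration; only the parser runs here, no root or nft binary is needed.

```shell
#!/bin/sh
# Added example, not from the original post: native nftables tracing for one
# flow, plus a parser that tells "accepted by rule" from "accepted by policy".
# Table/chain names, trace ids and the sample trace lines are assumptions.

# Print the nft commands that flag one outgoing TCP flow for tracing.
# The flag is set in a raw-priority output chain so every later chain in the
# output path (mangle, filter, ...) shows up in `nft monitor trace`.
# Usage (as root): nft_trace_cmds 10.250.97.143 22 | sh ; nft monitor trace
nft_trace_cmds() {
    daddr=$1
    dport=$2
    printf '%s\n' \
        "nft add table inet trace" \
        "nft add chain inet trace out '{ type filter hook output priority -300; }'" \
        "nft add rule inet trace out ip daddr $daddr tcp dport $dport meta nftrace set 1"
}

# Read `nft monitor trace` output on stdin and, for the given trace id, print
# one line per chain in the same shape as the tool output quoted in the post:
#   table: <table>, chain: <chain>, type: rule     (a rule gave a final verdict)
#   table: <table>, chain: <chain>, type: policy   (fell through to chain policy)
# Rule lines whose verdict is "continue" (e.g. a bare counter rule) are not
# final and are ignored.
classify_trace() {
    awk -v id="$1" '
        $1 == "trace" && $2 == "id" && $3 == id {
            tbl = $5; chain = $6
            if ($7 == "rule") {
                verdict = $NF; sub(/\)$/, "", verdict)   # "(verdict accept)" -> accept
                if (verdict != "continue")
                    printf "table: %s, chain: %s, type: rule\n", tbl, chain
            } else if ($7 == "policy") {
                printf "table: %s, chain: %s, type: policy\n", tbl, chain
            }
        }'
}

# Constructed sample of what `nft monitor trace` prints for two flows under an
# iptables-nft "filter" table with policy DROP: the first (TCP/22) hits an
# ACCEPT rule, the second (GRE) only matches a counter rule and ends at the
# chain policy.
SAMPLE_TRACE='trace id 3a2b1c ip filter OUTPUT packet: oif "eth0" ip saddr 10.250.97.1 ip daddr 10.250.97.143 ip protocol tcp tcp sport 1024 tcp dport 22
trace id 3a2b1c ip filter OUTPUT rule meta l4proto tcp counter packets 1 bytes 60 accept (verdict accept)
trace id 9f8e7d ip filter OUTPUT packet: oif "eth0" ip saddr 10.250.97.1 ip daddr 10.250.97.143 ip protocol gre
trace id 9f8e7d ip filter OUTPUT rule counter packets 1 bytes 60 (verdict continue)
trace id 9f8e7d ip filter OUTPUT verdict continue
trace id 9f8e7d ip filter OUTPUT policy drop'

# Stand-alone demonstration on the constructed sample.
for id in 3a2b1c 9f8e7d; do
    echo "trace $id:"
    printf '%s\n' "$SAMPLE_TRACE" | classify_trace "$id"
done
```

The rule line carries its own verdict in parentheses, so a chain can be classified without guessing from `iptables -L` whether rule #4 or the policy fired; on a real box, feed `nft monitor trace` straight into `classify_trace` with the id printed on the packet line.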