iptables stealth on kernel 2.6

PostPosted: Thu Apr 26, 2007 3:20 am
by vik
Hello,

I built a kernel 2.6.20.7 with grsecurity-2.1.10-2.6.20.7-200704241759.patch and iptables 1.3.7 with grsecurity-iptables-1.3.5.patch.

With no iptables rules at all, after:

    iptables -A INPUT -p tcp -m stealth -j REJECT

I get "Connection refused" on all open tcp ports. Already established connections work ok.
The same thing with udp, no answer from the dns server after:

    iptables -A INPUT -p udp -m stealth -j REJECT

In kernel config, stealth match support is enabled as built in.

Thanks in advance,
Victor

same on 2.6.21

PostPosted: Mon May 14, 2007 9:33 am
by vik
The same on 2.6.21.1-grsec (grsecurity-2.1.10-2.6.21-200705071727.patch).

These two rules used to work for many years as the first ones in INPUT:

    iptables -A INPUT -p tcp -m stealth -j DROP
    iptables -A INPUT -p udp -m stealth -j DROP

They still work on some servers, the newest one with a 2.6.17.11-grsec. I don't know when they started to consider all ports stealth, even when some software listens there.

Is this a bug or is there something changed and I should use it in some other way?

Thanks,
Victor
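To pin down the behaviour the posts above expect from the stealth match, here is an added reference model in Python (my own illustration, not grsecurity's or iptables' code): a packet should match only when it starts a new flow (a TCP SYN without ACK, or a UDP datagram) to a local port that has no listening socket, and the listening ports are read from /proc/net/tcp and /proc/net/udp. That reading of the match semantics is an assumption drawn from the thread, and the /proc/net samples and port numbers are constructed.

```python
from dataclasses import dataclass

# Constructed /proc/net/tcp and /proc/net/udp excerpts: hex local addr:port, st 0A = LISTEN,
# 01 = ESTABLISHED, 07 = unconnected UDP socket (bound, i.e. "listening" for our purposes).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0 100 0 0 10 0
   2: 0A000002:0016 0A000003:C123 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 0 20 4 30 10 -1
"""
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   5: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1300 2 0 0
"""
TCP_LISTEN = 0x0A
UDP_UNCONNECTED = 0x07


def listening_ports(proc_text: str, want_state: int) -> set:
    """Return the local ports whose socket is in want_state, parsed from a /proc/net dump."""
    ports = set()
    for line in proc_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], int(fields[3], 16)
        if state == want_state:
            ports.add(int(local_addr.split(":")[1], 16))
    return ports


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    dport: int
    syn: bool = False   # TCP flags; SYN without ACK is a new connection attempt
    ack: bool = False


def stealth_matches(pkt: Packet, tcp_listen: set, udp_bound: set) -> bool:
    """Intended semantics (assumed): fire only for a new flow to a port nothing listens on."""
    if pkt.proto == "tcp":
        if not (pkt.syn and not pkt.ack):  # established traffic and handshake replies never match
            return False
        return pkt.dport not in tcp_listen
    if pkt.proto == "udp":
        return pkt.dport not in udp_bound
    return False


def apply_stealth_rules(packets, tcp_listen: set, udp_bound: set) -> list:
    """Mirror the two INPUT rules from the thread: a stealth match gets DROP, the rest fall through."""
    return ["DROP" if stealth_matches(p, tcp_listen, udp_bound) else "pass" for p in packets]
```

With the regression the thread describes, every SYN and every UDP datagram would come back as DROP regardless of the listener sets; the model above is what a non-regressed build should produce.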

200706042125 patch

PostPosted: Fri Jun 15, 2007 2:33 am
by vik
I feel like talking to myself here...

I have just installed a 64bit system with kernel 2.6.21.5-grsec (grsecurity-2.1.10-2.6.21.3-200706042125.patch). Stealth matches any new packet.

PostPosted: Mon Jun 18, 2007 8:18 pm
by spender
Hi vik,

The latest test patch should resolve this issue. Let me know if you still have problems with it.

-Brad

Works now

PostPosted: Tue Jun 19, 2007 3:36 am
by vik
Hello,

It is working now on 32bit, I can't test it on 64bit yet. Thanks.

Victor