grsecurity forums

[madcat]

Hi. I'm trying to set up iptables 1.4.2 (from debian lenny) with stealth support but i see there are a lot of changes from grsec patch 1.4.0.
Has someone managed to change it and use it with new versions of iptables?
Cheers
Marco

[Oscon]

Maybe, it helps for you.

[madcat]

Thank you. But have you tried it? Does it work for you?
When i try to add this rule:

iptables -A INPUT -i eth1 -p tcp -m stealth -j DROP

i get oops:

BUG: unable to handle kernel paging request at 00263450
IP: [<00263400>] 0x263400
*pde = 00000000
Oops: 0000 [#1]
last sysfs file: /sys/class/net/lo/operstate

Pid: 6013, comm: iptables Not tainted (2.6.28.7-grsec #2) VT8363
EIP: 0060:[<00263400>] EFLAGS: 00010206 CPU: 0
EAX: e7bcddd4 EBX: e7bcddd4 ECX: c0c35d8c EDX: 00263400
ESI: 00000000 EDI: 00000006 EBP: e1b75904 ESP: e7bcdd7c
DS: 0068 ES: 0068 FS: 0000 GS: 0033 SS: 0068
Process iptables (pid: 6013, ti=e7bcc000 task=e79f4380 task.ti=e7bcc000)
Stack:
0022ab70 00b75906 e1b75894 00000000 e1b75894 00260d37 00000000 e1b75bb4
e60cfd80 0000000e e7bcde4c 00000094 00000005 00000010 00000070 00000000
e7bcde4c e1b75800 c0c35618 e1b75890 00000002 00000002 e7bcde4c e1b75894
Call Trace:
[<0022ab70>] 0x22ab70
[<00260d37>] 0x260d37
[<00261016>] 0x261016
[<0026099b>] 0x26099b
[<00012dd0>] 0x012dd0
[<00012d0a>] 0x012d0a
[<00007265>] 0x007265
[<002205d2>] 0x2205d2
[<00220602>] 0x220602
[<002390df>] 0x2390df
[<001f0b7d>] 0x1f0b7d
[<001ef16a>] 0x1ef16a
[<001f08be>] 0x1f08be
[<00003eb2>] 0x003eb2
Code: 8b 40 48 39 c2 77 12 89 f0 89 ea e8 7c c8 fb ff 89 f0 e8 55 3c fd ff eb 07 89 f0 e8 81 0f f9 ff 83 c4 20 31 c0 5b 5e 5f 5d c3 90 <8b> 42 50 66 83 f8 06 74 06 66 83 f8 11 75 0f f6 42 53 40 75 09
EIP: [<00263400>] SS:ESP 0068:e7bcdd7c
---[ end trace 666382065c7d423a ]---

[Oscon]

i get oops:

I'm using 2.6.27.10-grsec. It works for me it seems without kernel BUG.

Code: Select all

root@osconsfortress:~# iptables -L -v -n | grep ste
 1531 86536 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           stealth
   63 10728 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           stealth
root@osconsfortress:~# iptables -t mangle -L INPUT -v -n
root@osconsfortress:~# iptables -t mangle -L INPUT -v -n
Chain INPUT (policy ACCEPT 3777K packets, 4899M bytes)
 pkts bytes target     prot opt in     out     source               destination       
root@osconsfortress:~# iptables -t mangle -A INPUT -i eth1 -p tcp -m stealth -j DROP
root@osconsfortress:~# iptables -t mangle -A INPUT -i eth0 -p tcp -m stealth -j DROP
root@osconsfortress:~# iptables -t mangle -A INPUT -i ppp0 -p tcp -m stealth -j DROP
root@osconsfortress:~# iptables -t mangle -A INPUT -i tap0 -p tcp -m stealth -j DROP
root@osconsfortress:~# iptables -t mangle -L INPUT -v -n
Chain INPUT (policy ACCEPT 3777K packets, 4899M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           stealth
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           stealth
    1    40 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           stealth
    0     0 DROP       tcp  --  tap0   *       0.0.0.0/0            0.0.0.0/0           stealth
root@osconsfortress:~# dmesg | tail -1
Real Time Clock Driver v1.12ac
root@osconsfortress:~# uptime
 10:40:38 up 9 days, 33 min,  3 users,  load average: 0.28, 0.55, 0.42
root@osconsfortress:~#


I think your problem is with the kernel_component of iptables_stealth in 2.6.28.7.

Maybe netfilter/xtables subsystem of 2.6.28.y is changed (?). Can you try with 2.6.27.10 ? Does it work for you ?

Maybe this patch causes your problem

[madcat]

I tested 2.6.27.10 and it works if I use stealth rules in the mangle table; if I use stealth in the default table (the filter table) i get an invalid argument error.
So i believe you're right when you say netfilter/xtables subsystem is changed in 2.6.28....
Do you know if there's an easy way to fix it?
Cheers

[Oscon]

I tested 2.6.27.10 and it works if I use stealth rules in the mangle table; if I use stealth in the default table (the filter table) i get an invalid argument error.

Code: Select all

root@osconsfortress:~# iptables -A INPUT -m stealth -j DROP
iptables: Invalid argument
root@osconsfortress:~# iptables -A INPUT -p tcp -m stealth -j DROP
root@osconsfortress:~# iptables -A INPUT -p udp -m stealth -j DROP
root@osconsfortress:~# iptables -V
iptables v1.4.2

it works for me on filter table also, but stealth_extension works only with -p tcp or -p udp.
/stealth has got "result" - sorry i doesn't speak good english - with "ipproto tcp" or "ipproto udp". "default" is return with false/

[madcat]

Not the same for me...

Code: Select all

# iptables -A INPUT -m stealth -j DROP
iptables: Invalid argument
# iptables -A INPUT -p tcp -m stealth -j DROP
iptables: Invalid argument
# iptables -A INPUT -p udp -m stealth -j DROP
iptables: Invalid argument
# iptables -t mangle -A INPUT -p tcp -m stealth -j DROP
# uname -a
Linux caronte 2.6.27.10-grsec #3 Sun Mar 22 16:07:46 CET 2009 i686 GNU/Linux
caronte:~# iptables -V
iptables v1.4.2

Anyway i must say i recompiled debian package iptables adding stealth extensions, maybe there are patches from original sources that change things a bit even if I think odds are low...
If i get iptables stealth extension work with newer kernel i'll let you know...
Marco

[Oscon]

I'm using iptables 1.4.2.orig with debian patches + stealth + layer7.

precompiled binary is here.

Code: Select all

oscon@osconsfortress:/tmp$ sha256sum iptables_1.4.2-6_i386.deb
12d8815d5a170d30271e8b3226d46db51adc02fd13531e9d6a140b79234e279d  iptables_1.4.2-6_i386.deb


Source code is here.

xt_layer7.h is needed to compile for xt_layer7 extension in usr/include/linux/netfilter.

Have you got extra information in kern.log/dmesg for "invalid argument" ?
for example : "stealth: Only works on TCP and UDP for the INPUT chain."

[madcat]

Your layer7 extension it's interesting... anyway yes, anytime the iptable rule says "invalid
argument" i get an "stealth: Only works on TCP and UDP for the INPUT chain." in dmesg. No other message in system or kernel log.
The funny thing is i always get the same error even trying your binary deb package or the one build from your sources. Weird.
Here is my netfilter config (no support for modules):

Code: Select all

#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
# CONFIG_NF_CT_PROTO_DCCP is not set
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_CT_PROTO_UDPLITE=y
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=y
# CONFIG_NF_CONNTRACK_H323 is not set
CONFIG_NF_CONNTRACK_IRC=y
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NF_CT_NETLINK=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_DSCP=y
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
CONFIG_NETFILTER_XT_TARGET_RATEEST=y
CONFIG_NETFILTER_XT_TARGET_TRACE=y
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_DCCP=y
CONFIG_NETFILTER_XT_MATCH_DSCP=y
CONFIG_NETFILTER_XT_MATCH_ESP=y
CONFIG_NETFILTER_XT_MATCH_HELPER=y
CONFIG_NETFILTER_XT_MATCH_IPRANGE=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_OWNER=y
CONFIG_NETFILTER_XT_MATCH_POLICY=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
CONFIG_NETFILTER_XT_MATCH_QUOTA=y
CONFIG_NETFILTER_XT_MATCH_RATEEST=y
CONFIG_NETFILTER_XT_MATCH_REALM=y
CONFIG_NETFILTER_XT_MATCH_SCTP=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_TIME=y
CONFIG_NETFILTER_XT_MATCH_U32=y
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y

#
# IP: Netfilter Configuration
#
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_RECENT is not set
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_AH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_MATCH_STEALTH=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_NF_NAT=y
CONFIG_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_NF_NAT_SNMP_BASIC=y
CONFIG_NF_NAT_PROTO_UDPLITE=y
CONFIG_NF_NAT_PROTO_SCTP=y
CONFIG_NF_NAT_FTP=y
CONFIG_NF_NAT_IRC=y
CONFIG_NF_NAT_TFTP=y
# CONFIG_NF_NAT_AMANDA is not set
# CONFIG_NF_NAT_PPTP is not set
# CONFIG_NF_NAT_H323 is not set
# CONFIG_NF_NAT_SIP is not set
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_TTL=y
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_SECURITY=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
# CONFIG_IP_DCCP is not set
CONFIG_IP_SCTP=y
# CONFIG_SCTP_DBG_MSG is not set
# CONFIG_SCTP_DBG_OBJCNT is not set
# CONFIG_SCTP_HMAC_NONE is not set
# CONFIG_SCTP_HMAC_SHA1 is not set
CONFIG_SCTP_HMAC_MD5=y
# CONFIG_TIPC is not set
# CONFIG_ATM is not set
# CONFIG_BRIDGE is not set
# CONFIG_VLAN_8021Q is not set
# CONFIG_DECNET is not set
# CONFIG_LLC2 is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
CONFIG_NET_SCHED=y


If you see something strange let me know.
Thank you.

[Oscon]

The funny thing is i always get the same error even trying your binary deb package or the one build from your sources. Weird.
Here is my netfilter config (no support for modules):

an example netfilter config is here.

Your kernel is a bit strange:

Linux caronte 2.6.27.10-grsec #3

- Why three compile #3 ?
- without modules ?

Maybe a new, clear recompiled kernel ? after

Code: Select all

make-kpkg clean

or can you try with modules ?

which gcc have you got ?

Code: Select all

gcc version 4.3.2 (Debian 4.3.2-1.1)


you can delete from iptables source/extension (xt_layer7.c and xt_layer7.man). It doesn't conflict with grsec-stealth.

offtopic: layer7 is only an other "3rd netfilter extension". I found here. /offtopic

[madcat]

Sorry, it was snort-inline that didn't like new iptables stealth rules. Disabling iptables queue to snort-inline fixed the problem at least with kernel 2.6.27.10.
Still the oops with newer kernels (2.6.28) are the same.... when i'll have more time i'll try to find out what is changed and how to fix stealth module.
Thank you

[Oscon]

Sorry, it was snort-inline that didn't like new iptables stealth rules. Disabling iptables queue to snort-inline fixed the problem at least with kernel 2.6.27.10.
Still the oops with newer kernels (2.6.28) are the same.... when i'll have more time i'll try to find out what is changed and how to fix stealth module.
Thank you

There is 2.6.29-grsec patch.
It seems spender modified iptables_stealth.c.

[madcat]

Great! I backported ipt_stealth.c from 2.6.29-grsec patch into the latest 2.12 patch of 2.6.28-grsec kernel (i don't want to use 2.6.29 in production yet) and stealth match works fine with the patch of iptables you gave me.
So everything is fixed! Great job guys!
Cheers