
DROPping inbound packets not marked

Jason Hill
2013-02-23
2013-02-27
  • Jason Hill
    2013-02-23

    I'm not sure if what I describe below is a bug or intended behaviour, so I thought I'd post it as a discussion topic.

    Is the behaviour of always DROPping inbound packets that match a blocklist regardless of the REJECT setting deliberate?

    The way I read the following comment in the config file makes me think that both outbound and inbound packets should be MARKed if REJECT=1. However, this is not what is happening on my CentOS 6 system. Marks for outbound. Drops immediately for inbound.

    # Set what happens to matched packets (IP is in the blocklist).
    # 0 - DROP them directly (as in MoBlock 0.8).
    # 1 - MARK them. Further iptables rules decide what happens to them. E.g. this
    #     allows to REJECT packets to avoid the long timeout, which occurs when
    #     packets are DROPped, see below. This setting is also necessary for
    #     iptables logging to syslog, see below.
    REJECT="1"
    

    I'm using default config, specifically:

    REJECT="1"
    REJECT_MARK="10"
    REJECT_IN="DROP"
    REJECT_OUT="REJECT"
    REJECT_FWD="DROP"
    ACCEPT="1"
    ACCEPT_MARK="20"
    

    I would like to see packets marked for onward interrogation by iptables rules for both inbound and outbound traffic.

    It works perfectly for outbound traffic: packets in the blocklist are set to NF_REPEAT and show up in the marked 0xa rule (5th rule below) - I can see at a glance how many packets have been dropped (652 in this case):

    # iptables -vxnL pgl_out
    Chain pgl_out (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 RETURN     all  --  *      *       0.0.0.0/0            192.168.4.0/24
          18     1147 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/24
           0        0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.254
        2623   157380 RETURN     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
         652    39684 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0xa reject-with icmp-port-unreachable
           0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           destination IP range 184.73.221.81-184.73.221.81
           5      300 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           destination IP range 85.17.177.202-85.17.177.202
           0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           destination IP range 137.254.16.0-137.254.16.255
       63902  3836369 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 92
    

    However, the marked 0xa rule for inbound traffic doesn't trigger... the rule does not match, even though packets that are in the blocklist are dropped correctly (I've checked) (4th rule below):

    # iptables -vxnL pgl_in
    Chain pgl_in (1 references)
        pkts      bytes target     prot opt in     out     source               destination
          66     9300 RETURN     all  --  *      *       192.168.4.0/24       0.0.0.0/0
         225    16981 RETURN     all  --  *      *       192.168.0.0/24       0.0.0.0/0
        2584   155040 RETURN     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
           0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0xa
           0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           source IP range 184.73.221.81-184.73.221.81
           0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           source IP range 85.17.177.202-85.17.177.202
           0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           source IP range 137.254.16.0-137.254.16.255
       17982  1047832 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 92
    

    Looked through the code and it appears inbound connections that are in the blocklist are dropped regardless of any configuration setting. Made a patch:

    --- pgld.c.orig 2012-08-05 18:45:05.000000000 +0100
    +++ pgld.c      2013-02-23 13:02:35.669073397 +0000
    @@ -425,7 +425,11 @@
             case NF_IP_LOCAL_IN:
                 found_range = blocklist_find(ntohl(ip->saddr));
                 if (found_range) {
    +              if (reject_mark) {
    +                status = nfq_set_verdict_mark(qh, id, NF_REPEAT, reject_mark, 0, NULL);
    +              } else {
                     status = nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
    +              }
                     found_range->hits++;
                     setipinfo(src, dst, proto, ip, payload);
     #ifndef LOWMEM
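Review bot: the added `if (reject_mark) {`, `} else {` and `}` lines are indented two columns less than the `status = nfq_set_verdict(...)` line they now wrap, and neither branch body is indented relative to its `if`; reindent the three added lines and the existing `status =` line so the block reads as one nested statement. Also worth confirming that the `reject_mark` passed to `nfq_set_verdict_mark()` here is in the same byte order the existing outbound branch uses, since libnetfilter_queue expects that argument in network byte order. Note too that the NF_REPEAT verdict relies on the `mark match 0xa` rule sitting ahead of the NFQUEUE rule in pgl_in (as it does in the listings above); otherwise the re-injected packet is queued to pgld again.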
    

    Now packets are showing up in the match 0xa rule as I would expect:

    # iptables -vxnL pgl_in
    Chain pgl_in (1 references)
        pkts      bytes target     prot opt in     out     source               destination
          66     9300 RETURN     all  --  *      *       192.168.4.0/24       0.0.0.0/0
         241    17676 RETURN     all  --  *      *       192.168.0.0/24       0.0.0.0/0
        2872   172320 RETURN     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        4569   266191 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0xa
           0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           source IP range 184.73.221.81-184.73.221.81
           0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           source IP range 85.17.177.202-85.17.177.202
           0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           source IP range 137.254.16.0-137.254.16.255
       20018  1167221 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 92
    

    This is the behaviour I would like to see.

    Last edit: Jason Hill 2013-02-23
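A small check of the kind used in this thread, added here as an example (not pgl's code and not from the original post): it parses `iptables -vxnL` output for a chain, confirms the `mark match` rule for REJECT_MARK sits ahead of the NFQUEUE rule (so a marked NF_REPEAT packet is not queued again), and returns how many packets hit it. The listing is a constructed sample based on the post-patch pgl_in output above; the rule correctly placed but its counter stuck at zero is the pre-patch symptom, where pgld dropped inside the queue instead of marking.

```python
# Added example (not pgl's own code): parse `iptables -vxnL <chain>` output and
# verify the REJECT_MARK rule is placed ahead of the NFQUEUE rule.

# Constructed sample, based on the post-patch pgl_in listing in the thread.
PGL_IN_LISTING = """\
Chain pgl_in (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      66     9300 RETURN     all  --  *      *       192.168.4.0/24       0.0.0.0/0
     241    17676 RETURN     all  --  *      *       192.168.0.0/24       0.0.0.0/0
    2872   172320 RETURN     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4569   266191 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0xa
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           source IP range 184.73.221.81-184.73.221.81
   20018  1167221 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 92
"""

def parse_chain(listing):
    """Return the rules of one chain, in order, as dicts of the -vxnL columns."""
    rules = []
    for line in listing.splitlines():
        fields = line.split(None, 9)  # pkts bytes target prot opt in out src dst [extra]
        if len(fields) < 9 or not fields[0].isdigit():
            continue  # skips the "Chain ..." and column-header lines
        rules.append({
            "pkts": int(fields[0]), "bytes": int(fields[1]), "target": fields[2],
            "in": fields[5], "out": fields[6], "src": fields[7], "dst": fields[8],
            "extra": fields[9] if len(fields) > 9 else "",
        })
    return rules

def check_mark_handling(listing, reject_mark):
    """Locate the rule matching REJECT_MARK and the NFQUEUE rule.

    Returns (mark_rule_index, nfqueue_index, marked_pkts, ordering_ok).
    ordering_ok is True only when the mark rule precedes the NFQUEUE rule;
    otherwise a packet re-injected with NF_REPEAT would be queued to pgld again.
    A correct order but a marked_pkts count that never grows is the pre-patch
    symptom from the thread: pgld issued NF_DROP in the queue instead of marking."""
    rules = parse_chain(listing)
    needle = "mark match %#x" % reject_mark  # iptables prints the mark in hex (10 -> 0xa)
    mark_idx = next((i for i, r in enumerate(rules) if needle in r["extra"]), None)
    nfq_idx = next((i for i, r in enumerate(rules) if r["target"] == "NFQUEUE"), None)
    marked_pkts = rules[mark_idx]["pkts"] if mark_idx is not None else 0
    ordering_ok = mark_idx is not None and nfq_idx is not None and mark_idx < nfq_idx
    return mark_idx, nfq_idx, marked_pkts, ordering_ok

if __name__ == "__main__":
    print(check_mark_handling(PGL_IN_LISTING, 10))  # (3, 5, 4569, True)
```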
  • jre-phoenix
    2013-02-27

    Thanks, I had already applied a patch to moblock years ago implementing this. Maybe I forgot something or it was lost.

    So I applied your patch, thanks. It's already in the git repository.

  • Jason Hill
    2013-02-27

    Awesome. Thanks!