Linux Gentoo 3.13.6-hardened-r3 #1 SMP Sat Apr 12 09:17:25 EDT 2014 x86_64 Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz GenuineIntel GNU/Linux, hardened with grsecurity and SELinux, strict policy in enforcing mode.
These problems existed on Slackware 64 14.0; I moved to Gentoo because Slackware does not support many security features such as SELinux, AppArmor, grsecurity and so on.
The internal box is Windows 7.
I have a question about UDP and NAT, specifically MASQUERADING and FORWARDING. Whenever I have UDP traffic to a particular port, if I shut the service down, or the port stays closed too long while the service restarts, I get a flood of connections coming in on ports >=1024 instead of the port the service runs on. A packet leaves the masqueraded IP from the original port and comes back on a different port on the external IP, yet that packet is somehow still routed to the correct port on the masqueraded IP.
There are udp connections from Windows 7 on both the original service port and the >=1024 ports, but that may be because the bad connections/configuration from the Linux box poisoned the service on the Windows box. So I blocked all outgoing traffic on ports 1024/1025 from the service on the Windows box, since most of the traffic was on those ports.
But the problem persists. I have been trying to solve this for over a month. I posted the question on serverfault.com, where it probably would have been answered, but they moved it to superuser.com, where it never got an answer.
https://superuser.com/questions/718860/why-does-iptables-suddenly-stop-properly-forwarding-packets
tcpdump then reports that these connections are sent from my external IP on ports >=1024, whereas they should have been sent from the original port. However, some connections to different IPs do go out from the correct port. I can only guess that the IPs that work correctly are new connections established after the service was restarted.
These are the relevant iptables rules:
$IPT -t nat -A PREROUTING -i $EXTIF -p udp -m udp --dport 5555 -j DNAT --to-destination $WIN_IP:5555
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$IPT -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -j DEFAULT_FWD_OUT
$IPT -A FORWARD -i $EXTIF -o $INTIF -j DEFAULT_FWD_IN
# To and from my internal masqueraded ip
$IPT -A DEFAULT_FWD_IN -p icmp -m icmp --icmp-type 12 -j ACCEPT
$IPT -A DEFAULT_FWD_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPT -A DEFAULT_FWD_IN -p icmp -m icmp --icmp-type 0/0 -j ACCEPT
$IPT -A DEFAULT_FWD_IN -p icmp -m icmp --icmp-type 11/0 -j ACCEPT
$IPT -A DEFAULT_FWD_IN -p icmp -m icmp --icmp-type 11/1 -j ACCEPT
$IPT -A DEFAULT_FWD_IN -p udp -m udp --dport 5555 -j ACCEPT
$IPT -A DEFAULT_FWD_OUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
$IPT -A DEFAULT_FWD_OUT -p tcp -m tcp -m multiport --dports 21,80,8080,443,143,993,110,995,25,465 -j ACCEPT
$IPT -A DEFAULT_FWD_OUT -p udp -m udp -m multiport --sports 5555,123,53 -j ACCEPT
# To and from my external ip
$IPT -A DEFAULT_IN -p icmp -m icmp --icmp-type 12 -j ACCEPT
$IPT -A DEFAULT_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPT -A DEFAULT_IN -p icmp -m icmp --icmp-type 0/0 -j ACCEPT
$IPT -A DEFAULT_IN -p icmp -m icmp --icmp-type 11/0 -j ACCEPT
$IPT -A DEFAULT_IN -p icmp -m icmp --icmp-type 11/1 -j ACCEPT
$IPT -A DEFAULT_OUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
$IPT -A DEFAULT_OUT -p tcp -m tcp -m multiport --dports 21,80,443,143,993,110,995,25,465 -j ACCEPT
$IPT -A DEFAULT_OUT -p udp -m udp -m multiport --dports 53,123 -j ACCEPT
Conntrack shows the outgoing source port as 5555 and expects it to come back on port 1025.
[UPDATE] udp 17 30 src=MASQUERADED_INTERNAL_IP dst=EXTERNAL_DST_IP sport=5555 dport=39363 src=EXTERNAL_DST_IP dst=MY_EXTERNAL_IP sport=39363 dport=1025
[UPDATE] udp 17 180 src=MASQUERADED_INTERNAL_IP dst=EXTERNAL_DST_IP sport=5555 dport=39363 src=EXTERNAL_DST_IP dst=MY_EXTERNAL_IP sport=39363 dport=1025 [ASSURED]
Tcpdump confirms outgoing connections from my IP with source 1025, where the source should be port 1640. So, understandably, the remote IP wants to talk on port 1025.
21:13:49.191821 IP (tos 0x0, ttl 63, id 4600, offset 0, flags [none], proto UDP (17), length 230)
MY_EXTERNAL_IP.1025 > EXTERNAL_DST_IP.39363: [udp sum ok] UDP, length 202
21:13:51.726037 IP (tos 0x0, ttl 63, id 4679, offset 0, flags [none], proto UDP (17), length 354)
MY_EXTERNAL_IP.1025 > EXTERNAL_DST_IP.39363: [udp sum ok] UDP, length 326
21:13:51.930653 IP (tos 0x0, ttl 63, id 4686, offset 0, flags [none], proto UDP (17), length 538)
MY_EXTERNAL_IP.1025 > EXTERNAL_DST_IP.39363: [udp sum ok] UDP, length 510
I get "a lot" of unreplied messages in conntrack
~# conntrack -E
[DESTROY] udp 17 src=MASQUERADED_INTERNAL_IP dst=EXTERNAL_DST_IP sport=5555 dport=41575 [UNREPLIED] src=EXTERNAL_DST_IP dst=MY_EXTERNAL_IP sport=41575 dport=1025
[DESTROY] udp 17 src=EXTERNAL_DST_IP dst=MY_EXTERNAL_IP sport=16942 dport=5555 [UNREPLIED] src=MASQUERADED_INTERNAL_IP dst=EXTERNAL_DST_IP sport=5555 dport=1026
The masqueraded IP's port should be the same for the port the packet is sent from and the port the reply is expected on. In this case that port is 5555, but the connection comes back on a port >=1024.
I set the MTU to 1300 on both Windows and Linux. That did not stop it.
I originally thought this was the internal workings of how iptables or netfilter handle NAT and masquerading, and that iptables or netfilter forgot how to route the connection. But after thousands of Google searches, these two sites lead me to believe conntrack is the culprit.
http://www.linksysinfo.org/index.php?threads/vpn-build-with-web-gui.27511/page-21#post-131548
http://permalink.gmane.org/gmane.comp.file-systems.openafs.general/30256
This page seems to confirm the suggestion that the UDP timeouts need to be adjusted:
http://en.it-usenet.org/thread/11955/543/
But I tried changing the UDP timeouts:
~ # cat /proc/sys/net/netfilter/nf_conntrack_udp_timeout
30
~ # cat /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream
180
sysctl net.netfilter.nf_conntrack_udp_timeout_stream=28800
sysctl net.netfilter.nf_conntrack_udp_timeout=28800
This link suggests that if the udp timeout is less than the keepalive, the connection has problems; the keepalive may also be part of the cause.
http://www.linksysinfo.org/index.php?threads/vpn-build-with-web-gui.27511/page-21
I have not found anything on keepalive yet, but I suspected the conntrack table might be dirty, so I flushed the conntrack table
conntrack -F
and rebooted. That stopped the flood of connections to ports 1024/1025, but the connections were broken. So after getting everything working again, the problem reappeared. The only way to stop iptables or conntrack or whatever handles outgoing connections from translating the original port to a port >=1024 is to keep flushing the conntrack table and restarting all the network interfaces, because on Gentoo restarting eth0 causes eth1 to fail. I have to do this several times in the hope that everything comes up right in one restart. Also, on Gentoo,
ifconfig eth0 down
ifconfig eth0 up
apparently breaks functionality in other services that I could not track down. My guess is that on Gentoo it triggers dhcp to shut down. The correct way to restart an interface on Gentoo is to run a script which, after looking at it, I was in no mood to decipher.
/etc/init.d/net.eth0 restart
Because of some dependencies in that script, this forces many of my services (some of which take a long time to start) to stop. Because of that script, or I should say because of the services that depend on it, such as snort and barnyard2, both of which take a long time to stop and start, troubleshooting this is very time-consuming.
On Slackware I could just do ifdown eth0, ifup eth0. No need to restart eth1 or reboot the PC, and no need to restart snort or barnyard.
Although I solved my own problem, it comes back the moment I decide to run utorrent again. I stopped running utorrent because I was trying to solve these problems:
http://www.bleepingcomputer.com/forums/t/526523/linux-pc-is-under-some-kind-of-whois-dos-attack/
http://www.bleepingcomputer.com/forums/t/526524/utorrent-seems-to-be-vulnerable-to-dos-attacks/
Basically, when I run it on the Windows PC, it tries to connect to IANA addresses. After stopping utorrent for a while, there are attempts to come in on ports 1024/1025 etc., and the whole internet world seems to think the bittorrent protocol or software uses that port. While that may be true, the connections should "also" go to the port the bittorrent service runs on, and when bittorrent is restarted to recover the connections it should start routing connections back to the intended port; instead only new connections get routed to that port and all the old connections are stuck in a NAT black hole.
Either something is wrong with my setup, or something is wrong with NAT/Conntrack. My guess is both. Not to mention I am constantly bombarded with destination unreachables. Maybe that is related. Can anyone see what I am doing wrong with iptables? Maybe opening up all icmp would fix it, or opening specific types and codes?
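As an added example (not code from the original post), here is a small Python parser for the `conntrack -E` lines shown above. It flags entries where the masqueraded host sent from the service port but the reply tuple expects answers on a different external port, which is exactly the mismatch the post describes, and counts how many of those are UNREPLIED. The sample lines are constructed from the placeholders used in the post; the `OTHER_DST_IP` entry is an assumed "healthy" flow added for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample output in the `conntrack -E` format shown in the post;
# the IP names are the same placeholders the post uses.
SAMPLE_EVENTS = """\
[UPDATE] udp 17 30 src=MASQUERADED_INTERNAL_IP dst=EXTERNAL_DST_IP sport=5555 dport=39363 src=EXTERNAL_DST_IP dst=MY_EXTERNAL_IP sport=39363 dport=1025
[UPDATE] udp 17 180 src=MASQUERADED_INTERNAL_IP dst=EXTERNAL_DST_IP sport=5555 dport=39363 src=EXTERNAL_DST_IP dst=MY_EXTERNAL_IP sport=39363 dport=1025 [ASSURED]
[DESTROY] udp 17 src=MASQUERADED_INTERNAL_IP dst=EXTERNAL_DST_IP sport=5555 dport=41575 [UNREPLIED] src=EXTERNAL_DST_IP dst=MY_EXTERNAL_IP sport=41575 dport=1025
[NEW] udp 17 30 src=MASQUERADED_INTERNAL_IP dst=OTHER_DST_IP sport=5555 dport=12345 [UNREPLIED] src=OTHER_DST_IP dst=MY_EXTERNAL_IP sport=12345 dport=5555
"""

# One key=value field of a conntrack tuple.
FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")

@dataclass
class Flow:
    event: str       # NEW / UPDATE / DESTROY
    orig: dict       # original direction: LAN host -> remote peer
    reply: dict      # reply direction: remote peer -> our external address
    unreplied: bool  # no packet has ever matched the reply tuple
    assured: bool    # traffic seen in both directions

def parse_event(line):
    """Split one event line into its original and reply 4-tuples.
    Returns None for lines that do not carry both tuples."""
    fields = FIELD.findall(line)
    if len(fields) != 8:
        return None
    event = line.split(maxsplit=1)[0].strip("[]")
    return Flow(event, dict(fields[:4]), dict(fields[4:]),
                "[UNREPLIED]" in line, "[ASSURED]" in line)

def find_port_rewrites(text, service_port="5555"):
    """Flows where the LAN host sent from service_port but the reply tuple
    expects answers on a different external port (the >=1024 symptom)."""
    flagged = []
    for line in text.splitlines():
        flow = parse_event(line)
        if flow and flow.orig["sport"] == service_port \
                and flow.reply["dport"] != service_port:
            flagged.append(flow)
    return flagged

def summarize(text, service_port="5555"):
    """Counts worth comparing before and after a conntrack flush."""
    flows = find_port_rewrites(text, service_port)
    return {"rewritten": len(flows),
            "external_ports": sorted({f.reply["dport"] for f in flows}),
            "unreplied": sum(f.unreplied for f in flows)}

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

Piping live output in (`conntrack -E -p udp | python3 script.py` would need a stdin loop in place of the sample text) gives a running count of how many service flows are being mapped to a different external port, and whether those are the ones that never get a reply.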