job.answiz.com

Iptable: “-p udp --states ESTABLISHED”

Let's look at these two iptables rules, which are often used to allow outgoing DNS:

iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 \
   -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp --sport 53 --dport 1024:65535 \
   -m state --state ESTABLISHED -j ACCEPT

My question is: How exactly should I understand the ESTABLISHED state in UDP? UDP is stateless.

Here is my intuition - I'd like to know if or where this is incorrect:

The man page tells me this:

state

This module, when combined with connection tracking, allows access to the
connection tracking state for this packet.

  --state ...

So, iptables basically remembers the port number that was used for the outgoing packet (what else could it remember for a UDP packet?), and then allows the first incoming packet that is sent back within a short timeframe? An attacker would have to guess the port number (would that really be too hard?)

About avoiding conflicts:

The kernel keeps track of which ports are blocked (either by other services, or by previous outgoing UDP packets), so that these ports will not be used for new outgoing DNS packets within the timeframe? (What would happen, if I accidentally tried to start a service on that port within the timeframe - would that attempt be denied/blocked?)

Please find all errors in the above text :-) Thanks,

I haven't tested UDP, but for TCP, as soon as the SYN packet is sent, the connection becomes ESTABLISHED, so:

client1 -SYN-> client2 NEW
client1 <-SYN-ACK- client2 ESTABLISHED


The iptables developers have considered an "ESTABLISHED" state to be the situation where packets have been seen in both directions between two clients, whatever the protocol.

The state extension is part of conntrack. The kernel reads the state from the table

/proc/net/nf_conntrack

Example of iptables states for UDP in the nf_conntrack table, from the sender's point of view. Let's imagine you send a DNS query over UDP:

udp   17 20 src=192.168.1.2 dst=192.168.1.10 sport=35237 dport=53 [UNREPLIED] src=192.168.1.10 dst=192.168.1.2 sport=53 dport=35237 use=1

A packet has been sent. It is unreplied and, oh, the table already holds the data for what is expected in return (the packet carrying the DNS answer).

udp   17 20 src=192.168.1.2 dst=192.168.1.10 sport=35237 dport=53 src=192.168.1.10 dst=192.168.1.2 sport=53 dport=35237 use=1

The reply has arrived and the unreplied flag is gone, which means this UDP connection is in the ESTABLISHED state for a small amount of time defined by your system.

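To make the two table states above concrete, here is an added example (not code from this answer or from the conntrack project) that parses lines in the quoted /proc/net/nf_conntrack layout and reports which state the iptables state match would assign to a candidate UDP packet. The two table lines are constructed from the entries above, and the packet_tuple/conntrack_state names are my own.

```python
import re

# Constructed sample in the layout quoted in the answer: the first entry is a DNS
# query still waiting for its reply, the second is the same entry after the reply.
SAMPLE_TABLE = """\
udp 17 20 src=192.168.1.2 dst=192.168.1.10 sport=35237 dport=53 [UNREPLIED] src=192.168.1.10 dst=192.168.1.2 sport=53 dport=35237 use=1
udp 17 20 src=192.168.1.2 dst=192.168.1.10 sport=35237 dport=53 src=192.168.1.10 dst=192.168.1.2 sport=53 dport=35237 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")
FLAG = re.compile(r"\[([A-Z_]+)\]")
TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_entry(line):
    """Parse one nf_conntrack line into protocol, timeout, flags and its two tuples."""
    fields = line.split()
    directions = []
    for key, value in KV.findall(line):
        if key == "src":            # each src= starts a new direction tuple
            directions.append({})
        if key in TUPLE_KEYS:
            directions[-1][key] = value
    orig, reply = directions        # original direction first, expected reply second
    return {"proto": fields[0], "timeout": int(fields[2]),
            "flags": set(FLAG.findall(line)), "orig": orig, "reply": reply}


def parse_table(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def packet_tuple(src, dst, sport, dport):
    return {"src": src, "dst": dst, "sport": str(sport), "dport": str(dport)}


def conntrack_state(table, pkt):
    """State the iptables 'state' match would report for a UDP packet.

    A packet matching an entry's reply tuple (all four of src, dst, sport, dport)
    is ESTABLISHED even while the entry is still [UNREPLIED]; that is why the INPUT
    rule in the question needs only ESTABLISHED to let the first DNS answer in.
    A packet matching the original tuple is ESTABLISHED only once a reply has been
    seen; a retransmitted query, or a packet matching no entry, is NEW.
    """
    for entry in table:
        if pkt == entry["reply"]:
            return "ESTABLISHED"
        if pkt == entry["orig"]:
            return "NEW" if "UNREPLIED" in entry["flags"] else "ESTABLISHED"
    return "NEW"
```

A packet that reuses the expected destination port but comes from another address or source port matches no tuple and is NEW, so the ESTABLISHED-only INPUT rule does not accept it.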

So, iptables basically remembers the port number that was used for the outgoing packet (what else could it remember for a UDP packet?),

I am pretty sure for UDP the source and destination ports and addresses are stored.

If you want to inspect the state tables install conntrack and/or netstat-nat.

(What would happen, if I accidentally tried to start a service on that port within the timeframe - would that attempt be denied/blocked?)

Since you are using OUTPUT and INPUT, you are talking about local services. The port is already in use; I don't believe your system will allow you to start up another service, since something is already listening on that port. I guess you could stop the first service and start another if you really wanted to, though; in that case the response would probably get to your service. What the service does with the packet depends on what the contents of the packet are, and what service it is.
