[Firehol-support] problem matching packet length
High Mobley
firehol at prioritynetworks.net
Wed Oct 27 22:25:54 BST 2004
Ummm.... Answered my own question as usual. Turns out that the iptables
rules I ws trying to use (read below for full details) worked fine. What
happened is that I was generating the test pings from a Linux box (no
Windoze available for testing), and using the -s switch to the ping
command to specify a size for the packet. Well, I knew that the -s
switch specifies the raw data size, not the overall packet size.
However, I was looking at the wrong numbers in the output from the ping
command to check that I was sending 92-byte packets. So the command that
I used (ping -s84 A.B.C.D) was actually sending 112-byte packets. The
correct data size to generate packets of 92-byte size was 64. So my new
command is 'ping -s64 A.B.C.D'.
And here are the rules that I added to my FireHOL config file to make
this work:
interface eth1 INTERIOR src ${interior_ips}
policy reject
server icmp drop custom "--icmp-type echo-request --match length --length 92"
server icmp drop custom "--icmp-type echo-reply --match length --length 92"
server icmp accept
client all accept
router INTERIOR_NAT inface eth1 outface eth0
route icmp drop custom "--icmp-type echo-request --match length --length 92"
route icmp drop custom "--icmp-type echo-reply --match length --length 92"
route all accept
masquerade
<sigh> At least I got it figured out...
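To show why 'ping -s84' sailed past the rule while 'ping -s64' hits it, here is an added example (not code from the thread or from FireHOL) that builds IPv4/ICMP echo packets the way ping -s does and applies the same test that iptables' length match makes, i.e. against the IP total length with headers included. The addresses and echo identifier are made up, and the IP checksum is left zero because nothing here is sent.

```python
import struct

IPV4_HEADER_LEN = 20   # no IP options
ICMP_HEADER_LEN = 8
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

def icmp_checksum(data: bytes) -> int:
    """Standard ones'-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ping(data_len: int, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Constructed IPv4 + ICMP echo packet carrying data_len payload bytes,
    which is what `ping -s<data_len>` puts on the wire (plus 28 header bytes)."""
    payload = bytes(i % 256 for i in range(data_len))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    total_len = IPV4_HEADER_LEN + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # made-up addresses
    return ip + icmp

def matches_drop_rule(packet: bytes, length: int = 92) -> bool:
    """Emulates `-p icmp --icmp-type echo-request|echo-reply --match length --length 92`.
    The length match looks at the IP total-length field, so headers count."""
    version_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", packet[:12])
    if version_ihl >> 4 != 4 or proto != 1:
        return False
    ihl = (version_ihl & 0x0F) * 4
    icmp_type = packet[ihl]
    return icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) and total_len == length

def ping_data_size_for_total(total: int) -> int:
    """Value to hand to `ping -s` so the whole packet is `total` bytes long."""
    return total - IPV4_HEADER_LEN - ICMP_HEADER_LEN

if __name__ == "__main__":
    for data_len in (84, 64):
        pkt = build_ping(data_len)
        print(f"ping -s{data_len}: {len(pkt)}-byte packet, dropped={matches_drop_rule(pkt)}")
```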
High Mobley wrote:
> We have a gateway that is doing NAT and port forwarding. We also need
> to add some rules to prevent the spread of Microsoft Windows worms and
> viruses. So we need to block 92-byte ICMP echo requests and replies.
> (Several of the worms in the wild are pinging hosts using the default
> Windows ping packet size of 92 bytes)
>
> I already have this running on some of my Cisco routers. Here is a
> snippet from my router configs that shows what I'm doing:
>
> ------------snip-------------
> access-list 199 permit icmp any any echo
> access-list 199 permit icmp any any echo-reply
> !
> route-map nachia-worm permit 10
> match ip address 199 (This is packets matched by access-list #199)
> match length 92 92
> set interface Null0
> !
> ------------snip-------------
>
>
>
>
> Here is our basic FireHOL config before the length matching attempts. It
> works fine for the basic NAT and port forwarding functions that we want:
>
> #!/etc/rc.d/init.d/firehol
> #
> # Read in custom list of networks from separate file:
> . /etc/firehol/networks
> # Read in list of custom services from separate file:
> . /etc/firehol/services
> #
> # Services to allow to our administrative IPs whom we trust:
> Trusted_services="ssh icmp http"
> # Services to allow to the whole world:
> Public_services=""
> #
> # IP addresses behind the NAT on eth1:
> interior_ips="172.16.0.0/24"
> #
> # Forward incoming requests on port 80 of eth0 to port 80 on
> # a web server sitting behind the NAT on eth1:
> nat to-destination 172.16.0.2 proto tcp dport 80 dst 128.64.162.197
> #
> interface eth0 EXTERIOR src not "${UNROUTABLE_IPS}"
> policy drop loglimit debrouter
> protection strong
> server "icmp" accept src "${ICMP_monitor}"
> server "${Trusted_services}" accept src "${Trusted_Networks}"
> server "${Public_services}" accept
> client all accept
> server all reject src "${Trusted_Networks}"
> server ident reject with tcp-reset
> #
> interface eth1 INTERIOR src ${interior_ips}
> policy reject
> client all accept
> #
> router INTERIOR_NAT inface eth1 outface eth0
> route all accept
> masquerade
> #
> router PORT_FORWARD inface eth0 outface eth1
> route "${Trusted_services}" accept src "${Trusted_Networks}"
> route ident reject with tcp-reset
>
>
>
>
> So now I need to add something that finds all 92-byte long ICMP echo
> requests and echo-replies and drops them. I have been unable to figure
> out how to do this with plain iptables on a Linux machine without
> FireHOL either. It seems like the following two rules should work, but I
> still get replies back from the Linux machine when I ping it with
> 92-byte long ICMP packets...
>
> iptables -t filter -A INPUT --protocol icmp --icmp-type echo-request --match length --length 92 -j DROP
> iptables -t filter -A INPUT --protocol icmp --icmp-type echo-reply --match length --length 92 -j DROP
>
> Does anybody have some suggestions?
> TIA,
>
> High Mobley
>
>