Do you know *that* final level boss, the one that seems impossible to beat even after hours and hours of attempts and uncountable retries? Yes, the very same that after a night spent lost in your own frustration and a day that kept you busy with some other business falls - piece of cake - at the first attempt?
Sometimes can be hard to keep track of the big picture when you are busy looking for details. All the small bits are in the end saturating your field of vision leaving you cluttered and even more confused than before.
This is exactly what I've been experiencing in the last 2 days, missing the obvious that was already in front of my eyes. This post is not meant as a technical explanation - the "solution" is way to obvious - but as a personal reminder, against the often unproductive habit to get lost in details.
Let's say that someone, for whatever reason, wants to DROP all udp fragments, and this using iptables.
No problem. Easy to write a rule for that, as long as you remember one detail: fragments are reassembled before entering the INPUT chain, and therefore would be best to do it in PREROUTING.
The rule by itself doesn't leave much space for mistakes:
iptables -t raw -A PREROUTING -p udp -j DROP
would do, and just to make sure, let's add some logging to make sure that all works as it should:
iptables -t raw -I PREROUTING -f -p udp -j LOG --log-prefix match_fragment_prerouting
A quick setup to test the whole, using elbereth as sender and mjolnir as receiver:
mjolnir:/# netcat -vv -l -u -p xxxx -s xxx.xxx.xxx.xxx.
elbereth:/# hping3 xxx.xxx.xxx.xxx. -V -2 -f -x --file /tmp/lotsofdata -d 2000 -p xxxx
And guess what? All my 2000 bytes are happily displayed and no packet matched my rule.
I will spare you all the inconclusive tests I did, and all the traces I've taken, while too blind to see what the problem really was, but please believe me, it was a lot. From doubts about the correct positioning of the rule, to datacenter's pixies and poltergeists.
This morning, I decided to reset the test environment completely and take two new traces, as clean as possible, and start again with it.
And there I finally saw captain obvious appearing from far away:
On the trace taken on mjolnir's side, I could see all the udp fragments *and * the reassembled packet.
And the captain gets closer.
A quick addition to my iptables' logging, to add an extra entry that would log not only the fragments, but any udp packet.
Run the test again, and my fear was confirmed, the rules are working, but no fragment ever reaches iptables, only reassembled packets.
Only reassembled packets I said?
And here captain obvious appeared next to me, enjoying the scene of me slapping my own head before, after and while typing
lsmod|grep conntrack
A pat on my shoulder, and he was away again, looking for someone else that missed the obvious, at least for a while.
Posts
