Bug 141173

Summary: iptables recent module broken
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Michael Schwartzkopff <misch>
Component: Kernel
Assignee: Jiri Bohac <jbohac>
Status: RESOLVED INVALID
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
Version: Stable GCC Snapshot1
Target Milestone: ---
Hardware: i686
OS: Other
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Michael Schwartzkopff 2006-01-02 11:34:28 UTC
Hi,

basically I have the following firewall rules:
iptables ... ESTABLISHED,RELATED -j ACCEPT
iptables -m recent --recent update ... -j DROP
iptables ... -s dmz --some services --some dst -j ACCEPT
iptables ... -s internal -j ACCEPT
iptables ... -d non_existing_IP -m recent --recent set -j DROP
iptables ... -j DROP

If I send out a packet from a host in the DMZ to a non-allowed service or IP I get an entry in /proc/net/ipt_recent/DEFAULT and all further communication from this host, even the allowed ones, is blocked. This should NOT happen.

In the logfile I see that the last rule (DROP ALL) was hit. Anyway I get an entry in the recent table, which I have to remove manually. Very strange. Further testing is possible, if needed.
Comment 1 Olaf Kirch 2006-01-02 11:52:24 UTC
Jiri, could you look into this one, please? Thanks!
Comment 2 Jiri Bohac 2006-01-10 15:51:41 UTC
This IS the way it is supposed to work. Refer to the documentation, e.g. on http://www.stearns.org/pomlist/0.2.2-output/pom-combined.html#recent

The "--recent update" rule will return TRUE, because the IP is on the list (/proc/net/ipt_recent/DEFAULT), will update the info about the IP on the list, and will DROP the packet. It does what it's been designed for -- it blocks all packets from bad guys who tried to scan your network recently.

You may want to put the "-s dmz" rule before the "--recent update" rule, or modify your rules in other ways to prevent IPs from your DMZ from being blacklisted this way.
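Jiri's suggestion traced through as an added example (not code from the bug report or from the iptables project): a small Python model of the chain's rule walk and of the "recent" list, using constructed addresses and a simplified, timeout-free approximation of the module, to show why the reported order locks a DMZ host out and the reordered chain does not.

```python
# Toy model of the chain from the bug report. Addresses are constructed;
# the ESTABLISHED,RELATED rule and recent-list timeouts are left out.
HONEYPOT = "203.0.113.99"              # stand-in for the "non_existing_IP"
ALLOWED_DST = {("203.0.113.10", 25)}   # one DMZ -> outside service

def in_dmz(ip):
    return ip.startswith("10.0.1.")    # constructed DMZ prefix

def in_internal(ip):
    return ip.startswith("192.168.1.") # constructed internal prefix

# Each rule returns a verdict or None (no match). `recent` is the DEFAULT list.
def rule_recent_update(pkt, recent):
    # -m recent --update -j DROP: matches only if src is already listed
    return "DROP" if pkt["src"] in recent else None

def rule_dmz_services(pkt, recent):
    ok = in_dmz(pkt["src"]) and (pkt["dst"], pkt["dport"]) in ALLOWED_DST
    return "ACCEPT" if ok else None

def rule_internal(pkt, recent):
    return "ACCEPT" if in_internal(pkt["src"]) else None

def rule_honeypot_set(pkt, recent):
    # -d non_existing_IP -m recent --set -j DROP: record src, then drop
    if pkt["dst"] == HONEYPOT:
        recent.add(pkt["src"])
        return "DROP"
    return None

def rule_drop_all(pkt, recent):
    return "DROP"

REPORTED_ORDER = [rule_recent_update, rule_dmz_services, rule_internal,
                  rule_honeypot_set, rule_drop_all]
FIXED_ORDER = [rule_dmz_services, rule_recent_update, rule_internal,
               rule_honeypot_set, rule_drop_all]   # "-s dmz" rule first

def walk(chain, pkt, recent):
    for rule in chain:
        verdict = rule(pkt, recent)
        if verdict:
            return verdict
    return "DROP"

def scenario(chain, src):
    """src probes the honeypot, then contacts an allowed service.
    Returns (verdict for the probe, verdict for the allowed packet)."""
    recent = set()
    probe = {"src": src, "dst": HONEYPOT, "dport": 80}
    allowed = {"src": src, "dst": "203.0.113.10", "dport": 25}
    return walk(chain, probe, recent), walk(chain, allowed, recent)
```

With the reported order a DMZ host that once hit the honeypot gets every later packet dropped; with the "-s dmz" rule first its allowed traffic passes, while an outside scanner is still blacklisted.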