Linux Firewalls - Michael Rash [103]
resp
The resp option provided by the flexresponse and flexresponse2 Snort detection plug-ins allows Snort to actively respond to network traffic that has triggered a signature match. Available responses include sending TCP RST/ACK packets into a session in order to tear it down (recall that the flexresponse and flexresponse2 plug-ins always send RST/ACK packets instead of RST packets; see the discussion "RST vs. RST/ACK" on page 63), and generating ICMP Net, Host, or Port Unreachable packets in response to UDP traffic. The iptables REJECT target supports these functions through the arguments -j REJECT --reject-with tcp-reset for TCP connections, and -j REJECT --reject-with icmp-*-unreachable (where * can be net, host, or port) for UDP packets.
One difference in the REJECT target versus the Snort response capability is that TCP RST packets can only be sent to one side of a connection. That is, if a packet matches an iptables REJECT rule, a TCP RST packet will only be sent against the source IP address that is contained within the matching packet, and this IP address may either be the client or the server side of the connection. If the TCP stack never receives the incoming RST packet because of a local kernel-level filtering mechanism (or because an intermediate hop drops it), then the session will not be properly closed. Fortunately, however, the REJECT target also drops the matching packet, so the TCP session will not proceed any further.
Note
A future version (or a patch provided by the fwsnort project) of the REJECT extension will support sending TCP RST packets to both sides of a TCP connection. If one side misbehaves and filters the incoming RST because it is trying to continue a TCP connection regardless of whether the other side tries to close it, then the RST sent in the opposite direction will still force the connection to close (presumably only one side is being unruly).
The following iptables command combines the use of the string match extension to RST any web sessions that contain the string "/etc/passwd":
[iptablesfw]# iptables -A INPUT -p tcp --dport 80 -m string --string "/etc/passwd" --algo bm -j REJECT --reject-with tcp-reset
Additional detail on the usage of the REJECT target in conjunction with fwsnort rulesets can be found in Chapter 11.
TEARING DOWN "/ETC/PASSWD" WEB SESSIONS
Malicious systems can filter incoming RST or RST/ACK packets generated by remote iptables firewalls, and we will discuss this in depth in "DROP vs. REJECT Targets" on page 201. Here we briefly illustrate the REJECT target in action against a client whose own iptables firewall is filtering the incoming TCP RST packet. We set up two systems (client and server) as follows: on the server system we use Netcat to run a TCP server on port 80, and on the client system we use Netcat to send the string "/etc/passwd" across to the server. On the server, iptables is configured to match the /etc/passwd string and RST the connection:
[server]# iptables -I INPUT 1 -p tcp --dport 80 -m string --string "/etc/passwd" --algo bm -j REJECT --reject-with tcp-reset
On the client, the incoming RST packet is dropped before the local TCP stack receives it:
[client]# iptables -I INPUT 1 -p tcp --tcp-flags RST RST -j DROP
Now we fire up Netcat and tcpdump on the server system and send the /etc/passwd string across to the server from the client. The packet at ❶ is the first RST packet from iptables on the server, and the remaining packets show that even though the client has filtered the incoming RST, the session is unable to proceed because the packet that contained the /etc/passwd string was dropped.
When the client TCP stack retransmits the /etc/passwd packet over and over, iptables on the server responds to each packet yet again with another RST (see ❷, for example):
[server]# nc -l -p 80
[client]# echo "/etc/passwd" | nc 192.168.10.1 80
[server]# tcpdump -i eth1 -l -nn port 80
01:10:24.479149 IP 192.168.10.2.32655 > 192.168.10.1.80: S 2179395558:2179395558(0) win 5840
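The retransmit-then-RST pattern in the capture above is also a useful thing to spot from the server side: a client that keeps sending payload after it has been sent a RST is either filtering RSTs or has a broken stack. The following Python script is an added example (not from the book or the fwsnort project); it parses classic tcpdump TCP lines, counts RSTs the server sent per client flow, and flags flows where client payload keeps arriving afterwards. The capture it runs on is constructed to mirror the lab above.

```python
import re
from collections import defaultdict
# Classic tcpdump TCP line format, as in the book's capture:
# "<time> IP <src>.<sport> > <dst>.<dport>: <flags> [<seq>:<end>(<len>)] ..."
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRPF.]+)(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
)

def parse_line(line):
    """Fields of one tcpdump TCP line, or None if the line does not match."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["len"] = int(fields["len"] or 0)   # payload bytes; 0 for bare ACK/RST
    return fields

def find_rst_ignoring_clients(lines, server_port="80"):
    """Flag client->server flows that keep sending payload after the server
    (here iptables REJECT --reject-with tcp-reset) has already sent a RST."""
    rsts = defaultdict(int)            # (client, server) -> RSTs sent by server
    data_after_rst = defaultdict(int)  # (client, server) -> client payload pkts after a RST
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["sport"] == server_port and "R" in p["flags"]:   # server -> client RST
            rsts[(p["dst"], p["src"])] += 1
        elif p["dport"] == server_port and p["len"] > 0:        # client -> server payload
            flow = (p["src"], p["dst"])
            if rsts[flow] > 0:
                data_after_rst[flow] += 1
    return {flow: {"server_rsts": rsts[flow], "client_retransmits": n}
            for flow, n in data_after_rst.items()}

# Constructed capture modelled on the book's lab: client .2 filters incoming RSTs and
# keeps retransmitting "/etc/passwd\n" (12 bytes); client .3 honours the RST and stops.
SAMPLE = """\
01:10:24.479149 IP 192.168.10.2.32655 > 192.168.10.1.80: S 2179395558:2179395558(0) win 5840
01:10:24.479402 IP 192.168.10.2.32655 > 192.168.10.1.80: . ack 1 win 5840
01:10:24.480811 IP 192.168.10.2.32655 > 192.168.10.1.80: P 1:13(12) ack 1 win 5840
01:10:24.480902 IP 192.168.10.1.80 > 192.168.10.2.32655: R 1:1(0) ack 13 win 0
01:10:24.690417 IP 192.168.10.2.32655 > 192.168.10.1.80: P 1:13(12) ack 1 win 5840
01:10:24.690503 IP 192.168.10.1.80 > 192.168.10.2.32655: R 1:1(0) ack 13 win 0
01:10:25.110226 IP 192.168.10.2.32655 > 192.168.10.1.80: P 1:13(12) ack 1 win 5840
01:10:25.110310 IP 192.168.10.1.80 > 192.168.10.2.32655: R 1:1(0) ack 13 win 0
01:10:30.200100 IP 192.168.10.3.40011 > 192.168.10.1.80: P 1:13(12) ack 1 win 5840
01:10:30.200190 IP 192.168.10.1.80 > 192.168.10.3.40011: R 1:1(0) ack 13 win 0
"""
```

Running `find_rst_ignoring_clients(SAMPLE.splitlines())` reports only the 192.168.10.2 flow, with three server RSTs and two client retransmits after the first RST.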