
A program I use generates some TCP connections using raw packets mode. Let's say that I executed these two commands:

/sbin/iptables -A INPUT -s 8.0.0.0/8 -j DROP
/sbin/iptables -A OUTPUT -d 8.0.0.0/8 -j DROP

Is it safe to assume that no packets will be sent to that network?

d33tah

The different netfilter modules (iptables/nftables/ebtables and friends) interact with the Linux TCP/IP stack, but raw sockets more or less completely bypass that TCP/IP stack, so I'm not surprised that you can't use a host based firewall to block traffic to/from raw sockets. – Rob Apr 06 '22 at 13:42

1 Answer


It appears that it unfortunately doesn't work. Here's how I checked. Let's use two servers - 1.1.1.1 and 2.2.2.2. 1.1.1.1 is going to send packets, 2.2.2.2 is going to listen.

First, let's set up sniffing on 2.2.2.2:

➜  ~ sudo tcpdump -vv 'src 1.1.1.1'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

Now, let's send a packet on port 995 to that IP:

$ zmap --whitelist-file=<( echo 2.2.2.2 ) -p 995 -n 1

As expected, we're seeing traffic from 1.1.1.1 on 2.2.2.2:

11:18:49.330632 IP (tos 0x0, ttl 250, id 54321, offset 0, flags [none], proto TCP (6), length 40)
    1.1.1.1.47495 > 2.2.2.2.pop3s: Flags [S], cksum 0x5e8a (correct), seq 4248475135, win 65535, length 0
11:18:49.331688 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    1.1.1.1.47495 > 2.2.2.2.pop3s: Flags [R], cksum 0x5e87 (correct), seq 4248475136, win 0, length 0

Now, let's try blocking that on 1.1.1.1 and repeating the probe:

$ /sbin/iptables -A OUTPUT -d 2.2.2.2  -j DROP
$ zmap --whitelist-file=<( echo 2.2.2.2 ) -p 995 -n 1

Unfortunately, we're seeing some more tcpdump data. This means that it didn't work.

I eventually resolved the issue at a different layer, by using my cloud provider's firewall functionality.

d33tah
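Added example, not part of the question or the answer above: the script below hand-builds the same kind of TCP SYN that the capture shows (source port, sequence number, TTL and IP ID are copied from the SYN in the tcpdump output; the checksums are computed for the placeholder addresses exactly as printed, so they will not match the capture's values) and sends it either through an AF_INET raw socket with IP_HDRINCL or through an AF_PACKET socket. The point it lets you test is where the iptables OUTPUT chain sits: on Linux it hangs off the IPv4 NF_INET_LOCAL_OUT netfilter hook, which an AF_INET raw socket still passes through, so `-A OUTPUT -d 2.2.2.2 -j DROP` stops those packets, whereas an AF_PACKET socket queues the frame on the device below the IP layer and the rule never sees it. ZMap's Linux send path uses an AF_PACKET socket, which fits what the answer observed. Repeat the tcpdump check from the answer with each mode to see the difference. Sending needs root and a real interface; the AF_PACKET mode also needs the next-hop MAC (from `ip neigh`). The script name rawsyn.py and its command-line arguments are this example's own choices; the packet-building and checksum functions run anywhere without privileges.

```python
"""Added example (not from the original post): build a TCP SYN by hand and send
it through an AF_INET raw socket or an AF_PACKET socket, so the different
treatment by the iptables OUTPUT chain can be observed with tcpdump on the
receiving host.  Script name (rawsyn.py) and CLI arguments are assumptions."""
import socket
import struct
import sys


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_syn(src_ip, dst_ip, sport, dport, seq, ttl=64, ip_id=0, window=65535) -> bytes:
    """Return a 40-byte IPv4 + TCP SYN (no options) with both checksums filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header: data offset 5 words, flags = SYN only, checksum field 0 for now
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version 4, IHL 5, no fragmentation, checksum field 0 for now
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, ttl,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def ip_checksum_field(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[10:12])[0]


def tcp_checksum_field(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[36:38])[0]


def ip_checksum_ok(pkt: bytes) -> bool:
    """A correct header re-summed together with its checksum field yields zero."""
    return inet_checksum(pkt[:20]) == 0


def tcp_checksum_ok(pkt: bytes) -> bool:
    """Same check over pseudo-header + segment (what tcpdump reports as 'correct')."""
    tcp = pkt[20:]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, socket.IPPROTO_TCP, len(tcp))
    return inet_checksum(pseudo + tcp) == 0


def send_via_inet_raw(pkt: bytes, dst_ip: str) -> None:
    """AF_INET/SOCK_RAW with IP_HDRINCL: the kernel still routes the packet and runs
    the IPv4 NF_INET_LOCAL_OUT hook, so an iptables OUTPUT -j DROP applies."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.sendto(pkt, (dst_ip, 0))
    s.close()


def send_via_af_packet(pkt: bytes, ifname: str, next_hop_mac: str) -> None:
    """AF_PACKET/SOCK_DGRAM: the kernel prepends an Ethernet header addressed to
    next_hop_mac and queues the frame on the device directly, below the IP layer,
    so the iptables OUTPUT chain never sees it."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_DGRAM, socket.htons(0x0800))
    hwaddr = bytes.fromhex(next_hop_mac.replace(":", ""))
    s.sendto(pkt, (ifname, 0x0800, 0, 0, hwaddr))
    s.close()


if __name__ == "__main__":
    # Usage (as root):  rawsyn.py inet   SRC_IP DST_IP DPORT
    #                   rawsyn.py packet SRC_IP DST_IP DPORT IFNAME NEXT_HOP_MAC
    mode, src_ip, dst_ip, dport = sys.argv[1], sys.argv[2], sys.argv[3], int(sys.argv[4])
    # Field values mirror the SYN in the answer's capture (port 47495, ttl 250, id 54321)
    syn = build_syn(src_ip, dst_ip, 47495, dport, 4248475135, ttl=250, ip_id=54321)
    if mode == "inet":
        send_via_inet_raw(syn, dst_ip)
    else:
        send_via_af_packet(syn, sys.argv[5], sys.argv[6])
```

With the answer's DROP rule in place, `sudo python3 rawsyn.py inet 1.1.1.1 2.2.2.2 995` produces nothing on the 2.2.2.2 tcpdump, while the `packet` mode still shows the SYN arriving, which is the same outcome the answer got with ZMap. Because the SYN is never associated with a socket on the sender, the sender's kernel answers the SYN/ACK with a RST just as in the capture, and that RST, being generated by the stack itself, is subject to the OUTPUT rule.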