Iptables owner mode causes applications which open many tcp connections to hang #180

Open
R4z0R7 opened this issue Nov 12, 2023 · 0 comments


R4z0R7 commented Nov 12, 2023

Hello,

If we make a given port available only to a particular user, using iptables and the owner module, that user is not able to make many TCP connections to the specified port in a short period of time, causing applications which rapidly open and close a large number of connections to hang.

Environment:
AlmaLinux release 8.8 (Sapphire Caracal)
4.18.0-477.15.1.el8_8.x86_64
iptables v1.8.4 (nf_tables)
Ncat: Version 7.91 ( https://nmap.org/ncat )

Steps to reproduce:

1. Make a TCP port (12355 in the example) available only to user web1:
iptables -I OUTPUT -s 127.0.0.1 -d 0.0.0.0/0 -p tcp --dport 12355 -m owner --gid-owner web1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 0.0.0.0/0 -p tcp --dport 12355 -j DROP
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:12355 owner GID match 1001
DROP       tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:12355
2. Start an Ncat process listening on that port:

nc -l -k 12355
3. Log in as user web1 and run this command:

for i in {1..10000}; do echo "date " ; echo "$i \n" && echo 1 | telnet 127.0.0.1 12355 2>&1 > /dev/null; done

At some point, well before the 10000th iteration, the loop will hang. It doesn't usually stop on the exact same connection. It could stop after 500, or 2000, etc. There are no errors or warnings in dmesg or /var/log/messages.

If we remove the corresponding firewall rules and run the for loop, the process doesn't hang. There is no such issue in CentOS 7.

While the process is stuck and we cannot make a connection to port 12355 from localhost, if the port is open to the world we can still make a connection from outside our system.
