A second connection from rshd (server) to rsh (client) is sometimes denied even though the client's iptables rules allow it with "state NEW tcp dpts:512:1023"
Issue
- A second connection from rshd (server) to rsh (client) is sometimes denied even though the client's iptables rules allow it with "state NEW tcp dpts:512:1023"
When running "rsh remote-host command", the rsh client listens on a port in the range 512-1023 for stderr, and the rshd server connects back to it.
RSHD(8)
3. If the number received in step 2 is non-zero, it is interpreted as the port number of a secondary stream to be used for the stderr. A second connection is then created to the specified port on the client's machine. The source port of this second connection is also in the range 512-1023.
Similar situation:
=== 192.168.122.5
# grep -v "^#" /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 512:1023 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# ./cli957 ==> Run cli957 after srv1020 on 192.168.122.78
# date; grep 957 /proc/net/nf_conntrack ; netstat -antp | grep 957
Thu Jul 17 00:10:08 JST 2014
ipv4 2 tcp 6 79 TIME_WAIT src=192.168.122.5 dst=192.168.122.78 sport=957 dport=1020 src=192.168.122.78 dst=192.168.122.5 sport=1020 dport=957 [ASSURED] mark=0 secmark=0 use=2
tcp 0 0 192.168.122.5:957 192.168.122.78:1020 TIME_WAIT -
# date; grep 957 /proc/net/nf_conntrack ; netstat -antp | grep 957
Thu Jul 17 00:10:28 JST 2014
ipv4 2 tcp 6 59 TIME_WAIT src=192.168.122.5 dst=192.168.122.78 sport=957 dport=1020 src=192.168.122.78 dst=192.168.122.5 sport=1020 dport=957 [ASSURED] mark=0 secmark=0 use=2
# ./srv957 ==> Run srv957 after the TIME_WAIT entry in netstat disappears
=== 192.168.122.78
# ./srv1020 ==> Run this at first
# ./cli1020 ==> Run cli1020 after srv957 on 192.168.122.5
# tcpdump -i eth0 -S -n host 192.168.122.5
00:09:26.983145 IP 192.168.122.5.957 > 192.168.122.78.1020: S 195813323:195813323(0) win 14600 <mss 1460,sackOK,timestamp 1195778 0,nop,wscale 6>
00:09:26.983987 arp who-has 192.168.122.5 tell 192.168.122.78
00:09:26.984189 arp reply 192.168.122.5 is-at 52:54:00:cf:6e:f0
00:09:26.984198 IP 192.168.122.78.1020 > 192.168.122.5.957: S 2620903724:2620903724(0) ack 195813324 win 5792 <mss 1460,sackOK,timestamp 2419037 1195778,nop,wscale 7>
00:09:26.985636 IP 192.168.122.5.957 > 192.168.122.78.1020: . ack 2620903725 win 229 <nop,nop,timestamp 1195780 2419037>
00:09:26.985663 IP 192.168.122.5.957 > 192.168.122.78.1020: F 195813324:195813324(0) ack 2620903725 win 229 <nop,nop,timestamp 1195780 2419037>
00:09:26.985981 IP 192.168.122.78.1020 > 192.168.122.5.957: . ack 195813325 win 46 <nop,nop,timestamp 2419040 1195780>
00:09:27.988110 IP 192.168.122.78.1020 > 192.168.122.5.957: F 2620903725:2620903725(0) ack 195813325 win 46 <nop,nop,timestamp 2420042 1195780>
00:09:27.988567 IP 192.168.122.5.957 > 192.168.122.78.1020: . ack 2620903726 win 229 <nop,nop,timestamp 1196784 2420042>
00:10:39.824208 IP 192.168.122.78.1020 > 192.168.122.5.957: S 3759044536:3759044536(0) win 5840 <mss 1460,sackOK,timestamp 2491876 0,nop,wscale 7>
00:10:39.824696 IP 192.168.122.5 > 192.168.122.78: ICMP host 192.168.122.5 unreachable - admin prohibited, length 68 <==
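The rejected SYN at 00:10:39 arrived about 72 s after the FIN exchange: the client socket had already left TIME_WAIT (netstat no longer showed it), but the conntrack entry above was still counting down (79 s left at 00:10:08, consistent with the 120 s default of nf_conntrack_tcp_timeout_time_wait), so conntrack matched the SYN to that entry in the reply direction instead of classifying it as NEW, and the "--state NEW --dport 512:1023" rule could not accept it. The following script is an added example, not part of this article: it parses /proc/net/nf_conntrack lines in the format shown above (the sample line is copied from the capture) and reports whether an inbound SYN would be NEW or would collide with a lingering entry.

```python
import re

# Constructed sample: the conntrack line the page captured on the rsh client
# (192.168.122.5) after the first connection to 192.168.122.78:1020 was closed.
SAMPLE_CONNTRACK = (
    "ipv4 2 tcp 6 79 TIME_WAIT src=192.168.122.5 dst=192.168.122.78 sport=957 "
    "dport=1020 src=192.168.122.78 dst=192.168.122.5 sport=1020 dport=957 "
    "[ASSURED] mark=0 secmark=0 use=2\n"
)


def parse_nf_conntrack(text):
    """Parse the TCP lines of /proc/net/nf_conntrack into dicts.

    Layout: l3proto l3num l4proto l4num timeout state key=val ...; the first
    src/dst/sport/dport group is the original direction, the second the reply.
    """
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[2] != "tcp":
            continue
        kv = {}
        for key, val in re.findall(r"(\w+)=(\S+)", line):
            kv.setdefault(key, []).append(val)

        def tup(i):
            return (kv["src"][i], int(kv["sport"][i]), kv["dst"][i], int(kv["dport"][i]))

        entries.append({"timeout": int(f[4]), "state": f[5],
                        "assured": "[ASSURED]" in f, "orig": tup(0), "reply": tup(1)})
    return entries


def check_inbound_syn(entries, src, sport, dst, dport):
    """Report how conntrack on this host would match a SYN src:sport -> dst:dport.

    Returns "NEW" when no entry matches (a --state NEW rule can accept it);
    otherwise "<direction>/<state>/<seconds left>" of the entry it collides with.
    """
    tup = (src, sport, dst, dport)
    for e in entries:
        for direction in ("orig", "reply"):
            if e[direction] == tup:
                return "%s/%s/%ds" % (direction, e["state"], e["timeout"])
    return "NEW"


if __name__ == "__main__":
    # On a live client, replace SAMPLE_CONNTRACK with open("/proc/net/nf_conntrack").read().
    entries = parse_nf_conntrack(SAMPLE_CONNTRACK)
    # The rshd stderr connection from the capture: 192.168.122.78:1020 -> 192.168.122.5:957
    print(check_inbound_syn(entries, "192.168.122.78", 1020, "192.168.122.5", 957))
```

A result other than "NEW" for the server's stderr SYN means the client's state-based rules see a packet belonging to the old connection; the window closes when the entry's remaining timeout reaches zero.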
Environment
- Red Hat Enterprise Linux 6