A second connection from rshd(server) to rsh(client) is rarely denied even though the iptables of client allow with "state NEW tcp dpts:512:1023"

Solution Unverified - Updated -

Issue

  • A second connection from rshd (server) to rsh (client) is rarely denied, even though the client's iptables rules allow it with "state NEW tcp dpts:512:1023".
    When "rsh remote-host command" is run, the rsh client listens on a port in the range 512-1023 for stderr, and the rshd server connects to it.
RSHD(8) 

     3.   If the number received in step 2 is non-zero, it is interpreted as the port number of a secondary stream to be used for the stderr.  A second connection is then created
          to the specified port on the client’s machine.  The source port of this second connection is also in the range 512-1023.

Similar situation, reproduced with small test programs (cli957/srv957 on the client 192.168.122.5, srv1020/cli1020 on the server 192.168.122.78): the first connection goes from client port 957 to server port 1020; the server then connects back from port 1020 to port 957 while the client's conntrack entry for the first connection is still in TIME_WAIT, and that second SYN is rejected:

=== 192.168.122.5
# grep -v "^#" /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 512:1023 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# ./cli957      ==> Run cli957 after srv1020 on 192.168.122.78
# date; grep 957 /proc/net/nf_conntrack ; netstat -antp | grep 957
Thu Jul 17 00:10:08 JST 2014
ipv4     2 tcp      6 79 TIME_WAIT src=192.168.122.5 dst=192.168.122.78 sport=957 dport=1020 src=192.168.122.78 dst=192.168.122.5 sport=1020 dport=957 [ASSURED] mark=0 secmark=0 use=2
tcp        0      0 192.168.122.5:957           192.168.122.78:1020         TIME_WAIT   -                   
# date; grep 957 /proc/net/nf_conntrack ; netstat -antp | grep 957
Thu Jul 17 00:10:28 JST 2014
ipv4     2 tcp      6 59 TIME_WAIT src=192.168.122.5 dst=192.168.122.78 sport=957 dport=1020 src=192.168.122.78 dst=192.168.122.5 sport=1020 dport=957 [ASSURED] mark=0 secmark=0 use=2
# ./srv957      ==> Run srv957 after TIME_WAIT of netstat disappears


=== 192.168.122.78
# ./srv1020         ==> Run this at first

# ./cli1020         ==> Run cli1020 after srv957 on 192.168.122.5

# tcpdump -i eth0 -S -n host 192.168.122.5
00:09:26.983145 IP 192.168.122.5.957 > 192.168.122.78.1020: S 195813323:195813323(0) win 14600 <mss 1460,sackOK,timestamp 1195778 0,nop,wscale 6>
00:09:26.983987 arp who-has 192.168.122.5 tell 192.168.122.78
00:09:26.984189 arp reply 192.168.122.5 is-at 52:54:00:cf:6e:f0
00:09:26.984198 IP 192.168.122.78.1020 > 192.168.122.5.957: S 2620903724:2620903724(0) ack 195813324 win 5792 <mss 1460,sackOK,timestamp 2419037 1195778,nop,wscale 7>
00:09:26.985636 IP 192.168.122.5.957 > 192.168.122.78.1020: . ack 2620903725 win 229 <nop,nop,timestamp 1195780 2419037>
00:09:26.985663 IP 192.168.122.5.957 > 192.168.122.78.1020: F 195813324:195813324(0) ack 2620903725 win 229 <nop,nop,timestamp 1195780 2419037>
00:09:26.985981 IP 192.168.122.78.1020 > 192.168.122.5.957: . ack 195813325 win 46 <nop,nop,timestamp 2419040 1195780>
00:09:27.988110 IP 192.168.122.78.1020 > 192.168.122.5.957: F 2620903725:2620903725(0) ack 195813325 win 46 <nop,nop,timestamp 2420042 1195780>
00:09:27.988567 IP 192.168.122.5.957 > 192.168.122.78.1020: . ack 2620903726 win 229 <nop,nop,timestamp 1196784 2420042>
00:10:39.824208 IP 192.168.122.78.1020 > 192.168.122.5.957: S 3759044536:3759044536(0) win 5840 <mss 1460,sackOK,timestamp 2491876 0,nop,wscale 7>
00:10:39.824696 IP 192.168.122.5 > 192.168.122.78: ICMP host 192.168.122.5 unreachable - admin prohibited, length 68        <==
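To make the collision in the dump above checkable, here is an added example (not from this article or from Red Hat): it parses /proc/net/nf_conntrack lines and tests whether the server's SYN from 192.168.122.78:1020 to 192.168.122.5:957 is claimed by the reply tuple of the TIME_WAIT entry still held on the client, in which case the "--state NEW" rule cannot match it. The sample entry is the one shown above; parse_conntrack, matching_flow and is_seen_as_new are names chosen for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the TIME_WAIT entry seen on the client 192.168.122.5
# above, copied from the page's /proc/net/nf_conntrack output.
SAMPLE_CONNTRACK = (
    "ipv4     2 tcp      6 79 TIME_WAIT src=192.168.122.5 dst=192.168.122.78 "
    "sport=957 dport=1020 src=192.168.122.78 dst=192.168.122.5 sport=1020 "
    "dport=957 [ASSURED] mark=0 secmark=0 use=2\n"
)

Tuple4 = Tuple[str, int, str, int]          # (src, sport, dst, dport)
_KV = re.compile(r"(src|dst|sport|dport)=(\S+)")


def parse_conntrack(text: str) -> List[Dict]:
    """Parse TCP lines of /proc/net/nf_conntrack into state, timeout and both tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[2] != "tcp":
            continue                      # only TCP entries carry a state name
        timeout, state = int(fields[4]), fields[5]
        # The four keys appear twice: original direction first, reply direction second.
        # Extra keys such as packets=/bytes= (accounting) or [UNREPLIED] are skipped.
        kv = _KV.findall(line)
        orig, reply = dict(kv[:4]), dict(kv[4:8])
        to_tuple = lambda d: (d["src"], int(d["sport"]), d["dst"], int(d["dport"]))
        entries.append({"state": state, "timeout": timeout,
                        "orig": to_tuple(orig), "reply": to_tuple(reply)})
    return entries


def matching_flow(entries: List[Dict], pkt: Tuple4) -> Optional[Dict]:
    """Return the existing entry an incoming packet src:sport->dst:dport is attributed to.
    conntrack compares the packet's tuple with both the original and the reply tuple of
    every entry; a hit means the SYN belongs to that old flow in conntrack's view, so a
    rule matching '--state NEW' does not see it even though no socket exists any more."""
    for e in entries:
        if pkt == e["orig"] or pkt == e["reply"]:
            return e
    return None


def is_seen_as_new(entries: List[Dict], pkt: Tuple4) -> bool:
    """True only if no conntrack entry claims the packet, i.e. '--state NEW' can match."""
    return matching_flow(entries, pkt) is None
```

The socket leaves TIME_WAIT after 60 seconds, but conntrack keeps its TIME_WAIT entry for nf_conntrack_tcp_timeout_time_wait seconds (120 by default), which is why netstat no longer lists port 957 at 00:10:28 while /proc/net/nf_conntrack still does.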

Environment

  • Red Hat Enterprise Linux 6
