Bug 459943 - FEAT: kernel: nf_nat: backport NAT port randomisation [rhel-5.3]
FEAT: kernel: nf_nat: backport NAT port randomisation [rhel-5.3]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
5.3
All Linux
high Severity high
: rc
: ---
Assigned To: Thomas Graf
Red Hat Kernel QE team
:
Depends On:
Blocks: 483701
  Show dependency treegraph
 
Reported: 2008-08-24 21:47 EDT by Eugene Teo (Security Response)
Modified: 2014-06-18 04:29 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-02 04:36:42 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Upstream patch for this issue (7.83 KB, patch)
2008-08-24 21:50 EDT, Eugene Teo (Security Response)
no flags Details | Diff
Upstream patch to apply on top of comment #2 (1.97 KB, patch)
2008-08-24 21:51 EDT, Eugene Teo (Security Response)
no flags Details | Diff
proposed patch (4.54 KB, patch)
2009-03-31 07:26 EDT, Thomas Graf
no flags Details | Diff
iptables nat configuration (712 bytes, application/x-sh)
2009-08-04 04:10 EDT, Hushan Jia
no flags Details

  None (edit)
Description Eugene Teo (Security Response) 2008-08-24 21:47:32 EDT
Description of problem:
Backport patch to include support for NAT port randomisation.
Comment 2 Eugene Teo (Security Response) 2008-08-24 21:50:29 EDT
Created attachment 314892 [details]
Upstream patch for this issue
Comment 3 Eugene Teo (Security Response) 2008-08-24 21:51:26 EDT
Created attachment 314893 [details]
Upstream patch to apply on top of comment #2
Comment 4 Eugene Teo (Security Response) 2008-08-24 22:01:49 EDT
This is not a security bug, but it is good to have NAT port randomisation.

Also note that iptables probably need to include the --random option as well. In the manpages, it explicitly mentioned that this feature is only available in kernel >= 2.6.22. So, I am not sure if we will be deviating from upstream if we do this. Close the bug if the effort is not worthwhile.

Thanks.
Comment 5 RHEL Product and Program Management 2009-02-16 10:26:08 EST
Updating PM score.
Comment 6 Thomas Graf 2009-03-31 07:26:36 EDT
Created attachment 337289 [details]
proposed patch
Comment 8 Don Zickus 2009-04-06 17:16:22 EDT
in kernel-2.6.18-138.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Please do NOT transition this bugzilla state to VERIFIED until our QE team
has sent specific instructions indicating when to do so.  However feel free
to provide a comment indicating that this fix has been verified.
Comment 10 Hushan Jia 2009-08-04 04:08:27 EDT
The --random option is added to iptables from iptables-1.3.8.
using 1.4.0 for test.
[root@dhcp-65-130 ~]# iptables --version
iptables v1.4.0

Test environment:
Two machines, one machine(A) have two nics, eth0 configured to connect with internet, the other eth1 configured to be the gateway of LAN 192.168.0.0.
The other machine(B) has only one NIC, is in the LAN, gateway and default route set to the first machine's eth1.

Configure iptables SNAT on the machine A, machine B access through machine A using port translation.

iptables NAT configuration is attached.
Comment 11 Hushan Jia 2009-08-04 04:10:28 EDT
Created attachment 356120 [details]
iptables nat configuration
Comment 12 Hushan Jia 2009-08-04 04:22:18 EDT
run on NAT server:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables_nat_server.sh
cat /proc/net/ip_conntrack

Test result:
on kernel 128:
[root@dhcp-65-130 ~]# cat /proc/net/ip_conntrack
udp      17 26 src=192.168.1.105 dst=10.66.127.10 sport=41696 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20005 packets=1 bytes=224 mark=0 secmark=0 use=1
udp      17 25 src=192.168.1.105 dst=10.66.127.10 sport=54373 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20003 packets=1 bytes=190 mark=0 secmark=0 use=1
udp      17 26 src=192.168.1.105 dst=10.66.127.10 sport=43512 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20006 packets=1 bytes=128 mark=0 secmark=0 use=1
udp      17 25 src=192.168.1.105 dst=10.66.127.10 sport=45829 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20002 packets=1 bytes=86 mark=0 secmark=0 use=1
udp      17 26 src=192.168.1.105 dst=10.66.127.10 sport=52367 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20007 packets=1 bytes=224 mark=0 secmark=0 use=1
udp      17 25 src=192.168.1.105 dst=10.66.127.10 sport=46005 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20004 packets=1 bytes=128 mark=0 secmark=0 use=1
udp      17 25 src=192.168.1.105 dst=10.66.127.10 sport=50760 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20000 packets=1 bytes=86 mark=0 secmark=0 use=1
udp      17 25 src=192.168.1.105 dst=10.66.127.10 sport=53789 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20001 packets=1 bytes=190 mark=0 secmark=0 use=1
tcp      6 115 TIME_WAIT src=192.168.1.105 dst=119.75.216.30 sport=47764 dport=80 packets=6 bytes=571 src=119.75.216.30 dst=10.66.65.130 sport=80 dport=10000 packets=6 bytes=2361 [ASSURED] mark=0 secmark=0 use=1
tcp      6 56 CLOSE_WAIT src=192.168.1.105 dst=64.233.189.147 sport=51048 dport=80 packets=8 bytes=736 src=64.233.189.147 dst=10.66.65.130 sport=80 dport=10000 packets=7 bytes=5691 [ASSURED] mark=0 secmark=0 use=1

the port is assigned in order from low to high.

on kernel 160:
without the --random option:
[root@localhost ~]# cat /proc/net/ip_conntrack
udp      17 19 src=192.168.1.105 dst=10.66.127.10 sport=41857 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20003 packets=1 bytes=128 mark=0 secmark=0 use=1
udp      17 20 src=192.168.1.105 dst=10.66.127.10 sport=51564 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20004 packets=1 bytes=224 mark=0 secmark=0 use=1
udp      17 19 src=192.168.1.105 dst=10.66.127.10 sport=36371 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20002 packets=1 bytes=224 mark=0 secmark=0 use=1
udp      17 9 src=192.168.1.105 dst=10.66.127.10 sport=52045 dport=53 packets=1 bytes=70 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20000 packets=1 bytes=128 mark=0 secmark=0 use=1
udp      17 19 src=192.168.1.105 dst=10.66.127.10 sport=43912 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20001 packets=1 bytes=128 mark=0 secmark=0 use=1
tcp      6 116 TIME_WAIT src=192.168.1.105 dst=64.233.189.147 sport=43417 dport=80 packets=9 bytes=812 src=64.233.189.147 dst=10.66.65.130 sport=80 dport=10000 packets=8 bytes=5779 [ASSURED] mark=0 secmark=0 use=1

[root@localhost ~]# cat /proc/net/ip_conntrack
udp      17 16 src=192.168.1.105 dst=10.66.127.10 sport=50258 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20010 packets=1 bytes=224 mark=0 secmark=0 use=1
udp      17 18 src=192.168.1.105 dst=10.66.127.10 sport=45116 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20016 packets=1 bytes=190 mark=0 secmark=0 use=1
udp      17 16 src=192.168.1.105 dst=10.66.127.10 sport=40072 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20012 packets=1 bytes=224 mark=0 secmark=0 use=1
udp      17 16 src=192.168.1.105 dst=10.66.127.10 sport=58846 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20009 packets=1 bytes=128 mark=0 secmark=0 use=1
udp      17 18 src=192.168.1.105 dst=10.66.127.10 sport=57545 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20013 packets=1 bytes=86 mark=0 secmark=0 use=1
udp      17 16 src=192.168.1.105 dst=10.66.127.10 sport=39845 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20011 packets=1 bytes=128 mark=0 secmark=0 use=1
udp      17 18 src=192.168.1.105 dst=10.66.127.10 sport=35061 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20015 packets=1 bytes=86 mark=0 secmark=0 use=1
udp      17 18 src=192.168.1.105 dst=10.66.127.10 sport=34208 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20014 packets=1 bytes=190 mark=0 secmark=0 use=1
tcp      6 21 TIME_WAIT src=192.168.1.105 dst=72.14.203.103 sport=55286 dport=80 packets=26 bytes=2018 src=72.14.203.103 dst=10.66.65.130 sport=80 dport=10001 packets=25 bytes=28915 [ASSURED] mark=0 secmark=0 use=1
tcp      6 113 TIME_WAIT src=192.168.1.105 dst=64.233.189.147 sport=40607 dport=80 packets=9 bytes=800 src=64.233.189.147 dst=10.66.65.130 sport=80 dport=10002 packets=8 bytes=5743 [ASSURED] mark=0 secmark=0 use=1
tcp      6 108 TIME_WAIT src=192.168.1.105 dst=119.75.216.30 sport=60825 dport=80 packets=7 bytes=611 src=119.75.216.30 dst=10.66.65.130 sport=80 dport=10002 packets=7 bytes=2401 [ASSURED] mark=0 secmark=0 use=1

with --random option:
[root@localhost ~]# cat /proc/net/ip_conntrack
udp      17 12 src=192.168.1.105 dst=10.66.127.10 sport=44782 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20453 packets=1 bytes=224 mark=0 secmark=0 use=1
udp      17 12 src=192.168.1.105 dst=10.66.127.10 sport=44140 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20452 packets=1 bytes=128 mark=0 secmark=0 use=1
udp      17 13 src=192.168.1.105 dst=10.66.127.10 sport=53090 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20456 packets=1 bytes=86 mark=0 secmark=0 use=1
udp      17 12 src=192.168.1.105 dst=10.66.127.10 sport=39982 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20450 packets=1 bytes=128 mark=0 secmark=0 use=1
udp      17 12 src=192.168.1.105 dst=10.66.127.10 sport=34132 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20451 packets=1 bytes=224 mark=0 secmark=0 use=1
udp      17 13 src=192.168.1.105 dst=10.66.127.10 sport=57223 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20455 packets=1 bytes=190 mark=0 secmark=0 use=1
udp      17 13 src=192.168.1.105 dst=10.66.127.10 sport=49325 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20454 packets=1 bytes=86 mark=0 secmark=0 use=1
udp      17 13 src=192.168.1.105 dst=10.66.127.10 sport=58064 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20457 packets=1 bytes=190 mark=0 secmark=0 use=1
tcp      6 13 TIME_WAIT src=192.168.1.105 dst=64.233.189.147 sport=40607 dport=80 packets=9 bytes=800 src=64.233.189.147 dst=10.66.65.130 sport=80 dport=10002 packets=8 bytes=5743 [ASSURED] mark=0 secmark=0 use=1
tcp      6 8 TIME_WAIT src=192.168.1.105 dst=119.75.216.30 sport=60825 dport=80 packets=7 bytes=611 src=119.75.216.30 dst=10.66.65.130 sport=80 dport=10002 packets=7 bytes=2401 [ASSURED] mark=0 secmark=0 use=1
tcp      6 103 TIME_WAIT src=192.168.1.105 dst=119.75.213.61 sport=59136 dport=80 packets=6 bytes=571 src=119.75.213.61 dst=10.66.65.130 sport=80 dport=10157 packets=6 bytes=2361 [ASSURED] mark=0 secmark=0 use=1
tcp      6 107 TIME_WAIT src=192.168.1.105 dst=64.233.189.104 sport=42332 dport=80 packets=9 bytes=788 src=64.233.189.104 dst=10.66.65.130 sport=80 dport=10269 packets=8 bytes=5725 [ASSURED] mark=0 secmark=0 use=1

port is on selected from smallest unused port, with some random.
Comment 15 errata-xmlrpc 2009-09-02 04:36:42 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1243.html

Note You need to log in before you can comment on or make changes to this bug.