Description of problem: Backport patch to include support for NAT port randomisation.
Proposed upstream patch:
1) http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=41f4689a7c8cd76b77864461b3c58fde8f322b2c
2) http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9f593653742d1dd816c4e94c6e5154a57ccba6d1
Created attachment 314892 [details] Upstream patch for this issue
Created attachment 314893 [details] Upstream patch to apply on top of comment #2
This is not a security bug, but it is good to have NAT port randomisation. Also note that iptables probably needs to include the --random option as well. The manpages explicitly mention that this feature is only available in kernel >= 2.6.22. So, I am not sure if we will be deviating from upstream if we do this. Close the bug if the effort is not worthwhile. Thanks.
Updating PM score.
Created attachment 337289 [details] proposed patch
in kernel-2.6.18-138.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Please do NOT transition this bugzilla state to VERIFIED until our QE team has sent specific instructions indicating when to do so. However feel free to provide a comment indicating that this fix has been verified.
The --random option is added to iptables from iptables-1.3.8; using 1.4.0 for the test.
[root@dhcp-65-130 ~]# iptables --version
iptables v1.4.0
Test environment: two machines. Machine A has two NICs: eth0 is configured to connect to the internet, and eth1 is configured as the gateway of the LAN 192.168.0.0. Machine B has only one NIC, is in the LAN, and has its gateway and default route set to machine A's eth1. Configure iptables SNAT on machine A; machine B connects out through machine A using port translation. The iptables NAT configuration is attached.
Created attachment 356120 [details] iptables nat configuration
run on NAT server:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables_nat_server.sh
cat /proc/net/ip_conntrack

Test result:

on kernel 128:
[root@dhcp-65-130 ~]# cat /proc/net/ip_conntrack
udp 17 26 src=192.168.1.105 dst=10.66.127.10 sport=41696 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20005 packets=1 bytes=224 mark=0 secmark=0 use=1
udp 17 25 src=192.168.1.105 dst=10.66.127.10 sport=54373 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20003 packets=1 bytes=190 mark=0 secmark=0 use=1
udp 17 26 src=192.168.1.105 dst=10.66.127.10 sport=43512 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20006 packets=1 bytes=128 mark=0 secmark=0 use=1
udp 17 25 src=192.168.1.105 dst=10.66.127.10 sport=45829 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20002 packets=1 bytes=86 mark=0 secmark=0 use=1
udp 17 26 src=192.168.1.105 dst=10.66.127.10 sport=52367 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20007 packets=1 bytes=224 mark=0 secmark=0 use=1
udp 17 25 src=192.168.1.105 dst=10.66.127.10 sport=46005 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20004 packets=1 bytes=128 mark=0 secmark=0 use=1
udp 17 25 src=192.168.1.105 dst=10.66.127.10 sport=50760 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20000 packets=1 bytes=86 mark=0 secmark=0 use=1
udp 17 25 src=192.168.1.105 dst=10.66.127.10 sport=53789 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20001 packets=1 bytes=190 mark=0 secmark=0 use=1
tcp 6 115 TIME_WAIT src=192.168.1.105 dst=119.75.216.30 sport=47764 dport=80 packets=6 bytes=571 src=119.75.216.30 dst=10.66.65.130 sport=80 dport=10000 packets=6 bytes=2361 [ASSURED] mark=0 secmark=0 use=1
tcp 6 56 CLOSE_WAIT src=192.168.1.105 dst=64.233.189.147 sport=51048 dport=80 packets=8 bytes=736 src=64.233.189.147 dst=10.66.65.130 sport=80 dport=10000 packets=7 bytes=5691 [ASSURED] mark=0 secmark=0 use=1
The port is assigned in order from low to high.

on kernel 160:
without the --random option:
[root@localhost ~]# cat /proc/net/ip_conntrack
udp 17 19 src=192.168.1.105 dst=10.66.127.10 sport=41857 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20003 packets=1 bytes=128 mark=0 secmark=0 use=1
udp 17 20 src=192.168.1.105 dst=10.66.127.10 sport=51564 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20004 packets=1 bytes=224 mark=0 secmark=0 use=1
udp 17 19 src=192.168.1.105 dst=10.66.127.10 sport=36371 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20002 packets=1 bytes=224 mark=0 secmark=0 use=1
udp 17 9 src=192.168.1.105 dst=10.66.127.10 sport=52045 dport=53 packets=1 bytes=70 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20000 packets=1 bytes=128 mark=0 secmark=0 use=1
udp 17 19 src=192.168.1.105 dst=10.66.127.10 sport=43912 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20001 packets=1 bytes=128 mark=0 secmark=0 use=1
tcp 6 116 TIME_WAIT src=192.168.1.105 dst=64.233.189.147 sport=43417 dport=80 packets=9 bytes=812 src=64.233.189.147 dst=10.66.65.130 sport=80 dport=10000 packets=8 bytes=5779 [ASSURED] mark=0 secmark=0 use=1
[root@localhost ~]# cat /proc/net/ip_conntrack
udp 17 16 src=192.168.1.105 dst=10.66.127.10 sport=50258 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20010 packets=1 bytes=224 mark=0 secmark=0 use=1
udp 17 18 src=192.168.1.105 dst=10.66.127.10 sport=45116 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20016 packets=1 bytes=190 mark=0 secmark=0 use=1
udp 17 16 src=192.168.1.105 dst=10.66.127.10 sport=40072 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20012 packets=1 bytes=224 mark=0 secmark=0 use=1
udp 17 16 src=192.168.1.105 dst=10.66.127.10 sport=58846 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20009 packets=1 bytes=128 mark=0 secmark=0 use=1
udp 17 18 src=192.168.1.105 dst=10.66.127.10 sport=57545 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20013 packets=1 bytes=86 mark=0 secmark=0 use=1
udp 17 16 src=192.168.1.105 dst=10.66.127.10 sport=39845 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20011 packets=1 bytes=128 mark=0 secmark=0 use=1
udp 17 18 src=192.168.1.105 dst=10.66.127.10 sport=35061 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20015 packets=1 bytes=86 mark=0 secmark=0 use=1
udp 17 18 src=192.168.1.105 dst=10.66.127.10 sport=34208 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20014 packets=1 bytes=190 mark=0 secmark=0 use=1
tcp 6 21 TIME_WAIT src=192.168.1.105 dst=72.14.203.103 sport=55286 dport=80 packets=26 bytes=2018 src=72.14.203.103 dst=10.66.65.130 sport=80 dport=10001 packets=25 bytes=28915 [ASSURED] mark=0 secmark=0 use=1
tcp 6 113 TIME_WAIT src=192.168.1.105 dst=64.233.189.147 sport=40607 dport=80 packets=9 bytes=800 src=64.233.189.147 dst=10.66.65.130 sport=80 dport=10002 packets=8 bytes=5743 [ASSURED] mark=0 secmark=0 use=1
tcp 6 108 TIME_WAIT src=192.168.1.105 dst=119.75.216.30 sport=60825 dport=80 packets=7 bytes=611 src=119.75.216.30 dst=10.66.65.130 sport=80 dport=10002 packets=7 bytes=2401 [ASSURED] mark=0 secmark=0 use=1

with --random option:
[root@localhost ~]# cat /proc/net/ip_conntrack
udp 17 12 src=192.168.1.105 dst=10.66.127.10 sport=44782 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20453 packets=1 bytes=224 mark=0 secmark=0 use=1
udp 17 12 src=192.168.1.105 dst=10.66.127.10 sport=44140 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20452 packets=1 bytes=128 mark=0 secmark=0 use=1
udp 17 13 src=192.168.1.105 dst=10.66.127.10 sport=53090 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20456 packets=1 bytes=86 mark=0 secmark=0 use=1
udp 17 12 src=192.168.1.105 dst=10.66.127.10 sport=39982 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20450 packets=1 bytes=128 mark=0 secmark=0 use=1
udp 17 12 src=192.168.1.105 dst=10.66.127.10 sport=34132 dport=53 packets=1 bytes=60 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20451 packets=1 bytes=224 mark=0 secmark=0 use=1
udp 17 13 src=192.168.1.105 dst=10.66.127.10 sport=57223 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20455 packets=1 bytes=190 mark=0 secmark=0 use=1
udp 17 13 src=192.168.1.105 dst=10.66.127.10 sport=49325 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20454 packets=1 bytes=86 mark=0 secmark=0 use=1
udp 17 13 src=192.168.1.105 dst=10.66.127.10 sport=58064 dport=53 packets=1 bytes=59 src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20457 packets=1 bytes=190 mark=0 secmark=0 use=1
tcp 6 13 TIME_WAIT src=192.168.1.105 dst=64.233.189.147 sport=40607 dport=80 packets=9 bytes=800 src=64.233.189.147 dst=10.66.65.130 sport=80 dport=10002 packets=8 bytes=5743 [ASSURED] mark=0 secmark=0 use=1
tcp 6 8 TIME_WAIT src=192.168.1.105 dst=119.75.216.30 sport=60825 dport=80 packets=7 bytes=611 src=119.75.216.30 dst=10.66.65.130 sport=80 dport=10002 packets=7 bytes=2401 [ASSURED] mark=0 secmark=0 use=1
tcp 6 103 TIME_WAIT src=192.168.1.105 dst=119.75.213.61 sport=59136 dport=80 packets=6 bytes=571 src=119.75.213.61 dst=10.66.65.130 sport=80 dport=10157 packets=6 bytes=2361 [ASSURED] mark=0 secmark=0 use=1
tcp 6 107 TIME_WAIT src=192.168.1.105 dst=64.233.189.104 sport=42332 dport=80 packets=9 bytes=788 src=64.233.189.104 dst=10.66.65.130 sport=80 dport=10269 packets=8 bytes=5725 [ASSURED] mark=0 secmark=0 use=1
The port is selected from the smallest unused port, with some randomness.
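The check the test comment above does by eye, reading the reply-direction dport out of /proc/net/ip_conntrack and seeing whether the NAT-assigned ports climb sequentially from the bottom of the SNAT range, written out as an added Python example. This is not code from the bug report, the kernel patches or iptables. The sample entries are constructed in the layout /proc/net/ip_conntrack uses; the gateway address 10.66.65.130 and the range bases 20000 (UDP) and 10000 (TCP) are taken from the output in the report, and the three verdict labels are this example's own convention.

```python
"""Parse /proc/net/ip_conntrack entries and judge how NAT is picking ports.

Added example, not part of the bug report. The NAT-assigned port is the
*reply* tuple's dport: the port the external host talks back to on the
gateway address. Field layout follows the report's output.
"""
from typing import Dict, List, Optional

# Constructed sample entries (not copied from the report): the format is the
# report's, the counters are made up. First set mimics the pre-fix kernel,
# where NAT ports fill the range from its base upward.
SEQUENTIAL_SAMPLE = [
    "udp      17 26 src=192.168.1.105 dst=10.66.127.10 sport=41696 dport=53 packets=1 bytes=60 "
    "src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20000 packets=1 bytes=224 mark=0 secmark=0 use=1",
    "udp      17 25 src=192.168.1.105 dst=10.66.127.10 sport=54373 dport=53 packets=1 bytes=59 "
    "src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20001 packets=1 bytes=190 mark=0 secmark=0 use=1",
    "udp      17 26 src=192.168.1.105 dst=10.66.127.10 sport=43512 dport=53 packets=1 bytes=60 "
    "src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20002 packets=1 bytes=128 mark=0 secmark=0 use=1",
    "udp      17 25 src=192.168.1.105 dst=10.66.127.10 sport=45829 dport=53 packets=1 bytes=59 "
    "src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20003 packets=1 bytes=86 mark=0 secmark=0 use=1",
    "tcp      6 115 TIME_WAIT src=192.168.1.105 dst=119.75.216.30 sport=47764 dport=80 packets=6 bytes=571 "
    "src=119.75.216.30 dst=10.66.65.130 sport=80 dport=10000 packets=6 bytes=2361 [ASSURED] mark=0 secmark=0 use=1",
    "tcp      6 56 CLOSE_WAIT src=192.168.1.105 dst=64.233.189.147 sport=51048 dport=80 packets=8 bytes=736 "
    "src=64.233.189.147 dst=10.66.65.130 sport=80 dport=10001 packets=7 bytes=5691 [ASSURED] mark=0 secmark=0 use=1",
]

# Second set mimics the --random run: UDP flows to one resolver land on a
# contiguous block at an offset, TCP flows to different servers are scattered.
RANDOM_SAMPLE = [
    "udp      17 12 src=192.168.1.105 dst=10.66.127.10 sport=44782 dport=53 packets=1 bytes=60 "
    "src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20450 packets=1 bytes=224 mark=0 secmark=0 use=1",
    "udp      17 12 src=192.168.1.105 dst=10.66.127.10 sport=44140 dport=53 packets=1 bytes=60 "
    "src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20451 packets=1 bytes=128 mark=0 secmark=0 use=1",
    "udp      17 13 src=192.168.1.105 dst=10.66.127.10 sport=53090 dport=53 packets=1 bytes=59 "
    "src=10.66.127.10 dst=10.66.65.130 sport=53 dport=20452 packets=1 bytes=86 mark=0 secmark=0 use=1",
    "tcp      6 113 TIME_WAIT src=192.168.1.105 dst=64.233.189.147 sport=40607 dport=80 packets=9 bytes=800 "
    "src=64.233.189.147 dst=10.66.65.130 sport=80 dport=10002 packets=8 bytes=5743 [ASSURED] mark=0 secmark=0 use=1",
    "tcp      6 103 TIME_WAIT src=192.168.1.105 dst=119.75.213.61 sport=59136 dport=80 packets=6 bytes=571 "
    "src=119.75.213.61 dst=10.66.65.130 sport=80 dport=10157 packets=6 bytes=2361 [ASSURED] mark=0 secmark=0 use=1",
    "tcp      6 107 TIME_WAIT src=192.168.1.105 dst=64.233.189.104 sport=42332 dport=80 packets=9 bytes=788 "
    "src=64.233.189.104 dst=10.66.65.130 sport=80 dport=10269 packets=8 bytes=5725 [ASSURED] mark=0 secmark=0 use=1",
]


def parse_conntrack_line(line: str) -> Optional[Dict]:
    """Split one ip_conntrack entry into its original and reply tuples.

    Layout: <proto> <protonum> <timeout> [<tcp state>] key=value ...
    src/dst/sport/dport appear twice: first for the original direction,
    then for the reply direction. Tokens without '=' such as [ASSURED]
    are skipped. Returns None for lines that are not an entry.
    """
    tokens = line.split()
    if len(tokens) < 4 or not tokens[1].isdigit():
        return None
    proto, timeout = tokens[0], int(tokens[2])
    state = None
    orig: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    for tok in tokens[3:]:
        key, eq, val = tok.partition("=")
        if not eq:
            # the TCP state word sits before the first key=value field
            if not orig and tok.isupper():
                state = tok
            continue
        if key in ("src", "dst", "sport", "dport"):
            (orig if key not in orig else reply)[key] = val
    if "dport" not in reply:
        return None
    return {"proto": proto, "timeout": timeout, "state": state,
            "orig": orig, "reply": reply, "nat_port": int(reply["dport"])}


def assess_nat_ports(lines: List[str], proto: str, range_start: int) -> Optional[Dict]:
    """Summarise the NAT ports in use for one protocol.

    range_start is the low end of the SNAT port range (assumed known from
    the NAT rule). Verdicts: 'sequential' = one contiguous block starting
    at range_start; 'contiguous-offset' = contiguous but starting inside
    the range; 'scattered' = gaps between the ports in use.
    """
    entries = [e for e in map(parse_conntrack_line, lines) if e and e["proto"] == proto]
    ports = sorted({e["nat_port"] for e in entries})
    if not ports:
        return None
    span = ports[-1] - ports[0] + 1
    contiguous = span == len(ports)
    if contiguous and ports[0] == range_start:
        verdict = "sequential"
    elif contiguous:
        verdict = "contiguous-offset"
    else:
        verdict = "scattered"
    return {"proto": proto, "ports": ports, "span": span,
            "contiguous": contiguous, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("pre-fix", SEQUENTIAL_SAMPLE), ("--random", RANDOM_SAMPLE)):
        for proto, base in (("udp", 20000), ("tcp", 10000)):
            print(name, assess_nat_ports(sample, proto, base))
```

Run it as a script to print the summary for both samples, or feed it the lines of `cat /proc/net/ip_conntrack` from the NAT box. The three-way verdict is deliberate: in the --random run on this page the UDP DNS flows to one resolver land on a contiguous block at an offset (20450 to 20457) while the TCP flows to different web servers land on scattered ports (10002, 10157, 10269), which is consistent with a randomised starting point followed by an upward search for a free port; a binary sequential/random check would misreport the UDP case. One capture is a small sample, so take several, to different destinations, before concluding that randomisation is not in effect.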
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2009-1243.html