ip6tables with raw table(no conntrack) drop fragmented packet
/dev/rob0
rob0 at gmx.co.uk
Sat Oct 1 18:21:28 UTC 2016
On Fri, Sep 30, 2016 at 11:55:18PM -0400, Larry Larson wrote:
> I've followed instructions in this BIND Knowledge base article and
> installed ip6tables on my DNS server, using raw table with no
> conntrack for DNS:
> https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html
This is mostly for authoritative servers which must be open to
queries from anywhere. Perhaps this is not a real issue, as it
sounds like you might be setting up a recursive server? Of course,
it CAN be a problem for recursive-only servers too; it just depends
how many users and concurrent queries you need to support. If your
userbase can flood your conntrack table, you need this.
> But for IPv6 it drops fragmented packets, for example this query
> fails once the ip6table is on:
> dig +dnssec isc.org any @2001:500:60::30
Can you show us how you found out that it was affecting fragments?
Is this query falling back to TCP? Do you have a pcap?
> Everything works great for IPv4 with similar rules, can someone
> help shed some light on what might be wrong:
>
> # Firewall configuration written by system-config-firewall
A minor issue, the NOTRACK target is deprecated by CT with the
--notrack option. (That's not the problem, however.)
We can test things with a few TRACE rules. Let's add rules as
follows:
> *raw
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
-A PREROUTING -s 2001:500:60::30 -j TRACE
-A PREROUTING -d 2001:500:60::30 -j TRACE
> -A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
> -A PREROUTING -p udp -m udp --sport 53 -j NOTRACK
-A OUTPUT -s 2001:500:60::30 -j TRACE
-A OUTPUT -d 2001:500:60::30 -j TRACE
> -A OUTPUT -p udp -m udp --dport 53 -j NOTRACK
> -A OUTPUT -p udp -m udp --sport 53 -j NOTRACK
> COMMIT
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
> -A INPUT -p ipv6-icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> #tcp dns
> -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 53 -j ACCEPT
> -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --sport 53 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
> -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
> COMMIT
For TRACE rules to work the LOG module must be loaded. A quick,
temporary way to do that:
# ip6tables -A INPUT -i bogus -j LOG
# ip6tables -D INPUT -i bogus -j LOG
(That adds and then removes a no-op rule using the LOG target.)
Then repeat your test,
> dig +dnssec isc.org any @2001:500:60::30
on this machine.
Then show us "ip6tables-save -c" along with all the "TRACE" lines
from dmesg. A quick way which should work for that:
# dmesg | grep TRACE
After the test, you might want to disable those TRACE rules, in case
you had other business with 2001:500:60::30 -- they can get very
noisy, very quickly.
Coincidentally, I happen to be working on this very issue, with a
different approach: shortened TTL for conntrack entries for UDP DNS.
It came up on the Netfilter mailing list recently. I'll be sure to
post here when that (a documentation patch) is completed.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
More information about the bind-users
mailing list