What are the definitions of addrtype in iptables

iptables

I am keen to use addrtype in combination with -src as a rule in one of my filter chain like so to drop some bogon ips:

-A INPUT -p tcp --dport 80 -m addrtype --src-type UNICAST ! -s 127.0.0.0/8 -j WEB

The man page says the following

addrtype
This module matches packets based on their address type. Address types are used within the kernel networking stack and
categorize addresses into various groups. The exact definition of that
group depends on the specific layer three protocol.

The following address types are possible:

UNSPEC an unspecified address (i.e. 0.0.0.0)

UNICAST an unicast address

LOCAL a local address

BROADCAST a broadcast address

ANYCAST an anycast packet

MULTICAST a multicast address

BLACKHOLE a blackhole address

UNREACHABLE an unreachable address

PROHIBIT a prohibited address

THROW FIXME

NAT FIXME

XRESOLVE

It is not clear on what are the exact definitions and says it depends on the specific layer 3 protocol. This is what I think:

UNICAST (!BROADCAST, !MULTICAST, !ANYCAST)
LOCAL (127.0.0.0/8)
BROADCAST (*.*.*.255)
ANYCAST (*.*.*.*)
MULTICAST (224.0.0.0/4)

Does anyone has a clear idea what that means and how it is implemented by iptables (for example, how it knows where the hell is BLACKHOLE)?

Best Answer

I think it depends on you to make the kernel knows which is blackhole address type.

From xt_addrtype.h file in iptables source code, you can see:

/* rtn_type enum values from rtnetlink.h, but shifted */                        
enum {                                                                          
    XT_ADDRTYPE_UNSPEC = 1 << 0,                                                
    XT_ADDRTYPE_UNICAST = 1 << 1,   /* 1 << RTN_UNICAST */                      
    XT_ADDRTYPE_LOCAL  = 1 << 2,    /* 1 << RTN_LOCAL, etc */                   
    XT_ADDRTYPE_BROADCAST = 1 << 3,                                             
    XT_ADDRTYPE_ANYCAST = 1 << 4,                                               
    XT_ADDRTYPE_MULTICAST = 1 << 5,                                             
    XT_ADDRTYPE_BLACKHOLE = 1 << 6,                                             
    XT_ADDRTYPE_UNREACHABLE = 1 << 7,                                           
    XT_ADDRTYPE_PROHIBIT = 1 << 8,                                              
    XT_ADDRTYPE_THROW = 1 << 9,                                                 
    XT_ADDRTYPE_NAT = 1 << 10,                                                  
    XT_ADDRTYPE_XRESOLVE = 1 << 11,                                             
};

And in rtnetlink.h, you will see the same definition:

enum {                                                                          
    RTN_UNSPEC,                                                                 
    RTN_UNICAST,        /* Gateway or direct route  */                          
    RTN_LOCAL,      /* Accept locally       */                                  
    RTN_BROADCAST,      /* Accept locally as broadcast,                         
                   send as broadcast */                                         
    RTN_ANYCAST,        /* Accept locally as broadcast,                         
                   but send as unicast */                                       
    RTN_MULTICAST,      /* Multicast route      */                              
    RTN_BLACKHOLE,      /* Drop             */                                  
    RTN_UNREACHABLE,    /* Destination is unreachable   */                      
    RTN_PROHIBIT,       /* Administratively prohibited  */                      
    RTN_THROW,      /* Not in this table        */                              
    RTN_NAT,        /* Translate this address   */                              
    RTN_XRESOLVE,       /* Use external resolver    */                          
    __RTN_MAX                                                                   
};

You can see iptables use the same definition of address type with kernel tcp networking stack.

Then from man ip:

Route types:

      unicast - the route entry describes real paths to the destinations covered by the route prefix.

      unreachable  - these destinations are unreachable.  Packets are discarded and the ICMP message host unreachable is generated.
               The local senders get an EHOSTUNREACH error.

      blackhole - these destinations are unreachable.  Packets are discarded silently.  The local senders get an EINVAL error.

      prohibit - these destinations are unreachable.  Packets are discarded and the  ICMP  message  communication  administratively
               prohibited is generated.  The local senders get an EACCES error.

      local - the destinations are assigned to this host.  The packets are looped back and delivered locally.

      broadcast - the destinations are broadcast addresses.  The packets are sent as link broadcasts.

      throw  - a special control route used together with policy rules. If such a route is selected, lookup in this table is termi‐
               nated pretending that no route was found.  Without policy routing it is equivalent to the absence of the route in the routing
               table.   The  packets  are  dropped  and the ICMP message net unreachable is generated.  The local senders get an ENETUNREACH
               error.

      nat - a special NAT route.  Destinations covered by the prefix are considered to  be  dummy  (or  external)  addresses  which
               require  translation  to  real  (or  internal)  ones  before forwarding.  The addresses to translate to are selected with the
               attribute Warning: Route NAT is no longer supported in Linux 2.6.

               via.

      anycast - not implemented the destinations are anycast addresses assigned to this host.  They are mainly equivalent to  local
               with one difference: such addresses are invalid when used as the source address of any packet.

      multicast - a special type used for multicast routing.  It is not present in normal routing tables.

So when you define a route to a network by ip command and mark it as a blackhole route, the kernel now make this network address blackhole type:

ip route add blackhole X.X.X.X/24

Related Solutions

UDP to Broadcast – How to Transform a UDP Unicast Packet

socat is a killer utility. Put this somewhere in your init scripts:

socat -u -T1 UDP-LISTEN:1234,fork,range=<ip address of source>/32 UDP-DATAGRAM:255.255.255.255:5678,broadcast

Some users have problems with UDP-LISTEN, so using UDP-RECV seems better (warning: could send the broadcast packets in an endless loop):

socat -u UDP-RECV:1234 UDP-DATAGRAM:255.255.255.255:5678,broadcast

fork allows socat to keep listening for next packets.
T1 limits the life of forked subprocesses to 1 second.
range makes socat listen only to packets coming from this source. Assuming this is another computer than the one where socat is running, this helps that socat does not listen to its own broadcast packets which would result in an endless loop.
255.255.255.255 is more general than 192.168.0.255. Allowing you to just copy-paste without thinking about your current network structure. Caveat: this probably sends the broadcasted packets to every interface.

As you, I noticed WOL works with whatever port. I wonder if this is reliable. Lots of documents only talk about ports 0, 7 and 9.
This allow to use a non-pivileged port, so you can run socat with user nobody.

Thanks to @lgeorget @Hauke Laging and @Gregory MOUSSAT to have participated to this answer.

Linux – What are the essential iptables rules for IPv6 to work properly

The essential rules will depend on the network as a network might instead use SLAAC instead of DHCPv6, or there can be other complications depending on tunnels, ICMP handling, etc.

-A INPUT -m conntrack --ctstate NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT

is suitable for a DHCPv6 client. DHCP clients should not accept server port 547 traffic as presumably they are not also a DHCP server. Packets will come from the DHCP server from port 547 to port 546 on the client; connection tracking will not apply as the client broadcasts (or really multicasts under IPv6) and the server replies from an address unrelated to where the client broadcasted to.

This is fairly safe as root is necessary to listen on ports <1024 so random users on the client system should not be able to start a malicious service there by default (maybe they could DoS network access?). fe80 is link-local traffic so remote malicious users on some other subnet should not be able to route traffic to that port (if you have malicious users on your subnet you probably have other more important problems to deal with, such as the use of network gear that prevents rogue DHCP servers).

ICMPv6 can get very complicated depending on what you want to permit or deny, though probably can be handled with the connection tracking defaults for a simple IPv6 client. See RFC 4443 and RFC 4890 for more details.

Best Answer

Related Solutions

UDP to Broadcast – How to Transform a UDP Unicast Packet

Linux – What are the essential iptables rules for IPv6 to work properly

Related Question