iptables syn/fin dropping going to wrong chain
I am implementing a stateful firewall where one of the constraints is to drop all TCP packets with the SYN and FIN bit set.
Our chain is as follows:
Code:
iptables -N synfin
iptables -A INPUT -p tcp -j synfin
To test this we are using the command:
Code:
hping3 192.168.0.21 -p 80 -S -F
We are testing this on a separate machine in a subnet (192.168.0.20).
Can you please post the output of the command "iptables-save"?
Thank you.
Sorry for the length, there is a bunch of other rules too.
Code:
# Generated by iptables-save v1.4.5 on Wed Feb 3 14:55:27 2010
Why do you use so many
Code:
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
?
It's at the beginning of the script, don't worry about it.
Look at rule 1:
Code:
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
Packets go to FORWARD:
Code:
-A FORWARD -j restricted
Then to chain "restricted":
Code:
-A restricted -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
And all of them are DROPPED. Or have I missed something?
Quote:
Code:
$ip -N restricted
Yes, it is. I have missed something.
In your first post you said:
Quote:
The script itself drops the packets but it isn't getting forwarded to the synfin chain.
Code:
iptables -A FORWARD -p tcp -j synfin
But I don't see it in the output of "iptables-save".
Ok, but what is your question now?
Quote:
What we need is for it to be sent to the FORWARD chain so that the behavior can be observed from the restricted chain's output. For example, if we use another rule in the restricted chain such as "drop all Telnet", netfilter would display the dropped packets when we use a display command such as:
Code:
iptables -L -n -v -x -Z restricted
As it is now, SYN/FIN packets do not display in this chain because they are not being sent to FORWARD. It works for everything else such as ssh, telnet or DNS (if for some reason we wanted to).
Quote:
All packets which enter eth1 will be sent to 192.168.1.253.
Look, according to your rules, packets can get into the "restricted" chain only from FORWARD:
Code:
-A FORWARD -j restricted
But FORWARD by itself will only handle packets which do not belong to the interface they come in on, and any packets coming in on eth1. So, if you want port 80 to be blocked at the "restricted" FORWARD chain, you need to add a rule to drop port 80 and send packets to eth1, or to an IP address different from the incoming interface's. In this case packets will go to the FORWARD chain and hit your rule.
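The two points the thread turns on, that packets reach "restricted" only via FORWARD while locally delivered packets only traverse INPUT, and how the quoted --tcp-flags rules actually match, as an added example that is not code from the thread or from any of its posters: a small Python model of netfilter chain traversal. Python is used because the real rules need a kernel to run. The rules are the ones quoted above; the assumptions are eth0 as the firewall's other interface, 192.168.0.21 as the firewall's own address, ACCEPT as the policy of INPUT and FORWARD, and that the OP's synfin chain holds a single "--tcp-flags SYN,FIN SYN,FIN -j DROP" rule (the thread never shows its body).

```python
# Added example: a toy model of netfilter chain traversal and of
# "--tcp-flags MASK COMP" matching. Rules come from the thread; interface
# names, the firewall's own address and the chain policies are assumptions.

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_bits(spec):
    """Translate an iptables flag list ('FIN,SYN', 'ALL', 'NONE') to a bitmask."""
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    return sum(TCP_FLAGS[name] for name in spec.split(","))


def tcp_flags_match(packet_flags, mask, comp):
    """xt_tcp semantics for --tcp-flags MASK COMP: look only at the bits in
    MASK and require exactly the bits listed in COMP to be set among them."""
    return (packet_flags & flag_bits(mask)) == flag_bits(comp)


# Chains as quoted in the thread. A rule whose target is a chain name is a jump.
RULES = {
    "synfin": [  # assumed body of the OP's synfin chain
        {"tcp_flags": ("SYN,FIN", "SYN,FIN"), "target": "DROP"}],
    "restricted": [  # -A restricted -i eth1 -p tcp --tcp-flags ... -j DROP
        {"in": "eth1", "tcp_flags": ("FIN,SYN,RST,PSH,ACK,URG", "FIN,SYN"),
         "target": "DROP"}],
    "INPUT": [{"target": "synfin"}],        # -A INPUT -p tcp -j synfin
    "FORWARD": [{"target": "restricted"}],  # -A FORWARD -j restricted
}

LOCAL_ADDRS = {"192.168.0.21"}    # assumed: the firewall's own eth1 address
DNAT = {"eth1": "192.168.1.253"}  # -A PREROUTING -i eth1 -j DNAT --to-destination ...


def walk_chain(rules, chain, pkt, trail):
    """Evaluate one chain, recursing into jumps. Returns 'DROP'/'ACCEPT', or
    None when the packet falls off the end of the chain."""
    trail.append(chain)
    for rule in rules.get(chain, []):
        if "in" in rule and rule["in"] != pkt["in"]:
            continue
        if "tcp_flags" in rule and not tcp_flags_match(pkt["flags"], *rule["tcp_flags"]):
            continue
        target = rule["target"]
        if target in ("DROP", "ACCEPT"):
            return target
        verdict = walk_chain(rules, target, pkt, trail)
        if verdict is not None:
            return verdict
    return None


def process(rules, pkt, policy="ACCEPT"):
    """nat PREROUTING runs before the routing decision, so the DNAT rule decides
    whether the packet is delivered locally (INPUT) or routed (FORWARD)."""
    pkt = dict(pkt)
    pkt["dst"] = DNAT.get(pkt["in"], pkt["dst"])
    entry = "INPUT" if pkt["dst"] in LOCAL_ADDRS else "FORWARD"
    trail = []
    verdict = walk_chain(rules, entry, pkt, trail) or policy
    return verdict, trail


def with_synfin_in_forward(rules):
    """The change discussed in the thread: also hook synfin from FORWARD, placed
    ahead of the jump to restricted (iptables -I FORWARD -p tcp -j synfin)."""
    fixed = {name: list(chain) for name, chain in rules.items()}
    fixed["FORWARD"].insert(0, {"target": "synfin"})
    return fixed


# Constructed packets: what "hping3 192.168.0.21 -p 80 -S -F" sent from
# 192.168.0.20 looks like on arrival at eth1, plus two variants.
HPING_SYNFIN = {"in": "eth1", "dst": "192.168.0.21", "flags": flag_bits("SYN,FIN")}
SYNFINACK = {"in": "eth1", "dst": "192.168.0.21", "flags": flag_bits("SYN,FIN,ACK")}
LOCAL_SYNFIN = {"in": "eth0", "dst": "192.168.0.21", "flags": flag_bits("SYN,FIN")}  # eth0 assumed

if __name__ == "__main__":
    for label, rules in (("as posted", RULES),
                         ("synfin hooked in FORWARD", with_synfin_in_forward(RULES))):
        for name, pkt in (("hping SYN+FIN", HPING_SYNFIN), ("SYN+FIN+ACK", SYNFINACK),
                          ("local SYN+FIN", LOCAL_SYNFIN)):
            verdict, trail = process(rules, pkt)
            print(f"{label:26} {name:14} {' -> '.join(trail):22} {verdict}")
```

Running it shows the hping3 probe being DNATed onto the routed path and dropped by "restricted" without ever touching "synfin", which is exactly why its counters stay at zero; only a packet arriving on another interface for the firewall's own address goes through INPUT and synfin. The model also makes the difference between the two flag specifications visible: the quoted restricted rule uses the full six-flag mask and so matches only a packet whose flags are exactly SYN+FIN, whereas a "SYN,FIN SYN,FIN" rule also catches SYN+FIN with ACK or other bits set, which is the looser (and for this purpose more useful) check.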