LinuxQuestions.org


b-neva 02-03-2010 04:21 PM

iptables syn/fin dropping going to wrong chain
 
I am implementing a stateful firewall where one of the constraints is to drop all TCP packets with the SYN and FIN bit set.

our chain is as follows:

Code:

iptables -N synfin
iptables -A synfin -i eth1 -p tcp --tcp-flags ALL SYN,FIN -j DROP
iptables -A FORWARD -p tcp -j synfin

The script itself drops the packets, but they aren't getting forwarded to the synfin chain. Our default policy at the start (which drops everything) is dropping the packets on the INPUT chain instead of the synfin chain. If we change the last line to:
Code:

iptables -A INPUT -p tcp -j synfin
it will start getting dropped by the proper chain.

To test this we are using the command:
hping3 192.168.0.21 -p 80 -S -F

We are testing this on a separate machine in a subnet (192.168.0.20)

nimnull22 02-03-2010 04:47 PM

Can you please post the output of the command "iptables-save"?

Thank you.

b-neva 02-03-2010 04:58 PM

Sorry for the length, there is a bunch of other rules too
Code:

# Generated by iptables-save v1.4.5 on Wed Feb  3 14:55:27 2010
*nat
:PREROUTING ACCEPT [1040:66042]
:POSTROUTING ACCEPT [58:4404]
:OUTPUT ACCEPT [2052:132387]
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
COMMIT
# Completed on Wed Feb  3 14:55:27 2010
# Generated by iptables-save v1.4.5 on Wed Feb  3 14:55:27 2010
*filter
:INPUT DROP [15:600]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:dropSpoof - [0:0]
:icmpPermit - [0:0]
:restricted - [0:0]
:tcpPermit - [0:0]
:udpPermit - [0:0]
-A FORWARD -j restricted
-A FORWARD -j dropSpoof
-A FORWARD -j tcpPermit
-A FORWARD -j udpPermit
-A FORWARD -j icmpPermit
-A FORWARD -i eth1 -p tcp -m tcp --dport 1024:65535 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -f -j ACCEPT
-A OUTPUT ! -s 192.168.0.21/32 -j DROP
-A dropSpoof -s 192.168.0.21/32 -i eth1 -j DROP
-A dropSpoof -s 192.168.1.254/32 -i eth1 -j DROP
-A dropSpoof -s 192.168.1.253/32 -i eth1 -j DROP
-A icmpPermit -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmpPermit -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A restricted -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
-A restricted -i eth1 -p tcp -m multiport --dports 32768:32775,137:139 -j DROP
-A restricted -i eth1 -p udp -m multiport --dports 32768:32775,137:139 -j DROP
-A restricted -i eth1 -p sctp -m multiport --dports 32768:32775,137:139 -j DROP
-A restricted -i eth1 -p tcp -m multiport --dports 111,515 -j DROP
-A restricted -p tcp -m tcp --dport 23 -j DROP
-A restricted -p tcp -m tcp --sport 23 -j DROP
-A tcpPermit -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A tcpPermit -i eth1 -p tcp -m tcp --sport 22 -j ACCEPT
-A tcpPermit -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A tcpPermit -i eth1 -p tcp -m tcp --sport 80 -j ACCEPT
-A tcpPermit -i eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A tcpPermit -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A tcpPermit -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT
-A tcpPermit -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A udpPermit -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A udpPermit -i eth1 -p udp -m udp --sport 53 -j ACCEPT
-A udpPermit -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A udpPermit -i eth1 -p udp -m udp --sport 67 -j ACCEPT
-A udpPermit -i eth0 -p udp -m udp --dport 68 -j ACCEPT
-A udpPermit -i eth1 -p udp -m udp --sport 68 -j ACCEPT
-A udpPermit -i eth0 -p udp -m udp --sport 53 -j ACCEPT
-A udpPermit -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A udpPermit -i eth0 -p udp -m udp --sport 67 -j ACCEPT
-A udpPermit -i eth1 -p udp -m udp --dport 67 -j ACCEPT
-A udpPermit -i eth0 -p udp -m udp --sport 68 -j ACCEPT
-A udpPermit -i eth1 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Wed Feb  3 14:55:27 2010


nimnull22 02-03-2010 05:07 PM

Why do you use so many
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253 ?

b-neva 02-03-2010 05:10 PM

It's at the beginning of the script, don't worry about it.

nimnull22 02-03-2010 06:17 PM

Look rule 1:
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
Packets go to FORWARD:
-A FORWARD -j restricted
Then to chain "restricted":
-A restricted -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
And all of them are DROPPED.

Or I've missed something?

b-neva 02-03-2010 08:41 PM

Quote:

Originally Posted by nimnull22 (Post 3851533)
Look rule 1:
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
Packets go to FORWARD:
-A FORWARD -j restricted
Then to chain "restricted":
-A restricted -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
And all of them are DROPPED.

Or I've missed something?

I'm not sure why it has all those flags in there but here is the restricted chain.

Code:

# $ip and $outDev are set earlier in the script; per the iptables-save output above
# they expand to iptables and eth1.
$ip -N restricted

# Drop TCP packets that have both SYN and FIN set
$ip -A restricted -i $outDev -p tcp --tcp-flags ALL SYN,FIN -j DROP

# Block all external traffic directed to ports 32768-32775, 137-139, TCP ports 111 and 515.
$ip -A restricted -i $outDev -m multiport -p tcp --dport 32768:32775,137:139 -j DROP
$ip -A restricted -i $outDev -m multiport -p udp --dport 32768:32775,137:139 -j DROP
$ip -A restricted -i $outDev -m multiport -p sctp --dport 32768:32775,137:139 -j DROP
$ip -A restricted -i $outDev -m multiport -p tcp --dport 111,515 -j DROP

# Drop ALL telnet
$ip -A restricted -p tcp --dport 23 -j DROP
$ip -A restricted -p tcp --sport 23 -j DROP

#$ip -A restricted -m state --state INVALID -j DROP # denies flags that are impossible, for example, SYN/FIN

# Hook the chain into FORWARD
$ip -A FORWARD -j restricted


nimnull22 02-03-2010 09:04 PM

Yes, it is. I have missed something.

In your first post you said:

The script itself drops the packets but it isn't getting forwarded to the synfin chain.
iptables -A FORWARD -p tcp -j synfin

But I don't see it in the output of "iptables-save".

b-neva 02-03-2010 09:21 PM

Quote:

Originally Posted by nimnull22 (Post 3851685)
Yes, it is. I have missed something.

In your first post you said:

The script itself drops the packets but it isn't getting forwarded to the synfin chain.
iptables -A FORWARD -p tcp -j synfin

But I don't see it in the output of "iptables-save".

Sorry, forgot to mention that we decided to get rid of the synfin chain and just send it to the restricted one now. Either way, it still isn't working properly.

nimnull22 02-03-2010 09:24 PM

Ok, but what is your question now?

b-neva 02-03-2010 09:44 PM

Quote:

Originally Posted by nimnull22 (Post 3851694)
Ok, but what is your question now?

Whenever we use hping3 the data is being sent to the INPUT chain and is being dropped by the default policy.

What we need is for it to be sent to the FORWARD chain so that the behavior can be observed from the restricted chain's output.

For example if we use another rule in the restricted chain such as drop all Telnet, netfilter would display the dropped packets when we use a display command such as:

iptables -L -n -v -x -Z restricted

As it is now, syn/fin packets do not display in this chain because they are not being sent to FORWARD. It works for everything else such as ssh, telnet or DNS (if for some reason we wanted to).

nimnull22 02-03-2010 10:03 PM

Quote:

Originally Posted by b-neva (Post 3851707)
Whenever we use hping3 the data is being sent to the INPUT chain and is being dropped by the default policy.

It can only happen if the packets came in on an interface other than eth1, because you have the rule: -A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253.
All packets which enter on eth1 will be sent to 192.168.1.253.

b-neva 02-03-2010 10:24 PM

Quote:

Originally Posted by nimnull22 (Post 3851720)
It can only happen if the packets came in on an interface other than eth1, because you have the rule: -A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253.
All packets which enter on eth1 will be sent to 192.168.1.253.

OK, but why do other packets, such as those for restricted port 23, show up in the restricted chain and this doesn't? How can I fix it?

nimnull22 02-03-2010 10:45 PM

Look, according to your rules, packets can get into the "restricted" chain only from FORWARD:
-A FORWARD -j restricted.

But FORWARD by itself will handle: packets which do not belong to the interface they come in on; any packets coming in on eth1.

So, if you want port 80 to be blocked at the "restricted" FORWARD chain, you need to add a rule to drop port 80 and send packets to eth1, or to the IP address of an interface different from the incoming one. In this case packets will go to the FORWARD chain and hit your rule.
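As an added example (not code from the thread or from either poster), the Python script below models the traversal nimnull22 describes over a subset of b-neva's posted ruleset: the nat PREROUTING DNAT rule runs first, then the routing decision sends the packet to INPUT if its (possibly rewritten) destination is the firewall's own address and to FORWARD otherwise, and only FORWARD jumps into `restricted`. Two modelling assumptions are mine: every packet is the first of its flow, and conntrack treats a SYN+FIN packet as INVALID, in which case the nat table is not consulted at all. Under those assumptions a SYN+FIN packet sent to 192.168.0.21 keeps the firewall as its destination, is routed to INPUT and is dropped by the INPUT policy, never reaching `restricted`, while a plain SYN to port 23 is DNATed, forwarded and dropped by the telnet rule in `restricted`, which matches the two behaviours b-neva reports. The commented-out `--state INVALID` rule in b-neva's script points at the same property. The ruleset string is trimmed to the TCP-relevant rules (udp, icmp and spoof chains and OUTPUT are left out), and the `packet()` helper and its addresses are constructed from the thread.

```python
"""Trace a packet's netfilter path under a subset of the thread's ruleset.

Added example, not code from the thread. Order modelled: nat PREROUTING (DNAT)
-> routing decision (INPUT if the destination is local, FORWARD otherwise)
-> filter chains, following jumps into user chains. Assumptions: each packet
starts a flow (NEW), except that SYN+FIN is tracked as INVALID, and INVALID
packets bypass the nat table entirely.
"""

FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
LOCAL_ADDRS = {"192.168.0.21"}   # the firewall's own address, taken from the thread
POLICY = {"INPUT": "DROP", "FORWARD": "DROP"}
TWO_ARG = {"-A": "chain", "-i": "in_if", "-p": "proto", "-j": "target",
           "--to-destination": "to_dst"}

# Subset of b-neva's iptables-save output: the one distinct DNAT rule plus the
# TCP-relevant filter rules (udp/icmp/spoof chains and OUTPUT left out).
RULESET = """\
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A FORWARD -j restricted
-A FORWARD -j tcpPermit
-A FORWARD -i eth1 -p tcp -m tcp --dport 1024:65535 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A restricted -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
-A restricted -i eth1 -p tcp -m multiport --dports 32768:32775,137:139 -j DROP
-A restricted -i eth1 -p udp -m multiport --dports 32768:32775,137:139 -j DROP
-A restricted -i eth1 -p tcp -m multiport --dports 111,515 -j DROP
-A restricted -p tcp -m tcp --dport 23 -j DROP
-A tcpPermit -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A tcpPermit -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A tcpPermit -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
"""

def flags(spec):
    return set(FLAG_NAMES) if spec == "ALL" else set(spec.split(","))
def ports(spec):   # "80" -> [(80, 80)]; "32768:32775,137:139" -> two ranges
    return [(int(p.split(":")[0]), int(p.split(":")[-1])) for p in spec.split(",")]

def parse_rule(line):
    """Parse the iptables-save options used above into a match/target dict."""
    toks, rule, i = line.split(), {}, 0
    while i < len(toks):
        t = toks[i]
        if t in TWO_ARG: rule[TWO_ARG[t]] = toks[i + 1]; i += 2
        elif t in ("--dport", "--dports"): rule["dport"] = ports(toks[i + 1]); i += 2
        elif t == "--tcp-flags": rule["tcp_flags"] = (flags(toks[i + 1]), flags(toks[i + 2])); i += 3
        elif t == "--state": rule["state"] = set(toks[i + 1].split(",")); i += 2
        elif t == "-m": i += 2            # match-module loader; no effect on matching here
        else: raise ValueError(f"unsupported option {t!r} in {line!r}")
    return rule

CHAINS = {}
for _line in RULESET.splitlines():
    _rule = parse_rule(_line)
    CHAINS.setdefault(_rule["chain"], []).append(_rule)

def matches(rule, pkt):
    """Every criterion present in the rule must hold for the packet."""
    checks = {
        "in_if": lambda v: pkt["in_if"] == v,
        "proto": lambda v: pkt["proto"] == v,
        "dport": lambda v: any(lo <= pkt["dport"] <= hi for lo, hi in v),
        "tcp_flags": lambda v: (pkt["flags"] & v[0]) == v[1],
        "state": lambda v: pkt["state"] in v,
    }
    return all(checks[key](rule[key]) for key in checks if key in rule)

def walk(chain, pkt):
    """Return (chain, rule_index, verdict), or None if the chain falls through."""
    for idx, rule in enumerate(CHAINS.get(chain, [])):
        if not matches(rule, pkt):
            continue
        if rule["target"] in ("ACCEPT", "DROP"):
            return chain, idx, rule["target"]
        hit = walk(rule["target"], pkt)   # jump into a user-defined chain
        if hit:
            return hit
    return None

def conntrack_state(pkt):
    """Assumption: SYN+FIN is an impossible combination and is tracked as INVALID."""
    return "INVALID" if pkt["proto"] == "tcp" and {"SYN", "FIN"} <= pkt["flags"] else "NEW"

def trace(pkt):
    """Follow one packet through nat PREROUTING, routing and the filter chains."""
    pkt = dict(pkt, state=conntrack_state(pkt))
    if pkt["state"] != "INVALID":         # INVALID packets never reach the nat table
        for rule in CHAINS["PREROUTING"]:
            if rule["target"] == "DNAT" and matches(rule, pkt):
                pkt["dst"] = rule["to_dst"]
                break
    hook = "INPUT" if pkt["dst"] in LOCAL_ADDRS else "FORWARD"
    chain, idx, verdict = walk(hook, pkt) or (hook, None, POLICY[hook])
    return {"state": pkt["state"], "dst": pkt["dst"], "hook": hook,
            "chain": chain, "rule": idx, "verdict": verdict}

def packet(dport, tcp_flags, in_if="eth1", dst="192.168.0.21"):
    """Constructed packet from the thread's test host (192.168.0.20) to the firewall."""
    return {"in_if": in_if, "src": "192.168.0.20", "dst": dst, "proto": "tcp",
            "sport": 4321, "dport": dport, "flags": set(tcp_flags)}

if __name__ == "__main__":
    for pkt in (packet(80, {"SYN", "FIN"}), packet(23, {"SYN"}), packet(80, {"SYN"})):
        print(sorted(pkt["flags"]), "-> port", pkt["dport"], "->", trace(pkt))
```

Running the script prints one trace per constructed packet: the SYN+FIN packet ends in INPUT with verdict DROP and no matching rule (the policy), the SYN to port 23 ends in `restricted` at the telnet rule, and the SYN to port 80 is accepted in `tcpPermit`. On the real firewall the equivalent check is a counting rule with no target, for example `iptables -I INPUT 1 -p tcp -m state --state INVALID`, read back with the same `iptables -L INPUT -n -v -x` the thread already uses for `restricted`: if its packet counter rises with each hping3 run while `restricted` stays at zero, the packets are reaching INPUT untracked rather than being routed through FORWARD.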

