02-03-2010, 04:21 PM
#1
LQ Newbie
Registered: May 2009
Posts: 23
iptables syn/fin dropping going to wrong chain
I am implementing a stateful firewall where one of the constraints is to drop all TCP packets with the SYN and FIN bits set.
Our chain is as follows:
Code:
iptables -N synfin
iptables -A synfin -i eth1 -p tcp --tcp-flags ALL SYN,FIN -j DROP
iptables -A FORWARD -p tcp -j synfin
The script itself drops the packets, but they aren't getting forwarded to the synfin chain. Our default policy at the start (which drops everything) is dropping the packets on the INPUT chain instead of the synfin chain. If we change the last line to:
Code:
iptables -A INPUT -p tcp -j synfin
it will start getting dropped by the proper chain.
To test this we are using the command:
hping3 192.168.0.21 -p 80 -S -F
We are testing this on a separate machine in the subnet (192.168.0.20).
02-03-2010, 04:47 PM
#2
Senior Member
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571
Can you please post the output of the command "iptables-save"?
Thank you.
02-03-2010, 04:58 PM
#3
LQ Newbie
Registered: May 2009
Posts: 23
Original Poster
Sorry for the length; there are a bunch of other rules too.
Code:
# Generated by iptables-save v1.4.5 on Wed Feb 3 14:55:27 2010
*nat
:PREROUTING ACCEPT [1040:66042]
:POSTROUTING ACCEPT [58:4404]
:OUTPUT ACCEPT [2052:132387]
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
COMMIT
# Completed on Wed Feb 3 14:55:27 2010
# Generated by iptables-save v1.4.5 on Wed Feb 3 14:55:27 2010
*filter
:INPUT DROP [15:600]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:dropSpoof - [0:0]
:icmpPermit - [0:0]
:restricted - [0:0]
:tcpPermit - [0:0]
:udpPermit - [0:0]
-A FORWARD -j restricted
-A FORWARD -j dropSpoof
-A FORWARD -j tcpPermit
-A FORWARD -j udpPermit
-A FORWARD -j icmpPermit
-A FORWARD -i eth1 -p tcp -m tcp --dport 1024:65535 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -f -j ACCEPT
-A OUTPUT ! -s 192.168.0.21/32 -j DROP
-A dropSpoof -s 192.168.0.21/32 -i eth1 -j DROP
-A dropSpoof -s 192.168.1.254/32 -i eth1 -j DROP
-A dropSpoof -s 192.168.1.253/32 -i eth1 -j DROP
-A icmpPermit -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmpPermit -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A restricted -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
-A restricted -i eth1 -p tcp -m multiport --dports 32768:32775,137:139 -j DROP
-A restricted -i eth1 -p udp -m multiport --dports 32768:32775,137:139 -j DROP
-A restricted -i eth1 -p sctp -m multiport --dports 32768:32775,137:139 -j DROP
-A restricted -i eth1 -p tcp -m multiport --dports 111,515 -j DROP
-A restricted -p tcp -m tcp --dport 23 -j DROP
-A restricted -p tcp -m tcp --sport 23 -j DROP
-A tcpPermit -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A tcpPermit -i eth1 -p tcp -m tcp --sport 22 -j ACCEPT
-A tcpPermit -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A tcpPermit -i eth1 -p tcp -m tcp --sport 80 -j ACCEPT
-A tcpPermit -i eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A tcpPermit -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A tcpPermit -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT
-A tcpPermit -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A udpPermit -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A udpPermit -i eth1 -p udp -m udp --sport 53 -j ACCEPT
-A udpPermit -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A udpPermit -i eth1 -p udp -m udp --sport 67 -j ACCEPT
-A udpPermit -i eth0 -p udp -m udp --dport 68 -j ACCEPT
-A udpPermit -i eth1 -p udp -m udp --sport 68 -j ACCEPT
-A udpPermit -i eth0 -p udp -m udp --sport 53 -j ACCEPT
-A udpPermit -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A udpPermit -i eth0 -p udp -m udp --sport 67 -j ACCEPT
-A udpPermit -i eth1 -p udp -m udp --dport 67 -j ACCEPT
-A udpPermit -i eth0 -p udp -m udp --sport 68 -j ACCEPT
-A udpPermit -i eth1 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Wed Feb 3 14:55:27 2010
Last edited by b-neva; 02-03-2010 at 04:59 PM .
02-03-2010, 05:07 PM
#4
Senior Member
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571
Why do you use so many
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253 ?
02-03-2010, 05:10 PM
#5
LQ Newbie
Registered: May 2009
Posts: 23
Original Poster
It's at the beginning of the script; don't worry about it.
02-03-2010, 06:17 PM
#6
Senior Member
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571
Look at rule 1:
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
Packets go to FORWARD:
-A FORWARD -j restricted
Then to chain "restricted":
-A restricted -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
And all of them are DROPPED.
Or have I missed something?
02-03-2010, 08:41 PM
#7
LQ Newbie
Registered: May 2009
Posts: 23
Original Poster
Quote: Originally Posted by nimnull22
Look at rule 1:
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
Packets go to FORWARD:
-A FORWARD -j restricted
Then to chain "restricted":
-A restricted -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
And all of them are DROPPED.
Or have I missed something?
I'm not sure why it has all those flags in there, but here is the restricted chain.
Code:
$ip -N restricted
$ip -A restricted -i $outDev -p tcp --tcp-flags ALL SYN,FIN -j DROP
#Block all external traffic directed to ports 32768 – 32775, 137 – 139, TCP ports 111 and 515.
$ip -A restricted -i $outDev -m multiport -p tcp --dport 32768:32775,137:139 -j DROP
$ip -A restricted -i $outDev -m multiport -p udp --dport 32768:32775,137:139 -j DROP
$ip -A restricted -i $outDev -m multiport -p sctp --dport 32768:32775,137:139 -j DROP
$ip -A restricted -i $outDev -m multiport -p tcp --dport 111,515 -j DROP
#Drop ALL telnet
$ip -A restricted -p tcp --dport 23 -j DROP
$ip -A restricted -p tcp --sport 23 -j DROP
#$ip -A restricted -m state --state INVALID -j DROP #denies flags that are impossible, for example, SYN/FIN
$ip -A FORWARD -j restricted
02-03-2010, 09:04 PM
#8
Senior Member
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571
Yes, it is; I have missed something.
In your first post you said:
The script itself drops the packets but it isn't getting forwarded to the synfin chain.
iptables -A FORWARD -p tcp -j synfin
But I don't see it in the output of "iptables-save".
02-03-2010, 09:21 PM
#9
LQ Newbie
Registered: May 2009
Posts: 23
Original Poster
Quote: Originally Posted by nimnull22
Yes, it is; I have missed something.
In your first post you said:
The script itself drops the packets but it isn't getting forwarded to the synfin chain.
iptables -A FORWARD -p tcp -j synfin
But I don't see it in the output of "iptables-save".
Sorry, I forgot to mention that we decided to get rid of the synfin chain and just send it to the restricted one now. Either way, it still isn't working properly.
02-03-2010, 09:24 PM
#10
Senior Member
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571
Ok, but what is your question now?
02-03-2010, 09:44 PM
#11
LQ Newbie
Registered: May 2009
Posts: 23
Original Poster
Quote: Originally Posted by nimnull22
Ok, but what is your question now?
Whenever we use hping3 the data is being sent to the INPUT chain and is being dropped by the default policy.
What we need is for it to be sent to the FORWARD chain so that the behavior can be observed from the restricted chain's output.
For example, if we use another rule in the restricted chain, such as drop all Telnet, netfilter would display the dropped packets when we use a display command such as:
iptables -L -n -v -x -Z restricted
As it is now, SYN/FIN packets do not display in this chain because they are not being sent to FORWARD. It works for everything else, such as SSH, Telnet or DNS (if for some reason we wanted to).
Last edited by b-neva; 02-03-2010 at 09:46 PM .
02-03-2010, 10:03 PM
#12
Senior Member
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571
Quote: Originally Posted by b-neva
whenever we use hping3 the data is being sent to the input chain and is being dropped by the default policy.
It can only happen if packets came in on an interface different than eth1, because you have the rule: -A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253.
All packets which enter on eth1 will be sent to 192.168.1.253.
02-03-2010, 10:24 PM
#13
LQ Newbie
Registered: May 2009
Posts: 23
Original Poster
Quote: Originally Posted by nimnull22
It can only happen if packets came in on an interface different than eth1, because you have the rule: -A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253.
All packets which enter on eth1 will be sent to 192.168.1.253.
OK, but why do other packets, such as restricted port 23, show up in the restricted chain and this doesn't? How can I fix it?
02-03-2010, 10:45 PM
#14
Senior Member
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571
Look, according to your rules, packets can get into the "restricted" chain only from FORWARD:
-A FORWARD -j restricted.
But FORWARD by itself will handle: packets which do not belong to the interface they come in on; any packets coming in on eth1.
So, if you want port 80 to be blocked at the "restricted" FORWARD chain, you need to add a rule to drop port 80 and send packets to eth1, or to an IP address different than the incoming interface's. In this case packets will go to the FORWARD chain and hit your rule.
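An added example (not from the thread): a small Python model of the netfilter path the hping3 test takes, showing why the SYN/FIN probe lands in INPUT while a Telnet SYN reaches the restricted chain. It assumes the firewall itself owns 192.168.0.21 on eth1 (the SNAT --to-source address), that TCP conntrack classes a lone SYN+FIN as an INVALID flag combination, and that the nat table is skipped for packets conntrack does not track; the Packet class and trace() are mine, the chain logic follows the posted iptables-save.

```python
# Added example, not from the thread. Assumptions (see lead-in): the firewall owns
# 192.168.0.21; SYN+FIN with no connection is INVALID to TCP conntrack; NAT is not
# applied to untracked packets. Only the first packet of a flow is modelled.
from dataclasses import dataclass, replace

LOCAL_ADDRS = {"192.168.0.21"}        # addresses owned by the firewall (assumed)
DNAT_TARGET = "192.168.1.253"         # from the page's PREROUTING rule
CT_MASK = {"FIN", "SYN", "RST", "ACK", "URG"}   # bits conntrack validates (PSH ignored)
RULE_MASK = CT_MASK | {"PSH"}                   # mask used by the page's SYN/FIN rule
# Flag combinations TCP conntrack accepts; anything else is INVALID.
VALID_FLAGS = {frozenset(s.split("|")) for s in (
    "SYN", "SYN|URG", "SYN|ACK", "RST", "RST|ACK",
    "FIN|ACK", "FIN|ACK|URG", "ACK", "ACK|URG")}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    dst: str
    proto: str
    dport: int
    flags: frozenset = frozenset()


def conntrack_state(pkt):
    """INVALID for an impossible TCP flag mix, otherwise NEW (first packet)."""
    if pkt.proto == "tcp" and (pkt.flags & CT_MASK) not in VALID_FLAGS:
        return "INVALID"
    return "NEW"


def nat_prerouting(pkt, state):
    """'-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253' from the page.
    The nat table only sees packets conntrack tracks; INVALID ones keep their dst."""
    if state != "INVALID" and pkt.in_iface == "eth1":
        return replace(pkt, dst=DNAT_TARGET)
    return pkt


def restricted(pkt):
    """The page's 'restricted' chain, rule by rule; None means fall through."""
    ext_tcp = pkt.in_iface == "eth1" and pkt.proto == "tcp"
    if ext_tcp and pkt.flags & RULE_MASK == {"FIN", "SYN"}:
        return "DROP (restricted: SYN/FIN)"
    if pkt.in_iface == "eth1" and pkt.proto in ("tcp", "udp", "sctp") and (
            32768 <= pkt.dport <= 32775 or 137 <= pkt.dport <= 139):
        return "DROP (restricted: multiport)"
    if ext_tcp and pkt.dport in (111, 515):
        return "DROP (restricted: 111/515)"
    if pkt.proto == "tcp" and pkt.dport == 23:
        return "DROP (restricted: telnet)"
    return None


def trace(pkt, restricted_from_input=False):
    """Return (chain, verdict). restricted_from_input=True models the fix the OP
    found: hooking the flag checks from INPUT as well as FORWARD."""
    pkt = nat_prerouting(pkt, conntrack_state(pkt))
    # Routing decision: a local destination goes to INPUT, everything else to FORWARD.
    if pkt.dst in LOCAL_ADDRS:
        verdict = restricted(pkt) if restricted_from_input else None
        return "INPUT", verdict or "DROP (INPUT policy)"
    return "FORWARD", restricted(pkt) or "continue to dropSpoof/tcpPermit/..."


if __name__ == "__main__":
    synfin = Packet("eth1", "192.168.0.21", "tcp", 80, frozenset({"SYN", "FIN"}))
    telnet = Packet("eth1", "192.168.0.21", "tcp", 23, frozenset({"SYN"}))
    print("hping3 -S -F:   ", trace(synfin))   # INPUT, dropped by policy
    print("telnet SYN:     ", trace(telnet))   # FORWARD, dropped by restricted
    print("with INPUT hook:", trace(synfin, restricted_from_input=True))
```

The model makes the practical point explicit: because the untracked SYN/FIN segment is never DNATed, a flag check that lives only behind FORWARD can never see it, so such checks (or a `--state INVALID` drop) belong in a chain reached from INPUT as well.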