LinuxQuestions.org
Old 02-03-2010, 04:21 PM   #1
b-neva
LQ Newbie
 
Registered: May 2009
Posts: 23

Rep: Reputation: 0
iptables syn/fin dropping going to wrong chain


I am implementing a stateful firewall where one of the constraints is to drop all TCP packets with the SYN and FIN bit set.

Our chain is as follows:

Code:
iptables -N synfin
iptables -A synfin -i eth1 -p tcp --tcp-flags ALL SYN,FIN -j DROP
iptables -A FORWARD -p tcp -j synfin
The script itself drops the packets, but they aren't getting forwarded to the synfin chain. Our default policy at the start (which drops everything) is dropping the packets on the INPUT chain instead of the synfin chain. If we change the last line to:
Code:
iptables -A INPUT -p tcp -j synfin
it will start getting dropped by the proper chain.

To test this we are using the command:
hping3 192.168.0.21 -p 80 -S -F

We are testing this on a separate machine in a subnet (192.168.0.20)
 
Old 02-03-2010, 04:47 PM   #2
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Can you please post the output of the command "iptables-save"?

Thank you.
 
Old 02-03-2010, 04:58 PM   #3
b-neva
LQ Newbie
 
Registered: May 2009
Posts: 23

Original Poster
Rep: Reputation: 0
Sorry for the length, there are a bunch of other rules too.
Code:
# Generated by iptables-save v1.4.5 on Wed Feb  3 14:55:27 2010
*nat
:PREROUTING ACCEPT [1040:66042]
:POSTROUTING ACCEPT [58:4404]
:OUTPUT ACCEPT [2052:132387]
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253 
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253 
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253 
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21 
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21 
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21 
COMMIT
# Completed on Wed Feb  3 14:55:27 2010
# Generated by iptables-save v1.4.5 on Wed Feb  3 14:55:27 2010
*filter
:INPUT DROP [15:600]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:dropSpoof - [0:0]
:icmpPermit - [0:0]
:restricted - [0:0]
:tcpPermit - [0:0]
:udpPermit - [0:0]
-A FORWARD -j restricted 
-A FORWARD -j dropSpoof 
-A FORWARD -j tcpPermit 
-A FORWARD -j udpPermit 
-A FORWARD -j icmpPermit 
-A FORWARD -i eth1 -p tcp -m tcp --dport 1024:65535 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP 
-A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -f -j ACCEPT 
-A OUTPUT ! -s 192.168.0.21/32 -j DROP 
-A dropSpoof -s 192.168.0.21/32 -i eth1 -j DROP 
-A dropSpoof -s 192.168.1.254/32 -i eth1 -j DROP 
-A dropSpoof -s 192.168.1.253/32 -i eth1 -j DROP 
-A icmpPermit -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A icmpPermit -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A restricted -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP 
-A restricted -i eth1 -p tcp -m multiport --dports 32768:32775,137:139 -j DROP 
-A restricted -i eth1 -p udp -m multiport --dports 32768:32775,137:139 -j DROP 
-A restricted -i eth1 -p sctp -m multiport --dports 32768:32775,137:139 -j DROP 
-A restricted -i eth1 -p tcp -m multiport --dports 111,515 -j DROP 
-A restricted -p tcp -m tcp --dport 23 -j DROP 
-A restricted -p tcp -m tcp --sport 23 -j DROP 
-A tcpPermit -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT 
-A tcpPermit -i eth1 -p tcp -m tcp --sport 22 -j ACCEPT 
-A tcpPermit -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT 
-A tcpPermit -i eth1 -p tcp -m tcp --sport 80 -j ACCEPT 
-A tcpPermit -i eth0 -p tcp -m tcp --sport 22 -j ACCEPT 
-A tcpPermit -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT 
-A tcpPermit -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT 
-A tcpPermit -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A udpPermit -i eth0 -p udp -m udp --dport 53 -j ACCEPT 
-A udpPermit -i eth1 -p udp -m udp --sport 53 -j ACCEPT 
-A udpPermit -i eth0 -p udp -m udp --dport 67 -j ACCEPT 
-A udpPermit -i eth1 -p udp -m udp --sport 67 -j ACCEPT 
-A udpPermit -i eth0 -p udp -m udp --dport 68 -j ACCEPT 
-A udpPermit -i eth1 -p udp -m udp --sport 68 -j ACCEPT 
-A udpPermit -i eth0 -p udp -m udp --sport 53 -j ACCEPT 
-A udpPermit -i eth1 -p udp -m udp --dport 53 -j ACCEPT 
-A udpPermit -i eth0 -p udp -m udp --sport 67 -j ACCEPT 
-A udpPermit -i eth1 -p udp -m udp --dport 67 -j ACCEPT 
-A udpPermit -i eth0 -p udp -m udp --sport 68 -j ACCEPT 
-A udpPermit -i eth1 -p udp -m udp --dport 68 -j ACCEPT 
COMMIT
# Completed on Wed Feb  3 14:55:27 2010

Last edited by b-neva; 02-03-2010 at 04:59 PM.
 
Old 02-03-2010, 05:07 PM   #4
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Why do you use so many
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.21
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253 ?
 
Old 02-03-2010, 05:10 PM   #5
b-neva
LQ Newbie
 
Registered: May 2009
Posts: 23

Original Poster
Rep: Reputation: 0
It's at the beginning of the script, don't worry about it.
 
Old 02-03-2010, 06:17 PM   #6
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Look at rule 1:
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
Packets go to FORWARD:
-A FORWARD -j restricted
Then to chain "restricted":
-A restricted -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
And all of them are DROPPED.

Or have I missed something?
 
Old 02-03-2010, 08:41 PM   #7
b-neva
LQ Newbie
 
Registered: May 2009
Posts: 23

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by nimnull22
Look at rule 1:
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253
Packets go to FORWARD:
-A FORWARD -j restricted
Then to chain "restricted":
-A restricted -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
And all of them are DROPPED.

Or have I missed something?
I'm not sure why it has all those flags in there, but here is the restricted chain.

Code:
$ip -N restricted

$ip -A restricted -i $outDev -p tcp --tcp-flags ALL SYN,FIN -j DROP
#Block all external traffic directed to ports 32768 – 32775, 137 – 139, TCP ports 111 and 515.
$ip -A restricted -i $outDev -m multiport -p tcp --dport 32768:32775,137:139 -j DROP
$ip -A restricted -i $outDev -m multiport -p udp --dport 32768:32775,137:139 -j DROP
$ip -A restricted -i $outDev -m multiport -p sctp --dport 32768:32775,137:139 -j DROP
$ip -A restricted -i $outDev -m multiport -p tcp --dport 111,515 -j DROP

#Drop ALL telnet
$ip -A restricted -p tcp --dport 23 -j DROP
$ip -A restricted -p tcp --sport 23 -j DROP

#$ip -A restricted -m state --state INVALID -j DROP #denies flags that are impossible, for example, SYN/FIN

$ip -A FORWARD -j restricted
 
Old 02-03-2010, 09:04 PM   #8
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Yes, it is, I have missed something.

In your first post you said:

The script itself drops the packets but it isn't getting forwarded to the synfin chain.
iptables -A FORWARD -p tcp -j synfin

But I don't see it in the output of "iptables-save".
 
Old 02-03-2010, 09:21 PM   #9
b-neva
LQ Newbie
 
Registered: May 2009
Posts: 23

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by nimnull22
Yes, it is, I have missed something.

In your first post you said:

The script itself drops the packets but it isn't getting forwarded to the synfin chain.
iptables -A FORWARD -p tcp -j synfin

But I don't see it in the output of "iptables-save".
Sorry, forgot to mention that we decided to get rid of the synfin chain and just send it to the restricted one now. Either way, it still isn't working properly.
 
Old 02-03-2010, 09:24 PM   #10
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Ok, but what is your question now?
 
Old 02-03-2010, 09:44 PM   #11
b-neva
LQ Newbie
 
Registered: May 2009
Posts: 23

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by nimnull22
Ok, but what is your question now?
Whenever we use hping3 the data is being sent to the INPUT chain and is being dropped by the default policy.

What we need is for it to be sent to the FORWARD chain so that the behavior can be observed from the restricted chain's output.

For example, if we use another rule in the restricted chain such as drop all Telnet, netfilter would display the dropped packets when we use a display command such as:

iptables -L -n -v -x -Z restricted

As it is now, syn/fin packets do not display in this chain because they are not being sent to FORWARD. It works for everything else such as ssh, telnet or DNS (if for some reason we wanted to).

Last edited by b-neva; 02-03-2010 at 09:46 PM.
 
Old 02-03-2010, 10:03 PM   #12
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Quote:
Originally Posted by b-neva
Whenever we use hping3 the data is being sent to the INPUT chain and is being dropped by the default policy.
It can only happen if packets came in on an interface different than eth1, because you have the rule: -A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253.
All packets which enter on eth1 will be sent to 192.168.1.253.
 
Old 02-03-2010, 10:24 PM   #13
b-neva
LQ Newbie
 
Registered: May 2009
Posts: 23

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by nimnull22
It can only happen if packets came in on an interface different than eth1, because you have the rule: -A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.253.
All packets which enter on eth1 will be sent to 192.168.1.253.
Ok, but why do other packets such as restricted port 23 show up in the restricted chain and this doesn't? How can I fix it?
 
Old 02-03-2010, 10:45 PM   #14
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Look, according to your rules, packets can get into the "restricted" chain only from FORWARD:
-A FORWARD -j restricted.

But "forward" by itself will handle: packets which do not belong to the interface they come in on; any packets coming in on eth1.

So, if you want port 80 to be blocked at the "restricted" FORWARD chain, you need to add a rule to drop port 80 and send packets to eth1, or to an IP address different from the incoming interface's. In this case packets will go to the FORWARD chain and hit your rule.
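A small model of the chain traversal argued about in this thread, added here as an illustration and not code posted by anyone in it: it traces a TCP packet arriving on eth1 through the nat and filter rules pasted above. It encodes two netfilter behaviours: conntrack does not track a packet whose flag combination is impossible (SYN together with FIN) and reports it as INVALID, and the nat table is only consulted for tracked packets, so the PREROUTING DNAT never rewrites such a packet and it is routed to the firewall's own address, i.e. INPUT, while a telnet SYN is DNATed and reaches "restricted" via FORWARD. The sample packets are constructed to match the tests described in the thread.

```python
# Added model (not code from the thread): traces one packet through the
# nat and filter rules the original poster pasted, to show why a SYN/FIN
# probe arriving on eth1 is dropped by the INPUT policy while a telnet SYN
# ends up in the "restricted" chain under FORWARD.
from dataclasses import dataclass

FIREWALL_IP = "192.168.0.21"   # the firewall's own address (the hping3 target)
DNAT_TARGET = "192.168.1.253"  # -A PREROUTING -i eth1 -j DNAT --to-destination
OUT_DEV = "eth1"               # $outDev in the poster's script

# TCP flag combinations nf_conntrack accepts; anything else (SYN+FIN among
# them) is not tracked and is reported as state INVALID.  PSH/ECE/CWR are
# ignored by that check, so they are stripped before the lookup.
_VALID = {frozenset(f) for f in (
    {"SYN"}, {"SYN", "ACK"}, {"RST"}, {"RST", "ACK"},
    {"FIN", "ACK"}, {"ACK"}, {"ACK", "URG"})}
_IGNORED = {"PSH", "ECE", "CWR"}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    dst: str
    dport: int
    flags: frozenset


def conntrack_state(pkt):
    """NEW for a trackable first packet, INVALID for an impossible flag set."""
    return "NEW" if (pkt.flags - _IGNORED) in _VALID else "INVALID"


def restricted_chain(pkt):
    """The 'restricted' chain from the poster's script, called from FORWARD."""
    if pkt.in_iface == OUT_DEV and pkt.flags == frozenset({"SYN", "FIN"}):
        return "DROP (restricted: --tcp-flags ALL SYN,FIN)"
    if pkt.dport == 23:
        return "DROP (restricted: telnet)"
    return "RETURN (falls through to the rest of FORWARD)"


def trace(pkt):
    """Return (verdict, list of hops) for a TCP packet entering the firewall."""
    hops = []
    state = conntrack_state(pkt)
    hops.append(f"conntrack: {state}")
    dst = pkt.dst
    # The nat table is only consulted for tracked packets, so an INVALID
    # packet keeps its original destination and the DNAT rule never fires.
    if state != "INVALID" and pkt.in_iface == "eth1":
        dst = DNAT_TARGET
        hops.append(f"nat PREROUTING: DNAT to {dst}")
    else:
        hops.append("nat PREROUTING: not consulted")
    # Routing decision: a packet addressed to the firewall itself goes to
    # INPUT (policy DROP, no rules); anything else goes to FORWARD.
    if dst == FIREWALL_IP:
        hops.append("routing: local delivery -> INPUT")
        return "DROP (INPUT policy)", hops
    hops.append("routing: forwarded -> FORWARD -> restricted")
    return restricted_chain(pkt), hops


if __name__ == "__main__":
    # Constructed sample probes matching the tests described in the thread.
    synfin = Packet("eth1", FIREWALL_IP, 80, frozenset({"SYN", "FIN"}))
    telnet = Packet("eth1", FIREWALL_IP, 23, frozenset({"SYN"}))
    for p in (synfin, telnet):
        verdict, hops = trace(p)
        print(sorted(p.flags), "->", verdict)
        for h in hops:
            print("   ", h)
```

This is also the case the commented-out `--state INVALID -j DROP` line in the posted script is meant for; because the untracked packet is locally delivered, that rule (or the SYN,FIN match) only counts it when placed in INPUT or in a chain called from INPUT.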
 