LinuxQuestions.org
Linux - Networking
Old 06-08-2017, 02:55 PM   #1
vincix
Senior Member
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240
valid packet returning to INPUT after going through INVALID chain


By default csf has a chain called INVALID that filters all sorts of... invalid packets, depending on their tcp flags, etc. But only now have I realised this chain is referenced in the INPUT chain at the beginning.
Code:
-A INPUT ! -i lo -p tcp -j INVALID
-A INPUT ! -i lo -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name 22 --mask 255.255.255.255 --rsource
-A INPUT ! -i lo -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 300 --hitcount 10 --name 22 --mask 255.255.255.255 --rsource -j PORTFLOOD
-A INPUT ! -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
etc.
Code:
Chain INVALID (2 references)
 pkts bytes target     prot opt in     out     source               destination
  201  9184 INVDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x05/0x05
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x01
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x18/0x08
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x30/0x20
   10  1214 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW
The INVDROP chain simply drops everything.
So now I see that if a valid packet (let's say ssh) arrives in the INPUT chain, it will be parsed in the INVALID chain, and if none of the rules match, it will continue back to the next INPUT rule. Is this how it actually works? I thought you needed to set a RETURN target or something to that effect.

Last edited by vincix; 06-08-2017 at 02:58 PM.
 
Old 06-09-2017, 01:01 AM   #2
genese
Member
Registered: Feb 2006
Location: belgium
Posts: 76
Quote:
So now I see that if a valid packet (let's say ssh) arrives in the INPUT chain, it will be parsed in the INVALID chain, and if none of the rules match, it will continue back to the next INPUT rule. Is this how it actually works? I thought you needed to set a RETURN target or something to that effect.
Yes, returning is automatic if the INVALID chain doesn't make a final decision (DROP, REJECT, ACCEPT).

You need the RETURN target only if you want to return before all rules have been checked.
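The traversal described in this reply, as an added example that is not part of the original thread and not iptables or csf code: a small Python model of how iptables walks INPUT, jumps into the user-defined INVALID chain (with the flag rules exactly as listed in the question), drops via INVDROP when a rule matches, and otherwise falls off the end of INVALID and resumes at the next INPUT rule. The INPUT ruleset is abbreviated to the rules shown above, the INPUT policy of DROP and the sample packets are assumptions constructed for the demo, and the `with_early_return` variant (an explicit RETURN for ESTABLISHED packets) is hypothetical, not something csf installs.

```python
"""Toy model of iptables chain traversal (example code for this page, not
iptables or csf). '-j CHAIN' enters a user-defined chain; if the packet reaches
the end of that chain without a terminating verdict (ACCEPT/DROP/REJECT), or
hits RETURN, traversal resumes at the rule after the jump in the caller. Only
built-in chains have a policy, applied when a packet falls off their end."""

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# 'tcpflags' is (mask, comp[, negate]) = iptables '--tcp-flags MASK COMP',
# printed by iptables -L as 'flags:MASK/COMP' (or '!MASK/COMP').
CHAINS = {
    "INPUT": [  # abbreviated to the rules quoted in the question
        {"not_lo": True, "proto": "tcp", "target": "INVALID"},
        {"not_lo": True, "ctstate": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
        {"not_lo": True, "proto": "tcp", "ctstate": {"NEW"}, "dport": 22, "target": "ACCEPT"},
        {"not_lo": True, "proto": "tcp", "ctstate": {"NEW"}, "dport": 25, "target": "ACCEPT"},
    ],
    "INVALID": [
        {"ctstate": {"INVALID"}, "target": "INVDROP"},
        {"proto": "tcp", "tcpflags": (0x3F, 0x00), "target": "INVDROP"},  # NULL scan
        {"proto": "tcp", "tcpflags": (0x3F, 0x3F), "target": "INVDROP"},  # all flags set
        {"proto": "tcp", "tcpflags": (0x03, 0x03), "target": "INVDROP"},  # SYN+FIN
        {"proto": "tcp", "tcpflags": (0x06, 0x06), "target": "INVDROP"},  # SYN+RST
        {"proto": "tcp", "tcpflags": (0x05, 0x05), "target": "INVDROP"},  # FIN+RST
        {"proto": "tcp", "tcpflags": (0x11, 0x01), "target": "INVDROP"},  # FIN without ACK
        {"proto": "tcp", "tcpflags": (0x18, 0x08), "target": "INVDROP"},  # PSH without ACK
        {"proto": "tcp", "tcpflags": (0x30, 0x20), "target": "INVDROP"},  # URG without ACK
        {"proto": "tcp", "tcpflags": (0x17, 0x02, True), "ctstate": {"NEW"},
         "target": "INVDROP"},                                            # NEW but not a bare SYN
    ],
    "INVDROP": [{"target": "DROP"}],
}
POLICIES = {"INPUT": "DROP"}  # assumption for the demo; user chains have no policy


def rule_matches(rule, pkt):
    """Every criterion present in the rule must hold, as in iptables."""
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if rule.get("not_lo") and pkt["in"] == "lo":
        return False
    if "dport" in rule and pkt.get("dport") != rule["dport"]:
        return False
    if "ctstate" in rule and pkt["ctstate"] not in rule["ctstate"]:
        return False
    if "tcpflags" in rule:
        mask, comp, *neg = rule["tcpflags"]
        hit = (pkt["flags"] & mask) == comp
        if hit == bool(neg and neg[0]):  # plain rule needs hit; negated rule needs miss
            return False
    return True


def traverse(chains, chain, pkt, state):
    """Walk one chain; returns a verdict, or None meaning 'back to the caller'."""
    state["trace"].append(chain)
    for rule in chains[chain]:
        state["checked"] += 1
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINATING:
            return target
        if target == "RETURN":
            return POLICIES.get(chain)           # explicit early exit from this chain
        verdict = traverse(chains, target, pkt, state)  # jump into a user chain
        if verdict is not None:
            return verdict
        state["trace"].append(chain)             # implicit return: next rule here
    return POLICIES.get(chain)                   # end of chain: policy (built-in) or None


def verdict_for(pkt, chains=CHAINS):
    state = {"trace": [], "checked": 0}
    return traverse(chains, "INPUT", pkt, state), state["trace"], state["checked"]


def packet(flags, ctstate, dport=22, proto="tcp", iface="eth0"):
    """Constructed sample packet, not captured traffic."""
    return {"proto": proto, "in": iface, "dport": dport, "ctstate": ctstate, "flags": flags}


def with_early_return(chains=CHAINS):
    """Hypothetical variant (not csf's): RETURN ESTABLISHED packets before the flag checks."""
    variant = {k: list(v) for k, v in chains.items()}
    variant["INVALID"] = [{"ctstate": {"ESTABLISHED"}, "target": "RETURN"}] + variant["INVALID"]
    return variant


if __name__ == "__main__":
    cases = [("ssh SYN, conntrack NEW", packet(SYN, "NEW"), CHAINS),
             ("ssh ACK|PSH, ESTABLISHED", packet(ACK | PSH, "ESTABLISHED"), CHAINS),
             ("NULL scan", packet(0, "NEW"), CHAINS),
             ("bare ACK, no conntrack entry", packet(ACK, "NEW"), CHAINS),
             ("ESTABLISHED, early RETURN variant", packet(ACK | PSH, "ESTABLISHED"), with_early_return())]
    for name, p, chains in cases:
        v, trace, n = verdict_for(p, chains)
        print(f"{name:36s} {v:6s} {n:2d} rules  {' -> '.join(trace)}")
```

The trace for a valid SSH SYN is INPUT, INVALID, INPUT: all ten INVALID rules are evaluated, none match, and the packet silently returns to the second INPUT rule with no RETURN target needed. The explicit RETURN only matters when you want to skip the remaining rules of the user chain, which is what the hypothetical variant shows (three rules evaluated instead of twelve for the same verdict). The "bare ACK with ctstate NEW" case is also worth noting: it is the last INVALID rule, not a flag-combination rule, that drops it.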