LinuxQuestions.org
Forum: Linux - Security
Old 11-05-2019, 02:25 PM   #1
Pigi_102
iptables SYNPROXY extension not working?


Hello !

I'm having a hard time getting SYNPROXY working on my (iptables based) firewall.

For quite some time I've noticed that my servers (in the DMZ) are under SYN flood attack, and I've read almost every link I've found to get this target working, with no luck.
Code:
         |
         | Internet ( eth0 ) 
         |
    +---------+
    |         +----- br0 (bridge for openvpn tun )
    |         |
    |  Fw     +----- DMZ ( eth1 )
    |         |
    +---------+
         |
         | Internal net ( eth2 ) 
         |
Easy setup, as you can see.

I have a bunch of rules (INPUT, OUTPUT, FORWARD and NAT) that are currently working, but I can't get these three rules to work in any way:
Code:
# raw table: do not create a conntrack entry for incoming SYNs to port 81
/usr/sbin/iptables -t raw -I PREROUTING -i br0 -p tcp -m tcp --syn --dport 81 -j CT --notrack
# filter table: hand the untracked SYNs (and the cookie ACKs, which conntrack reports as INVALID) to SYNPROXY
/usr/sbin/iptables -A INPUT -i br0 -p tcp -m tcp --dport 81 -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1323
# drop whatever is still INVALID after SYNPROXY has had its say
/usr/sbin/iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
If I enable them, I can see the SYN packet (from the br0 interface) entering the interface, but no SYN+ACK reply exiting:
Code:
root@firewall:~# iptables -t raw -L -v -n
Chain PREROUTING (policy ACCEPT 418 packets, 67307 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CT         tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81 flags:0x17/0x02 CT notrack

root@firewall:~# iptables  -L INPUT -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   17  1776 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 SYNPROXY   tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81 ctstate INVALID,UNTRACKED SYNPROXY sack-perm timestamp wscale 7 mss 1323 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID

other_host# telnet 10.0.1.51 81
Trying 10.0.1.51...
telnet: connect to address 10.0.1.51: Connection timed out
The SYNPROXY rule gets triggered:

Code:
root@firewall:~# iptables -t raw -L -v -n
Chain PREROUTING (policy ACCEPT 1453 packets, 360K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   240 CT         tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81 flags:0x17/0x02 CT notrack

root@firewall:~# iptables  -L INPUT -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  247  164K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  587  219K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   180 SYNPROXY   tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81 ctstate INVALID,UNTRACKED SYNPROXY sack-perm timestamp wscale 7 mss 1323 
   22  1000 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
but tcpdump also confirms that no SYN+ACK goes out to the client:
Code:
root@firewall:~# tcpdump -n -i br0 port 81
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes


14:39:32.755800 IP 10.0.1.18.32886 > 10.0.1.51.81: Flags [S], seq 521240151, win 29200, options [mss 1323,sackOK,TS val 2209244648 ecr 0,nop,wscale 7], length 0
14:39:33.784981 IP 10.0.1.18.32886 > 10.0.1.51.81: Flags [S], seq 521240151, win 29200, options [mss 1323,sackOK,TS val 2209245678 ecr 0,nop,wscale 7], length 0
The values for SYNPROXY are derived from tcpdump:

Code:
root@firewall:~# tcpdump -pni br0 port 81 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:46:49.704573 IP 10.0.1.18.32922 > 10.0.1.51.81: Flags [S], seq 60519528, win 29200, options [mss 1323,sackOK,TS val 2209681605 ecr 0,nop,wscale 7], length 0
14:46:50.704828 IP 10.0.1.18.32922 > 10.0.1.51.81: Flags [S], seq 60519528, win 29200, options [mss 1323,sackOK,TS val 2209682606 ecr 0,nop,wscale 7], length 0
^C
The same thing happens on every interface I've tried (eth0, eth1, eth2), so it's not a problem with the bridged interface.

If I remove the SYNPROXY rules, everything works:

Code:
other_host# telnet 10.0.1.51 81
Trying 10.0.1.51...
Connected to 10.0.1.51.
Escape character is '^]'.
^]
telnet> c
Connection closed.

root@firewall:~# tcpdump -n -i br0 port 81
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:49:00.998297 IP 10.0.1.18.32934 > 10.0.1.51.81: Flags [S], seq 1887031231, win 29200, options [mss 1323,sackOK,TS val 2209812901 ecr 0,nop,wscale 7], length 0
14:49:00.998517 IP 10.0.1.51.81 > 10.0.1.18.32934: Flags [S.], seq 3980734030, ack 1887031232, win 28960, options [mss 1460,sackOK,TS val 288190452 ecr 2209812901,nop,wscale 7], length 0
14:49:01.006907 IP 10.0.1.18.32934 > 10.0.1.51.81: Flags [.], ack 1, win 229, options [nop,nop,TS val 2209812910 ecr 288190452], length 0
The sysctl settings should be fine:
Code:
net.netfilter.nf_conntrack_tcp_loose = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.conf.default.rp_filter = 1
Does anyone have some ideas on what to check and why it is not working?

The distro is Slackware 14.2+ (current) and the kernel is an (almost) new one:
Code:
root@firewall:~# uname -a
Linux firewall.frumar.it 4.19.81-v7+ #1 SMP Sat Nov 2 00:21:44 CET 2019 armv7l BCM2835 GNU/Linux
ipt_SYNPROXY is loaded:

Code:
root@firewall:~# lsmod | grep SYN
ipt_SYNPROXY           16384  0
nf_synproxy_core       16384  1 ipt_SYNPROXY
x_tables               32768  16 xt_state,xt_LOG,xt_multiport,xt_owner,xt_nat,ipt_SYNPROXY,iptable_mangle,ip_tables,iptable_filter,xt_string,xt_tcpudp,iptable_raw,xt_recent,xt_connlimit,xt_CT,xt_conntrack
nf_conntrack          135168  12 xt_state,nf_conncount,xt_nat,ipt_SYNPROXY,nf_conntrack_ftp,nf_nat_ftp,xt_connlimit,xt_CT,xt_conntrack,nf_synproxy_core,nf_nat_ipv4,nf_nat
I'm really banging my head against the wall.

Thanks, and apologies for my bad English.

Pierluigi
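A worked example, added here and not part of the original post, for deriving the SYNPROXY options from a capture. The iptables-extensions man page says that --mss and --wscale "must match the backend" and that --sack-perm and --timestamp only decide whether those client options are passed through, so the numbers belong to the server's SYN+ACK (the [S.] line captured with the rules removed), not to the client's SYN. The script parses that line and prints the three-rule recipe for it. The sample lines are copied from the captures above; the interface br0 and port 81 are taken from the post, and the parser's only assumption is the tcpdump -n line format.

```shell
#!/bin/sh
# Added example (not from the thread): derive the SYNPROXY target options from the
# backend's SYN+ACK as printed by "tcpdump -n" with the SYNPROXY rules removed.

# Constructed sample lines, copied from the capture in the post: the backend's
# SYN+ACK and the client's SYN.
SAMPLE_SYNACK='14:49:00.998517 IP 10.0.1.51.81 > 10.0.1.18.32934: Flags [S.], seq 3980734030, ack 1887031232, win 28960, options [mss 1460,sackOK,TS val 288190452 ecr 2209812901,nop,wscale 7], length 0'
SAMPLE_SYN='14:49:00.998297 IP 10.0.1.18.32934 > 10.0.1.51.81: Flags [S], seq 1887031231, win 29200, options [mss 1323,sackOK,TS val 2209812901 ecr 0,nop,wscale 7], length 0'

# synproxy_opts_from_synack LINE
# Prints the SYNPROXY options the backend actually announced, e.g.
# "--mss 1460 --sack-perm --timestamp --wscale 7". Refuses anything that is not a
# SYN+ACK line, so the client's SYN cannot be used by mistake.
synproxy_opts_from_synack() {
    line=$1
    case $line in
        *"Flags [S.]"*) ;;
        *) echo "expected a SYN+ACK ([S.]) line, got: $line" >&2; return 1 ;;
    esac
    opts=${line#*options \[}      # drop everything up to "options ["
    opts=${opts%%\]*}             # ...and everything after the closing "]"
    out=""
    saved_ifs=$IFS; IFS=','
    for o in $opts; do
        case $o in
            "mss "*)    out="$out --mss ${o#"mss "}" ;;
            sackOK)     out="$out --sack-perm" ;;
            "TS val "*) out="$out --timestamp" ;;
            "wscale "*) out="$out --wscale ${o#"wscale "}" ;;
        esac
    done
    IFS=$saved_ifs
    printf '%s\n' "${out# }"
}

# synproxy_rules IFACE PORT OPTS
# Prints the three rules of the netfilter SYNPROXY recipe for one port: notrack
# for incoming SYNs in raw, the SYNPROXY target for UNTRACKED/INVALID packets,
# and the final INVALID drop. Pipe the output to "sh" to apply it (needs root).
synproxy_rules() {
    iface=$1; port=$2; opts=$3
    printf 'iptables -t raw -I PREROUTING -i %s -p tcp -m tcp --syn --dport %s -j CT --notrack\n' "$iface" "$port"
    printf 'iptables -A INPUT -i %s -p tcp -m tcp --dport %s -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY %s\n' "$iface" "$port" "$opts"
    printf 'iptables -A INPUT -m conntrack --ctstate INVALID -j DROP\n'
}

# Usage: derive the options from the backend's SYN+ACK, then print the rules.
OPTS=$(synproxy_opts_from_synack "$SAMPLE_SYNACK")
synproxy_rules br0 81 "$OPTS"
```

For the capture in the post this yields --mss 1460 --wscale 7 with SACK and timestamps passed through, whereas the rules as posted announce --mss 1323 to the client, the value the client offered rather than the one the backend does.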
 
Old 11-05-2019, 04:56 PM   #2
Chuck56
I fought off a SYN Flood this weekend and I couldn't get SYNPROXY working either. I gave up and used the following iptables commands:

Code:
# one chain per service; each keeps its own xt_recent list (without --name they
# would all share the DEFAULT list and hits on one port would count against the others)
iptables -N SSHBRUTE
iptables -N HTTPBRUTE
iptables -N SMTPBRUTE

# drop a source that already has 4 NEW connections to port 22 in the last 60 s, otherwise record this one
iptables -A SSHBRUTE -p tcp --dport 22 -m state --state NEW -m recent --name sshbrute --update --seconds 60 --hitcount 4 -j DROP
iptables -A SSHBRUTE -p tcp --dport 22 -m state --state NEW -m recent --name sshbrute --set

# same for HTTP/HTTPS, 30 per minute
iptables -A HTTPBRUTE -p tcp -m multiport --dport 80,443 -m state --state NEW -m recent --name httpbrute --update --seconds 60 --hitcount 30 -j DROP
iptables -A HTTPBRUTE -p tcp -m multiport --dport 80,443 -m state --state NEW -m recent --name httpbrute --set

# and SMTP, 8 per minute
iptables -A SMTPBRUTE -p tcp --dport 25 -m state --state NEW -m recent --name smtpbrute --update --seconds 60 --hitcount 8 -j DROP
iptables -A SMTPBRUTE -p tcp --dport 25 -m state --state NEW -m recent --name smtpbrute --set

# hook the chains into INPUT
iptables -A INPUT -j SSHBRUTE
iptables -A INPUT -j HTTPBRUTE
iptables -A INPUT -j SMTPBRUTE
Since a SYN flood usually sends multiple connection requests per second, these rules easily drop any packets that exceed --hitcount 30 over --seconds 60. Maybe this will help until you figure out the SYNPROXY issue.
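Added example, not Chuck56's code: a replay of the xt_recent logic behind the rule pair "--update --seconds S --hitcount H -j DROP" followed by "--set", so a threshold can be tried against a constructed trace of NEW connections before it goes into the firewall. The semantics modelled are those of xt_recent: --update matches (and records a new stamp) only when at least H stamps from the same source fall inside the last S seconds, and --set always records a stamp. The trace below is constructed; the addresses are borrowed from the post.

```shell
#!/bin/sh
# Added example (not from the thread): simulate the "-m recent --update ... -j DROP"
# then "-m recent --set" rule pair over a trace of NEW connections.

# recent_sim SECONDS HITCOUNT
# Reads "TIME SRC" lines (TIME in seconds) on stdin and prints "TIME SRC VERDICT".
recent_sim() {
    awk -v secs="$1" -v hits="$2" '
    {
        t = $1; src = $2; n = cnt[src]; h = 0; drop = 0
        # --update --seconds secs --hitcount hits: count the stamps still inside the window
        for (i = 1; i <= n; i++) {
            if (t - stamp[src, i] <= secs) {
                h++
                if (h >= hits) { drop = 1; break }
            }
        }
        # --update (when it matched) and --set (when it did not) both record this packet
        cnt[src] = ++n; stamp[src, n] = t
        print t, src, (drop ? "DROP" : "ACCEPT")
    }'
}

# Constructed trace: one source opening 5 connections in 5 s, another source once,
# then the first source again after the 60 s window has expired.
SAMPLE_TRACE='0 10.0.1.18
1 10.0.1.18
2 10.0.1.18
3 10.0.1.18
4 10.0.1.18
5 10.0.1.20
70 10.0.1.18'

# count_verdict VERDICT SECONDS HITCOUNT: how many lines of the trace got that verdict
count_verdict() {
    printf '%s\n' "$SAMPLE_TRACE" | recent_sim "$2" "$3" | grep -c " $1\$"
}

# Usage: the SSH thresholds from the post (4 hits in 60 s)
printf '%s\n' "$SAMPLE_TRACE" | recent_sim 60 4
```

With hitcount 4 the source gets four NEW connections per minute and the fifth is dropped, and once the stamps age out of the window it is accepted again. Two design points follow from the match itself: the list is keyed on the source address, so a flood from spoofed or random sources never accumulates enough stamps per address to be dropped, and a legitimate NAT gateway with many users behind it counts as one source. That is the gap SYNPROXY closes, since it answers every SYN with a cookie and only admits a client that completes the handshake.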
 
Old 11-06-2019, 09:07 AM   #3
Pigi_102
That's an elegant solution I will surely study.
I need to understand if it applies to the FORWARD and NAT chains, but I got the idea.

In any case I really intend to understand why SYNPROXY doesn't work, as it seems the way to go in case of SYN floods.

Thanks !


Pigi
 
Old 11-07-2019, 09:30 AM   #4
Pigi_102
I did some more study on the problem, but it seems to get worse every time I look at it.
I've activated TRACE:
Code:
/usr/sbin/iptables -t raw -I PREROUTING -i br0 -p tcp --dport 82 -j TRACE
to see where the packet is going, but it seems to disappear.

Here the rules:
Code:
root@firewall# iptables -t raw -L -v -n
Chain PREROUTING (policy ACCEPT 915 packets, 358K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        2   120 TRACE      tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:82
2        2   120 CT         tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:82 flags:0x17/0x02 CT notrack

Chain OUTPUT (policy ACCEPT 407 packets, 259K bytes)
num   pkts bytes target     prot opt in     out     source               destination         


root@firewall# iptables -L INPUT -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       78 81472 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
2      358  103K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED 
3        2   120 SYNPROXY   tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:82 state INVALID,UNTRACKED SYNPROXY sack-perm timestamp wscale 7 mss 1460 
4       11   452 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
5        0     0 ACCEPT     tcp  --  *      *       10.0.1.18            10.0.1.51            tcp dpt:82  /* Ntp da dmz 
...
...
...
and the trace output (cleaned up a bit):
Code:
raw:PREROUTING:rule:2      IN=br0 OUT= SRC=10.0.1.18 DST=10.0.1.51 ID=36524 DF PROTO=TCP SPT=53404 DPT=82 SEQ=3633093572 ACK=0 WINDOW=29200 RES=0x00
raw:PREROUTING:policy:3    IN=br0 OUT= SRC=10.0.1.18 DST=10.0.1.51 ID=36524 DF PROTO=TCP SPT=53404 DPT=82 SEQ=3633093572 ACK=0 WINDOW=29200 RES=0x00
mangle:PREROUTING:policy:1 IN=br0 OUT= SRC=10.0.1.18 DST=10.0.1.51 ID=36524 DF PROTO=TCP SPT=53404 DPT=82 SEQ=3633093572 ACK=0 WINDOW=29200 RES=0x00
mangle:INPUT:policy:1      IN=br0 OUT= SRC=10.0.1.18 DST=10.0.1.51 ID=36524 DF PROTO=TCP SPT=53404 DPT=82 SEQ=3633093572 ACK=0 WINDOW=29200 RES=0x00
filter:INPUT:rule:3        IN=br0 OUT= SRC=10.0.1.18 DST=10.0.1.51 ID=36524 DF PROTO=TCP SPT=53404 DPT=82 SEQ=3633093572 ACK=0 WINDOW=29200 RES=0x00
( this get repeated for every try )


As you can see, the packet gets caught by rule 2 of the raw table, PREROUTING chain:
Code:
2        2   120 CT         tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:82 flags:0x17/0x02 CT
then by rule 3 of the filter table, INPUT chain:
Code:
3        2   120 SYNPROXY   tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:82 state INVALID,UNTRACKED SYNPROXY sack-perm timestamp wscale 7 mss 1460
but then it gets lost.

Any hint on this?
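A worked example, added here and not part of the thread, covering the two things a practitioner would do with the trace above. First, reduce a TRACE log to the last hook each packet ID was seen at, which is the reading done by hand in the post. Second, trace the reply side: in the kernel source the SYNPROXY target sends the cookie SYN+ACK itself and returns NF_STOLEN for the original SYN, so a trace that ends at the SYNPROXY rule is what a working setup looks like for the SYN. That synthesized SYN+ACK is injected through the local output path without a conntrack entry, and with nf_conntrack_tcp_loose=0 conntrack classifies it as INVALID in the OUTPUT hook, so an OUTPUT-side rule that drops INVALID (or a DROP policy there) discards it before tcpdump on br0 could see it. The thread does not show the OUTPUT chains, so the commands printed here are the check to run, not a diagnosis; port 82 and interface br0 are taken from the post, and the second packet ID in the sample trace is constructed for comparison.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a TRACE log per packet, and print
# the commands that follow SYNPROXY's SYN+ACK through the OUTPUT side.

# Constructed sample: the (cleaned) TRACE lines from the post for ID 36524, plus a
# made-up ID 36525 that reaches the filter INPUT policy, for comparison.
SAMPLE_TRACE='raw:PREROUTING:rule:2      IN=br0 OUT= SRC=10.0.1.18 DST=10.0.1.51 ID=36524 DF PROTO=TCP SPT=53404 DPT=82
raw:PREROUTING:policy:3    IN=br0 OUT= SRC=10.0.1.18 DST=10.0.1.51 ID=36524 DF PROTO=TCP SPT=53404 DPT=82
mangle:PREROUTING:policy:1 IN=br0 OUT= SRC=10.0.1.18 DST=10.0.1.51 ID=36524 DF PROTO=TCP SPT=53404 DPT=82
mangle:INPUT:policy:1      IN=br0 OUT= SRC=10.0.1.18 DST=10.0.1.51 ID=36524 DF PROTO=TCP SPT=53404 DPT=82
filter:INPUT:rule:3        IN=br0 OUT= SRC=10.0.1.18 DST=10.0.1.51 ID=36524 DF PROTO=TCP SPT=53404 DPT=82
raw:PREROUTING:policy:3    IN=br0 OUT= SRC=10.0.1.18 DST=10.0.1.51 ID=36525 DF PROTO=TCP SPT=53405 DPT=82
filter:INPUT:policy:6      IN=br0 OUT= SRC=10.0.1.18 DST=10.0.1.51 ID=36525 DF PROTO=TCP SPT=53405 DPT=82'

# last_hop: stdin = TRACE lines (with or without the kernel's "TRACE: " prefix),
# stdout = "ID table:chain:verdict" with the last hook per packet, in first-seen order.
last_hop() {
    awk '
    {
        hop = ($1 == "TRACE:") ? $2 : $1
        id = ""
        for (i = 2; i <= NF; i++) if ($i ~ /^ID=/) { id = substr($i, 4); break }
        if (id == "") next
        if (!(id in last)) order[++n] = id
        last[id] = hop
    }
    END { for (i = 1; i <= n; i++) print order[i], last[order[i]] }'
}

# synproxy_output_checks PORT IFACE
# Prints the commands that follow the synthesized SYN+ACK on its way out. Run them
# as root; read the TRACE lines with "dmesg -w" and compare the rule counters.
synproxy_output_checks() {
    port=$1; iface=$2
    cat <<EOF
# 1. trace the SYN+ACK that SYNPROXY generates through the OUTPUT chains
iptables -t raw -I OUTPUT -o $iface -p tcp --sport $port --tcp-flags SYN,ACK SYN,ACK -j TRACE
# 2. list OUTPUT rules that act on INVALID/UNTRACKED packets, and the chain policy, then watch their counters
iptables -L OUTPUT -v -n --line-numbers | grep -E 'INVALID|UNTRACKED|policy'
iptables -t raw -L OUTPUT -v -n --line-numbers
# 3. conntrack's own count of packets it refused to track (the "invalid" column)
conntrack -S 2>/dev/null || cat /proc/net/stat/nf_conntrack
# 4. if the trace shows the SYN+ACK dying at an INVALID drop, let it out ahead of that rule
iptables -I OUTPUT -o $iface -p tcp --sport $port --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate INVALID,UNTRACKED -j ACCEPT
EOF
}

# Usage: summarise the sample trace, then print the output-side checks for port 82 on br0.
printf '%s\n' "$SAMPLE_TRACE" | last_hop
synproxy_output_checks 82 br0
```

For the sample trace the summary is "36524 filter:INPUT:rule:3", i.e. the SYN was consumed by the SYNPROXY rule, which is the expected end of its path. What decides whether the client ever sees a SYN+ACK is what the raw OUTPUT trace from step 1 shows, and whether a counter on an INVALID drop in OUTPUT moves in step with each connection attempt.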
 
  

