
Re: iptables blocking eth0 .. why ?


Bernd Eckenfels wrote:
| On Fri, Jan 07, 2005 at 01:18:46PM +1300, Blair Strang wrote:
|
|>| iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
|>| iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
|>| SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
|>| iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
|>| -j DROP
|
| the NEW Syn,Ack is most likely used to make sure netfilter will not
| (re)establish sessions from intermediate packets belonging to an established
| session. I think the "! --syn" has more or less the same function (besides
| RST)
|
|
| Greetings
| Bernd
|
|

I see what you mean! I found an explanation for these rules here:

http://www.faqs.org/docs/iptables/newnotsyn.html
http://www.faqs.org/docs/iptables/synackandnew.html

It seems like the third rule does make sense[1].  I incorrectly believed
that a NEW match for TCP always implied SYN.  Learn something every day :)

A note on the second rule though: in order for this rule to work as intended,
it should come BEFORE the rule which drops INVALID packets.

A glance at ip_conntrack_proto_tcp.c (from 2.6.9) leads me to believe that any "new"
TCP SYN+ACK will be state INVALID.  The RST (which the OP theoretically wants) will
never be sent because of the preceding rule.

Thanks,

~    Blair.

[1] But it means that if you reboot your firewall, all the TCP connections through
it must be re-established.... whereas without it some of them might survive...
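The rule ordering Blair argues for, as an added example that is not part of the original thread: the OP's three BLOCKED_PACKETS rules with the SYN,ACK reject moved ahead of the INVALID drop. The IPT variable and the dry-run check are additions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): the OP's BLOCKED_PACKETS chain with the
# SYN,ACK+NEW reject placed before the INVALID drop. IPT defaults to iptables;
# set IPT=echo for a dry run that only prints the commands.
IPT="${IPT:-iptables}"

build_blocked_packets_chain() {
    # 1. Reject "new" SYN,ACK with a TCP reset. This must come first: conntrack
    #    classifies such a packet as INVALID, so an earlier INVALID drop would
    #    swallow it and the reset would never be sent.
    "$IPT" -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK \
        -m state --state NEW -j REJECT --reject-with tcp-reset
    # 2. Drop whatever conntrack could not classify.
    "$IPT" -A BLOCKED_PACKETS -m state --state INVALID -j DROP
    # 3. Drop NEW TCP packets that are not a SYN (mid-stream packets of a
    #    session conntrack has no record of, e.g. after a firewall reboot).
    "$IPT" -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW -j DROP
}

# Dry-run check: render the chain with IPT=echo and confirm that the
# tcp-reset rule appears before the INVALID drop. Returns 0 on success.
check_rule_order() {
    rules=$(IPT=echo; build_blocked_packets_chain)
    reset_line=$(printf '%s\n' "$rules" | grep -n 'tcp-reset' | cut -d: -f1)
    invalid_line=$(printf '%s\n' "$rules" | grep -n 'INVALID' | cut -d: -f1)
    [ -n "$reset_line" ] && [ -n "$invalid_line" ] &&
        [ "$reset_line" -lt "$invalid_line" ]
}
```

Run `IPT=echo sh script.sh` style dry runs before loading the chain on a live firewall; the real chain must also be created (`iptables -N BLOCKED_PACKETS`) and jumped to from INPUT/FORWARD, which the OP's excerpt does not show.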
