
Re: iptables --tcp-option ! 2



Go figure on the Google bit.  All my queries had 'iptables' included, and I guess that sent my Google hits in the wrong
direction.  Thanks for finding that!  [Why is it always something stupid preventing me from finding what I need in
Google?]

Moving along, an example howto that uses --tcp-option is the following:
http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html
This tutorial was linked directly off of netfilter.org, so I assumed that this tutorial had at least some credibility.
It does cover the basics fairly well; it just lacks details in some areas.

Given what I see so far, it looks as if I don't really need the line.  I am not setting up a paranoid firewall, and the
remainder of the tutorial covers basically all I need.

So at this point, I'm still somewhat curious about it, but am no longer interested in it for production purposes...
Thanks for the quick reply!  I'm always glad that I can count on the Debian support groups to help me out if I get stuck
with something.
-doug

----- Original Message -----
From: "Bernd Eckenfels" <lists@lina.inka.de>
To: "Doug" <SupportList@dougtheslug.ca>
Cc: <debian-firewall@lists.debian.org>
Sent: Tuesday, August 23, 2005 5:25 PM
Subject: Re: iptables --tcp-option ! 2


> On Tue, Aug 23, 2005 at 04:44:02PM -0700, Doug wrote:
> > I keep seeing this in firewall scripts on the net, but I am unable to find an explanation or listing/table of
> > tcp-options.
> > The command in question is the following
> >
> > iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
>
> if you google for "tcp options" the first hit is:
>
> http://www.iana.org/assignments/tcp-parameters
>
> Kind   Length   Meaning                           Reference
> ----   ------   -------------------------------   ---------
>   0        -    End of Option List                 [RFC793]
>   1        -    No-Operation                       [RFC793]
>   2        4    Maximum Segment Size               [RFC793]
>   3        3    WSOPT - Window Scale              [RFC1323]
> ...
>
> And I am not sure when the above rule makes sense. It looks inverted:
>
> The protocol requires this option only in the SYN segments, so perhaps this
> is a misguided try to filter those? What I see in some tutorials is that
> you accept SYN packets before, and then you can reject all packets which
> have the option, because they are not SYN segments.
>
> BTW: ipt_unclean is also filtering some option 2 misuse. But that is aimed
> at the content, not only the presence.
>
> > I'm sure it's safe, and likely a good idea to have in, given the number of
> > tutorials that have it in, but I just dislike the idea of having something
> > in my to be firewall script that I have little understanding of.
>
> Can you point us to a tutorial which has this in and does not explain it?
> Especially the one where this rule makes sense.
>
> Regards
> Bernd
> --
>   (OO)     -- Bernd_Eckenfels@Mörscher_Strasse_8.76185Karlsruhe.de --
>  ( .. )    ecki@{inka.de,linux.de,debian.org}  http://www.eckes.org/
>   o--o   1024D/E383CD7E  eckes@IRCNet  v:+497211603874  f:+49721151516129
> (O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
>
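As an added worked example (not part of this thread or of either poster's mail), the following Python script parses the TCP option list out of a TCP header, using the option kinds from the IANA table quoted above, and mirrors the semantics of the iptables `[!] --tcp-option` match: the match is true when an option of the given kind is present in the segment, and `!` inverts it. The two rule functions compare the rule as quoted (`--tcp-option ! 2`) with the ordering Bernd describes (accept SYN first, then reject anything still carrying option 2). All segments are constructed sample data with dummy ports, sequence numbers and checksum; the function names are this example's own, not iptables'.

```python
"""Parse TCP options and evaluate an iptables-style --tcp-option match.

Added example; the header layout follows RFC 793 and the option kinds
the IANA registry. Sample segments below are constructed, not captured.
"""
import struct

# Kinds from the IANA registry quoted in the thread (RFC 793 / RFC 1323).
TCP_OPTION_NAMES = {0: "End of Option List", 1: "No-Operation",
                    2: "Maximum Segment Size", 3: "Window Scale"}

TH_SYN = 0x02
TH_ACK = 0x10


def parse_tcp_options(segment):
    """Return {kind: payload bytes} for every option in a TCP segment.

    ``segment`` starts at the TCP header. The data-offset field (upper
    nibble of byte 12) gives the header length in 32-bit words; the
    options occupy bytes 20 .. offset*4. Malformed lengths raise.
    """
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = segment[20:data_offset]
    found = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List: nothing follows
            found[0] = b""
            break
        if kind == 1:            # No-Operation: one byte, no length field
            found[1] = b""
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d missing length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (kind, length))
        found[kind] = bytes(opts[i + 2:i + length])
        i += length
    return found


def tcp_flags(segment):
    """The flags byte (SYN, ACK, ...) of the header."""
    return segment[13]


def tcp_option_match(segment, kind, invert=False):
    """Mirror of ``[!] --tcp-option kind``: true when the option kind is
    present in the segment, or absent when ``invert`` is set."""
    present = kind in parse_tcp_options(segment)
    return present != invert


def mss_value(segment):
    """Advertised MSS (option 2), or None when the option is absent."""
    payload = parse_tcp_options(segment).get(2)
    if payload is None or len(payload) != 2:
        return None
    return struct.unpack("!H", payload)[0]


def build_segment(flags, options=b""):
    """Construct a minimal 20-byte TCP header plus padded options
    (constructed sample: ports, seq/ack numbers and checksum are dummies)."""
    while len(options) % 4:
        options += b"\x00"          # pad to a 32-bit boundary with EOL
    data_offset = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0,
                      data_offset << 4, flags, 65535, 0, 0)
    return hdr + options


MSS_1460 = bytes([2, 4]) + struct.pack("!H", 1460)          # kind 2, len 4
WSCALE_7 = b"\x01" + bytes([3, 3, 7])                        # NOP + kind 3
SYN_WITH_MSS = build_segment(TH_SYN, MSS_1460)
SYN_WITH_MSS_WS = build_segment(TH_SYN, MSS_1460 + WSCALE_7)
ACK_NO_OPTIONS = build_segment(TH_ACK)
ACK_WITH_MSS = build_segment(TH_ACK, MSS_1460)   # MSS outside a SYN


def rule_from_thread(segment):
    """``--tcp-option ! 2 -j REJECT`` as quoted: rejects everything that
    lacks an MSS option, i.e. ordinary data/ACK traffic, and passes SYNs."""
    return "REJECT" if tcp_option_match(segment, 2, invert=True) else "pass"


def chain_as_bernd_describes(segment):
    """Accept SYN segments first, then reject whatever still carries
    option 2, since MSS belongs only in SYN segments."""
    if tcp_flags(segment) & TH_SYN:
        return "ACCEPT"
    if tcp_option_match(segment, 2):
        return "REJECT"
    return "pass"


if __name__ == "__main__":
    for name, seg in [("SYN+MSS", SYN_WITH_MSS), ("ACK, no options", ACK_NO_OPTIONS),
                      ("ACK+MSS", ACK_WITH_MSS)]:
        kinds = [TCP_OPTION_NAMES.get(k, str(k)) for k in parse_tcp_options(seg)]
        print("%-16s options=%-24s quoted rule: %-6s  SYN-first chain: %s"
              % (name, kinds, rule_from_thread(seg), chain_as_bernd_describes(seg)))
```

Running the script shows the inversion Bernd points out: the quoted rule lets the SYN through and rejects the option-less ACK, so nothing past the handshake would survive it, while the SYN-first ordering passes normal traffic and only rejects a non-SYN segment that carries option 2. Note that real iptables applies the match only to packets already selected with `-p tcp`, and that the kernel match, like `parse_tcp_options` here, walks the option list by the length bytes, so a segment with a malformed option list is simply not matched rather than treated as containing the kind.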


