
Re: Fwd: iptables and networking

One more bit on the use of the 'recent' match against DoS.

Pascal Hambourg wrote:
> The ruleset using the 'recent' match is based only on TCP packets with
> the NEW state, i.e. the initial SYN. A single SYN packet can be easily
> forged with a spoofed source address. Fail2ban is based on
> authentication failures, which first requires a TCP connection to be
> established with the 3-way handshake. As it involves a positive reply
> from the spoofed address, this is much harder to achieve, unless the
> attacker is in a special position on the network.

The 'recent' match could be used if it were possible to detect the last
packet of the TCP 3-way handshake sent by the client, confirming the
connection is established. Unfortunately it just looks like any other
ACK packet in the stream (same TCP flags, same conntrack ctstate and
ctstatus), except that it is the first ACK (without SYN). Using
connection mark and packet mark, I guess it is possible to detect it:

By default, packet mark and connection mark are 0.
If an ACK is received in the original direction and the connection mark
is 0, then set the packet mark and connection mark to 1.

Translated into iptables rules (the --ctstate/--ctdir options belong to
the 'conntrack' match):

# first ACK (no SYN, no RST) in the original direction on a connection
# whose connmark is still 0: tag the packet
-A INPUT -p tcp --tcp-flags SYN,ACK,RST ACK -m connmark --mark 0 \
  -m conntrack --ctstate ESTABLISHED --ctdir ORIGINAL -j MARK --set-mark 1
# copy the packet mark into the connection mark so later ACKs no longer match
-A INPUT -p tcp -m mark --mark 1 -j CONNMARK --set-mark 1

It seems to work, but I have not tested it extensively.

WARNING: --ctdir is inverted in kernels older than 2.6.39 (fix not
backported in any stable/longterm release at kernel.org), so you must
use REPLY instead of ORIGINAL (or negation with !) if you use such a kernel.

If your ruleset already uses packet marks or connection marks for other
purposes, you may need to apply masks to divide the marks into bitfields.

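As an added worked example (it is not part of the message above and not a ruleset its author posted), the following script emits a complete iptables-restore fragment that ties the two marking rules to the 'recent' match, so that a source is rate-limited by the handshakes it has actually completed rather than by raw SYNs. The marks are written with a mask (bit 0x1 by default) so that the other mark bits stay free for other uses, as the end of the message suggests. The list name, port, bit, time window, hit count and the choice of mangle INPUT for the marking rules are all assumptions made for this example; it also assumes a kernel of 2.6.39 or later, where --ctdir ORIGINAL means the original direction.

```shell
#!/bin/sh
# Added example: emit an iptables-restore fragment that rate-limits a source
# by the number of TCP handshakes it has completed, so that spoofed SYNs
# (which never produce a client ACK) cannot get a third party's address
# onto the list. Assumes a kernel >= 2.6.39 (--ctdir not inverted).
# All names and numbers below are assumptions made for this example.

handshake_rules() {
    bit=$1        # mark/connmark bit reserved for "first client ACK seen"
    list=$2       # 'recent' list name
    port=$3       # TCP port to protect
    seconds=$4    # window for the hit count
    hitcount=$5   # completed handshakes per source allowed in the window
    cat <<EOF
*mangle
# First ACK (no SYN, no RST) in the original direction on a connection whose
# mark bit is still clear: tag the packet, then copy the tag into the
# connection mark. The masks ($bit/$bit) leave the other mark bits untouched.
-A INPUT -p tcp --dport $port --tcp-flags SYN,ACK,RST ACK -m connmark --mark 0x0/$bit -m conntrack --ctstate ESTABLISHED --ctdir ORIGINAL -j MARK --set-xmark $bit/$bit
-A INPUT -p tcp -m mark --mark $bit/$bit -j CONNMARK --set-xmark $bit/$bit
COMMIT
*filter
# Every tagged packet is one completed handshake: record its source address.
-A INPUT -p tcp -m mark --mark $bit/$bit -m recent --name $list --set
# Drop new SYNs from sources that completed too many handshakes recently.
# --rcheck only reads the list, so a SYN never adds an address to it.
-A INPUT -p tcp --dport $port --syn -m conntrack --ctstate NEW -m recent --name $list --rcheck --seconds $seconds --hitcount $hitcount -j DROP
COMMIT
EOF
}

# Defaults can be overridden from the environment, e.g. HS_PORT=80.
handshake_rules "${HS_BIT:-0x1}" "${HS_LIST:-handshakes}" "${HS_PORT:-22}" \
                "${HS_SECONDS:-60}" "${HS_HITCOUNT:-10}"
```

Apply it with "sh handshake-limit.sh | iptables-restore --noflush" (the builtin chains need no declaration, and --noflush keeps the rest of your ruleset). Packets traverse mangle INPUT before filter INPUT, so the packet mark is already set when the 'recent' rules see the first ACK. Because only that ACK ever calls --set, an attacker flooding spoofed SYNs cannot put the spoofed address on the list, which is exactly the property fail2ban gets from requiring an established connection.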