On Thu, Nov 28, 2019 at 7:37 PM Naruto Nguyen <narutonguyen2018@xxxxxxxxx> wrote:
>
> Hi everyone,
>
> I have followed a simple SCTP server and SCTP client at
> http://simplestcodings.blogspot.com/2010/08/sctp-server-client-implementation-in-c.html
>
> It works well. Client and server can communicate successfully. Then I
> tried to set up an iptables rule to drop the INIT packet on the server node
>
> iptables -A INPUT -p sctp -m conntrack --ctstate NEW -m sctp
> --chunk-types any INIT -j DROP
>
> It can drop it, and the connection cannot be established from the client anymore.
> However, when I tried to drop the INIT_ACK sent from the server by
>
> iptables -A OUTPUT -p sctp -m conntrack --ctstate NEW -m sctp
> --chunk-types any INIT_ACK -j DROP

I think INIT_ACK is a reply-direction packet, so its conntrack ctstate may not be NEW.
Can you please try with the others, like ESTABLISHED, RELATED or so.

>
> it looks like it cannot drop INIT_ACK and the connection from the client is set up
> fine. Could you please tell me if SCTP conntrack can drop INIT_ACK,
> COOKIE_ACK? My conntrack log does not show any INIT, INIT_ACK,
> COOKIE_ACK

What do you mean by showing INIT and INIT_ACK? Those are packet types.
You can see the SCTP asoc state, like COOKIE_ECHOED, ESTABLISHED.

>
> [NEW] sctp 132 3 src=199.569.9.50 dst=199.569.9.51 sport=57295 dport=62324 [UNREPLIED] src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295
> [UPDATE] sctp 132 3 src=199.569.9.50 dst=199.569.9.51 sport=57295 dport=62324 src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295
> [UPDATE] sctp 132 3 COOKIE_ECHOED src=199.569.9.50 dst=199.569.9.51 sport=57295 dport=62324 src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295
> [UPDATE] sctp 132 432000 ESTABLISHED src=199.569.9.50 dst=199.569.9.51 sport=57295 dport=62324 src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295 [ASSURED]
>
> Is it expected? In TCP, the conntrack log can show SYN_SENT / SYN_RECEIVED.

I think so.
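As an added illustration of the reply's point (this is not code from the thread or from the netfilter project), the parser below turns the `conntrack -E` event lines quoted above into structured records and pulls out the SCTP association state per event. The sample input is the poster's own four event lines, embedded verbatim; the `CtEvent` dataclass, `parse_event`, `parse_events` and `state_trace` are names chosen here. The field layout assumed is the one visible in those lines: event tag, protocol name, protocol number, timeout, an optional bare state token, the original tuple, bracketed flags, then the reply tuple.

```python
"""Parse SCTP conntrack events (`conntrack -E` output) into structured records."""
from dataclasses import dataclass, field
from typing import Optional

# Event lines as quoted in the thread above. The addresses are kept exactly as
# the poster wrote them, even though 569 is not a valid IPv4 octet.
SAMPLE_EVENTS = """\
[NEW] sctp 132 3 src=199.569.9.50 dst=199.569.9.51 sport=57295 dport=62324 [UNREPLIED] src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295
[UPDATE] sctp 132 3 src=199.569.9.50 dst=199.569.9.51 sport=57295 dport=62324 src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295
[UPDATE] sctp 132 3 COOKIE_ECHOED src=199.569.9.50 dst=199.569.9.51 sport=57295 dport=62324 src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295
[UPDATE] sctp 132 432000 ESTABLISHED src=199.569.9.50 dst=199.569.9.51 sport=57295 dport=62324 src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295 [ASSURED]
"""


@dataclass
class CtEvent:
    event: str                  # NEW, UPDATE or DESTROY
    proto: str                  # protocol name, e.g. "sctp"
    protonum: int               # IP protocol number (132 for SCTP)
    timeout: int                # remaining lifetime of the entry, in seconds
    state: Optional[str]        # association state; absent on the first events
    orig: dict = field(default_factory=dict)   # original-direction tuple
    reply: dict = field(default_factory=dict)  # reply-direction tuple
    flags: list = field(default_factory=list)  # UNREPLIED, ASSURED, ...


def parse_event(line: str) -> CtEvent:
    """Parse one conntrack event line into a CtEvent."""
    toks = line.split()
    if len(toks) < 4 or not (toks[0].startswith("[") and toks[0].endswith("]")):
        raise ValueError(f"not a conntrack event line: {line!r}")
    ev = CtEvent(event=toks[0][1:-1], proto=toks[1],
                 protonum=int(toks[2]), timeout=int(toks[3]), state=None)
    rest = toks[4:]
    # A bare token before the first key=value pair is the protocol state
    # (COOKIE_ECHOED, ESTABLISHED, ...); the first two events carry none.
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        ev.state = rest.pop(0)
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            ev.flags.append(tok[1:-1])
            continue
        key, sep, val = tok.partition("=")
        if not sep:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
        # The first src/dst/sport/dport set is the original tuple,
        # the second (seen once the key already exists) is the reply tuple.
        (ev.reply if key in ev.orig else ev.orig)[key] = val
    return ev


def parse_events(text: str) -> list:
    """Parse every non-empty line of a conntrack event dump."""
    return [parse_event(ln) for ln in text.splitlines() if ln.strip()]


def state_trace(events: list) -> list:
    """(event, state, flags) per event: the view conntrack has of the handshake."""
    return [(e.event, e.state, tuple(e.flags)) for e in events]


if __name__ == "__main__":
    for ev, st, fl in state_trace(parse_events(SAMPLE_EVENTS)):
        print(f"{ev:7} state={st or '-':14} flags={','.join(fl) or '-'}")
```

Running it prints one line per event and makes the point concrete: no event ever names a chunk type (INIT, INIT_ACK, COOKIE_ECHO, COOKIE_ACK); what conntrack exposes is the association state, and the entry only becomes ASSURED once it reaches ESTABLISHED. Matching on a chunk type therefore has to be done by the `-m sctp --chunk-types` match in the rule itself, while `-m conntrack --ctstate` only sees the direction and state of the tracked association.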