Is this possible SYN Proxy bug?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi.
I experienced some errors regarding syn proxy. I observed network
traffic and realized syn proxy doesn't set mss value correctly. Then I
did some tests and here is details of my test.

I set 3 different device. A client, firewall and server. Firewall is
where syn proxy rules located.

Before adding syn proxy rules, I observed mss and wscale values

10.0.0.215.60797 > 10.0.1.213.80: Flags [S], seq 3059817525, win
29200, options [mss 1460,sackOK,TS val 95678003 ecr 0,nop,wscale 7],
length 0
10.0.1.213.80 > 10.0.0.215.60797: Flags [S.], seq 3020500548, ack
3059817526, win 14480, options [mss 1460,sackOK,TS val 12703989 ecr
95678003,nop,wscale 2], length 0

So client sets mss 1460 wscale 7, server sets mss 1460 and wscale 2

Then I added below rules and start tests
iptables -t raw -A PREROUTING -i enp7s0f0 -p tcp -m tcp --syn -j CT --notrack
iptables -A FORWARD -i enp7s0f0 -p tcp -m tcp -m state --state
INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 2 --mss
1460
iptables -A FORWARD -i enp7s0f0 -p tcp -m tcp -m state --state INVALID -j DROP

With these values here is what I see on external and internal interface

External interface:
10.0.0.215.60800 > 10.0.1.213.80: Flags [S], seq 1609742327, win
29200, options [mss 1460,sackOK,TS val 99453267 ecr 0,nop,wscale 7],
length 0
10.0.1.213.80 > 10.0.0.215.60800: Flags [S.], seq 3294723050, ack
1609742328, win 0, options [mss 1460,sackOK,TS val 5761239 ecr
99453267,nop,wscale 2], length 0

Internal interface:
10.0.0.215.60800 > 10.0.1.213.80: Flags [S], seq 1609742327, win 229,
options [mss 1460,sackOK,TS val 99453267 ecr 5761239,nop,wscale 7],
length 0
10.0.1.213.80 > 10.0.0.215.60800: Flags [S.], seq 1301167703, ack
1609742328, win 14480, options [mss 1460,sackOK,TS val 16479252 ecr
99453267,nop,wscale 2], length 0

Until here there is nothing wrong. Now see what happen when I set
client mss value to 1260 by changing mtu.

External interface
10.0.0.215.60802 > 10.0.1.213.80: Flags [S], seq 36636545, win 25200,
options [mss 1260,sackOK,TS val 99747035 ecr 0,nop,wscale 7], length 0
10.0.1.213.80 > 10.0.0.215.60802: Flags [S.], seq 2342465663, ack
36636546, win 0, options [mss 1260,sackOK,TS val 6054999 ecr
99747035,nop,wscale 2], length 0

Internal interface
10.0.0.215.60802 > 10.0.1.213.80: Flags [S], seq 36636545, win 197,
options [mss 536,sackOK,TS val 99747035 ecr 6054999,nop,wscale 7],
length 0
10.0.1.213.80 > 10.0.0.215.60802: Flags [S.], seq 3600660781, ack
36636546, win 14480, options [mss 1460,sackOK,TS val 16773019 ecr
99747035,nop,wscale 2], length 0

As you can see syn proxy respond to client with same mss value and
open connection to back end with 536. But I suppose, It should send
1460 to client and 1260 to server.

I tried both bridged and router topology with kernel versions 5.0.13
and 4.14.21 and got same results. iptables version is 1.4.21

Regards
--
Ibrahim Ercan



[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux