Re: Synflood filtering and Conntrack

Mart Frauenlob wrote:
> On 29.07.2010 13:21, Jan Engelhardt wrote:
>>
>> # iptables -I INPUT -p tcp --dport 23 -j DROP
>> # conntrack -E&   telnet localhost 23
>> [1] 6949
>> Trying ::1...
>> telnet: connect to address ::1: Connection refused
>
> refused? on DROP?
> my nc does show a timeout.

That's the IPv6 connection attempt. The Telnet server does not appear to
listen on IPv6, so the connection is refused.

>> Trying 127.0.0.1...
>>      [NEW] tcp      6 120 SYN_SENT src=127.0.0.1 dst=127.0.0.1
>> sport=59734 dport=23 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=23
>> dport=59734
>>
>> ...seconds later...
>> # conntrack -L | grep =23
>> conntrack v0.9.14 (conntrack-tools): 12 flow entries have been shown.
>> tcp      6 97 SYN_SENT src=127.0.0.1 dst=127.0.0.1 sport=59734
>> dport=23 packets=1 bytes=60 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1
>> sport=23 dport=59734 packets=0 bytes=0 mark=0 secmark=0 use=2
>>
>> 2 minutes it is.

That's because it is a locally generated connection, so the conntrack
confirm takes place after POSTROUTING. Even though the packet is dropped
in INPUT after it is looped back, the conntrack entry is already
confirmed. Now try again with the DROP rule in OUTPUT, or from a remote
host.

> oh, well exactly what I did.

Probably not exactly.
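
The `conntrack -L` line quoted above is the thing to watch when checking whether a filter actually keeps half-open entries out of the table. The following is an added example, not code from the thread or from conntrack-tools: it parses tcp lines in the `conntrack -L` output format shown above (the sample lines are constructed; the first mirrors the loopback entry from the thread) and counts SYN_SENT entries that remain [UNREPLIED], grouped by destination port.

```python
import re
from collections import Counter

# Constructed sample in the format printed by `conntrack -L` (conntrack-tools 0.9.x).
# Line 1 mirrors the loopback entry from the thread; the rest are made-up entries.
SAMPLE = """\
tcp      6 97 SYN_SENT src=127.0.0.1 dst=127.0.0.1 sport=59734 dport=23 packets=1 bytes=60 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=23 dport=59734 packets=0 bytes=0 mark=0 secmark=0 use=2
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=40000 dport=22 packets=10 bytes=1200 src=10.0.0.1 dst=10.0.0.5 sport=22 dport=40000 packets=8 bytes=900 [ASSURED] mark=0 use=1
tcp      6 110 SYN_SENT src=198.51.100.7 dst=10.0.0.1 sport=1025 dport=80 packets=1 bytes=60 [UNREPLIED] src=10.0.0.1 dst=198.51.100.7 sport=80 dport=1025 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.53 sport=5353 dport=53 packets=1 bytes=70 [UNREPLIED] src=10.0.0.53 dst=10.0.0.5 sport=53 dport=5353 packets=0 bytes=0 mark=0 use=1
"""

# Fields of a tcp entry: proto, proto number, remaining timeout (s), TCP state,
# then the original-direction tuple. Reply tuple and flags follow and are
# inspected separately below.
TCP_RE = re.compile(
    r"^tcp\s+6\s+(?P<timeout>\d+)\s+(?P<state>\S+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_tcp_entry(line):
    """Return a dict for one tcp line of `conntrack -L` output, or None for other protocols."""
    m = TCP_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("timeout", "sport", "dport"):
        entry[key] = int(entry[key])
    # [UNREPLIED]: no packet has been seen in the reply direction yet.
    entry["unreplied"] = "[UNREPLIED]" in line
    # [ASSURED]: traffic seen both ways; these entries survive table pressure.
    entry["assured"] = "[ASSURED]" in line
    return entry


def half_open_per_dport(text):
    """Count SYN_SENT entries that were never answered, keyed by destination port."""
    counts = Counter()
    for line in text.splitlines():
        e = parse_tcp_entry(line)
        if e and e["state"] == "SYN_SENT" and e["unreplied"]:
            counts[e["dport"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(half_open_per_dport(SAMPLE))
```

Run against the real table (`conntrack -L | python3 script.py` after reading stdin instead of SAMPLE) before and after moving the DROP rule to OUTPUT, and the loopback entry should stop appearing.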
