Re: Iptables Reject with TCP Reset

This doesn't make much sense. A RELATED packet is the first packet of
a new conn that a helper has determined is related to an existing conn
(e.g., the data conn of an FTP control session). Once a RELATED packet
is replied to, the resulting conn is an ordinary, vanilla ESTABLISHED
conn; specifically, the RELATED 'tag' is discarded. When a packet
matches a "REJECT with TCP-Reset" rule, netfilter immediately sends a
TCP RESET to the end that sent the packet.

Sounds nice in theory, but reality bites back. RELATED also applies to the TCP Reset packets to SYN packets.

I just tried this at home to confirm my findings.

Please review the firewall script below. It does not send the TCP RST packets unless you make one minor change: add 'RELATED,' to the line underneath '#General State Matching'.

Please note that it has the single state matching lines as recommended by various others on this list.





It almost sounds like you built a nearly stateless firewall.

It's more or less like the below but duplicates ESTABLISHED everywhere.

------------------------------

A='/sbin/iptables'
EXIF='ppp0'
LANIF='eth1'

#Clear
$A -F
$A -F INPUT
$A -F OUTPUT
$A -F FORWARD
$A -F -t mangle
$A -F -t nat
$A -X

#Setup policies
$A -P INPUT DROP
$A -P OUTPUT DROP
$A -P FORWARD DROP

echo "1" > /proc/sys/net/ipv4/ip_forward

# Some basics
# Accept loopback interface
$A -A INPUT -i lo -j ACCEPT
$A -A OUTPUT -o lo -j ACCEPT

# SSH from LAN
$A -A INPUT -i $LANIF -p tcp --dport 22 -j ACCEPT

#general NAT
$A -t nat -A POSTROUTING -o $EXIF -j MASQUERADE

#General State Matching
$A -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
$A -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allowed HTTP/HTTPS Sites
#bbc
$A -A FORWARD -i $LANIF -o $EXIF -d 212.58.244.22 -p tcp -m multiport --dports '80,443' -j ACCEPT

#Send RST to LAN for all other 80/443 connections
$A -A FORWARD -i $LANIF -p tcp -m multiport --dports '80,443' -j REJECT --reject-with tcp-reset


--------------------



Matt
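As an added example (not code from the thread or from netfilter), here is a small POSIX shell audit that checks a rule script for exactly the gap discussed above: a tcp-reset REJECT in INPUT or FORWARD while the OUTPUT chain, with policy DROP, accepts only ESTABLISHED. The embedded ruleset is constructed from the General State Matching and REJECT lines of Matt's script; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables rule script for the
# pitfall Matt hit. The RST that REJECT --reject-with tcp-reset generates in
# FORWARD (or INPUT) is a locally generated packet: it traverses the OUTPUT
# chain and conntrack classifies it as RELATED, so an OUTPUT chain with
# policy DROP whose state rule accepts only ESTABLISHED never emits the RST.

# Constructed sample: the posted "General State Matching" block (OUTPUT lacks RELATED).
SAMPLE_RULES='
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
'

# The same ruleset with the one-word fix applied to the OUTPUT state rule.
FIXED_RULES=$(printf '%s\n' "$SAMPLE_RULES" \
    | sed 's/--state ESTABLISHED -j ACCEPT/--state RELATED,ESTABLISHED -j ACCEPT/')

# rst_will_be_dropped RULES
# Returns 0 (true) when all three hold: some INPUT/FORWARD rule rejects with
# tcp-reset, the OUTPUT policy is DROP, and no OUTPUT ACCEPT rule lists RELATED
# in its --state match. Returns 1 otherwise.
rst_will_be_dropped() {
    rules=$1
    printf '%s\n' "$rules" | grep -qE -- '-A (INPUT|FORWARD) .*--reject-with tcp-reset' || return 1
    printf '%s\n' "$rules" | grep -qE -- '-P OUTPUT DROP' || return 1
    # An OUTPUT ACCEPT rule whose --state list contains RELATED lets the RST out.
    printf '%s\n' "$rules" | grep -E -- '-A OUTPUT .*-j ACCEPT' \
        | grep -qE -- '--state [^ ]*RELATED' && return 1
    return 0
}

# audit_rules RULES: print a human-readable verdict (always exits 0).
audit_rules() {
    if rst_will_be_dropped "$1"; then
        echo "WARN: tcp-reset REJECT present but OUTPUT accepts only ESTABLISHED;"
        echo "      add RELATED to the OUTPUT --state rule or the RST is dropped by policy"
    else
        echo "OK: OUTPUT chain lets the RELATED RST reach the client"
    fi
    return 0
}

audit_rules "$SAMPLE_RULES"
audit_rules "$FIXED_RULES"
```

Feed it the output of `iptables-save` (which uses the same `-A`/`-P` syntax) to audit a live ruleset instead of a script.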


