On Fri, May 3, 2019 at 1:23 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> İbrahim Ercan <ibrahim.metu@xxxxxxxxx> wrote:
> > I have a problem about using syn proxy to protect different kinds of servers.
> > I have a firewall that is located in front of some servers. These servers
> > are of different kinds (like Linux and Windows) and are not managed by me.
> > The problem is caused by the wscale parameter of the syn proxy rule. When I listen
> > to the servers' traffic, I realize they are working with different wscale
> > options.
> > I tried to write the syn proxy rule without the wscale parameter, as
> > below, but it didn't work.
> >
> > iptables -A PREROUTING -t raw -i eth0 -p tcp -m tcp --syn -j CT --notrack
> > iptables -A FORWARD -i eth0 -p tcp -m tcp -m state --state INVALID,UNTRACKED --sack-perm --timestamp
> > iptables -A FORWARD -i eth0 -p tcp -m tcp -m state --state INVALID -j DROP
>
> You did not show the actual -j SYNPROXY rules.
> You need different SYNPROXY targets for each server anyway, so why
> can't you provide the correct parameters there?

Sorry, it is just a typo. The rule is like this:

iptables -A FORWARD -i eth0 -p tcp -m tcp -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp

I don't want to write a rule for each server because their IP numbers and characteristics may change. That will make things harder for me.

> > I also tried to set net.ipv4.tcp_window_scaling=0 with sysctl but it
> > also didn't work.
> > Is there any practice to solve this issue?
>
> No, it's not possible to do this, the syn cookie generated by SYNPROXY
> target decides the window scale to be used, so it must match that of
> the real server.
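As an added example (not from either poster), the following Python script automates what İbrahim described doing by hand: it reads tcpdump lines of the servers' SYN-ACKs, extracts each server's mss/wscale/sackOK/timestamp options, and emits one SYNPROXY rule per destination so the window scale baked into the cookie matches the real server, as Florian's reply requires. The interface name, addresses and tcpdump lines are constructed; the nf_conntrack_tcp_loose sysctl is the standard SYNPROXY prerequisite rather than something from this thread.

```python
import re

# Constructed tcpdump -nn output (not captured from the poster's network): a SYN-ACK from
# each protected server, each negotiating a different window scale, plus an unrelated ACK.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 192.0.2.10.80 > 198.51.100.5.51234: Flags [S.], seq 1, ack 2, win 28960, options [mss 1460,sackOK,TS val 100 ecr 200,nop,wscale 7], length 0
12:00:01.000002 IP 192.0.2.20.443 > 198.51.100.5.51235: Flags [S.], seq 3, ack 4, win 8192, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
12:00:01.000003 IP 198.51.100.5.51234 > 192.0.2.10.80: Flags [.], ack 1, win 229, length 0
"""

# Only SYN-ACKs ("Flags [S.]") carry the server's own TCP options.
SYNACK_RE = re.compile(r"IP (?P<ip>\d+\.\d+\.\d+\.\d+)\.(?P<port>\d+) > \S+: "
                       r"Flags \[S\.\],.*?options \[(?P<opts>[^\]]*)\]")


def learn_server_options(dump):
    """Map (server_ip, port) -> the TCP options SYNPROXY must mirror for that server."""
    learned = {}
    for m in SYNACK_RE.finditer(dump):
        opts = m.group("opts")
        mss = re.search(r"\bmss (\d+)", opts)
        wscale = re.search(r"\bwscale (\d+)", opts)
        learned[(m.group("ip"), int(m.group("port")))] = {
            "mss": int(mss.group(1)) if mss else None,
            "wscale": int(wscale.group(1)) if wscale else None,  # None: server does not scale
            "sack": "sackOK" in opts,
            "ts": "TS val" in opts,
        }
    return learned


def synproxy_rules(learned, iface="eth0"):
    """Emit the ruleset: untrack SYNs, one SYNPROXY rule per server, drop what stays INVALID."""
    rules = [
        "sysctl -w net.netfilter.nf_conntrack_tcp_loose=0",  # SYNPROXY needs strict tracking
        f"iptables -t raw -A PREROUTING -i {iface} -p tcp -m tcp --syn -j CT --notrack",
    ]
    for (ip, port), o in sorted(learned.items()):
        rule = (f"iptables -A FORWARD -i {iface} -p tcp -m tcp -d {ip} --dport {port} "
                f"-m state --state INVALID,UNTRACKED -j SYNPROXY")
        rule += " --sack-perm" if o["sack"] else ""
        rule += " --timestamp" if o["ts"] else ""
        rule += f" --wscale {o['wscale']}" if o["wscale"] is not None else ""
        rule += f" --mss {o['mss']}" if o["mss"] is not None else ""
        rules.append(rule)
    rules.append(f"iptables -A FORWARD -i {iface} -p tcp -m tcp -m state --state INVALID -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(synproxy_rules(learn_server_options(SAMPLE_TCPDUMP))))
```

Re-running the capture step whenever a server's address or TCP stack changes, and regenerating the rules, is what keeps the per-server wscale in step with the real server.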