Hi again. I made some tests regarding syn proxy. In my topology I have a client, a server and a firewall that protects the server with syn proxy. My rules are as below.

iptables -A PREROUTING -t raw -i eth0 -p tcp -m tcp --syn -j CT --notrack
iptables -A FORWARD -i eth0 -p tcp -m tcp -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --mss 1460 --wscale 7
iptables -A FORWARD -i eth0 -p tcp -m tcp -m state --state INVALID -j DROP

In my tests I tried to connect to the server via ssh, http and https.

The server uses wscale 7 and mss 1460, the same as in the rule, so that rule works well.

In the second case I removed the wscale parameter from the rule. I observed that:
the client set wscale to 8 on the syn,
the firewall didn't set wscale on the syn-ack to the client,
the firewall didn't set wscale on the syn to the server,
the server didn't set wscale on the syn-ack,
and the connections opened and worked successfully.

In the third case I set wscale different from the server's (let's say 2). I observed that:
the client set wscale on the syn,
the firewall set wscale to 2 on the syn-ack to the client,
the firewall set wscale to 8 on the syn to the server,
the server set wscale to 7 on the syn-ack,
and the connections opened and worked successfully.

So my question is: what is the purpose of the wscale (and mss) parameters? Why didn't my tests fail even though I provided wrong parameters? Can I use the second case to protect different servers that have different wscales?

On Fri, May 3, 2019 at 1:41 PM İbrahim Ercan <ibrahim.metu@xxxxxxxxx> wrote:
>
> On Fri, May 3, 2019 at 1:23 PM Florian Westphal <fw@xxxxxxxxx> wrote:
> >
> > İbrahim Ercan <ibrahim.metu@xxxxxxxxx> wrote:
> > > I have a problem about using syn proxy to protect different kinds of servers.
> > > I have a firewall that is located in front of some servers. These servers
> > > are of different kinds (like linux and windows) and are not managed by me.
> > > The problem is caused by the wscale parameter of the syn proxy rule. When I listen to the
> > > servers' traffic, I realized they are working with different wscale
> > > options.
> > > I tried to write a syn proxy rule without giving the wscale parameter as
> > > below, but it didn't work.
> > >
> > > iptables -A PREROUTING -t raw -i eth0 -p tcp -m tcp --syn -j CT --notrack
> > > iptables -A FORWARD -i eth0 -p tcp -m tcp -m state --state
> > > INVALID,UNTRACKED --sack-perm --timestamp
> > > iptables -A FORWARD -i eth0 -p tcp -m tcp -m state --state INVALID -j DROP
> >
> > You did not show the actual -j SYNPROXY rules.
> > You need different SYNPROXY targets for each server anyway, so why
> > can't you provide the correct parameters there?
>
> Sorry. It is just a typo. The rule is like that.
> iptables -A FORWARD -i eth0 -p tcp -m tcp -m state --state
> INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp
>
> I don't want to write a rule for each server because their IP numbers
> and characteristics may change. That will make things harder for me.
>
> > > I also tried to set net.ipv4.tcp_window_scaling=0 with sysctl but it
> > > also didn't work.
> > > Is there any practice to solve this issue?
> >
> > No, it's not possible to do this, the syn cookie generated by SYNPROXY
> > target decides the window scale to be used, so it must match that of
> > the real server.
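Added example (not part of the thread, and not netfilter code): a small Python helper that does mechanically what the original poster did by watching traffic. It reads the TCP options of a server's SYN-ACK (mss, wscale, sack-perm, timestamp) and turns them into a per-server SYNPROXY rule whose options mirror that server, which is the route Florian's reply points at. The SYN-ACK headers are constructed inline to stand in for captured packets; the server addresses (192.0.2.x), ports and interface name are placeholder assumptions.

```python
import struct

# TCP option kinds (RFC 793 base options, RFC 7323 wscale/timestamp, RFC 2018 SACK-permitted)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 8


def parse_synack_options(tcp_header: bytes) -> dict:
    """Extract the options SYNPROXY takes as parameters from a raw TCP header.

    tcp_header is the TCP header only (no IP header), options included.
    A malformed or truncated option list stops parsing instead of raising.
    """
    data_offset = (tcp_header[12] >> 4) * 4
    opts = tcp_header[20:data_offset]
    found = {"mss": None, "wscale": None, "sack_perm": False, "timestamp": False}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break                       # kind byte without a length byte
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                       # bogus length: stop rather than misread
        body = opts[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            found["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            found["wscale"] = body[0]
        elif kind == OPT_SACK_PERM and length == 2:
            found["sack_perm"] = True
        elif kind == OPT_TIMESTAMP and length == 10:
            found["timestamp"] = True
        i += length
    return found


def synproxy_rule(server_ip: str, port: int, found: dict, iface: str = "eth0") -> str:
    """Build one SYNPROXY rule for one server whose options mirror its SYN-ACK."""
    rule = (f"iptables -A FORWARD -i {iface} -p tcp -m tcp -d {server_ip} --dport {port} "
            f"-m state --state INVALID,UNTRACKED -j SYNPROXY")
    if found["sack_perm"]:
        rule += " --sack-perm"
    if found["timestamp"]:
        rule += " --timestamp"
    if found["mss"] is not None:
        rule += f" --mss {found['mss']}"
    if found["wscale"] is not None:
        rule += f" --wscale {found['wscale']}"
    return rule


def build_synack_header(sport: int, dport: int, mss, wscale, sack_perm=True, ts=True) -> bytes:
    """Constructed SYN-ACK header for offline use; stands in for a captured packet."""
    options = b""
    if mss is not None:
        options += struct.pack("!BBH", OPT_MSS, 4, mss)
    if sack_perm:
        options += bytes([OPT_SACK_PERM, 2])
    if ts:
        options += struct.pack("!BBII", OPT_TIMESTAMP, 10, 0x1234, 0)
    if wscale is not None:
        options += bytes([OPT_NOP, OPT_WSCALE, 3, wscale])
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    base = struct.pack("!HHIIBBHHH", sport, dport, 1000, 1,
                       data_offset << 4, 0x12, 65535, 0, 0)   # 0x12 = SYN+ACK flags
    return base + options


if __name__ == "__main__":
    # Constructed samples: an ssh server advertising mss 1460 / wscale 7 (as in the thread)
    # and a second server on 443 using wscale 8 with neither SACK nor timestamps.
    servers = [("192.0.2.10", 22, build_synack_header(22, 40000, 1460, 7)),
               ("192.0.2.11", 443, build_synack_header(443, 40001, 1380, 8, False, False))]
    for ip, port, hdr in servers:
        print(synproxy_rule(ip, port, parse_synack_options(hdr)))
```

In practice you would feed parse_synack_options() the TCP header bytes of each server's SYN-ACK taken from a capture, regenerate the rules whenever a server changes, and keep the raw-table --notrack rule and the INVALID drop rule shared. The reason to mirror the server rather than omit wscale is the one in the reply: the firewall's SYN-ACK, not the server's, is what the client sees, so the client scales the server's advertised windows by whatever value the firewall put there.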