|
Packit |
7b22a4 |
This target will process TCP three-way-handshake parallel in netfilter
|
|
Packit |
7b22a4 |
context to protect either local or backend system. This target requires
|
|
Packit |
7b22a4 |
connection tracking because sequence numbers need to be translated.
|
|
Packit |
7b22a4 |
The kernels ability to absorb SYNFLOOD was greatly improved starting with
|
|
Packit |
7b22a4 |
Linux 4.4, so this target should not be needed anymore to protect Linux servers.
|
|
Packit |
7b22a4 |
.TP
|
|
Packit |
7b22a4 |
\fB\-\-mss\fP \fImaximum segment size\fP
|
|
Packit |
7b22a4 |
Maximum segment size announced to clients. This must match the backend.
|
|
Packit |
7b22a4 |
.TP
|
|
Packit |
7b22a4 |
\fB\-\-wscale\fP \fIwindow scale\fP
|
|
Packit |
7b22a4 |
Window scale announced to clients. This must match the backend.
|
|
Packit |
7b22a4 |
.TP
|
|
Packit |
7b22a4 |
\fB\-\-sack\-perm\fP
|
|
Packit |
7b22a4 |
Pass client selective acknowledgement option to backend (will be disabled
|
|
Packit |
7b22a4 |
if not present).
|
|
Packit |
7b22a4 |
.TP
|
|
Packit |
7b22a4 |
\fB\-\-timestamps\fP
|
|
Packit |
7b22a4 |
Pass client timestamp option to backend (will be disabled if not present,
|
|
Packit |
7b22a4 |
also needed for selective acknowledgement and window scaling).
|
|
Packit |
7b22a4 |
.PP
|
|
Packit |
7b22a4 |
Example:
|
|
Packit |
7b22a4 |
.PP
|
|
Packit |
7b22a4 |
Determine tcp options used by backend, from an external system
|
|
Packit |
7b22a4 |
.IP
|
|
Packit |
7b22a4 |
tcpdump -pni eth0 -c 1 'tcp[tcpflags] == (tcp-syn|tcp-ack)'
|
|
Packit |
7b22a4 |
.br
|
|
Packit |
7b22a4 |
port 80 &
|
|
Packit |
7b22a4 |
.br
|
|
Packit |
7b22a4 |
telnet 192.0.2.42 80
|
|
Packit |
7b22a4 |
.br
|
|
Packit |
7b22a4 |
18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757:
|
|
Packit |
7b22a4 |
.br
|
|
Packit |
7b22a4 |
Flags [S.], seq 360414582, ack 788841994, win 14480,
|
|
Packit |
7b22a4 |
.br
|
|
Packit |
7b22a4 |
options [mss 1460,sackOK,
|
|
Packit |
7b22a4 |
.br
|
|
Packit |
7b22a4 |
TS val 1409056151 ecr 9690221,
|
|
Packit |
7b22a4 |
.br
|
|
Packit |
7b22a4 |
nop,wscale 9],
|
|
Packit |
7b22a4 |
.br
|
|
Packit |
7b22a4 |
length 0
|
|
Packit |
7b22a4 |
.PP
|
|
Packit |
7b22a4 |
Switch tcp_loose mode off, so conntrack will mark out\-of\-flow
|
|
Packit |
7b22a4 |
packets as state INVALID.
|
|
Packit |
7b22a4 |
.IP
|
|
Packit |
7b22a4 |
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
|
|
Packit |
7b22a4 |
.PP
|
|
Packit |
7b22a4 |
Make SYN packets untracked
|
|
Packit |
7b22a4 |
.IP
|
|
Packit |
7b22a4 |
iptables \-t raw \-A PREROUTING \-i eth0 \-p tcp \-\-dport 80
|
|
Packit |
7b22a4 |
\-\-syn \-j CT \-\-notrack
|
|
Packit |
7b22a4 |
.PP
|
|
Packit |
7b22a4 |
Catch UNTRACKED (SYN packets) and INVALID (3WHS ACK packets) states
|
|
Packit |
7b22a4 |
and send them to SYNPROXY. This rule will respond to SYN packets with
|
|
Packit |
7b22a4 |
SYN+ACK syncookies, create ESTABLISHED for valid client response (3WHS ACK
|
|
Packit |
7b22a4 |
packets) and drop incorrect cookies. Flags combinations not expected
|
|
Packit |
7b22a4 |
during 3WHS will not match and continue (e.g. SYN+FIN, SYN+ACK).
|
|
Packit |
7b22a4 |
.IP
|
|
Packit |
7b22a4 |
iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80
|
|
Packit |
7b22a4 |
\-m state \-\-state UNTRACKED,INVALID \-j SYNPROXY
|
|
Packit |
7b22a4 |
\-\-sack\-perm \-\-timestamp \-\-mss 1460 \-\-wscale 9
|
|
Packit |
7b22a4 |
.PP
|
|
Packit |
7b22a4 |
Drop invalid packets, this will be out\-of\-flow packets that were not
|
|
Packit |
7b22a4 |
matched by SYNPROXY.
|
|
Packit |
7b22a4 |
.IP
|
|
Packit |
7b22a4 |
iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80 \-m state \-\-state INVALID \-j DROP
|