.\" extensions/libxt_SYNPROXY.man

This target processes the TCP three-way handshake in netfilter context, in
parallel to the protected system, to protect either the local host or a
backend system behind it. The target requires connection tracking, because
the two halves of the proxied handshake use different sequence numbers (a
syncookie towards the client, the backend's own initial sequence number
towards the server) and these have to be translated for the lifetime of the
connection.
.PP
The kernel's ability to absorb SYN floods was greatly improved starting with
Linux 4.4, so this target should not be needed anymore to protect Linux servers.
.TP
\fB\-\-mss\fP \fImaximum segment size\fP
Maximum segment size announced to clients. This must match the MSS the
backend announces in its SYN+ACK.
.TP
\fB\-\-wscale\fP \fIwindow scale\fP
Window scale announced to clients. This must match the window scale the
backend announces in its SYN+ACK.
.TP
\fB\-\-sack\-perm\fP
Pass the client's selective acknowledgement (SACK permitted) option on to the
backend. Without this flag, SACK is disabled for the connection.
.TP
\fB\-\-timestamps\fP
Pass the client's timestamp option on to the backend. Without this flag,
timestamps are disabled for the connection. Timestamps are also required for
selective acknowledgement and window scaling, because the syncookie encodes
those options in the timestamp value; without this flag they are dropped even
if \fB\-\-sack\-perm\fP or \fB\-\-wscale\fP is given.
.PP
Example:
.PP
Determine the TCP options used by the backend by connecting to it from an
external system and capturing its SYN+ACK:
.IP
tcpdump -pni eth0 -c 1 'tcp[tcpflags] == (tcp-syn|tcp-ack)'
.br
    port 80 &
.br
telnet 192.0.2.42 80
.br
18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757:
.br
    Flags [S.], seq 360414582, ack 788841994, win 14480,
.br
    options [mss 1460,sackOK,
.br
    TS val 1409056151 ecr 9690221,
.br
    nop,wscale 9],
.br
    length 0
.PP
The backend announces an MSS of 1460, SACK, timestamps and a window scale of
9; these are the values to pass to SYNPROXY in the rule below.
.PP
Switch tcp_loose mode off, so that conntrack marks out\-of\-flow packets
(such as the final ACK of a handshake whose SYN it never tracked) as state
INVALID instead of picking the connection up mid\-stream:
.IP
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
.PP
Make incoming SYN packets untracked, so that no conntrack entry is allocated
before the client has proven that it can complete the handshake:
.IP
iptables \-t raw \-A PREROUTING \-i eth0 \-p tcp \-\-dport 80
    \-\-syn \-j CT \-\-notrack
.PP
Catch the UNTRACKED (SYN) and INVALID (3WHS ACK) packets and send them to
SYNPROXY. This rule responds to SYN packets with SYN+ACK syncookies, creates
an ESTABLISHED connection for a valid client response (a 3WHS ACK carrying a
correct cookie) and drops incorrect cookies. Flag combinations not expected
during the 3WHS (e.g. SYN+FIN, SYN+ACK) do not match and continue down the
chain. The option values are the ones captured from the backend above:
.IP
iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80
    \-m state \-\-state UNTRACKED,INVALID \-j SYNPROXY
    \-\-sack\-perm \-\-timestamps \-\-mss 1460 \-\-wscale 9
.PP
Drop the remaining INVALID packets, that is, out\-of\-flow packets that were
not matched by SYNPROXY:
.IP
iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80 \-m state \-\-state INVALID \-j DROP
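.PP
The procedure above, as an added example that is not part of the iptables
man page: a shell script that parses the backend's SYN+ACK line as printed by
tcpdump (the sample line below is constructed in that format) into the
matching SYNPROXY options and prints the rules with those values filled in.
Interface eth0, port 80 and backend 192.0.2.42 are the man page's own example
values; the function names are the script's own. It also handles the failure
mode noted under \fB\-\-timestamps\fP: for a backend that does not announce
timestamps it omits \fB\-\-sack\-perm\fP and \fB\-\-wscale\fP with a warning,
since SYNPROXY would drop them anyway. The rules are printed rather than
applied, so the script can be reviewed and run without root.

```shell
#!/bin/sh
# Added example, not part of the iptables man page: derive SYNPROXY options
# from a backend SYN+ACK captured with tcpdump and print the rule set.

# Constructed sample, same format as the tcpdump capture in the man page.
SAMPLE_SYNACK='18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757: Flags [S.], seq 360414582, ack 788841994, win 14480, options [mss 1460,sackOK,TS val 1409056151 ecr 9690221,nop,wscale 9], length 0'

# synproxy_opts LINE
# Prints the SYNPROXY options matching the TCP options of a SYN+ACK line.
# Options the backend did not announce are left out, so SYNPROXY strips them
# from the client instead of promising something the backend cannot honour.
# Without timestamps the syncookie cannot carry SACK or window scaling, so
# those are omitted too and a warning is printed to make the mismatch visible.
synproxy_opts() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*options \[\([^]]*\)].*/\1/p')
    if [ -z "$opts" ]; then
        echo "synproxy_opts: no TCP options found in: $1" >&2
        return 1
    fi
    mss="" wscale="" sack="" ts=""
    old_ifs=$IFS
    IFS=,                      # split only on commas; "mss 1460" stays whole
    for o in $opts; do
        case $o in
            "mss "*)    mss=${o#mss } ;;
            "wscale "*) wscale=${o#wscale } ;;
            sackOK)     sack=1 ;;
            "TS val"*)  ts=1 ;;
        esac
    done
    IFS=$old_ifs
    out=""
    [ -n "$mss" ] && out="--mss $mss"
    if [ -n "$ts" ]; then
        [ -n "$sack" ]   && out="${out:+$out }--sack-perm"
        out="${out:+$out }--timestamps"
        [ -n "$wscale" ] && out="${out:+$out }--wscale $wscale"
    elif [ -n "$sack$wscale" ]; then
        echo "synproxy_opts: backend announces no timestamps; SACK/wscale would be dropped by SYNPROXY, omitting them" >&2
    fi
    printf '%s\n' "$out"
}

# synproxy_rules IFACE PORT OPTS
# Prints the man page's rule set with the derived options filled in.
synproxy_rules() {
    iface=$1 port=$2 opts=$3
    cat <<EOF
# 1. out-of-flow packets (e.g. the 3WHS ACK of an untracked SYN) become INVALID
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
# 2. allocate no conntrack entry for incoming SYNs
iptables -t raw -A PREROUTING -i $iface -p tcp --dport $port --syn -j CT --notrack
# 3. answer SYNs with syncookies, validate the 3WHS ACK, then open the real connection
iptables -A INPUT -i $iface -p tcp --dport $port -m state --state UNTRACKED,INVALID -j SYNPROXY $opts
# 4. whatever is still INVALID did not belong to any known flow
iptables -A INPUT -i $iface -p tcp --dport $port -m state --state INVALID -j DROP
EOF
}

# Stand-alone run: derive the options from the sample and print the rules.
OPTS=$(synproxy_opts "$SAMPLE_SYNACK") || exit 1
synproxy_rules eth0 80 "$OPTS"
```

Feed the script the real SYN+ACK line from your own capture instead of
SAMPLE_SYNACK; if the printed options differ from what the backend announces,
the values in the SYNPROXY rule are wrong for that backend.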