libxt_SYNPROXY.man 2.06 KB
This target processes the TCP three-way handshake in parallel, in netfilter
context, to protect either the local system or a backend system. It requires
connection tracking because sequence numbers need to be translated.
.TP
\fB\-\-mss\fP \fImaximum segment size\fP
Maximum segment size announced to clients. This must match the backend.
.TP
\fB\-\-wscale\fP \fIwindow scale\fP
Window scale announced to clients. This must match the backend.
.TP
\fB\-\-sack\-perm\fP
Pass the client's selective acknowledgement option to the backend (disabled
if this option is not given).
.TP
\fB\-\-timestamps\fP
Pass the client's timestamp option to the backend (disabled if this option is
not given; timestamps are also needed for selective acknowledgement and window
scaling).
.PP
Example:
.PP
Determine the TCP options used by the backend, from an external system
.IP
tcpdump -pni eth0 -c 1 'tcp[tcpflags] == (tcp-syn|tcp-ack)'
.br
    port 80 &
.br
telnet 192.0.2.42 80
.br
18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757:
.br
    Flags [S.], seq 360414582, ack 788841994, win 14480,
.br
    options [mss 1460,sackOK,
.br
    TS val 1409056151 ecr 9690221,
.br
    nop,wscale 9],
.br
    length 0
.PP
Switch tcp_loose mode off, so conntrack will mark out\-of\-flow
packets as state INVALID.
.IP
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
.PP
Make SYN packets untracked
.IP
iptables \-t raw \-A PREROUTING \-i eth0 \-p tcp \-\-dport 80
    \-\-syn \-j CT \-\-notrack
.PP
Catch the UNTRACKED (SYN packets) and INVALID (3WHS ACK packets) states
and send them to SYNPROXY. This rule responds to SYN packets with
SYN+ACK syncookies, creates an ESTABLISHED conntrack entry for a valid client
response (3WHS ACK packet) and drops incorrect cookies. Flag combinations not
expected during the 3WHS do not match and continue (e.g. SYN+FIN, SYN+ACK).
.IP
iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80
    \-m state \-\-state UNTRACKED,INVALID \-j SYNPROXY
    \-\-sack\-perm \-\-timestamps \-\-mss 1460 \-\-wscale 9
.PP
Drop invalid packets; these are the out\-of\-flow packets that were not
matched by SYNPROXY.
.IP
iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80 \-m state \-\-state INVALID \-j DROP
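.PP
As an added example, not part of this man page or of iptables itself: a small
POSIX shell script that parses the SYN+ACK line the tcpdump step above produces,
derives the SYNPROXY parameters from it, and prints the commands of the steps
above in order. The interface eth0, port 80 and the capture line joined onto one
line are constructed sample values; nothing is applied to the running firewall.

```shell
#!/bin/sh
# Added example (not from the iptables man page). Derives --mss/--wscale/
# --sack-perm/--timestamps from a captured backend SYN+ACK and prints the
# SYNPROXY rule set. Interface, port and the capture line are constructed.

# Parse one tcpdump SYN+ACK line; print "mss wscale sack ts" (sack/ts are 0|1).
synproxy_opts_from_capture() {
    _line=$1
    _mss=$(printf '%s\n' "$_line" | sed -n 's/.*mss \([0-9][0-9]*\).*/\1/p')
    _wscale=$(printf '%s\n' "$_line" | sed -n 's/.*wscale \([0-9][0-9]*\).*/\1/p')
    case $_line in *sackOK*) _sack=1 ;; *) _sack=0 ;; esac
    case $_line in *"TS val "*) _ts=1 ;; *) _ts=0 ;; esac
    # Without mss and wscale the capture cannot be used to tune SYNPROXY.
    if [ -z "$_mss" ] || [ -z "$_wscale" ]; then
        echo "no mss/wscale in capture line" >&2
        return 1
    fi
    printf '%s %s %s %s\n' "$_mss" "$_wscale" "$_sack" "$_ts"
}

# Print the sysctl and iptables commands. Args: iface port mss wscale sack ts.
synproxy_rules() {
    _if=$1; _port=$2; _mss=$3; _wscale=$4; _sack=$5; _ts=$6
    _opts="--mss $_mss --wscale $_wscale"
    if [ "$_sack" = 1 ]; then _opts="--sack-perm $_opts"; fi
    if [ "$_ts" = 1 ]; then
        _opts="--timestamps $_opts"
    else
        # SYNPROXY needs timestamps to carry SACK and window scaling.
        echo "warning: backend lacks timestamps; sack/wscale get disabled" >&2
    fi
    cat <<EOF
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
iptables -t raw -A PREROUTING -i $_if -p tcp --dport $_port --syn -j CT --notrack
iptables -A INPUT -i $_if -p tcp --dport $_port -m state --state UNTRACKED,INVALID -j SYNPROXY $_opts
iptables -A INPUT -i $_if -p tcp --dport $_port -m state --state INVALID -j DROP
EOF
}

# Constructed sample: the man page's capture output, joined onto one line.
SAMPLE='18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757: Flags [S.], seq 360414582, ack 788841994, win 14480, options [mss 1460,sackOK,TS val 1409056151 ecr 9690221,nop,wscale 9], length 0'

# Usage: parse the sample and print the commands; nothing is applied.
main() {
    _o=$(synproxy_opts_from_capture "$SAMPLE") || return 1
    set -- $_o
    synproxy_rules eth0 80 "$@"
}
main "$@"
```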