Comments on: Iptables Connection Tracking - TCP

By: Jens

Jens — Thu, 06 Sep 2007 16:00:06 +0000

Hi James,

I have a problem with this iptables entry.
iptables -A INPUT -p tcp ! -–syn -m state –-state NEW -j DROP

Every packet with a syn will be let through even the synack. But how can i build a rule that only allows syn with state new (without syn+ack and state new)?

I tried this but it wont work.
iptables -A INPUT -p tcp ! -–tcp-flags SYN SYN -m state –-state NEW -j DROP

Would you help me pls?

regards
Jens

By: tarun

tarun — Thu, 19 Apr 2007 09:50:56 +0000

i need some help on network security,i also heard ab the people who cracks the pix security if u know some thing related to the topic please let me know
thanks
Tarun

By: Paul Rogers

Paul Rogers — Sun, 13 Aug 2006 05:54:11 +0000

With your ruleset I was finding at some webservers but not others my client-side FIN-ACK from Firefox-1.5.0.5 were being logged & dropped by the firewall. I am presuming the server sent the final packet in an envelope stamped “Your done, I’m outta here” (FIN-ACK), causing IP to tear the connection down and my browser’s FIN-ACK response output to no longer be from an ESTABLISHED connection. I added a rule to accept packets with those flags, and send them anyway, but it seems a bit cludgy. Comments?

By: bc

bc — Thu, 01 Jun 2006 03:07:29 +0000

I was just wondering, does anyone know the meaning of “use=1″ field visible in each and every output? For example:

tcp 6 431995 ESTABLISHED
src=140.208.5.62 dst=207.46.230.218 sport=1311 dport=80 src=207.46.230.218
dst=140.208.5.62 sport=80 dport=1311 [ASSURED] use=1

Thanks in advance for any help.

By: James Stephens

James Stephens — Tue, 21 Mar 2006 01:05:17 +0000

Matthias,

Hi. Yes I think you are right. There’s no way to do it.

Best,

James

By: Matthias Loepfe

Matthias Loepfe — Fri, 17 Mar 2006 12:49:55 +0000

Hi James

Sorry for the long delay of this answer! I was working on other projects..

No. I had tried this out before writing to you. I think it is impossible to do what I wanted, because of the way TCP/IP sessionhandling works.

The routing/redirect decission must be made on the first packet and then all the following will the handled the same way. But the first payload packet is the third tcp packet in the session, what means it would be possible to drop the connection but not to redirect the already established one.

Thaks anyway for your help

regards

Matthias

By: James Stephens

James Stephens — Tue, 28 Feb 2006 16:17:49 +0000

Matthias,

Hmmm. Tricky to examine the payload.

There’s a string match patch, detailed here:
http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-string

An example would be:
iptables -A INPUT -m string –string ‘*.exe’ -j REDIRECT

.. which redirects upon locating the string ‘.exe’ in the payload.

Will that do?

Best,
James

By: Matthias Loepfe

Matthias Loepfe — Tue, 28 Feb 2006 14:33:31 +0000

I wonder if you know of any way to redirect only the tcp connections with a given payload at the beginning of the first data packet. I try to redirect only the CONNECT calls to a webproxy.

Best regards

Matthias

By: James Stephens

James Stephens — Tue, 21 Feb 2006 17:38:52 +0000

Here’s a way to limit connections to 100, with a maximum of 10 per second. Is this what you had in mind?

The default here is to drop the extra connections but you could do something else.

iptables -N syn-flood-$iface
iptables -A INPUT -i $iface -p tcp –syn -j syn-flood-$iface
iptables -A syn-flood-$iface -m limit –limit 10/s –limit-burst 100 -j RETURN
iptables -A syn-flood-$iface -j DROP

Best,
James

By: Himanshu Nagpal

Himanshu Nagpal — Tue, 21 Feb 2006 16:59:15 +0000

i am looking for redirect TCP connection if number of connection exceed 100 is their any way i rediect packets as number of connection exceed more then 100

please reply soon

thnaks
Himanshu Nagpal
Network Administrator