From: Mark Hobley on 21 Feb 2010 06:08

James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

> I suspect that the ISP are within their rights to manage and balance data
> flow across their network in line with the goal of providing reasonable
> service to all users.

Throttling across their own network yes (or they could send a throttle
control request with their own IP address in it), but sending spoofed
packets (with a falsified sender address) could be considered to be
computer misuse.

Mark.

--
Mark Hobley
Linux User: #370818
http://markhobley.yi.org/
From: Mark Hobley on 21 Feb 2010 07:08

Tony <tony(a)darkstorm.invalid> wrote:

> What I'm not 100% sure about is whether it's an iptables -A INPUT, or
> iptables -I FORWARD, I've seen various options and without going and
> checking the manual myself, I'm not sure which to use.

It's an INPUT.

The FORWARD chain is mainly used for router and gateway applications.

Mark.

--
Mark Hobley
Linux User: #370818
http://markhobley.yi.org/
From: Baron on 21 Feb 2010 16:09

James Taylor Inscribed thus:

> Hi,
>
> I have discovered what I believe to be spoofed TCP reset packets being
> injected into the stream to kill some large downloads I am trying to
> make. I know the RST packets didn't come from the server I am
> downloading from because I can see normal data-bearing packets
> arriving after the RST packets and with later sequence numbers. It is
> probably some half-wit attempt by the ISP to limit my downloads.
>
> The problem is that when my computer receives the RST packets the
> connection breaks and the download stops. If I could get my computer
> to ignore these RSTs then I believe the connection would continue and
> my downloads would complete.
>
> Is there any way that I can use iptables to filter these RST packets
> from a specific set of IP addresses corresponding to the servers in
> question? A quick dip in the iptables man page has rather overwhelmed
> me with the learning curve required, but also encouraged me when I saw
> there was a --tcp-flags option.
>
> Can anyone help me by showing me how to form a complete iptables
> command line to block the RST packets?

For what it's worth Talktalk / Opal Telecom do a similar thing with file
sharing sites ie "Rapidshare" etc.

--
Best Regards:
Baron.
From: Tony on 22 Feb 2010 09:38

On 21/02/2010 12:08, Mark Hobley wrote:

> Tony <tony(a)darkstorm.invalid> wrote:
>> What I'm not 100% sure about is whether it's an iptables -A INPUT, or
>> iptables -I FORWARD, I've seen various options and without going and
>> checking the manual myself, I'm not sure which to use.
>
> It's an INPUT.
>
> The FORWARD chain is mainly used for router and gateway applications.

Thanks Mark / Dave, that makes eminent sense.

--
Tony Evans
Saving trees and wasting electrons since 1993
blog -> http://perceptionistruth.com/
books -> http://www.bookthing.co.uk
[ anything below this line wasn't written by me ]
From: James Taylor on 22 Feb 2010 12:41

Nigel Wade wrote:

> James Taylor wrote:
>
>> If I've understood it correctly, the full command line for blocking
>> RST packets coming from the download servers in my case is:
>>
>> # iptables -A INPUT -p tcp -s 92.123.153.0/24 --sport 1935 \
>>     --tcp-flags RST RST -j DROP
>>
>> And I can check that the rule exists with:
>>
>> # iptables -n -v -L INPUT
>> Chain INPUT (policy ACCEPT 436K packets, 526M bytes)
>>  pkts bytes target prot opt in  out source           destination
>>   114  4560 DROP   tcp  --  *   *   92.123.153.0/24  0.0.0.0/0    tcp spt:1935 flags:0x04/0x04
>>
>> The above report shows 114 matching packets during the course of a
>> download I tried, but unfortunately the resets are still getting through
>> the firewall... well, I can still see them in Wireshark and the
>> connections are still getting broken and having to be recontinued.
>
> Since you mention a firewall, is this rule really on a firewall?

There is no separate hardware firewall. I am referring to "iptables", the
software firewall on my Linux computer. I am trying to use iptables to drop
some spoofed TCP RST packets that are prematurely breaking some large video
downloads. I believe they are being spoofed by the ISP to prevent me from
downloading so much. I am within my rights to download this legitimate
media, so I want to bypass the ISP's meddling by filtering out the spoofed
RST packets. Am I wrong to use iptables for this?

> The INPUT chain on the firewall is used to filter packets which terminate
> at the firewall itself.

Yes, which is why the INPUT chain is the correct one to use in this case I
think. Please correct me if that's not right.

> The other point to note is that iptables rules do not work in isolation,
> they are part of a chain. Packets are dealt with by the first rule they
> match. You cannot just add/insert a rule into a chain without considering
> the other rules which precede it. Another rule prior to the rule you've
> added may be accepting the packets.

Well, if you look at the iptables -n -v -L INPUT command I show above you'll
see exactly what the INPUT chain contains; just one rule to drop RST packets
from that particular IP range. Did I do this incorrectly?

>> Can anyone tell me whether Wireshark *should* see the pre-firewall
>> traffic or not? How can I use Wireshark to see only the packets that
>> pass through the firewall?
>
> Yes, wireshark sees packets before they get to iptables module. If it's a
> firewall, capture packets on the internal interface.

My computer has only one Ethernet interface. How can I point Wireshark at
the already filtered traffic to check that iptables is working as expected?

--
James Taylor
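Two points in this thread are worth making concrete. The example below is an
added illustration (my own, not code posted by anyone in the thread). It
first mirrors the semantics of the iptables '--tcp-flags MASK COMP' match,
which is what the 'flags:0x04/0x04' (mask/compare) in James's listing means,
and then implements James's own tell-tale for injected resets on a
constructed, offline sample: a RST is suspect when the same flow keeps
delivering data segments with later sequence numbers after it. The
addresses (TEST-NET 192.0.2.0/24), client port, sequence numbers and timings
in the sample are invented; only the 1935 source port comes from the thread.

```python
"""Added example (not from the thread): spot injected TCP RSTs the way James
describes, and check what the iptables --tcp-flags match actually selects.

Packets are plain dicts built inline so the script runs offline; the sample
"capture" is constructed and the addresses are illustrative.
"""
from collections import defaultdict

# TCP flag bits as laid out in the TCP header (also used by iptables -n output).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG


def iptables_tcp_flags_match(flags, mask, comp):
    """Mirror iptables '--tcp-flags MASK COMP': look only at the bits in MASK
    and require exactly the bits in COMP to be set among them.
    '--tcp-flags RST RST' (listed as flags:0x04/0x04, mask/compare) therefore
    matches any segment with RST set, RST+ACK included, whereas
    '--tcp-flags ALL RST' matches only a bare RST."""
    return (flags & mask) == comp


def seq_after(a, b):
    """True if 32-bit sequence number a lies after b, using serial-number
    arithmetic so a wrapped counter still compares correctly."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000


def flow_key(pkt):
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def find_injected_rsts(packets):
    """Return (flow, rst, later_data) triples for every RST that is followed,
    in the same direction of the same flow, by a data-bearing segment with a
    later sequence number. A genuine RST from the peer ends the connection,
    so such data should not exist; its presence is the tell-tale James used."""
    flows = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p["t"]):
        flows[flow_key(pkt)].append(pkt)
    hits = []
    for key, pkts in flows.items():
        for i, pkt in enumerate(pkts):
            if not pkt["flags"] & RST:
                continue
            later = [q for q in pkts[i + 1:]
                     if q["len"] > 0 and seq_after(q["seq"], pkt["seq"])]
            if later:
                hits.append((key, pkt, later[0]))
    return hits


def _seg(t, src, sport, dst, dport, flags, seq, length):
    return {"t": t, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "seq": seq, "len": length}


# Constructed sample: server 192.0.2.10:1935 streaming to client 192.0.2.20:50000
# (TEST-NET addresses, invented for this example). A RST appears mid-stream,
# then data with later sequence numbers keeps arriving from the same source.
SERVER, CLIENT = ("192.0.2.10", 1935), ("192.0.2.20", 50000)
SAMPLE = [
    _seg(0.00, *SERVER, *CLIENT, ACK, 1000, 1460),
    _seg(0.01, *SERVER, *CLIENT, ACK, 2460, 1460),
    _seg(0.02, *SERVER, *CLIENT, RST | ACK, 3920, 0),   # the suspect RST
    _seg(0.03, *SERVER, *CLIENT, ACK, 3920, 1460),      # same seq: not "later"
    _seg(0.04, *SERVER, *CLIENT, ACK, 5380, 1460),      # later seq: RST was bogus
    # A second, legitimate teardown from another server: RST with nothing after it.
    _seg(1.00, "192.0.2.11", 1935, *CLIENT, ACK, 7000, 1460),
    _seg(1.01, "192.0.2.11", 1935, *CLIENT, RST | ACK, 8460, 0),
]

if __name__ == "__main__":
    for flow, rst, data in find_injected_rsts(SAMPLE):
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: RST seq={rst['seq']} "
              f"at t={rst['t']} followed by data seq={data['seq']} at t={data['t']}")
```

On the Wireshark question: libpcap on Linux reads from a packet socket at the
device layer, before netfilter's INPUT hook runs, so seeing the RSTs in
Wireshark says nothing about whether iptables dropped them. The pkts counter
in 'iptables -n -v -L INPUT' (the 114 in James's listing) is the evidence
that they were dropped; to record exactly which packets the rule hit, put a
'-j LOG' rule with the same match immediately before the DROP (LOG is
non-terminating, so the packet still reaches the DROP). Two caveats:
'--tcp-flags RST RST' drops every RST from that range and port, genuine
ones included; and if the injector also sends a RST to the server, the
server tears down its side and the transfer dies regardless of what the
client drops, which is one explanation for drops being counted while the
downloads still break.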