* Re[1] about ip fragmentation
@ 2002-05-09 19:17 gregory gilbert
0 siblings, 0 replies; only message in thread
From: gregory gilbert @ 2002-05-09 19:17 UTC (permalink / raw)
To: Ramin Alidousti <ramin@cannon.eng.us.uu.net>; gregory gilbert,
netfilter
I use the DOS ping command. The -l option allows to specify
the length of the icmp packets.
"iptables -A FORWARD ! -f -p icmp -j DROP" should only drop
the first fragment or the unfragmented packets.
Greg
> I can confirm your finding. "iptables -A FORWARD -f -p icmp -j DROP"
> does not drop the second and further fragments of fragmented icmp
> packets. However, "iptables -A FORWARD ! -f -p icmp -j DROP" does
> work as predicted. Can someone shed some light on this behavior?
>
> Ramin
> PS. I don't know which ping implementation you're using but on my
> machine "-l" means "ping sends that many packets as fast as
> possible before ..." and "-s" specifies the number of data bytes
> to be sent.
>
> On Thu, May 09, 2002 at 08:51:21AM +0000, gregory gilbert wrote:
>
> > Hi
> >
> > i am a new user of iptables and i already have a problem :
> > i have to configure a firewall with iptables command. I
> > have this first very simple rule:
> >
> > iptables -A FORWARD -f -p icmp -j DROP
> >
> > i think this rule should drop any 2nd, or 3rd and so on ...
> > fragment of a ping command.
> > But if i ping a computer and the icmp packet goes through
> > my firewall, i can see some fragments after the firewall (i
> > use tcpdump). It seems this rule is not applied. The
> > fragmented packets are before and after my linux firewall.
> > So i have a question : is there any ip defragmentation
> > before the rules of the iptables are applied by the
> > firewall? I mean, i wonder if some fragments are received
> > by iptables, or if the defragmentation occurs before (it
> > would be strange : the -f or ! -f flags exist ... so the
> > defragmentation should occur after the iptables rules
> > application)
> > Or is there a mistake in my command? Or did i misunderstand
> > something with iptables?
> >
> > In fact, if i just add the following command :
> >
> > iptables -A FORWARD -p icmp -j DROP
> >
> > all the packets are dropped (the first fragment, the second
> > and so on ...).
> > But if i just want to drop the 2nd, the 3rd ... fragments,
> > i don't know which iptables rule to add.
> >
> > To ensure i have fragments, i ping this way :
> > ping -l 2000 x.x.x.x
> > and i can see the fragments with tcpdump.
> >
> > I really can't understand why my firewall does not behave
> > the way i predicted. So could you help me?
> >
> > Greg
> >
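The thread turns on what `-f` and `! -f` actually test. The following script is an added worked model, not code from the thread or from the netfilter project: it builds the two IPv4 fragments that a 2008-byte ICMP echo (the `ping -l 2000` case above) produces on a 1500-byte MTU link, then applies the `-f` / `! -f` check as the kernel's packet matcher does, which is simply "fragment offset field non-zero" for `-f` and "fragment offset zero" (head fragment or unfragmented packet) for `! -f`. The packets, addresses and MTU are constructed sample values. The model deliberately ignores connection tracking: when the conntrack modules are loaded, the kernel reassembles IPv4 fragments before the filter table sees them, so a `-f` rule then has nothing left to match, which is the practical caveat to check on a host where `-f` appears not to fire.

```python
import struct

MTU = 1500            # assumed link MTU (constructed sample value)
IP_HDR_LEN = 20
IP_MF = 0x2000        # "more fragments" flag bit in the flags/offset field
IP_OFFSET = 0x1FFF    # fragment offset mask (units of 8 bytes)
IPPROTO_ICMP = 1


def build_ipv4_header(total_len, ident, flags_frag, proto=IPPROTO_ICMP,
                      src="10.0.0.1", dst="10.0.0.2"):
    """Build a minimal 20-byte IPv4 header (checksum left zero: it is not
    consulted by the fragment match). Addresses are constructed samples."""
    def ip2bytes(addr):
        return bytes(int(x) for x in addr.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                       flags_frag, 64, proto, 0, ip2bytes(src), ip2bytes(dst))


def fragment_icmp_echo(payload_len, ident=0x1234, mtu=MTU):
    """Split one ICMP echo request carrying payload_len data bytes into the
    IPv4 fragments a link of the given MTU would emit (constructed, not a
    real capture). Fragment data lengths must be multiples of 8 except for
    the last fragment."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x0001, 1) + bytes(payload_len)
    max_data = (mtu - IP_HDR_LEN) // 8 * 8       # 1480 bytes for a 1500 MTU
    frags = []
    offset = 0
    while offset < len(icmp):
        chunk = icmp[offset:offset + max_data]
        more = (offset + len(chunk)) < len(icmp)
        flags_frag = (IP_MF if more else 0) | (offset // 8)
        hdr = build_ipv4_header(IP_HDR_LEN + len(chunk), ident, flags_frag)
        frags.append(hdr + chunk)
        offset += len(chunk)
    return frags


def is_non_first_fragment(packet):
    """The test behind 'iptables -f': true only when the fragment offset is
    non-zero, i.e. for second and further fragments."""
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    return (flags_frag & IP_OFFSET) != 0


def rule_matches(packet, frag_flag):
    """frag_flag: None = no -f given, True = '-f', False = '! -f'."""
    if frag_flag is None:
        return True
    return is_non_first_fragment(packet) == frag_flag


def apply_forward_chain(packets, frag_flag):
    """Return (dropped, forwarded) for a FORWARD chain holding only
    'iptables -A FORWARD [-f | ! -f] -p icmp -j DROP' with policy ACCEPT."""
    dropped = forwarded = 0
    for p in packets:
        if p[9] == IPPROTO_ICMP and rule_matches(p, frag_flag):
            dropped += 1
        else:
            forwarded += 1
    return dropped, forwarded


if __name__ == "__main__":
    frags = fragment_icmp_echo(2000)   # 'ping -l 2000' on Windows: 2000 data bytes
    for i, f in enumerate(frags):
        print("fragment %d: %d bytes, non-first=%s"
              % (i, len(f), is_non_first_fragment(f)))
    print("-f   rule:", apply_forward_chain(frags, True))
    print("! -f rule:", apply_forward_chain(frags, False))
    print("no flag  :", apply_forward_chain(frags, None))
```

Run against the two constructed fragments, the `-f` rule drops only the second one and the `! -f` rule drops only the head fragment; a 56-byte ping yields a single unfragmented packet that only `! -f` (or a rule without the flag) can match. That is the behaviour the man page describes and the one to expect once reassembly by connection tracking is ruled out.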