From: ierdnah-ipt <ierdnah-ipt@as.ro>
To: netfilter@lists.netfilter.org
Subject: Re: how to block udp frag?
Date: Sat, 08 Jan 2005 19:33:03 +0200
Message-ID: <1105205583.7108.0.camel@ierdnac>
In-Reply-To: <41E001FB.80807@dsl.pipex.com>
http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-u32

Inspecting individual bits

I'd like to look at the "More Fragments" flag - a flag which has no
existing test in iptables (-f matches 2nd and further fragments, I want
to match all fragments except the last). Byte 6 contains this, so I'll
start with offset 3 and throw away bytes 3-5. Normally this would use a
mask of 0x000000FF, but I also want to discard the other bits in that
last byte. The only bit I want to keep is the third from the top (0010
0000), so the mask I'll use is 0x00000020. Now I have two choices: move
that bit down to the lowest position and compare, or leave it in its
current position and compare.

To move it down, we'll right shift 5 bits. The final test is:

    iptables -m u32 --u32 "3&0x20>>5=1"

If I take the other approach of leaving the bit where it is, I need to
be careful about the compare value on the right. If that bit is turned
on, the compare value needs to be 0x20 as well.

    iptables -m u32 --u32 "3&0x20=0x20"

Both approaches return true if the More Fragments flag is turned on.

On Sat, 2005-01-08 at 15:53 +0000, Andy Furniss wrote:
> Piszcz, Justin Michael wrote:
> > Yes, if you use NAT, you cannot block fragmented packets.
>
> Assuming my testing isn't too lame then you can drop with a policer. It
> will still let the last packet through though, as the match is on the
> more fragments flag. I suppose using the next field could do them all -
> but I don't know how to say not with u32.
>
> tc qdisc add dev eth0 handle ffff: ingress
>
> tc filter add dev eth0 parent ffff: prio 1 protocol ip u32 \
> match ip protocol 17 0xff \
> match u8 0x20 0x20 at 6 \
> police rate 1kbit burst 10 drop \
> flowid :1
>
> The rate is irrelevant here, it's the burst 10 that means that only
> packets <= 10 bytes will ever pass.
>
> To delete it do
>
> tc qdisc del dev eth0 handle ffff: ingress
>
> To see stats -
>
> tc -s qdisc ls dev eth0
>
> Andy.
>
> PS
>
> I had to remove jason from the cc as my isps mailserver threw a domain
> not found.
>
> >
> >
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Bruno Wallace
> > Sent: Monday, January 03, 2005 7:39 AM
> > To: Jason Opperisano; netfilter@lists.netfilter.org
> > Subject: Re: how to block udp frag?
> >
> > the iptables dont see this traffic..
> >
> >
> > On Sat, 1 Jan 2005 19:08:45 -0500, Jason Opperisano <opie@817west.com> wrote:
> >
> >>On Sat, Jan 01, 2005 at 09:58:41PM -0200, Bruno Wallace wrote:
> >>
> >>>hello,
> >>>how to block this?????
> >>>
> >>>20:53:44.628586 83.102.166.15 > xxx.xxx.151.35: udp (frag 1720:25@512)
> >>>(ttl 53, len 45)
> >>>0x0000 4500 002d 06b8 0040 3511 2599 5366 a60f E..-...@5.%.Sf..
> >>>0x0010 c896 9723 11ef 0035 0019 1e70 71f7 0100 ...#...5...pq...
> >>>0x0020 0001 0000 0000 0000 0000 0200 0100 ..............
> >>>20:53:47.197264 83.102.166.24 > xxx.xxx.151.34: udp (frag
> >>>48577:25@512) (ttl 53, len 45)
> >>>0x0000 4500 002d bdc1 0040 3511 6e87 5366 a618 E..-...@5.n.Sf..
> >>>0x0010 c896 9722 11ef 0035 0019 1e68 71f7 0100 ..."...5...hq...
> >>>0x0020 0001 0000 0000 0000 0000 0200 0100 ..............
> >>>20:53:49.306206 83.102.166.76 > xxx.xxx.145.115: udp (frag
> >>>21990:25@512) (ttl 53, len 45)
> >>>0x0000 4500 002d 55e6 0040 3511 dbdd 5366 a64c E..-U..@5...Sf.L
> >>>0x0010 c896 9173 11ef 0035 0019 23e3 71f7 0100 ...s...5..#.q...
> >>>0x0020 0001 0000 0000 0000 0000 0200 0100 ..............
> >>>20:53:49.529603 83.102.166.7 > xxx.xxx.146.119: udp (frag
> >>>26427:25@512) (ttl 53, len 45)
> >>>0x0000 4500 002d 673b 0040 3511 c9c9 5366 a607 E..-g;.@5...Sf..
> >>>0x0010 c896 9277 11ef 0035 0019 2324 71f7 0100 ...w...5..#$q...
> >>>0x0020 0001 0000 0000 0000 0000 0200 0100
> >>>
> >>>thanks
> >>>Bruno Wallace
> >>
> >>either (a) use a default deny policy that doesn't allow UDP traffic or
> >>(b) in your rules where you accept UDP traffic, specify "! -f" which,
> >>according to the man page:
> >>
> >> When the "!" argument precedes the "-f" flag, the rule will only match
> >> head fragments, or unfragmented packets.
> >>
> >>-j
> >>
> >>
> >
> >
> >
>
>
>
>
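The following Python is an added illustration, not code from any message in this thread or from the netfilter project. It decodes the IPv4 fragmentation fields of the first packet in Bruno Wallace's quoted capture (bytes taken from the hex dump above), evaluates the three More-Fragments tests discussed in the thread (the two u32 forms "3&0x20>>5=1" and "3&0x20=0x20", and the tc "match u8 0x20 0x20 at 6"), and compares them with the "-f" semantics quoted from the man page. The first/middle/unfragmented variants are constructed by overwriting the flags/offset field and are assumptions for the demonstration only (their header checksums are left stale). It shows concretely why the captured packets slip past an MF-based match: they are last fragments (MF clear, offset 512), which "-f" still matches.

```python
import struct

# Constructed test input: the first packet from the capture quoted in this thread,
# which tcpdump reported as "udp (frag 1720:25@512) (ttl 53, len 45)".
CAPTURED_LAST_FRAGMENT = bytes.fromhex(
    "4500002d06b80040351125995366a60f"
    "c896972311ef003500191e7071f70100"
    "0001000000000000000002000100"
)


def parse_ipv4_header(pkt):
    """Decode the IPv4 header fields that matter for fragmentation."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    total_length, ident, flags_frag = struct.unpack_from("!HHH", pkt, 2)
    return {
        "ihl": (pkt[0] & 0x0F) * 4,
        "total_length": total_length,
        "id": ident,
        "df": bool(flags_frag & 0x4000),          # Don't Fragment: bit 0x40 of byte 6
        "mf": bool(flags_frag & 0x2000),          # More Fragments: bit 0x20 of byte 6
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset field is in 8-byte units
        "protocol": pkt[9],
    }


def u32_load(pkt, offset):
    """The u32 match's basic step: load 4 bytes big-endian starting at a byte offset."""
    return struct.unpack_from("!I", pkt, offset)[0]


def u32_test(pkt, offset, mask, shift, value):
    """Emulate a simple iptables u32 expression of the form "offset&mask>>shift=value"."""
    return ((u32_load(pkt, offset) & mask) >> shift) == value


def more_fragments_matches(pkt):
    """Evaluate the three More-Fragments tests from the thread; they must agree."""
    return {
        "u32_shift": u32_test(pkt, 3, 0x20, 5, 1),         # "3&0x20>>5=1"
        "u32_in_place": u32_test(pkt, 3, 0x20, 0, 0x20),   # "3&0x20=0x20"
        "tc_u8": (pkt[6] & 0x20) == 0x20,                  # "match u8 0x20 0x20 at 6"
    }


def iptables_f_matches(pkt):
    """iptables -f: second and further fragments, i.e. a non-zero fragment offset."""
    return parse_ipv4_header(pkt)["frag_offset"] != 0


def classify_fragment(pkt):
    """Name the fragment position from the MF flag and the fragment offset."""
    h = parse_ipv4_header(pkt)
    if h["frag_offset"] == 0:
        return "first fragment" if h["mf"] else "unfragmented"
    return "middle fragment" if h["mf"] else "last fragment"


def with_flags_frag(pkt, flags_frag):
    """Constructed variant: overwrite bytes 6-7 (flags + offset); checksum not recomputed."""
    out = bytearray(pkt)
    struct.pack_into("!H", out, 6, flags_frag)
    return bytes(out)


# Hypothetical companions to the captured last fragment (assumptions, not captured data).
FIRST_FRAGMENT = with_flags_frag(CAPTURED_LAST_FRAGMENT, 0x2000)   # MF=1, offset 0
MIDDLE_FRAGMENT = with_flags_frag(CAPTURED_LAST_FRAGMENT, 0x2040)  # MF=1, offset 512
UNFRAGMENTED = with_flags_frag(CAPTURED_LAST_FRAGMENT, 0x4000)     # DF=1, no fragmentation


if __name__ == "__main__":
    for name, pkt in [("captured", CAPTURED_LAST_FRAGMENT), ("first", FIRST_FRAGMENT),
                      ("middle", MIDDLE_FRAGMENT), ("unfragmented", UNFRAGMENTED)]:
        h = parse_ipv4_header(pkt)
        print(f"{name:13s} id={h['id']} mf={h['mf']} off={h['frag_offset']} "
              f"-> {classify_fragment(pkt)}; MF tests {more_fragments_matches(pkt)}; "
              f"-f matches {iptables_f_matches(pkt)}")
```

Run against the captured packet, all three MF tests are false while "-f" is true, which is the gap Andy points out: the MF-based policer drops every fragment except the last one, whereas a rule that only accepts UDP with "! -f" keeps the non-initial fragments out of the accept rule regardless of the MF bit.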