From: narendra prabhu <naren@deeproot.co.in>
To: "P.Srihari" <srihari.par@wipro.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: packet matching problem
Date: Mon, 12 May 2003 21:12:54 +0530	[thread overview]
Message-ID: <3EBFC0FE.6080101@deeproot.co.in> (raw)
In-Reply-To: <3EBFAFB7.3D78BFDE@wipro.com>

Hi,

>iptables -I FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit
>1/s --limit-burst 1024 -j ACCEPT
>iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -j LOG
>--log-prefix "SYN ATTACK"
>iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN  -j DROP
>iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j
>ACCEPT
>

I am not quite sure about the sequence of the rules. Usually, we place 
the "-m state --state RELATED,ESTABLISHED" (the connection tracking stuff) 
at the top of the list of rules.... I guess instead of -A it should have 
been -I.. Read about connection tracking .. might help you.

>now i started an FTP session from the host to an FTP server. in this
>session, i turn off the prompt and do an mget * ( multiple files ).
>the files are in order of about 4 MB or so. as soon as the first file
>is completed, it prints the message SYN ATTACK - with the SRC port as
>ftp-data port (20) - no other traffic is coming into the firewall host. 
>TCPDUMP on the firewall machine shows that about 8 or 9 SYN packets 
>having been received by the firewall host. 
>
FTP is one of those peculiar protocols. Again, read about connection 
tracking. For protocols like these the connection tracking modules have 
more work to do. However, this is not very relevant to your problem.
The solution for your problem is possibly the ordering of the rules, or 
the sequence.

There is a link from netfilter.org..(docs section).

Hope this helps ...

Narendra.

--------------------------
Narendra Prabhu. B
DeepRoot Linux Pvt Ltd.,Bangalore.
http://www.deeproot.co.in
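As an added example, not part of either mail in this thread: a small Python model of how the FORWARD chain from the post evaluates a packet with the state rule appended last (-A, as posted) versus inserted first (-I, as suggested). It assumes conntrack with the FTP helper has already labelled the ftp-data SYN as RELATED, that the chain's default policy is ACCEPT, and it models -m limit as a plain token bucket of --limit-burst tokens with no refill over time.

```python
# Added example, not from the original post. Simplified netfilter chain walk:
# first terminating target wins, LOG is non-terminating. Assumptions: conntrack
# (with the FTP helper) has set the packet state; default policy is ACCEPT;
# -m limit is a token bucket of --limit-burst tokens, refill left out.
from dataclasses import dataclass

@dataclass
class Packet:
    syn_only: bool   # SYN set, RST and ACK clear: what --tcp-flags SYN,RST,ACK SYN matches
    state: str       # conntrack state: "NEW", "RELATED" or "ESTABLISHED"

class Limit:
    """-m limit: one token is consumed per matched packet while any remain."""
    def __init__(self, tokens: int) -> None:
        self.tokens = tokens
    def match(self, pkt: Packet) -> bool:
        if self.tokens <= 0:
            return False
        self.tokens -= 1
        return True

def syn(pkt: Packet) -> bool:
    return pkt.syn_only

def tracked(pkt: Packet) -> bool:   # -m state --state RELATED,ESTABLISHED
    return pkt.state in ("RELATED", "ESTABLISHED")

def syn_rules(limit: Limit):
    """The three SYN rules from the post: rate-limited ACCEPT, then LOG, then DROP."""
    return [(lambda p: syn(p) and limit.match(p), "ACCEPT"), (syn, "LOG"), (syn, "DROP")]

def original_chain(limit: Limit):
    return syn_rules(limit) + [(tracked, "ACCEPT")]   # -A appends the state rule last

def suggested_chain(limit: Limit):
    return [(tracked, "ACCEPT")] + syn_rules(limit)   # -I inserts the state rule first

def verdict(chain, pkt: Packet):
    """Walk the chain top to bottom; returns (final target, whether LOG fired)."""
    logged = False
    for match, target in chain:
        if not match(pkt):
            continue
        if target == "LOG":
            logged = True
            continue
        return target, logged
    return "ACCEPT", logged   # assumed default policy

if __name__ == "__main__":
    # Constructed packet: a SYN for an ftp-data connection that conntrack
    # has labelled RELATED, arriving once the limit bucket is exhausted.
    ftp_data_syn = Packet(syn_only=True, state="RELATED")
    print(verdict(original_chain(Limit(0)), ftp_data_syn))   # ('DROP', True): "SYN ATTACK" logged
    print(verdict(suggested_chain(Limit(0)), ftp_data_syn))  # ('ACCEPT', False)
```

With the state rule first, RELATED and ESTABLISHED packets never consume limit tokens, so the rate limit and the LOG/DROP pair only ever see SYNs that conntrack does not already know about.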



