* [iptables] tcp handshake: ACK RST silently converted to RST ?
@ 2011-09-25 12:59 U.Mutlu
From: U.Mutlu @ 2011-09-25 12:59 UTC (permalink / raw)
To: netfilter-devel
I made a funny observation:
client sends a tcp SYN packet to a served port on server,
server answers with ACK SYN,
client sends ACK RST to abort the 3-way-handshake.
When logging these sequences with the following commands:
iptables -A INPUT -p tcp --tcp-flags SYN SYN -j LOG --log-prefix "SYN IN "
iptables -A OUTPUT -p tcp --tcp-flags SYN SYN -j LOG --log-prefix "SYN OUT "
iptables -A INPUT -p tcp --tcp-flags RST RST -j LOG --log-prefix "RST IN "
iptables -A OUTPUT -p tcp --tcp-flags RST RST -j LOG --log-prefix "RST OUT "
then one sees that the "ACK RST" gets logged only as a "RST".
Is this perhaps a bug of iptables or its log module?
OTOH the server itself sends ACK RST (and it gets logged as such) in reply to an
immediate SYN if the port is not open (i.e. blocked).
So, is then ACK RST maybe not an allowed answer to an ACK SYN to abort the handshake sequence?
* Re: [iptables] tcp handshake: ACK RST silently converted to RST ?
From: Pablo Neira Ayuso @ 2011-09-28 21:14 UTC (permalink / raw)
To: U.Mutlu; +Cc: netfilter-devel
On Sun, Sep 25, 2011 at 02:59:15PM +0200, U.Mutlu wrote:
> I made a funny observation:
>
> client sends a tcp SYN packet to a served port on server,
> server answers with ACK SYN,
> client sends ACK RST to abort the 3-way-handshake.
>
> When logging these sequences with the following commands:
> iptables -A INPUT -p tcp --tcp-flags SYN SYN -j LOG --log-prefix "SYN IN "
> iptables -A OUTPUT -p tcp --tcp-flags SYN SYN -j LOG --log-prefix "SYN OUT "
> iptables -A INPUT -p tcp --tcp-flags RST RST -j LOG --log-prefix "RST IN "
> iptables -A OUTPUT -p tcp --tcp-flags RST RST -j LOG --log-prefix "RST OUT "
> then one sees that the "ACK RST" gets logged only as a "RST".
This behaviour is correct according to your rule-set.
> Is this perhaps a bug of iptables or its log module?
If you want to catch the ACK,RST case, you need to:
iptables -A OUTPUT -p tcp --tcp-flags ACK,RST ACK,RST \
-j LOG --log-prefix "ACK, RST OUT "
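As an added example (not code from this thread or from the netfilter project), the following Python models the `--tcp-flags MASK COMP` match semantics and runs the original logging rules, plus two ACK,RST variants, over constructed packets for the SYN / SYN,ACK / RST abort sequence described above; the packet set, rule prefixes and function names are assumptions made for illustration.

```python
# Added example: model of iptables --tcp-flags "MASK COMP" matching.
# Packets, rule prefixes and helper names are constructed, not from the thread.

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20}

def flags_value(names):
    """Turn a comma-separated flag list such as 'ACK,RST' into a bitmask."""
    return sum(FLAGS[n.strip()] for n in names.split(",") if n.strip())

def tcp_flags_match(mask, comp, packet_flags):
    """--tcp-flags MASK COMP: of the bits in MASK, exactly those in COMP
    must be set.  Bits outside MASK are ignored, which is why 'RST RST'
    matches a RST with or without ACK."""
    return (packet_flags & flags_value(mask)) == flags_value(comp)

def flag_names(packet_flags):
    """Render a flag word the way the LOG target prints it (set flags only)."""
    return " ".join(n for n, bit in FLAGS.items() if packet_flags & bit)

# Constructed packets for the handshake/abort sequence discussed above.
PACKETS = {
    "client SYN":          flags_value("SYN"),
    "server SYN,ACK":      flags_value("SYN,ACK"),
    "client RST (no ACK)": flags_value("RST"),
    "client RST,ACK":      flags_value("RST,ACK"),
}

def apply_rules(rules, packets=PACKETS):
    """Return {log_prefix: [LOG-style flag strings]} for every packet each rule hits."""
    hits = {}
    for prefix, mask, comp in rules:
        hits[prefix] = [flag_names(f) for f in packets.values()
                        if tcp_flags_match(mask, comp, f)]
    return hits

# The logging rules from the original post (direction ignored here).
ORIGINAL_RULES = [("SYN ", "SYN", "SYN"), ("RST ", "RST", "RST")]
# Mask ACK,RST with comp RST requires ACK *clear*; comp ACK,RST requires both set.
ACK_RST_RULES = [("RST without ACK ", "ACK,RST", "RST"),
                 ("ACK,RST both set ", "ACK,RST", "ACK,RST")]

if __name__ == "__main__":
    for prefix, flags in {**apply_rules(ORIGINAL_RULES),
                          **apply_rules(ACK_RST_RULES)}.items():
        print(f"{prefix}-> {flags}")
```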