Linux Netfilter discussions
From: gregory gilbert <gilbertgregory@caramail.com>
To: "Ramin Alidousti <ramin@cannon.eng.us.uu.net>; gregory gilbert"
	<gilbertgregory@caramail.com>, ,
	netfilter@lists.samba.org
Subject: Re[1] about ip fragmentation
Date: Thu, 09 May 2002 20:17:29 GMT+1
Message-ID: <1020968249025056@caramail.com>


I use the DOS ping command. The -l option allows you to specify
the length of the icmp packets.


"iptables -A FORWARD ! -f -p icmp -j DROP" should only drop
the first fragment or the unfragmented packets

Greg

> I can confirm your finding. "iptables -A FORWARD -f -p icmp -j DROP"
> does not drop the second and further fragments of fragmented icmp
> packets. However, "iptables -A FORWARD ! -f -p icmp -j DROP" does
> work as predicted. Can someone shed some light on this behavior?
>
> Ramin
> PS. I don't know which ping implementation you're using but on my
> machine "-l" means "ping sends that many packets as fast as
> possible before ..." and "-s" specifies the number of data bytes
> to be sent.
>
> On Thu, May 09, 2002 at 08:51:21AM +0000, gregory gilbert wrote:
>
> > Hi
> >
> > I am a new user of iptables and I already have a problem:
> > I have to configure a firewall with iptables commands. I
> > have this first very simple rule:
> >
> > iptables -A FORWARD -f -p icmp -j DROP
> >
> > I think this rule should drop any 2nd, 3rd and so on ...
> > fragment of a ping command.
> > But if I ping a computer and the icmp packet goes through
> > my firewall, I can see some fragments after the firewall (I
> > use tcpdump). It seems this rule is not applied. The
> > fragmented packets are before and after my linux firewall.
> > So I have a question: is there any ip defragmentation
> > before the rules of the iptables are applied by the
> > firewall? I mean, I wonder if some fragments are received
> > by iptables, or if the defragmentation occurs before (it
> > would be strange: the -f or ! -f flags exist ... so the
> > defragmentation should occur after the iptables rules
> > application).
> > Or is there a mistake in my command? Or did I misunderstand
> > something with iptables?
> >
> > In fact, if I just add the following command:
> >
> > iptables -A FORWARD -p icmp -j DROP
> >
> > all the packets are dropped (the first fragment, the second
> > and so on ...).
> > But if I just want to drop the 2nd, the 3rd ... fragments,
> > I don't know which iptables rule to add.
> >
> > To ensure I have fragments, I ping this way:
> > ping -l 2000 x.x.x.x
> > and I can see the fragments with tcpdump.
> >
> > I really can't understand why my firewall does not behave
> > the way I predicted. So could you help me?
> >
> > Greg
> >
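The thread turns on what the `-f` and `! -f` matches actually test. Below is an added worked example, written for this page and not code from the thread, the netfilter project or iptables itself, that models the check: the match reads the 13-bit fragment offset of the IPv4 header, so `-f` is true only for second and further fragments (offset non-zero), while `! -f` is true for the first fragment (offset zero, MF set) and for unfragmented packets. The sample headers are constructed to mirror the `ping -l 2000` case from the original post: a 2008-byte ICMP datagram split for a 1500-byte MTU into 1480 + 528 bytes. Addresses, identifiers and the rule-table layout are assumptions for illustration. One caveat that the thread does not state: on a firewall with connection tracking loaded, Netfilter reassembles fragments before the filter rules run, so a `-f` rule never sees a fragment at all.

```python
import struct

IPPROTO_ICMP = 1
MF_FLAG = 0x2000        # "More Fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF    # 13-bit fragment offset, in 8-byte units


def _ip2int(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def build_ipv4_header(total_length, ident, more_fragments, frag_offset,
                      proto=IPPROTO_ICMP, src="192.0.2.1", dst="192.0.2.2"):
    """Construct a 20-byte IPv4 header (sample data; checksum left at zero)."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (frag_offset & OFFSET_MASK)
    return struct.pack("!BBHHHBBHII", 0x45, 0, total_length, ident,
                       flags_frag, 64, proto, 0, _ip2int(src), _ip2int(dst))


def parse_ipv4_header(pkt):
    """Pull out the header fields the fragment match looks at."""
    (_, _, total_length, ident, flags_frag,
     _, proto, _, _, _) = struct.unpack("!BBHHHBBHII", pkt[:20])
    return {"total_length": total_length, "id": ident, "proto": proto,
            "more_fragments": bool(flags_frag & MF_FLAG),
            "frag_offset": flags_frag & OFFSET_MASK}


def classify(hdr):
    if hdr["frag_offset"] != 0:
        return "subsequent_fragment"   # the only case "-f" matches
    if hdr["more_fragments"]:
        return "first_fragment"        # offset 0, MF set: "! -f" matches
    return "unfragmented"              # "! -f" matches this too


def rule_matches(hdr, proto=None, fragment=None):
    """fragment=True models '-f', fragment=False models '! -f', None means no -f given."""
    if proto is not None and hdr["proto"] != proto:
        return False
    if fragment is True and hdr["frag_offset"] == 0:
        return False
    if fragment is False and hdr["frag_offset"] != 0:
        return False
    return True


def apply_chain(pkt, rules, policy="ACCEPT"):
    """First matching rule wins, like a FORWARD chain; otherwise the chain policy."""
    hdr = parse_ipv4_header(pkt)
    for rule in rules:
        if rule_matches(hdr, rule.get("proto"), rule.get("fragment")):
            return rule["target"]
    return policy


# Constructed sample: an echo request carrying 2000 data bytes (8-byte ICMP
# header + 2000 = 2008 bytes) split for a 1500-byte MTU into 1480 + 528 bytes,
# plus a plain 64-byte ping that needs no fragmentation.
SAMPLE_PACKETS = {
    "unfragmented": build_ipv4_header(84, 0x1111, False, 0),
    "first_fragment": build_ipv4_header(1500, 0x2222, True, 0),
    "second_fragment": build_ipv4_header(548, 0x2222, False, 1480 // 8),
}

# The two rule sets discussed in the thread (assumed table layout).
DROP_LATER_FRAGMENTS = [{"proto": IPPROTO_ICMP, "fragment": True, "target": "DROP"}]   # -f
DROP_FIRST_OR_WHOLE = [{"proto": IPPROTO_ICMP, "fragment": False, "target": "DROP"}]  # ! -f


def verdicts(rules):
    """Verdict per sample packet for one rule set."""
    return {name: apply_chain(pkt, rules) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        kind = classify(parse_ipv4_header(pkt))
        print(f"{name:16s} {kind:20s} -f: {apply_chain(pkt, DROP_LATER_FRAGMENTS):6s} "
              f"! -f: {apply_chain(pkt, DROP_FIRST_OR_WHOLE)}")
```

Running it shows why `! -f` behaves "as predicted" in the thread: the first fragment carries the ICMP header and an offset of zero, so it is indistinguishable from an unfragmented packet as far as the fragment match is concerned, and only the second fragment (offset 185, i.e. 1480 bytes) satisfies `-f`. The per-packet `-p icmp` test still works on later fragments because the protocol number is in every fragment's IP header, which is also why the plain `-p icmp -j DROP` rule in the original post dropped all of them.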

