* is it possible to block ip packets that contains experimental tcp options ?
@ 2007-05-16 9:23 Glenn Terjesen
From: Glenn Terjesen @ 2007-05-16 9:23 UTC (permalink / raw)
To: netfilter
Hello,
got an iptables firewall filtering our servers.
Is it possible to block TCP packets that contain experimental TCP
options?
AND is it smart to do so?
--
Mvh Glenn Terjesen @ Webcat AS
Tlf: +47 37 02 20 20
E-post: support@webcat.no
* RE: is it possible to block ip packets that contains experimental tcp options ?
@ 2007-05-16 12:18 Marc Cozzi
From: Marc Cozzi @ 2007-05-16 12:18 UTC (permalink / raw)
To: netfilter
Glenn,
Not sure what you mean by "experimental"; however, there are
some conditions of flags that should never occur on the
network. These can be trapped with rules similar to the following.
iptables -A BLOCKED -m state --state INVALID -j LOG-AND-DROP
iptables -A BLOCKED -p tcp --tcp-flags ALL ALL -j LOG-AND-DROP
iptables -A BLOCKED -p tcp --tcp-flags ALL NONE -j LOG-AND-DROP
--marc
* RE: is it possible to block ip packets that contains experimental tcp options ?
@ 2007-05-16 18:04 ` Jan Engelhardt
From: Jan Engelhardt @ 2007-05-16 18:04 UTC (permalink / raw)
To: Marc Cozzi; +Cc: netfilter
On May 16 2007 08:18, Marc Cozzi wrote:
>
>Not sure what you mean by "experimental" however, there are
>some conditions of flags that should never occur on the
>network. These can be trapped with rules similar to the following.
>
>iptables -A BLOCKED -m state --state INVALID -j LOG-AND-DROP
>iptables -A BLOCKED -p tcp --tcp-flags ALL ALL -j LOG-AND-DROP
>iptables -A BLOCKED -p tcp --tcp-flags ALL NONE -j LOG-AND-DROP
Uhm, I think it is valid for a packet to carry no flags at all.
(Regular data packet without TCP Selective ACK)
Check up on http://jengelh.hopto.org/p/chaostables/ to see how
to block evil stuff.
Jan
--
* RE: is it possible to block ip packets that contains experimental tcp options ?
@ 2007-05-17 17:18 Marc Cozzi
From: Marc Cozzi @ 2007-05-17 17:18 UTC (permalink / raw)
To: netfilter
Paul,
I believe that's correct. Although I'm still not
sure what was originally meant by "experimental tcp options".
-marc
> -----Original Message-----
> From: Paul Blondé [mailto:jpb@entel.ca]
> Sent: Thursday, May 17, 2007 11:09 AM
> To: netfilter@lists.netfilter.org
> Subject: RE: is it possible to block ip packets that contains
> experimentaltcp options ?
>
> I assume that LOG-AND-DROP is your own chain, crafted so that
> you can perform both functions with a single entry?
>
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Paul Blondé
* RE: is it possible to block ip packets that contains experimental tcp options ?
From: Glenn Terjesen @ 2007-05-21 11:32 UTC (permalink / raw)
To: netfilter
Hi,
What I meant with "experimental tcp options" is that my IDS (snort)
kept logging these "experimental tcp options"
#
code 76
length 8
data 01019DEDBEF00005
I know this ain't a snort list, but my servers don't serve any services
that require this kind of traffic.
So I was wondering if iptables has any way of blocking these.
These two magic lines fixed it all
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
Thanks a lot for the help.
--
Mvh Glenn Terjesen @ Webcat AS
Tlf: +47 37 02 20 20
E-post: support@webcat.no
* RE: is it possible to block ip packets that contains experimental tcp options ?
From: Glenn Terjesen @ 2007-05-21 11:55 UTC (permalink / raw)
To: netfilter
Was a little too fast there..
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
did not fix it..
I'm gonna take a look at Paul Blondé's suggestion and just ignore the
traffic I suppose..
* Re: is it possible to block ip packets that contains experimental tcp options ?
From: Pascal Hambourg @ 2007-05-21 18:27 UTC (permalink / raw)
To: netfilter
Hello,
Glenn Terjesen wrote:
> What I meant with "experimental tcp options" is that my IDS (snort)
> kept logging these "experimental tcp options"
>
> #
> code 76
> length 8
> data 01019DEDBEF00005
>
> I know this ain't a snort list, but my servers don't serve any services
> that require this kind of traffic.
>
> So I was wondering if iptables has any way of blocking these.
If you have a black list of options you want to drop (or a white list of
allowed options), what about the "--tcp-option" option of the "tcp" match ?
> These two magic lines fixed it all
> iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
> iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
I wonder how these rules could drop packets according to TCP options.
TCP flag combinations are not TCP options.
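To make Pascal's point concrete, here is an added example (not code from the thread or from the netfilter project) that models both matches in Python over constructed TCP headers: a walk of the TCP option list, as `-p tcp --tcp-option KIND` needs, beside the flag test that `--tcp-flags MASK COMP` performs. The header fields, the option payload bytes and the ALL = 0x3F mask are assumptions made here for the demo.

```python
import struct

# iptables' --tcp-flags "ALL" covers the six classic flags (FIN..URG = 0x3F); assumed here.
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
ALL, NONE = 0x3F, 0

def build_tcp_header(flags, options=b""):
    """Build a minimal TCP header (constructed ports/seq numbers) plus padded options."""
    options += b"\x00" * (-len(options) % 4)          # options end on a 32-bit boundary
    doff = (20 + len(options)) // 4                    # data offset, in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, doff << 4, flags, 65535, 0, 0)
    return fixed + options

def parse_tcp_options(hdr):
    """Walk the option list between byte 20 and the data offset; return [(kind, data)]."""
    end = (hdr[12] >> 4) * 4
    if end < 20 or end > len(hdr):
        raise ValueError("bad data offset")
    opts, i, found = hdr[20:end], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found

def matches_tcp_flags(hdr, mask, comp):
    """Model of `-p tcp --tcp-flags MASK COMP`: examine MASK bits, require them to equal COMP."""
    return (hdr[13] & mask) == comp

def matches_tcp_option(hdr, kind):
    """Model of `-p tcp --tcp-option KIND`: true if an option of that kind is present."""
    return any(k == kind for k, _ in parse_tcp_options(hdr))

# Constructed samples: an ordinary ACK|PSH data segment carrying option kind 76 (length 8,
# payload bytes invented for the demo), and a flag-less "NULL" segment.
OPT76 = bytes([76, 8]) + bytes.fromhex("9DEDBEF00005")
PKT_WITH_OPT76 = build_tcp_header(ACK | PSH, b"\x01\x01" + OPT76)
NULL_SCAN = build_tcp_header(NONE)
```

The ACK|PSH segment with option 76 matches neither `ALL ALL` nor `ALL NONE`, which is why the two flag rules could not have filtered it, while the option match does.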
* Re: is it possible to block ip packets that contains experimental tcp options ?
From: Glenn Terjesen @ 2007-05-22 8:58 UTC (permalink / raw)
To: netfilter
Thanks a lot Pascal,
iptables -A FORWARD -p tcp --tcp-option 76 -j REJECT
seems to be working.
--
Mvh Glenn Terjesen @ Webcat AS
Tlf: +47 37 02 20 20
E-post: support@webcat.no