netfilter.vger.kernel.org archive mirror
From: Dale Mellor <dale@rdmp.org>
To: Brad Campbell <lists2009@fnarfbargle.com>
Cc: netfilter@vger.kernel.org
Subject: Re: How to stop kernel TCP responses on a port
Date: Tue, 09 Sep 2014 14:49:19 +0100	[thread overview]
Message-ID: <1410270559.5380.9.camel@l3> (raw)
In-Reply-To: <540D1E4F.4000704@fnarfbargle.com>


On Mon, 2014-09-08 at 11:11 +0800, Brad Campbell wrote:
> On 05/09/14 13:41, Dale Mellor wrote:
> >
> 
> > Anyway, the point is I don't want the syn-ack to come from the ground,
> > but the Linux kernel insists on sending it.  That's what I want to
> > filter out, or otherwise stop.
> 
> 
> The kernel only does that if there is a piece of application code that 
> is bound to that socket.
> 
> > In case I haven't been clear, the PC is the gateway to the spacecraft;
> > effectively, it _is_ the proxy.  When a telnet client (on the ground)
> > connects to the gateway (on the ground), the gateway is responding to
> > the SYN when I don't want it to.
> 
> Ok, so the ground station PC is acting as a proxy and you don't want 
> that. You want it to *route* the IP packets rather than be an 
> application level proxy.
> 
> So at the moment you are connecting to a socket that is bound in the 
> ground station PC. There is a piece of code there that binds and then 
> accepts the connection. Stop doing that and have iptables forward/nat 
> the packets instead.
> 
> If all that is incorrect, then you have not provided anywhere near enough 
> information on the how's and why's.


Thanks for all your thoughts.  It is likely true I didn't give enough
information for you to fully understand my problem, but I didn't have
time to write an essay and there is only so much I'm allowed to
disclose.

Anyway, for information, my solution was to vector packets to my port in
the PREROUTING chain of the mangle table to target QUEUE, and then have
a user-land program feed the packet to the space link.  This program
instructs the kernel to DROP the frame, and the kernel does not then
send any SYN-ACK or RST itself to the connecting client, which is what I
wanted to achieve.

Thanks again,
Dale
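The mechanism Dale describes (queue matching packets to user space from the mangle PREROUTING chain, hand a copy to the space link, then return a DROP verdict so the local TCP stack never sees the SYN and so never answers with a SYN-ACK or RST) can be sketched as follows. This is an added illustration, not Dale's program and not code from the thread. It assumes a service port of 2323, queue number 0, the `NFQUEUE` target (the current name for the `QUEUE` target mentioned in the mail), the third-party `netfilterqueue` Python package for the real kernel binding, and a placeholder file path standing in for the space link; the packet parsing and verdict logic run stand-alone on a constructed packet.

```python
"""
Hypothetical user-space NFQUEUE handler (added example, not from the thread).

Assumed kernel-side rule, run as root:

    iptables -t mangle -A PREROUTING -p tcp --dport 2323 -j NFQUEUE --queue-num 0

Every matching packet is delivered to this program before the local TCP
stack sees it.  The program copies the packet to the "space link" and returns
NF_DROP, so the kernel generates neither a SYN-ACK (listening socket) nor an
RST (closed port) for the connecting client.
"""
import struct
from typing import Callable, Optional, Tuple

PROXIED_PORT = 2323               # assumption: port the spacecraft service is reached on
QUEUE_NUM = 0                     # assumption: matches --queue-num in the rule
SPACE_LINK_PATH = "/dev/space-link"   # placeholder for the real uplink device
NF_DROP, NF_ACCEPT = 0, 1         # libnetfilter_queue verdict values
TCP_SYN = 0x02


def parse_ipv4_tcp(packet: bytes) -> Optional[Tuple[str, str, int, int, int]]:
    """Return (src, dst, sport, dport, tcp_flags) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or ihl < 20 or len(packet) < ihl + 20:
        return None                          # not TCP, or truncated
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]                 # TCP flags byte
    return src, dst, sport, dport, flags


def verdict_for(packet: bytes, space_link: Callable[[bytes], None]) -> int:
    """Decide the NFQUEUE verdict for one queued packet.

    Packets for the proxied port are copied to the space link and dropped;
    anything else (re-checked here in case the queue is shared) is accepted
    unchanged so the normal stack handles it.
    """
    hdr = parse_ipv4_tcp(packet)
    if hdr is None or hdr[3] != PROXIED_PORT:
        return NF_ACCEPT
    space_link(packet)
    return NF_DROP


def deliver_to_space_link(packet: bytes) -> None:
    """Assumed uplink: append the raw IP packet to the link device/file."""
    with open(SPACE_LINK_PATH, "ab") as link:
        link.write(packet)


def build_tcp_packet(src: str, dst: str, sport: int, dport: int,
                     flags: int = TCP_SYN) -> bytes:
    """Constructed IPv4/TCP packet for offline testing; checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def main() -> None:
    # Real binding; needs the `netfilterqueue` package and root (assumption).
    from netfilterqueue import NetfilterQueue

    def on_packet(pkt) -> None:
        if verdict_for(pkt.get_payload(), deliver_to_space_link) == NF_DROP:
            pkt.drop()
        else:
            pkt.accept()

    queue = NetfilterQueue()
    queue.bind(QUEUE_NUM, on_packet)
    try:
        queue.run()
    finally:
        queue.unbind()


if __name__ == "__main__":
    main()
```

Two things worth checking on a live box: while this program is not running, packets queued to an unbound queue are dropped by the kernel by default, so the rule alone already silences the port; and `iptables -t mangle -D PREROUTING ...` with the same match restores normal stack behaviour, which is the quickest way to confirm the rule, not something else, is what stopped the SYN-ACKs.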



Thread overview: 6+ messages
2014-09-04 15:17 How to stop kernel TCP responses on a port Dale Mellor
2014-09-04 16:16 ` Leonardo Rodrigues
2014-09-05  4:27   ` Dale Mellor
     [not found]     ` <CBD8736BE6044AE0B06076D69855AF85@gmail.com>
2014-09-05  5:41       ` Dale Mellor
2014-09-08  3:11         ` Brad Campbell
2014-09-09 13:49           ` Dale Mellor [this message]
