Linux Netfilter discussions
* packet matching problem
From: P.Srihari @ 2003-05-12 14:29 UTC (permalink / raw)
  To: netfilter


hi,

i am facing what i think is a peculiar problem. i have a set of rules as
follows

iptables -I FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/s --limit-burst 1024 -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SYN ATTACK"
iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -j DROP
iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

now i started an FTP session from the host to an FTP server. in this
session, i turn off the prompt and do an mget * (multiple files).
the files are in the order of about 4 MB or so. as soon as the first file
is completed, it prints the message SYN ATTACK - with the SRC port as
ftp-data port (20) - no other traffic is coming into the firewall host.
TCPDUMP on the firewall machine shows that about 8 or 9 SYN packets
have been received by the firewall host.

now in the netfilter framework in 2.4.5 kernel, i found the following

a. for some strange reason, the packet-matching code in the kernel
for limit is being invoked even for non-SYN packets, and as the traffic
to the ftp data port flows into the firewall, the credit associated with the
entry for the 1st rule in the above mentioned rules is getting reduced and
finally the SYN attack message is printed.

i am not saying that there is a bug in the netfilter code, but there
could be something wrong in the rules that i have framed.

the above observations are accurate as i have done the test quite a
few times.

the iptables version that i am using is 1.2.6a

can anyone suggest some solution

thanks
srihari




* Re: packet matching problem
From: narendra prabhu @ 2003-05-12 15:42 UTC (permalink / raw)
  To: P.Srihari; +Cc: netfilter

Hi,

> iptables -I FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/s --limit-burst 1024 -j ACCEPT
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SYN ATTACK"
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -j DROP
> iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
>

I am not quite sure about the sequence of the rules. Usually, we place
the "-m state --state RELATED,ESTABLISHED" rule (the connection tracking
stuff) at the top of the list of rules.... I guess instead of -A it should
have been -I.. Read about connection tracking .. might help you.

> now i started an FTP session from the host to an FTP server. in this
> session, i turn off the prompt and do an mget * (multiple files).
> the files are in the order of about 4 MB or so. as soon as the first file
> is completed, it prints the message SYN ATTACK - with the SRC port as
> ftp-data port (20) - no other traffic is coming into the firewall host.
> TCPDUMP on the firewall machine shows that about 8 or 9 SYN packets
> have been received by the firewall host.
>
FTP is one of those peculiar protocols. Again, read about connection
tracking. For protocols like these the connection tracking modules have
more work to do. However, this is not very relevant to your problem.
The solution for your problem is possibly the ordering of the rules, or
the sequence.

There is a link from netfilter.org..(docs section).

Hope this helps ...

Narendra.

--------------------------
Narendra Prabhu. B
DeepRoot Linux Pvt Ltd.,Bangalore.
http://www.deeproot.co.in
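The following is an added example, not code from either post in this thread: a small Python model of iptables chain traversal and of the `limit` match token bucket, fed with a constructed packet trace, to compare the order the original poster used (SYN rules inserted at the top, state rule appended last) with the order suggested in the reply (state rule first). The model is simplified on purpose: matches are evaluated left to right and stop at the first one that fails, LOG is non-terminating, the FORWARD policy is assumed to be DROP, `ip_conntrack_ftp` is assumed to be loaded so that active-mode data SYNs from port 20 are classified RELATED, and the burst is reduced from the posted 1024 to 3 so that the effect is visible in a few packets. The packet trace, port numbers and timings are constructed.

```python
"""Rule-order comparison for the SYN rate-limit chain discussed in this thread.

Added example (not code from the original posts): a simplified model of
iptables chain traversal and of the `limit` match token bucket, fed with a
constructed packet trace. Burst is reduced from the posted 1024 to 3.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Packet:
    sport: int
    flags: frozenset      # TCP flags set on the packet
    ctstate: str          # NEW / ESTABLISHED / RELATED, as conntrack would classify it
    t: float              # arrival time in seconds (constructed)


class LimitMatch:
    """Token bucket in the spirit of ipt_limit: `burst` tokens, refilled at `rate`/s.
    The refill is applied on every evaluation, whether or not a token is taken."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.credit, self.last = float(burst), 0.0

    def __call__(self, pkt: Packet) -> bool:
        self.credit = min(float(self.burst), self.credit + (pkt.t - self.last) * self.rate)
        self.last = pkt.t
        if self.credit >= 1.0:
            self.credit -= 1.0
            return True
        return False


def syn_only(pkt: Packet) -> bool:
    """--tcp-flags SYN,RST,ACK SYN: SYN set, RST and ACK both clear."""
    return "SYN" in pkt.flags and not ({"RST", "ACK"} & pkt.flags)


def state(*states: str) -> Callable[[Packet], bool]:
    """-m state --state A,B"""
    return lambda pkt: pkt.ctstate in states


@dataclass
class Rule:
    matches: List[Callable[[Packet], bool]]
    target: str           # ACCEPT, DROP or LOG


@dataclass
class Result:
    accepted: int = 0
    dropped: int = 0
    logs: List[str] = field(default_factory=list)
    limit_credit: float = 0.0   # tokens left in the limit bucket after the trace


def syn_rules(limit: LimitMatch) -> List[Rule]:
    return [
        Rule([syn_only, limit], "ACCEPT"),   # ... -m limit --limit 1/s --limit-burst N -j ACCEPT
        Rule([syn_only], "LOG"),             # ... -j LOG --log-prefix "SYN ATTACK"
        Rule([syn_only], "DROP"),
    ]


def posted_chain(limit: LimitMatch) -> List[Rule]:
    """Order from the original post: SYN rules first (-I), state rule appended last (-A)."""
    return syn_rules(limit) + [Rule([state("RELATED", "ESTABLISHED")], "ACCEPT")]


def suggested_chain(limit: LimitMatch) -> List[Rule]:
    """Order from the reply: state rule at the top, SYN rules below it."""
    return [Rule([state("RELATED", "ESTABLISHED")], "ACCEPT")] + syn_rules(limit)


def run(build_chain: Callable[[LimitMatch], List[Rule]], trace: List[Packet]) -> Result:
    limit = LimitMatch(rate=1.0, burst=3)       # burst reduced from 1024 for the demo
    chain, res = build_chain(limit), Result()
    for pkt in trace:
        verdict = "DROP"                         # assumed DROP policy on FORWARD
        for rule in chain:
            if all(m(pkt) for m in rule.matches):   # matches short-circuit left to right
                if rule.target == "LOG":             # LOG is non-terminating
                    res.logs.append(f"SYN ATTACK sport={pkt.sport} t={pkt.t}")
                    continue
                verdict = rule.target
                break
        if verdict == "ACCEPT":
            res.accepted += 1
        else:
            res.dropped += 1
    res.limit_credit = limit.credit
    return res


def ftp_trace() -> List[Packet]:
    """Constructed: five active-mode data connections from port 20 (mget), each a
    RELATED SYN followed by three ESTABLISHED data segments."""
    pkts = []
    for i in range(5):
        t0 = i * 0.2
        pkts.append(Packet(20, frozenset({"SYN"}), "RELATED", t0))
        pkts += [Packet(20, frozenset({"ACK"}), "ESTABLISHED", t0 + 0.01 * k) for k in (1, 2, 3)]
    return pkts


def flood_trace() -> List[Packet]:
    """Constructed: five unrelated NEW SYNs arriving at the same instant."""
    return [Packet(40000 + i, frozenset({"SYN"}), "NEW", 5.0) for i in range(5)]


if __name__ == "__main__":
    for name, build in (("posted", posted_chain), ("suggested", suggested_chain)):
        print(name, "ftp:", run(build, ftp_trace()))
        print(name, "flood:", run(build, flood_trace()))
```

With the posted order, every RELATED data-connection SYN from port 20 has to pass through the limit match before it reaches the state rule, so legitimate FTP transfers spend the bucket's tokens and, once it is empty, get logged as "SYN ATTACK" and dropped. With the state rule first, RELATED and ESTABLISHED packets are accepted before the limit match is ever consulted, so its credit is untouched by known connections, while NEW SYNs that conntrack has no entry for are still rate-limited exactly as before.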