How to stop kernel TCP responses on a port

From: Dale Mellor
Date: 2014-09-04 15:17 UTC
To: netfilter

I want to do TCP with raw sockets. How can I filter away the kernel's RST/ACK/SYN response messages when I want to do this myself?
Re: How to stop kernel TCP responses on a port

From: Leonardo Rodrigues
Date: 2014-09-04 16:16 UTC
To: netfilter

You'll probably need to tweak the kernel itself for that. If you wanna do all the 'dirty work', why not use UDP instead of TCP?

On 04/09/14 12:17, Dale Mellor wrote:
> I want to do TCP with raw sockets. How can I filter away the kernel's
> RST/ACK/SYN response messages when I want to do this myself?

--
Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Re: How to stop kernel TCP responses on a port

From: Dale Mellor
Date: 2014-09-05 4:27 UTC
To: Leonardo Rodrigues
Cc: netfilter

On Thu, 2014-09-04 at 13:16 -0300, Leonardo Rodrigues wrote:
> On 04/09/14 12:17, Dale Mellor wrote:
> > I want to do TCP with raw sockets. How can I filter away the kernel's
> > RST/ACK/SYN response messages when I want to do this myself?
>
> you'll probably need to tweak the kernel itself for that. If you
> wanna do all the 'dirty work', why not use UDP instead of TCP ??

I need to tunnel TCP (specifically telnet) through a space link to a spacecraft in orbit (don't worry, security exists in the link layer). But of course I need the SYN/ACKs to come from the spacecraft itself (rather than the ground-station PC) so I know when I can send commands up. I'm going to try to use the iptables QUEUE target and a user-space packet filter, thinking that if I reject the incoming SYN it will be dropped without further ado, and then I can synthesize a response later with a raw socket.

Any thoughts people may have on this would likely be useful.

Thanks,
Dale
Re: How to stop kernel TCP responses on a port

From: Dale Mellor
Date: 2014-09-05 5:41 UTC
To: Payam Chychi
Cc: Leonardo Rodrigues, netfilter

On Thu, 2014-09-04 at 22:06 -0700, Payam Chychi wrote:
> Why would the syn-ack come from the ground pc and not the space station?
> Are you proxying this? If so, there are other ways to do this ...
>
> On Thursday, September 4, 2014 at 9:27 PM, Dale Mellor wrote:
> > On Thu, 2014-09-04 at 13:16 -0300, Leonardo Rodrigues wrote:
> > > On 04/09/14 12:17, Dale Mellor wrote:
> > > > I want to do TCP with raw sockets. How can I filter away the
> > > > kernel's RST/ACK/SYN response messages when I want to do this
> > > > myself?
> > >
> > > you'll probably need to tweak the kernel itself for that. If you
> > > wanna do all the 'dirty work', why not use UDP instead of TCP ??
> >
> > I need to tunnel TCP (specifically telnet) through a space link to a
> > spacecraft in orbit (don't worry, security exists in the link layer).
> > But of course I need the SYN/ACKs to come from the spacecraft itself
> > (rather than the ground-station PC) so I know when I can send commands
> > up. I'm going to try to use the iptables QUEUE target and a user-space
> > packet filter, thinking that if I reject the incoming SYN it will be
> > dropped without further ado, and then I can synthesize a response later
> > with a raw socket.
> >
> > Any thoughts people may have on this would likely be useful.

I thought this list had rules about not top-posting?

Anyway, the point is I don't want the syn-ack to come from the ground, but the Linux kernel insists on sending it. That's what I want to filter out, or otherwise stop.

In case I haven't been clear, the PC is the gateway to the spacecraft; effectively, it _is_ the proxy. When a telnet client (on the ground) connects to the gateway (on the ground), the gateway is responding to the SYN when I don't want it to.

Dale
Re: How to stop kernel TCP responses on a port

From: Brad Campbell
Date: 2014-09-08 3:11 UTC
To: Dale Mellor, Payam Chychi
Cc: Leonardo Rodrigues, netfilter

On 05/09/14 13:41, Dale Mellor wrote:
> Anyway, the point is I don't want the syn-ack to come from the ground,
> but the Linux kernel insists on sending it. That's what I want to
> filter out, or otherwise stop.

The kernel only does that if there is a piece of application code that is bound to that socket.

> In case I haven't been clear, the PC is the gateway to the spacecraft;
> effectively, it _is_ the proxy. When a telnet client (on the ground)
> connects to the gateway (on the ground), the gateway is responding to
> the SYN when I don't want it to.

Ok, so the ground station PC is acting as a proxy and you don't want that. You want it to *route* the IP packets rather than be an application level proxy.

So at the moment you are connecting to a socket that is bound in the ground station PC. There is a piece of code there that binds and then accepts the connection. Stop doing that and have iptables forward/nat the packets instead.

If all that is incorrect, then you have not provided anywhere near enough information on the how's and why's.
Re: How to stop kernel TCP responses on a port

From: Dale Mellor
Date: 2014-09-09 13:49 UTC
To: Brad Campbell
Cc: netfilter

On Mon, 2014-09-08 at 11:11 +0800, Brad Campbell wrote:
> On 05/09/14 13:41, Dale Mellor wrote:
> > Anyway, the point is I don't want the syn-ack to come from the ground,
> > but the Linux kernel insists on sending it. That's what I want to
> > filter out, or otherwise stop.
>
> The kernel only does that if there is a piece of application code that
> is bound to that socket.
>
> > In case I haven't been clear, the PC is the gateway to the spacecraft;
> > effectively, it _is_ the proxy. When a telnet client (on the ground)
> > connects to the gateway (on the ground), the gateway is responding to
> > the SYN when I don't want it to.
>
> Ok, so the ground station PC is acting as a proxy and you don't want
> that. You want it to *route* the IP packets rather than be an
> application level proxy.
>
> So at the moment you are connecting to a socket that is bound in the
> ground station PC. There is a piece of code there that binds and then
> accepts the connection. Stop doing that and have iptables forward/nat
> the packets instead.
>
> If all that is incorrect, then you have not provided anywhere near enough
> information on the how's and why's.

Thanks for all your thoughts. It is likely true I didn't give enough information for you to fully understand my problem, but I didn't have time to write an essay and there is only so much I'm allowed to disclose.

Anyway, for information, my solution was to vector packets to my port in the PREROUTING chain of the mangle table to target QUEUE, and then have a user-land program feed the packet to the space link. This program instructs the kernel to DROP the frame, and the kernel does not then send any SYN-ACK or RST itself to the connecting client, which is what I wanted to achieve.

Thanks again,
Dale
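The user-space side of the design Dale settled on, written out as an added example; this is not code from the thread or from Dale's gateway. It assumes the kernel-side rule `iptables -t mangle -A PREROUTING -p tcp --dport 2323 -j NFQUEUE --queue-num 1` (the legacy QUEUE target is the same as NFQUEUE with queue number 0; port 2323 and queue 1 are assumptions), the python `netfilterqueue` binding for the live handler, an `uplink_send` callable supplied by the caller for the space link, and RFC 5737 test addresses for the constructed sample SYN. It shows the three pieces a practitioner needs: the verdict logic (DROP everything for the tunnel port so the local stack never answers), the synthesized SYN-ACK with correct IP and TCP checksums for a raw socket, and the raw-socket injection itself.

```python
# Added example, not code from the thread. Assumed kernel-side rule (port and
# queue number are assumptions; legacy QUEUE == NFQUEUE --queue-num 0):
#   iptables -t mangle -A PREROUTING -p tcp --dport 2323 -j NFQUEUE --queue-num 1
import secrets
import socket
import struct

TUNNEL_PORT = 2323   # assumption: port the telnet-over-space-link service answers on
QUEUE_NUM = 1        # assumption: must match the iptables rule above
NF_DROP, NF_ACCEPT = 0, 1
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 when run over data carrying a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, win=65535, ttl=64) -> bytes:
    """Header-only IPv4/TCP packet with correct checksums, in IP_HDRINCL layout."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, win, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl,
                     socket.IPPROTO_TCP, 0, src_b, dst_b)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp


def parse_ipv4_tcp(pkt: bytes):
    """(src, dst, tcp fields) for an IPv4/TCP packet; None if not TCP/IPv4 or truncated."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != socket.IPPROTO_TCP or len(pkt) < ihl + 20:
        return None
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
             "flags": off_flags & 0x1FF, "win": win})


def checksums_ok(pkt: bytes) -> bool:
    """True when both the IP header checksum and the TCP checksum verify."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(pkt) - ihl)
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + pkt[ihl:]) == 0


def verdict(pkt: bytes, tunnel_port: int = TUNNEL_PORT) -> int:
    """Verdict for one queued packet. The whole flow (SYN, ACK, data, FIN) is diverted,
    not only the SYN: a segment that reaches the local stack for a port with no
    matching socket is answered with a RST, which is exactly what we must avoid."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return NF_ACCEPT        # not ours (or malformed); let the kernel deal with it
    return NF_DROP if parsed[2]["dport"] == tunnel_port else NF_ACCEPT


def random_isn() -> int:
    """Doing TCP yourself means you own ISN choice; a predictable ISN invites spoofing."""
    return secrets.randbits(32)


def build_synack(client_syn: bytes, isn: int) -> bytes:
    """The SYN-ACK to emit on the spacecraft's behalf once the far end has accepted."""
    src, dst, tcp = parse_ipv4_tcp(client_syn)
    if not tcp["flags"] & TH_SYN or tcp["flags"] & TH_ACK:
        raise ValueError("not a client SYN")
    return build_ipv4_tcp(dst, src, tcp["dport"], tcp["sport"], isn,
                          (tcp["seq"] + 1) & 0xFFFFFFFF, TH_SYN | TH_ACK)


def send_raw(pkt: bytes) -> None:
    """Inject a fully formed packet; IPPROTO_RAW implies IP_HDRINCL. Needs CAP_NET_RAW."""
    dst = socket.inet_ntoa(pkt[16:20])
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(pkt, (dst, 0))


def run_queue(uplink_send) -> None:
    """Live handler: needs root and the python 'netfilterqueue' binding. uplink_send(bytes)
    is the caller's hook onto the space link (assumed, not defined here)."""
    from netfilterqueue import NetfilterQueue   # imported late so the offline parts need no extra package

    def handle(nfpkt):
        pkt = nfpkt.get_payload()
        if verdict(pkt) == NF_DROP:
            uplink_send(pkt)   # segment goes up to the spacecraft...
            nfpkt.drop()       # ...and the kernel forgets it: no SYN-ACK, no RST
        else:
            nfpkt.accept()

    q = NetfilterQueue()
    q.bind(QUEUE_NUM, handle)
    try:
        q.run()
    finally:
        q.unbind()


if __name__ == "__main__":
    # Offline walk-through on a constructed client SYN (RFC 5737 test addresses).
    syn = build_ipv4_tcp("192.0.2.10", "192.0.2.1", 40000, TUNNEL_PORT, 1000, 0, TH_SYN)
    print("verdict:", "DROP" if verdict(syn) == NF_DROP else "ACCEPT")
    print("syn-ack:", build_synack(syn, random_isn()).hex())
```

Two points the thread leaves implicit and a practitioner should check before deploying this. First, the iptables match must cover every segment of the flow, not just the SYN: once the gateway has synthesized a SYN-ACK, the client's ACK and data arrive for a port with no local socket, and if they are not also queued and dropped the kernel answers them with a RST and tears the session down. Second, the user-space program is now the TCP implementation for that port, so sequence-number unpredictability, window handling and RST validation are its responsibility rather than the kernel's.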