* Blocking UDP Fragments
From: Ryan Gelobter @ 2011-05-16 20:42 UTC
To: 'netfilter@vger.kernel.org'

Can anyone provide me with some help in creating an iptables rule to drop packets such as the ones below? I've modified the amount of XXX in the packet contents since they are normally much larger; however, they do vary in size. I've come to realize the -f flag does not work for this type of packet and am confused by examples that explain matching by using the u32 module/"more fragments" flag.

U 0.0.0.0 -> 0.0.0.0 +39221@5920:1480
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#
U 0.0.0.0 -> 0.0.0.0 +39221@7400:800
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

U 0.0.0.0 -> 0.0.0.0 +39221@2960:1480
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Thanks,
Ryan G
* Re: Blocking UDP Fragments
From: Pandu Poluan @ 2011-05-18 4:27 UTC
To: Ryan Gelobter; +Cc: netfilter

On Tue, May 17, 2011 at 03:42, Ryan Gelobter <r.gelobter@limestonenetworks.com> wrote:
> Can anyone provide me with some help in creating an iptables rule to drop packets such as the ones below? I've modified the amount of XXX in the packet contents since they are normally much larger; however, they do vary in size. I've come to realize the -f flag does not work for this type of packet and am confused by examples that explain matching by using the u32 module/"more fragments" flag.
>
> U 0.0.0.0 -> 0.0.0.0 +39221@5920:1480
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> #
> U 0.0.0.0 -> 0.0.0.0 +39221@7400:800
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
> U 0.0.0.0 -> 0.0.0.0 +39221@2960:1480
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>

If you want to drop all fragmented packets, including the first packet of the fragment:

iptables -t raw -A PREROUTING -m u32 ! --u32 "0x4&0x3fff=0x0" -m comment --comment "Fragmented" -j DROP

(The u32 expression is quoted so the shell does not treat the '&' as a job-control operator.)

Explanation:

-m u32  : use the u32 match
--u32   : the parameter for the u32 match
0x4     : get 32 bits starting at byte #4 (the very first byte is #0)
&0x3fff : do a bitwise AND against those 32 bits
=0x0    : UN-fragmented packets will have those 14 bits = 0
!       : negation, i.e., we want to match packets whose fragmentation bits != 0

Rgds
--
Pandu E Poluan ~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
* Re: Blocking UDP Fragments
From: Jan Engelhardt @ 2011-05-18 12:23 UTC
To: Pandu Poluan; +Cc: Ryan Gelobter, netfilter

On Wednesday 2011-05-18 06:27, Pandu Poluan wrote:
>
> If you want to drop all fragmented packets, including the first packet
> of the fragment,
>
> iptables -t raw -A PREROUTING -m u32 ! --u32 "0x4&0x3fff=0x0" -m comment
> --comment "Fragmented" -j DROP

Yeah, but you forget

iptables -f -j DROP

and that, when nf_defrag is loaded, autodefragmentation is happening and Xtables won't see any more fragments.
* Re: Blocking UDP Fragments
From: Pandu Poluan @ 2011-05-19 8:43 UTC
To: netfilter

On Wed, May 18, 2011 at 19:23, Jan Engelhardt <jengelh@medozas.de> wrote:
>
> On Wednesday 2011-05-18 06:27, Pandu Poluan wrote:
>>
>> If you want to drop all fragmented packets, including the first packet
>> of the fragment,
>>
>> iptables -t raw -A PREROUTING -m u32 ! --u32 "0x4&0x3fff=0x0" -m comment
>> --comment "Fragmented" -j DROP
>
> Yeah, but you forget
>
> iptables -f -j DROP
>
> and that, when nf_defrag is loaded, autodefragmentation is happening and
> Xtables won't see any more fragments.
>

Why should I match against -f? Doesn't `! --u32 "0x4&0x3fff=0x0"` already match against the first and subsequent packets?

And when does nf_defrag actually do its magic? Doesn't it take place during conntrack, and thus after '-t raw'?

Rgds,
--
Pandu E Poluan ~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
* Re: Blocking UDP Fragments
From: Pandu Poluan @ 2011-05-19 8:51 UTC
To: netfilter

On Thu, May 19, 2011 at 15:43, Pandu Poluan <pandu@poluan.info> wrote:
> On Wed, May 18, 2011 at 19:23, Jan Engelhardt <jengelh@medozas.de> wrote:
>>
>> On Wednesday 2011-05-18 06:27, Pandu Poluan wrote:
>>>
>>> If you want to drop all fragmented packets, including the first packet
>>> of the fragment,
>>>
>>> iptables -t raw -A PREROUTING -m u32 ! --u32 "0x4&0x3fff=0x0" -m comment
>>> --comment "Fragmented" -j DROP
>>
>> Yeah, but you forget
>>
>> iptables -f -j DROP
>>
>> and that, when nf_defrag is loaded, autodefragmentation is happening and
>> Xtables won't see any more fragments.
>>
>
> Why should I match against -f? Doesn't `! --u32 "0x4&0x3fff=0x0"`
> already match against the first and subsequent packets?
>

Um, maybe I need to explain it more clearly:

0x3fff matches bits 18~31 of the 32 bits taken from octet 4.

Bits #19~31 indicate the fragment offset: non-zero for subsequent fragments, zero for the first fragment.

Bit #18 is the "More Fragment" bit.

So, if the packet is fragmented, bits #18~31 can't all be '0'; bit #18 will be '1' for all packets *except* the last fragmented packet, and bits #19~31 will be non-zero for all packets *except* the first fragmented packet.

Reference:
* http://www.wtcs.org/snmp4tpc/images/IP-Header.jpg
* http://www.stearns.org/doc/iptables-u32.current.html (near the end of the page)

> And when does nf_defrag actually do its magic? Doesn't it take place
> during conntrack, and thus after '-t raw'?
>

--
Pandu E Poluan ~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
Google Talk: pepoluan
Y! messenger: pepoluan
MSN / Live: pepoluan@hotmail.com (do not send email here)
Skype: pepoluan
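An added example, not from the thread: the bit test behind `! --u32 "0x4&0x3fff=0x0"` and the test behind `-f` (fragment offset != 0), each written out in Python over constructed IPv4 headers modelled on the ngrep-style lines in the first post. I read `+39221@5920:1480` as IP id 39221, byte offset 5920, length 1480; that reading and the helper names are my assumptions, and the predicates reproduce what the matches evaluate rather than calling iptables.

```python
import struct

# Build a minimal 20-byte IPv4 header (constructed sample, no options).
# `offset` is the fragment offset in bytes, `mf` the More Fragments flag.
def ipv4_header(ident, offset, mf, df=False, total_len=1500):
    assert offset % 8 == 0, "fragment offsets are stored in 8-byte units"
    flags = (int(df) << 1) | int(mf)              # 3 flag bits: Reserved, DF, MF
    frag_word = (flags << 13) | (offset // 8)     # flags + 13-bit offset field
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, ident, frag_word,
                       64, 17, 0,                 # TTL, protocol UDP, checksum unset
                       bytes(4), bytes(4))        # 0.0.0.0 -> 0.0.0.0 as in the trace

# What `-m u32 ! --u32 "0x4&0x3fff=0x0"` evaluates: the 32-bit word at byte 4
# of the IP header, masked to its low 14 bits (MF bit + 13-bit offset),
# matches when the result is NOT zero.
def u32_rule_matches(pkt):
    word = struct.unpack("!I", pkt[4:8])[0]
    return (word & 0x3fff) != 0

# What `iptables -f` evaluates: second-and-further fragments only, i.e.
# fragment offset != 0. The first fragment (MF=1, offset 0) is NOT matched,
# which is why -f alone did not catch every fragment in the original post.
def f_flag_matches(pkt):
    frag_word = struct.unpack("!H", pkt[6:8])[0]
    return (frag_word & 0x1fff) != 0

def classify(pkt):
    frag_word = struct.unpack("!H", pkt[6:8])[0]
    return {"mf": bool(frag_word & 0x2000),
            "offset": (frag_word & 0x1fff) * 8,
            "u32_rule": u32_rule_matches(pkt),
            "dash_f": f_flag_matches(pkt)}

# Constructed fragments modelled on the trace (+39221@offset:len), plus the
# first fragment the trace did not show and an unfragmented datagram.
SAMPLES = {
    "unfragmented":       ipv4_header(39221, 0,    mf=False, df=True),
    "first  +39221@0":    ipv4_header(39221, 0,    mf=True),
    "middle +39221@2960": ipv4_header(39221, 2960, mf=True),
    "middle +39221@5920": ipv4_header(39221, 5920, mf=True),
    "last   +39221@7400": ipv4_header(39221, 7400, mf=False, total_len=820),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20} {classify(pkt)}")
```

The output shows the u32 rule matching all four fragments while `-f` misses the first one; neither matches the unfragmented datagram.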