This target processes the TCP three-way handshake in parallel in netfilter
context, to protect either the local system or a backend system. This target
requires connection tracking because sequence numbers need to be translated.
The kernel's ability to absorb a SYN flood was greatly improved starting with
Linux 4.4, so this target should not be needed anymore to protect Linux servers.
.TP
\fB\-\-mss\fP \fImaximum segment size\fP
Maximum segment size announced to clients. This must match the backend.
.TP
\fB\-\-wscale\fP \fIwindow scale\fP
Window scale announced to clients. This must match the backend.
.TP
\fB\-\-sack\-perm\fP
Pass the client's selective acknowledgement option to the backend (it will be
disabled if not present).
.TP
\fB\-\-timestamps\fP
Pass the client's timestamp option to the backend (it will be disabled if not
present; it is also needed for selective acknowledgement and window scaling).
.PP
Example:
.PP
Determine the TCP options used by the backend, from an external system:
.IP
tcpdump -pni eth0 -c 1 'tcp[tcpflags] == (tcp-syn|tcp-ack)'
.br
 port 80 &
.br
telnet 192.0.2.42 80
.br
18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757:
.br
 Flags [S.], seq 360414582, ack 788841994, win 14480,
.br
 options [mss 1460,sackOK,
.br
 TS val 1409056151 ecr 9690221,
.br
 nop,wscale 9],
.br
 length 0
.PP
Switch tcp_loose mode off, so that conntrack will mark out\-of\-flow
packets as state INVALID:
.IP
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
.PP
Make SYN packets untracked:
.IP
iptables \-t raw \-A PREROUTING \-i eth0 \-p tcp \-\-dport 80
 \-\-syn \-j CT \-\-notrack
.PP
Catch the UNTRACKED (SYN packets) and INVALID (3WHS ACK packets) states
and send them to SYNPROXY. This rule will respond to SYN packets with
SYN+ACK syncookies, create an ESTABLISHED entry for a valid client response
(3WHS ACK packet) and drop incorrect cookies. Flag combinations not expected
during the 3WHS will not match and continue (e.g. SYN+FIN, SYN+ACK).
.IP
iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80
 \-m state \-\-state UNTRACKED,INVALID \-j SYNPROXY
 \-\-sack\-perm \-\-timestamps \-\-mss 1460 \-\-wscale 9
.PP
Drop invalid packets; these are the out\-of\-flow packets that were not
matched by SYNPROXY.
.IP
iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80 \-m state \-\-state INVALID \-j DROP
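The options passed to SYNPROXY must match what the backend really announces, and the example above determines them by reading a tcpdump capture by hand. The following script is an added example, not part of the iptables man page or the netfilter project: it parses the backend's SYN+ACK line as tcpdump prints it, derives the matching \-\-mss/\-\-wscale/\-\-sack\-perm/\-\-timestamps options, and renders the full rule set from the example (tcp_loose off, notrack for SYN, the SYNPROXY rule, drop INVALID) for review. The function names, the SAMPLE_SYNACK string (the capture above joined on one line) and the choice to emit \-\-wscale only when the backend uses window scaling are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the iptables man page): derive SYNPROXY options
# from the backend's captured SYN+ACK and render the rule set described
# above, so the announced options cannot drift from the backend's.

# Constructed sample: the SYN+ACK from the tcpdump run above, as one line.
SAMPLE_SYNACK='18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757: Flags [S.], seq 360414582, ack 788841994, win 14480, options [mss 1460,sackOK,TS val 1409056151 ecr 9690221,nop,wscale 9], length 0'

# synproxy_opts_from_synack LINE
# Prints the SYNPROXY option string matching the TCP options in LINE.
# Fails (status 1) when LINE has no option block or no mss, because --mss
# must match the backend and has no safe default. --wscale is emitted only
# when the backend announced window scaling (assumption of this example).
synproxy_opts_from_synack() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*options \[\([^]]*\)\].*/\1/p')
    [ -n "$opts" ] || return 1
    mss=$(printf '%s\n' "$opts" | sed -n 's/.*mss \([0-9][0-9]*\).*/\1/p')
    [ -n "$mss" ] || return 1
    out="--mss $mss"
    wscale=$(printf '%s\n' "$opts" | sed -n 's/.*wscale \([0-9][0-9]*\).*/\1/p')
    [ -z "$wscale" ] || out="$out --wscale $wscale"
    case "$opts" in *sackOK*) out="$out --sack-perm" ;; esac
    case "$opts" in *"TS val"*) out="$out --timestamps" ;; esac
    printf '%s\n' "$out"
}

# render_synproxy_rules IFACE PORT OPTS
# Prints the four commands from the example above for IFACE/PORT with OPTS.
# Nothing is executed here: review the output, then run it as root on the
# protected host (connection tracking must be loaded, as the page states).
render_synproxy_rules() {
    iface=$1; port=$2; opts=$3
    printf '%s\n' \
      "echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose" \
      "iptables -t raw -A PREROUTING -i $iface -p tcp --dport $port --syn -j CT --notrack" \
      "iptables -A INPUT -i $iface -p tcp --dport $port -m state --state UNTRACKED,INVALID -j SYNPROXY $opts" \
      "iptables -A INPUT -i $iface -p tcp --dport $port -m state --state INVALID -j DROP"
}

# main [IFACE] [PORT]: derive options from SAMPLE_SYNACK and print the rules.
main() {
    opts=$(synproxy_opts_from_synack "$SAMPLE_SYNACK") || {
        echo "no usable TCP options found in SYN+ACK" >&2
        return 1
    }
    render_synproxy_rules "${1:-eth0}" "${2:-80}" "$opts"
}

main "$@"
```

Replace SAMPLE_SYNACK with the line printed by the tcpdump command above (or pipe that output in) to generate rules for another backend; a backend that does not announce sackOK or timestamps simply gets those options left out, which is what the option descriptions above require.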