This target makes the kernel complete the TCP three-way handshake in
netfilter context, on behalf of either the local system or a backend
system. It requires connection tracking because sequence numbers need to
be translated between the proxied handshake and the real one.
.TP
\fB\-\-mss\fP \fImaximum segment size\fP
Maximum segment size announced to clients. This must match the backend.
.TP
\fB\-\-wscale\fP \fIwindow scale\fP
Window scale announced to clients. This must match the backend.
.TP
\fB\-\-sack\-perm\fP
Pass client selective acknowledgement option to backend (will be disabled
if not present).
.TP
\fB\-\-timestamps\fP
Pass client timestamp option to backend (will be disabled if not present;
also needed for selective acknowledgement and window scaling).
.PP
Example:
.PP
Determine the TCP options used by the backend, from an external system:
.IP
tcpdump -pni eth0 -c 1 'tcp[tcpflags] == (tcp-syn|tcp-ack)
.br
    and port 80' &
.br
telnet 192.0.2.42 80
.br
18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757:
.br
    Flags [S.], seq 360414582, ack 788841994, win 14480,
.br
    options [mss 1460,sackOK,
.br
    TS val 1409056151 ecr 9690221,
.br
    nop,wscale 9],
.br
    length 0
.PP
Switch tcp_loose mode off, so conntrack will mark out\-of\-flow
packets as state INVALID:
.IP
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
.PP
Make SYN packets untracked:
.IP
iptables \-t raw \-A PREROUTING \-i eth0 \-p tcp \-\-dport 80
    \-\-syn \-j CT \-\-notrack
.PP
Catch UNTRACKED (SYN packets) and INVALID (3WHS ACK packets) states
and send them to SYNPROXY. This rule will respond to SYN packets with
SYN+ACK syncookies, create ESTABLISHED for a valid client response (3WHS ACK
packets) and drop incorrect cookies. Flag combinations not expected
during the 3WHS will not match and continue (e.g. SYN+FIN, SYN+ACK):
.IP
iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80
    \-m state \-\-state UNTRACKED,INVALID \-j SYNPROXY
    \-\-sack\-perm \-\-timestamps \-\-mss 1460 \-\-wscale 9
.PP
Drop invalid packets; these are the out\-of\-flow packets that were not
matched by SYNPROXY:
.IP
iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80 \-m state \-\-state INVALID \-j DROP
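.PP
The four steps above, collected into one script that reads the backend's captured SYN+ACK line, derives the SYNPROXY option flags from it (so \-\-mss and \-\-wscale cannot silently drift from the backend), and prints the matching rule set. This is an added example, not part of the iptables man page or of the SYNPROXY extension; the capture line is constructed from the tcpdump output shown above, and the interface and port arguments are assumptions. It only prints the commands, so it runs without root.

```shell
#!/bin/sh
# Added example, not part of the iptables man page or the SYNPROXY extension.
# Derives the SYNPROXY option flags from a captured backend SYN+ACK line (the
# tcpdump output format shown in the man page) and prints the rule set of the
# four steps above. Nothing is applied: review the output, then run it as root.

# Constructed sample: the man page's tcpdump output joined onto one line.
SAMPLE='18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757: Flags [S.], seq 360414582, ack 788841994, win 14480, options [mss 1460,sackOK,TS val 1409056151 ecr 9690221,nop,wscale 9], length 0'

# synproxy_opts LINE
# Prints "--sack-perm --timestamps --mss N --wscale M", omitting the options the
# backend did not announce. Fails if mss or wscale is missing, because the
# values SYNPROXY announces to clients must match what the backend accepts.
synproxy_opts() {
    line=$1
    mss=$(printf '%s\n' "$line" | sed -n 's/.*options \[.*mss \([0-9][0-9]*\).*/\1/p')
    wscale=$(printf '%s\n' "$line" | sed -n 's/.*wscale \([0-9][0-9]*\).*/\1/p')
    if [ -z "$mss" ] || [ -z "$wscale" ]; then
        printf 'no mss/wscale in SYN+ACK line; backend options unknown\n' >&2
        return 1
    fi
    opts="--mss $mss --wscale $wscale"
    # Without timestamps SYNPROXY cannot carry SACK and wscale through the
    # cookie, so their absence on the backend is worth a warning.
    case $line in
        *"TS val"*) opts="--timestamps $opts" ;;
        *) printf 'warning: backend sends no timestamps; SACK and wscale will be disabled\n' >&2 ;;
    esac
    case $line in
        *sackOK*) opts="--sack-perm $opts" ;;
    esac
    printf '%s\n' "$opts"
}

# synproxy_rules IFACE PORT LINE
# Prints the rule set of the four steps above for IFACE/PORT, with the
# SYNPROXY options derived from LINE. Order matters: tcp_loose off first,
# then the raw-table notrack rule, then SYNPROXY, then the INVALID drop.
synproxy_rules() {
    iface=$1 port=$2
    opts=$(synproxy_opts "$3") || return 1
    printf '%s\n' \
        "echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose" \
        "iptables -t raw -A PREROUTING -i $iface -p tcp --dport $port --syn -j CT --notrack" \
        "iptables -A INPUT -i $iface -p tcp --dport $port -m state --state UNTRACKED,INVALID -j SYNPROXY $opts" \
        "iptables -A INPUT -i $iface -p tcp --dport $port -m state --state INVALID -j DROP"
}

# Usage: sh synproxy_rules.sh [iface] [port] [captured SYN+ACK line]
# (all three are assumptions with defaults; the file name is hypothetical).
synproxy_rules "${1:-eth0}" "${2:-80}" "${3:-$SAMPLE}"
```

The parsing is deliberately strict: a capture without mss or wscale aborts rather than emitting a SYNPROXY rule with guessed values, since a mismatch with the backend is exactly what the \-\-mss and \-\-wscale descriptions warn about.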