  1. #1

    iptables tcp-flags question


    I have continuous apparent break-in attempts using HEAD and PROPFIND. Here are some records:

    570 40796.394973 192.99.144.140 -> me.me.me.me TCP 66 59325 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
    571 40796.395325 me.me.me.me -> 192.99.144.140 TCP 66 80 → 59325 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=256
    572 40796.479213 192.99.144.140 -> me.me.me.me TCP 52 59325 → 80 [ACK] Seq=2126074772 Ack=2008317638 Win=513[Malformed Packet]
    573 40796.937086 192.99.144.140 -> me.me.me.me HTTP 165 PROPFIND /webdav/ HTTP/1.1
    574 40797.259328 192.99.144.140 -> me.me.me.me TCP 165 [TCP Retransmission] 59325 → 80 [PSH, ACK] Seq=1 Ack=1 Win=131328 Len=111
    575 40797.862543 192.99.144.140 -> me.me.me.me TCP 165 [TCP Retransmission] 59325 → 80 [PSH, ACK] Seq=1 Ack=1 Win=131328 Len=111
    576 40799.075384 192.99.144.140 -> me.me.me.me TCP 165 [TCP Retransmission] 59325 → 80 [PSH, ACK] Seq=1 Ack=1 Win=131328 Len=111
    577 40799.312331 192.99.144.140 -> me.me.me.me TCP 52 59325 → 80 [FIN, ACK] Seq=2126074883 Ack=2008317638 Win=513[Malformed Packet]
    578 40799.312476 me.me.me.me -> 192.99.144.140 TCP 66 [TCP Window Update] 80 → 59325 [ACK] Seq=1 Ack=1 Win=14848 Len=0 SLE=112 SRE=113
    579 40800.340801 192.99.144.140 -> me.me.me.me TCP 165 [TCP Retransmission] 59325 → 80 [FIN, PSH, ACK] Seq=1 Ack=1 Win=131328 Len=111
    580 40801.555925 192.99.144.140 -> me.me.me.me TCP 165 [TCP Retransmission] 59325 → 80 [FIN, PSH, ACK] Seq=1 Ack=1 Win=131328 Len=111
    581 40803.958048 192.99.144.140 -> me.me.me.me TCP 165 [TCP Retransmission] 59325 → 80 [FIN, PSH, ACK] Seq=1 Ack=1 Win=131328 Len=111
    582 40808.825058 192.99.144.140 -> me.me.me.me TCP 165 [TCP Retransmission] 59325 → 80 [FIN, PSH, ACK] Seq=1 Ack=1 Win=131328 Len=111
    583 40818.434262 192.99.144.140 -> me.me.me.me TCP 52 59325 → 80 [RST, ACK] Seq=2126074884 Ack=2008317638 Win=0[Malformed Packet]
    584 40818.434635 me.me.me.me -> 192.99.144.140 TCP 66 [TCP Dup ACK 571#1] 80 → 59325 [ACK] Seq=1 Ack=1 Win=14848 Len=0 SLE=112 SRE=113
    585 40818.518562 192.99.144.140 -> me.me.me.me TCP 52 59325 → 80 [RST] Seq=2126074772 Win=0[Malformed Packet]

    What I have done is to try to reset such nonsense with this tcp-flags entry:

    iptables -I INPUT 1 -p tcp -m tcp --tcp-flags PSH,ACK PSH,ACK -m length --length 52 -j REJECT --reject-with tcp-reset

    What I thought this would do is reset any PSH,ACK that comes in as INPUT, but it doesn't seem to reset the connection as hoped. I was expecting to see a [RST] just after the first [PSH, ACK]. Can anyone tell me why this isn't working?

    Thanks.
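    As an added example (not from the thread), a small Python model of how the two matches in the posted rule are evaluated, run over the TCP lines of the capture above. It assumes an Ethernet capture (so the IP total length that `-m length` compares is the Wireshark frame length minus 14 bytes) and that the flag names inside the brackets are the only TCP flag bits set.

```python
import re

# TCP summary lines copied from the Wireshark capture quoted in the post above.
CAPTURE = """\
572 40796.479213 192.99.144.140 -> me.me.me.me TCP 52 59325 → 80 [ACK] Seq=2126074772 Ack=2008317638 Win=513[Malformed Packet]
574 40797.259328 192.99.144.140 -> me.me.me.me TCP 165 [TCP Retransmission] 59325 → 80 [PSH, ACK] Seq=1 Ack=1 Win=131328 Len=111
577 40799.312331 192.99.144.140 -> me.me.me.me TCP 52 59325 → 80 [FIN, ACK] Seq=2126074883 Ack=2008317638 Win=513[Malformed Packet]
579 40800.340801 192.99.144.140 -> me.me.me.me TCP 165 [TCP Retransmission] 59325 → 80 [FIN, PSH, ACK] Seq=1 Ack=1 Win=131328 Len=111
583 40818.434262 192.99.144.140 -> me.me.me.me TCP 52 59325 → 80 [RST, ACK] Seq=2126074884 Ack=2008317638 Win=0[Malformed Packet]
"""

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
ETH_HDR_LEN = 14  # assumption: Ethernet capture, so IP total length = frame length - 14

_F = "|".join(FLAG_BITS)
LINE_RE = re.compile(
    rf"^(\d+)\s+\S+\s+\S+ -> \S+\s+TCP\s+(\d+)\s+.*?\[((?:{_F})(?:, (?:{_F}))*)\]")

def parse_capture(text):
    """Return (frame_no, ip_total_len, flag_byte) for every TCP summary line."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = 0
        for name in m.group(3).split(", "):
            flags |= FLAG_BITS[name]
        pkts.append((int(m.group(1)), int(m.group(2)) - ETH_HDR_LEN, flags))
    return pkts

def rule_matches(pkt, mask, comp, length=None):
    """Model of `--tcp-flags MASK COMP` plus an optional `-m length --length N`.
    Only the bits named in MASK are inspected, and they must equal COMP exactly;
    xt_length compares the IP header's total-length field with N."""
    _, ip_len, flags = pkt
    if (flags & mask) != comp:
        return False
    return length is None or ip_len == length

def frames_hit(pkts, mask, comp, length=None):
    """Frame numbers the rule would act on, in capture order."""
    return [p[0] for p in pkts if rule_matches(p, mask, comp, length)]

PSH_ACK = FLAG_BITS["PSH"] | FLAG_BITS["ACK"]

if __name__ == "__main__":
    pkts = parse_capture(CAPTURE)
    # The rule exactly as posted: --tcp-flags PSH,ACK PSH,ACK -m length --length 52
    print("posted rule hits:", frames_hit(pkts, PSH_ACK, PSH_ACK, length=52))
    # The same flag test on its own, without the length match
    print("flags-only hits: ", frames_hit(pkts, PSH_ACK, PSH_ACK))
```

    The PSH,ACK data packets in the capture carry 111 bytes of payload (165-byte frames), so the flag test alone selects them while the `--length 52` test selects none of them.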

  2. #2
    Quote Originally Posted by battles View Post
    iptables -I INPUT 1 -p tcp -m tcp --tcp-flags PSH,ACK PSH,ACK -m length --length 52 -j REJECT --reject-with tcp-reset
    What I thought this would do is reset any PSH,ACK that comes in as INPUT, but it doesn't seem to reset the connection as hoped. I was expecting to see a [RST] just after the first [PSH, ACK]. Can anyone tell me why this isn't working?
    Thanks.
    Just to be curious — is IP forwarding disabled on your server?
    Did you try to create it in the FORWARD chain if not?
