* block ip fragmented packet
From: Satish Patel @ 2015-12-10 22:38 UTC (permalink / raw)
To: netfilter
We have iptables v1.4.21 running and I am trying to stop all
fragmented packets, but the following rule doesn't work. What is wrong
here?
iptables -t raw -A PREROUTING -m u32 ! --u32 "0x4&0x3fff=0x0" -m
comment --comment "Fragmented" -j DROP
To test the rule I am doing the following:
ping -M want -s 3000 192.168.1.1
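An added example, not code from the thread: it reproduces in Python the test that the posted u32 rule performs (load 4 bytes at offset 4 of the IPv4 header, AND with 0x3fff, compare with 0, then negate) on hand-built IPv4 headers, including the three fragments that `ping -s 3000` produces on a 1500-byte link, so it is clear which datagrams the rule would drop if it saw them. The addresses, identification value and the `fragment()` helper are constructed for the example.

```python
# Added example (not from the thread): reproduce the test that the poster's
# iptables rule performs,  -m u32 ! --u32 "0x4&0x3fff=0x0",  on hand-built
# IPv4 headers, so it is clear which datagrams the rule would drop.
#
# The u32 match loads the 4 bytes at offset 4 of the IPv4 header (the 16-bit
# Identification field followed by the 16-bit Flags+Fragment-Offset field),
# ANDs them with 0x3fff and compares with 0.  0x3fff keeps MF (0x2000) and
# the 13-bit offset (0x1fff) and discards DF (0x4000) and the reserved bit.
import ipaddress
import struct

FLAG_DF = 0b010   # Don't Fragment: 0x4000 in the 16-bit Flags/Offset word
FLAG_MF = 0b001   # More Fragments: 0x2000 in the 16-bit Flags/Offset word
U32_MASK = 0x3fff


def build_ipv4_header(total_len, ident, flags, frag_offset, proto=1,
                      src="192.0.2.1", dst="192.0.2.2"):
    """Return a 20-byte IPv4 header. Addresses are constructed sample values
    (TEST-NET-1); the checksum is left at 0 because it is irrelevant here."""
    ver_ihl = (4 << 4) | 5                               # IPv4, 5 x 32-bit words
    flags_off = (flags << 13) | (frag_offset & 0x1fff)  # 3 flag bits + 13-bit offset
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, flags_off,
                       64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def u32_word(packet, offset):
    """Emulate the u32 load: 4 bytes, network order, at `offset` from the IP header start."""
    return struct.unpack_from("!I", packet, offset)[0]


def u32_matches(packet):
    """The positive test "0x4&0x3fff=0x0": true only for unfragmented datagrams."""
    return (u32_word(packet, 4) & U32_MASK) == 0


def rule_drops(packet):
    """The posted rule negates the match (`! --u32`), so it drops every fragment."""
    return not u32_matches(packet)


def describe(packet):
    """Decode the Flags/Fragment-Offset word of a header for display."""
    flags_off = struct.unpack_from("!H", packet, 6)[0]
    return {"DF": bool(flags_off & 0x4000),
            "MF": bool(flags_off & 0x2000),
            "offset_bytes": (flags_off & 0x1fff) * 8}


def fragment(payload_len, mtu=1500, ident=0x1234):
    """Split an IP payload of payload_len bytes into fragment headers the way a
    sender would for a link with the given MTU. A datagram that fits yields a
    single header with MF clear and offset 0, i.e. an unfragmented packet."""
    per_frag = ((mtu - 20) // 8) * 8          # 1480 for MTU 1500; offsets count 8-byte units
    headers, offset = [], 0
    while offset < payload_len:
        chunk = min(per_frag, payload_len - offset)
        more = offset + chunk < payload_len   # MF is set on all but the last fragment
        headers.append(build_ipv4_header(20 + chunk, ident,
                                         FLAG_MF if more else 0, offset // 8))
        offset += chunk
    return headers


if __name__ == "__main__":
    # The poster's test: ping -s 3000 carries 3000 data bytes + 8 bytes ICMP header.
    for hdr in fragment(3008):
        print(describe(hdr), "DROP" if rule_drops(hdr) else "pass")
    # An ordinary ping (56 data + 8 header bytes) with DF set is left alone:
    # DF (0x4000) is outside the 0x3fff mask.
    plain = build_ipv4_header(84, 1, FLAG_DF, 0)
    print(describe(plain), "DROP" if rule_drops(plain) else "pass")
```

The rule expression itself is sound: all three fragments of the 3008-byte ICMP datagram (offsets 0, 1480 and 2960 bytes, MF set on the first two) fail the `= 0x0` test and would be dropped, while an unfragmented packet with only DF set passes. The rest of the thread is about where the rule is placed, not what it matches.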
* Re: block ip fragmented packet
From: Anton Danilov @ 2015-12-11 6:27 UTC (permalink / raw)
To: Satish Patel; +Cc: netfilter
Hello.
Locally originated packets aren't passed through the raw/PREROUTING chain
(see this flowchart:
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
). To test your rule you should use the raw/OUTPUT chain.
Also, iptables has its own match for fragmented packets. In your case the
rule should look like: iptables -t raw -I OUTPUT --fragment -j DROP.
2015-12-11 1:38 GMT+03:00 Satish Patel <satish.txt@gmail.com>:
> We have iptables v1.4.21 running and i am trying to stop all
> fragmented packet but following rules doesn't working what is wrong
> here?
>
>
>
> iptables -t raw -A PREROUTING -m u32 ! --u32 "0x4&0x3fff=0x0" -m
> comment --comment "Fragmented" -j DROP
>
> To test rules i am doing following:
>
> ping -M want -s 3000 192.168.1.1
--
Anton.
* Re: block ip fragmented packet
From: Pascal Hambourg @ 2015-12-11 8:14 UTC (permalink / raw)
To: Anton Danilov; +Cc: Satish Patel, netfilter
Anton Danilov wrote:
> Hello.
> Local originated packets aren't passed through raw/PREROUTING chain
> To test your rule you should use raw/OUTPUT chain.
It may not work either, because packets are not fragmented yet in the
OUTPUT chain, at least when conntrack is active (not sure when it isn't).
* Re: block ip fragmented packet
From: Satish Patel @ 2015-12-11 12:53 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: Anton Danilov, netfilter
I'm testing this rule from a remote machine and sending fragmented packets using the hping3 utility.
The -f iptables option is not going to work if conntrack is there.
I don't know why it's so hard for iptables to block something like this.
If I use a tc filter, it works. But I wanted to block it using iptables.
--
Sent from my iPhone
> On Dec 11, 2015, at 3:14 AM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
>
> Anton Danilov wrote:
>> Hello.
>> Local originated packets aren't passed through raw/PREROUTING chain
>> To test your rule you should use raw/OUTPUT chain.
>
> It may not work either, because packets are not fragmented yet in the
> OUTPUT chain at least when conntrack is active (not sure when it isn't).
* Re: block ip fragmented packet
From: Pablo Neira Ayuso @ 2015-12-11 17:22 UTC (permalink / raw)
To: Satish Patel; +Cc: Pascal Hambourg, Anton Danilov, netfilter
On Fri, Dec 11, 2015 at 07:53:12AM -0500, Satish Patel wrote:
> I'm testing this rule from remote machine and sending fragmented packet using hping3 utility.
>
> -f iptables option is not going to work if conntrack there.
>
> I don't know why it's so hard for iptable to block something like this.
You have nf_defrag_ipv4 loaded (it comes with conntrack); therefore,
fragments are reassembled before entering conntrack, then fragmented
again on the output path.
In nftables you can add a chain *before* priority -400 that should see
fragmented packets.
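An added example following the pointer above, not from the thread or from the netfilter project: an nftables ruleset whose base chain hooks prerouting at priority -450. nf_defrag_ipv4 registers its hook at -400 (NF_IP_PRI_CONNTRACK_DEFRAG), and the iptables raw table sits at -300 (NF_IP_PRI_RAW), so with conntrack loaded the raw/PREROUTING rule only ever sees the reassembled datagram; a chain with a lower priority value runs earlier and still sees the individual fragments. The table and chain names are assumptions; `ip frag-off` is the 16-bit Flags+Fragment Offset word, so masking with 0x3fff is the same test the u32 rule performs.

```nft
# Added example (not from the thread). Load with:  nft -f fragments.nft
table ip prefrag {
	# Base chain hooked before nf_defrag_ipv4 (priority -400), so each
	# incoming fragment is still visible as a fragment here.
	chain prerouting {
		type filter hook prerouting priority -450; policy accept;

		# MF bit (0x2000) set or non-zero 13-bit offset (0x1fff):
		# the same 0x3fff mask as the u32 rule. The counter lets you
		# confirm hits with:  nft list ruleset
		ip frag-off & 0x3fff != 0 counter drop
	}
}
```

Only the prerouting path is covered, which matches the test from a remote machine with hping3; locally generated packets are fragmented after the output hooks, as Pascal notes earlier in the thread, so an equivalent output chain would not see them.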
* Re: block ip fragmented packet
From: Satish Patel @ 2015-12-11 18:40 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Pascal Hambourg, Anton Danilov, netfilter
>> In nftables you can add a chain *before* priority -400 that should see
>> fragmented packets.
What is nftables? How do I set the priority? Could you please explain?
On Fri, Dec 11, 2015 at 12:22 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Dec 11, 2015 at 07:53:12AM -0500, Satish Patel wrote:
>> I'm testing this rule from remote machine and sending fragmented packet using hping3 utility.
>>
>> -f iptables option is not going to work if conntrack there.
>>
>> I don't know why it's so hard for iptable to block something like this.
>
> You got nf_defrag_ipv4 loaded (it comes with conntrack), therefore,
> fragments are reassembled before entering conntrack, then fragmented
> back from the output path.
>
> In nftables you can add a chain *before* priority -400 that should see
> fragmented packets.