block ip fragmented packet

block ip fragmented packet

[Satish Patel]

We have iptables v1.4.21 running and i am trying to stop all
fragmented packet but following rules doesn't working what is wrong
here?



iptables -t raw -A PREROUTING -m u32 ! --u32 "0x4&0x3fff=0x0" -m
comment --comment "Fragmented" -j DROP

To test rules i am doing following:

ping -M want -s 3000 192.168.1.1

Re: block ip fragmented packet

[Anton Danilov]

Hello.
Local originated packets aren't passed through raw/PREROUTING chain
(see this flowchart -
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
). To test your rule you should use raw/OUTPUT chain.
Also iptables has own match for fragmented packes. In your case this
rule should looks like: iptables -t raw -I OUTPUT --fragment -j DROP.

2015-12-11 1:38 GMT+03:00 Satish Patel <satish.txt@gmail.com>:
> We have iptables v1.4.21 running and i am trying to stop all
> fragmented packet but following rules doesn't working what is wrong
> here?
>
>
>
> iptables -t raw -A PREROUTING -m u32 ! --u32 "0x4&0x3fff=0x0" -m
> comment --comment "Fragmented" -j DROP
>
> To test rules i am doing following:
>
> ping -M want -s 3000 192.168.1.1
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
Anton.

Re: block ip fragmented packet

[Pascal Hambourg]

Anton Danilov a écrit :
> Hello.
> Local originated packets aren't passed through raw/PREROUTING chain
> To test your rule you should use raw/OUTPUT chain.

It may not work either, because packets are not fragmented yet in the
OUTPUT chain at least when conntrack is active (not sure when it isn't).

Re: block ip fragmented packet

[Satish Patel]

I'm testing this rule from remote machine and sending fragmented packet using hping3 utility. 

-f  iptables option is not going to work if conntrack there. 

I don't know why it's so hard for iptable to block something like this. 

If I use tc filter then it works. But I wanted to block using iptables. 

--
Sent from my iPhone

> On Dec 11, 2015, at 3:14 AM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
> 
> Anton Danilov a écrit :
>> Hello.
>> Local originated packets aren't passed through raw/PREROUTING chain
>> To test your rule you should use raw/OUTPUT chain.
> 
> It may not work either, because packets are not fragmented yet in the
> OUTPUT chain at least when conntrack is active (not sure when it isn't).

Re: block ip fragmented packet

[Pablo Neira Ayuso]

On Fri, Dec 11, 2015 at 07:53:12AM -0500, Satish Patel wrote:
> I'm testing this rule from remote machine and sending fragmented packet using hping3 utility. 
> 
> -f  iptables option is not going to work if conntrack there. 
> 
> I don't know why it's so hard for iptable to block something like this. 

You got nf_defrag_ipv4 loaded (it comes with conntrack), therefore,
fragments are reassembled before entering conntrack, then fragmented
back from the output path.

In nftables you can add a chain *before* priority -400 that should see
fragmented packets.

Re: block ip fragmented packet

[Satish Patel]

>> In nftables you can add a chain *before* priority -400 that should see
fragmented packets.

what is nftables?  How do i set priority? could you please explain?

On Fri, Dec 11, 2015 at 12:22 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Dec 11, 2015 at 07:53:12AM -0500, Satish Patel wrote:
>> I'm testing this rule from remote machine and sending fragmented packet using hping3 utility.
>>
>> -f  iptables option is not going to work if conntrack there.
>>
>> I don't know why it's so hard for iptable to block something like this.
>
> You got nf_defrag_ipv4 loaded (it comes with conntrack), therefore,
> fragments are reassembled before entering conntrack, then fragmented
> back from the output path.
>
> In nftables you can add a chain *before* priority -400 that should see
> fragmented packets.