All of lore.kernel.org
* Blocking UDP Fragments
@ 2011-05-16 20:42 Ryan Gelobter
  2011-05-18  4:27 ` Pandu Poluan
  0 siblings, 1 reply; 5+ messages in thread
From: Ryan Gelobter @ 2011-05-16 20:42 UTC (permalink / raw)
  To: netfilter

Can anyone provide me with some help in creating an iptables rule to drop packets such as the ones below? I've modified the amount of XXX in the packet contents since they are normally much larger; however, they do vary in size. I've come to realize the -f flag does not work for this type of packet and am confused by examples that explain matching by using the u32 module/"more fragments" flag.

U 0.0.0.0 -> 0.0.0.0 +39221@5920:1480
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#
U 0.0.0.0 -> 0.0.0.0 +39221@7400:800
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

U 0.0.0.0 -> 0.0.0.0 +39221@2960:1480
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Thanks,
Ryan G


* Re: Blocking UDP Fragments
  2011-05-16 20:42 Blocking UDP Fragments Ryan Gelobter
@ 2011-05-18  4:27 ` Pandu Poluan
  2011-05-18 12:23   ` Jan Engelhardt
  0 siblings, 1 reply; 5+ messages in thread
From: Pandu Poluan @ 2011-05-18  4:27 UTC (permalink / raw)
  To: Ryan Gelobter; +Cc: netfilter

On Tue, May 17, 2011 at 03:42, Ryan Gelobter
<r.gelobter@limestonenetworks.com> wrote:
> Can anyone provide me with some help in creating an iptables rule to drop packets such as the ones below? I've modified the amount of XXX in the packet contents since they are normally much larger however they do vary in size. I've come to realize the -f flag does not work for this type of packet and am confused by examples that explain matching by using the u32 module/"more fragments" flag.
>
> U 0.0.0.0 -> 0.0.0.0 +39221@5920:1480
>  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> #
> U 0.0.0.0-> 0.0.0.0 +39221@7400:800
>  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
> U 0.0.0.0-> 0.0.0.0 +39221@2960:1480
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>

If you want to drop all fragmented packets, including the first packet
of the fragment,

iptables -t raw -A PREROUTING -m u32 ! --u32 "0x4&0x3fff=0x0" -m comment \
    --comment "Fragmented" -j DROP

Explanation:

-m u32 : use the u32 match
--u32 : the parameter for the u32 match

0x4 : get 32 bits starting byte #4 (very first byte is #0)
&0x3fff : do a bitwise AND against those 32 bits

=0x0 : UN-fragmented packets will have those 14 bits = 0

! : negation, i.e., we want to match packets whose fragmentation bits != 0

Rgds
-- 
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com


* Re: Blocking UDP Fragments
  2011-05-18  4:27 ` Pandu Poluan
@ 2011-05-18 12:23   ` Jan Engelhardt
  2011-05-19  8:43     ` Pandu Poluan
  0 siblings, 1 reply; 5+ messages in thread
From: Jan Engelhardt @ 2011-05-18 12:23 UTC (permalink / raw)
  To: Pandu Poluan; +Cc: Ryan Gelobter, netfilter


On Wednesday 2011-05-18 06:27, Pandu Poluan wrote:
>
>If you want to drop all fragmented packets, including the first packet
>of the fragment,
>
>iptables -t raw -A PREROUTING -m u32 ! --u32 0x4&0x3fff=0x0 -m comment
>--comment \"Fragmented\" -j DROP

Yeah but you forget

	iptables -f -j DROP

and that, when nf_defrag is loaded, autodefragmentation is happening and
Xtables won't see any more fragments.


* Re: Blocking UDP Fragments
  2011-05-18 12:23   ` Jan Engelhardt
@ 2011-05-19  8:43     ` Pandu Poluan
  2011-05-19  8:51       ` Pandu Poluan
  0 siblings, 1 reply; 5+ messages in thread
From: Pandu Poluan @ 2011-05-19  8:43 UTC (permalink / raw)
  To: netfilter

On Wed, May 18, 2011 at 19:23, Jan Engelhardt <jengelh@medozas.de> wrote:
>
> On Wednesday 2011-05-18 06:27, Pandu Poluan wrote:
>>
>>If you want to drop all fragmented packets, including the first packet
>>of the fragment,
>>
>>iptables -t raw -A PREROUTING -m u32 ! --u32 0x4&0x3fff=0x0 -m comment
>>--comment \"Fragmented\" -j DROP
>
> Yeah but you forget
>
>        iptables -f -j DROP
>
> and that, when nf_defrag is loaded, autodefragmentation is happening and
> Xtables won't see any more fragments.
>

Why should I match against -f ? Doesn't " ! --u32 0x4&0x3fff=0x0 "
already match against the first and subsequent packets?

And when does nf_defrag actually do its magic? Doesn't it take place
during conntrack, and thus after '-t raw' ?


Rgds,
-- 
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com


* Re: Blocking UDP Fragments
  2011-05-19  8:43     ` Pandu Poluan
@ 2011-05-19  8:51       ` Pandu Poluan
  0 siblings, 0 replies; 5+ messages in thread
From: Pandu Poluan @ 2011-05-19  8:51 UTC (permalink / raw)
  To: netfilter

On Thu, May 19, 2011 at 15:43, Pandu Poluan <pandu@poluan.info> wrote:
> On Wed, May 18, 2011 at 19:23, Jan Engelhardt <jengelh@medozas.de> wrote:
>>
>> On Wednesday 2011-05-18 06:27, Pandu Poluan wrote:
>>>
>>>If you want to drop all fragmented packets, including the first packet
>>>of the fragment,
>>>
>>>iptables -t raw -A PREROUTING -m u32 ! --u32 0x4&0x3fff=0x0 -m comment
>>>--comment \"Fragmented\" -j DROP
>>
>> Yeah but you forget
>>
>>        iptables -f -j DROP
>>
>> and that, when nf_defrag is loaded, autodefragmentation is happening and
>> Xtables won't see any more fragments.
>>
>
> Why should I match against -f ? Doesn't " ! --u32 0x4&0x3fff=0x0 "
> already match against the first and subsequent packets?
>

Um, maybe I need to explain it more clearly:

0x3fff matches bits 18~31 of the 32 bits taken from octet 4.

Bits #19~31 indicate the fragment offset. Non-zero for subsequent
fragments, zero for the first fragment.

Bit #18 is the "More Fragment" bit.

So, if the packet is fragmented, Bits #18~31 can't all be '0'; bit #18
will be '1' for all packets *except* the last fragmented packet, and
bits #19~31 will be non-zero for all packets *except* the first
fragmented packet.

Reference:
  * http://www.wtcs.org/snmp4tpc/images/IP-Header.jpg
  * http://www.stearns.org/doc/iptables-u32.current.html (near the end
of the page)

> And when does nf_defrag actually do its magic? Doesn't it take place
> during conntrack, and thus after '-t raw' ?
>


-- 
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
Google Talk:    pepoluan
Y! messenger: pepoluan
MSN / Live:      pepoluan@hotmail.com (do not send email here)
Skype:            pepoluan
More on me:  My LinkedIn Account  My Facebook Account
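The two things discussed in this thread, Pandu's u32 expression "0x4&0x3fff=0x0" and Jan's "-f" match, can be evaluated offline against hand-built IPv4 headers. The block below is an added example, not code from the thread or from the netfilter project: it packs minimal 20-byte IPv4 headers modelled on Ryan's capture (id 39221, fragment byte offsets 0, 2960 and 7400, addresses 0.0.0.0), then applies both matches the way the kernel sees the header bytes. The constructed samples, the helper names (build_ipv4_header, matches_u32_fragment_rule, matches_dash_f, classify) and the DF-only control packet are assumptions for illustration. The -f semantics follow the iptables man page (second and further fragments, i.e. fragment offset != 0); the u32 semantics follow Pandu's explanation (MF bit plus fragment offset). One caveat a practitioner will want on Pandu's open question: in the netfilter headers the IPv4 defragmentation hook has priority NF_IP_PRI_CONNTRACK_DEFRAG (-400), which runs before NF_IP_PRI_RAW (-300), so with nf_defrag_ipv4 loaded neither rule sees fragments even in the raw table; the example models only what the matches do when an unreassembled fragment actually reaches them.

```python
"""Added example: evaluate 'iptables -m u32 ! --u32 0x4&0x3fff=0x0' and
'iptables -f' against constructed IPv4 headers.  Not from the original thread."""
import struct

# Bits of the 16-bit flags/fragment-offset field at IPv4 header bytes 6-7
IP_RF = 0x8000       # reserved flag
IP_DF = 0x4000       # don't fragment
IP_MF = 0x2000       # more fragments
IP_OFFMASK = 0x1fff  # fragment offset, in units of 8 bytes

# The u32 rule from the thread loads the 32-bit word at byte offset 4
# (identification + flags/offset) and masks the low 14 bits: MF + offset.
U32_OFFSET = 0x4
U32_MASK = 0x3fff


def build_ipv4_header(ident, flags, frag_byte_offset, payload_len=0, proto=17):
    """Constructed sample input: a minimal 20-byte IPv4 header (no options).
    Source/destination are 0.0.0.0 as in the poster's capture; checksum is
    left at zero because nothing here validates it."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + payload_len
    frag_field = (flags & (IP_RF | IP_DF | IP_MF)) | ((frag_byte_offset // 8) & IP_OFFMASK)
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident,
                       frag_field, 64, proto, 0, b"\0" * 4, b"\0" * 4)


def u32_word(packet, offset):
    """What '-m u32' reads: 4 bytes at `offset` from the start of the IP
    header, interpreted big-endian (network order)."""
    return struct.unpack_from("!I", packet, offset)[0]


def matches_u32_fragment_rule(packet):
    """'! --u32 0x4&0x3fff=0x0': true when MF is set or the offset is non-zero,
    i.e. for every fragment including the first one."""
    return (u32_word(packet, U32_OFFSET) & U32_MASK) != 0


def matches_dash_f(packet):
    """'iptables -f': true only for second and further fragments
    (fragment offset != 0); the first fragment has offset 0 and is skipped."""
    frag_field = struct.unpack_from("!H", packet, 6)[0]
    return (frag_field & IP_OFFMASK) != 0


def classify(packet):
    """Return what each of the two matches would decide for this header."""
    return {"u32_rule": matches_u32_fragment_rule(packet),
            "dash_f": matches_dash_f(packet)}


# Constructed samples.  The fragment series mirrors the capture in the
# thread (id 39221, 1480-byte pieces, last piece 800 bytes at offset 7400).
SAMPLES = {
    "unfragmented":    build_ipv4_header(1, 0, 0, 100),
    # DF set but not fragmented: 0x4000 & 0x3fff == 0, so the mask must be
    # 0x3fff and not 0x7fff or DF-marked traffic would be dropped too.
    "unfragmented_DF": build_ipv4_header(2, IP_DF, 0, 100),
    "first_fragment":  build_ipv4_header(39221, IP_MF, 0, 1480),
    "middle_fragment": build_ipv4_header(39221, IP_MF, 2960, 1480),
    "last_fragment":   build_ipv4_header(39221, 0, 7400, 800),
}


if __name__ == "__main__":
    print(f"{'packet':<16} {'u32 rule':<9} {'-f'}")
    for name, pkt in SAMPLES.items():
        result = classify(pkt)
        print(f"{name:<16} {str(result['u32_rule']):<9} {result['dash_f']}")
```

Running it prints one row per sample; the row to look at is first_fragment, where the u32 rule matches and -f does not, which is exactly the gap Ryan ran into with -f. The unfragmented_DF row shows why the mask stops at 0x3fff.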

