Linux iptables - reject tcp SYN with RST


Interesting.

I just tested that and on my system it works as you expect it to. I tested it with port 25 on my local server which isn't in high use:

iptables-save
# Generated by iptables-save v1.4.12 on Fri Aug 22 14:34:49 2014
*nat
:PREROUTING ACCEPT [12:1729]
:INPUT ACCEPT [12:1729]
:OUTPUT ACCEPT [110:7484]
:POSTROUTING ACCEPT [110:7484]
-A PREROUTING -p tcp -m tcp --dport 225 -j DNAT --to-destination :25
COMMIT
# Completed on Fri Aug 22 14:34:49 2014
# Generated by iptables-save v1.4.12 on Fri Aug 22 14:34:49 2014
*filter
:INPUT ACCEPT [888:1187686]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [883:134630]
-A INPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Fri Aug 22 14:34:49 2014

telnet XXX.XXX.XXX.XXX 225
Trying XXX.XXX.XXX.XXX...
telnet: Unable to connect to remote host: Connection refused

I don't get the connection established and then the reset, like you do.

I'm using Linux 3.2.0-67 & iptables v1.4.12

tcpdump -vvvv tcp port 225
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:48:29.178049 IP (tos 0x10, ttl 64, id 50487, offset 0, flags [DF], proto TCP (6), length 60)
    xx.39444 > xxxxx.225: Flags [S], cksum 0x2c0d (correct), seq 47731887, win 14600, options [mss 1460,sackOK,TS val 665686424 ecr 0,nop,wscale 5], length 0
14:48:29.178089 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    xxxxx.225 > xx.39444: Flags [R.], cksum 0x3745 (incorrect -> 0x8628), seq 0, ack 47731888, win 0, length 0
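The two outcomes discussed here, the RST answering the SYN directly (the answer's capture) versus the RST arriving only after a full SYN/SYN-ACK/ACK (the sequence in the question), can be told apart mechanically from tcpdump output. The following Python parser is an added example, not code from the answer or the question; the capture text it embeds is constructed in tcpdump's format, and the hosts 10.0.0.1/10.0.0.2 and the flow on port 8023 are assumed.

```python
import re
# tcpdump's per-segment line, e.g. "xx.39444 > xxxxx.225: Flags [S], cksum ..."
FLAGS_RE = re.compile(r"^\s*(\S+?)\.(\d+) > (\S+?)\.(\d+): Flags \[([A-Z.]*)\]")

def parse_flows(capture):
    """Group segments by connection: flows maps a sorted endpoint pair to
    [(sender, flags), ...]; clients records which endpoint sent the bare SYN."""
    flows, clients = {}, {}
    for line in capture.splitlines():
        if not (m := FLAGS_RE.match(line)):
            continue  # IP-header lines carry no TCP flags
        src, sport, dst, dport, flags = m.groups()
        a, b = (src, sport), (dst, dport)
        key = tuple(sorted((a, b)))
        if key not in clients and "S" in flags and "." not in flags:
            clients[key] = a
        flows.setdefault(key, []).append(("client" if clients.get(key) == a else "server", flags))
    return flows, clients

def classify(segments):
    """'reset_at_syn': the RST is the server's first reply, which is what REJECT
    --reject-with tcp-reset on the SYN should produce. 'reset_after_handshake': a
    SYN/ACK came first, so the SYN reached a listening socket, not the REJECT rule."""
    saw_synack = False
    for sender, flags in segments:
        if sender == "server" and "S" in flags and "." in flags:
            saw_synack = True
        if sender == "server" and "R" in flags:
            return "reset_after_handshake" if saw_synack else "reset_at_syn"
    return "no_reset"

def classify_capture(capture):
    flows, clients = parse_flows(capture)
    out = {}
    for key, segments in flows.items():
        c = clients.get(key, key[0])
        s = key[1] if c == key[0] else key[0]
        out[f"{c[0]}:{c[1]}>{s[0]}:{s[1]}"] = classify(segments)
    return out

# Constructed, abbreviated tcpdump -vvvv output: port 225 behaves like the
# answer's capture, port 8023 like the question's (hosts and ports assumed).
SAMPLE = """\
14:48:29.178049 IP (tos 0x10, ttl 64, id 50487, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.2.39444 > 10.0.0.1.225: Flags [S], seq 47731887, win 14600, length 0
    10.0.0.1.225 > 10.0.0.2.39444: Flags [R.], seq 0, ack 47731888, win 0, length 0
    10.0.0.2.40000 > 10.0.0.1.8023: Flags [S], seq 1, win 14600, length 0
    10.0.0.1.8023 > 10.0.0.2.40000: Flags [S.], seq 100, ack 2, win 14600, length 0
    10.0.0.2.40000 > 10.0.0.1.8023: Flags [.], ack 101, win 457, length 0
    10.0.0.1.8023 > 10.0.0.2.40000: Flags [R.], seq 101, ack 2, win 0, length 0
"""
```

Running `classify_capture(SAMPLE)` labels the port-225 flow `reset_at_syn` and the port-8023 flow `reset_after_handshake`; feed it the output of `tcpdump -vvvv tcp port <port>` to check which case a rule set actually produces.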

Author: UserM

Telecom Engineer with experience in C/C++ programming for Embedded systems.

Updated on September 18, 2022

Comments

  • UserM
    UserM over 1 year

    I am doing an implementation on a Linux machine to reject incoming telnet requests from the WAN side on telnet port 8023. The functionality is achieved by using the iptables rules below. The first rule, in the NAT PREROUTING chain, DNATs incoming TCP frames from port 8023 to 23, and the second rule rejects these TCP frames on port 23 with tcp-reset.

    iptables -t nat -A PREROUTING -i wan+ -p tcp --dport 8023 -j DNAT --to-destination :23
    iptables -A INPUT -i wan+ -p tcp --dport 23 -j REJECT --reject-with tcp-reset

    The new session on the wan machine gets terminated after adding these rules.

    [root@ROOT ~]# telnet 192.168.3.252 8023
    Trying 192.168.3.252...
    Connected to 192.168.3.252.
    Escape character is '^]'.
    Connection closed by foreign host.

    However, on viewing the Wireshark capture of the entire transaction from the WAN machine, the following sequence was observed.

    TCP sequence:
    SYN -->
        <-- SYN/ACK
    ACK -->
        <-- RST

    The Wireshark capture of the telnet frames has been attached too.

    Can we send an RST for the first SYN request with an iptables rule, as below?

    TCP sequence:
    SYN -->
        <-- RST

    Could someone help in this regard? Thanks in advance.

    • Navern
      Navern over 9 years
      Why do you need PREROUTING then? You should just drop this packet instead of NATing it to another port.
  • UserM
    UserM over 9 years
    I use iptables v1.4.8; do we have a limitation in this version?