Linux iptables - reject tcp SYN with RST
Interesting.
I just tested that and on my system it works as you expect it to. I tested it with port 25 on my local server, which isn't in high use:
iptables-save
# Generated by iptables-save v1.4.12 on Fri Aug 22 14:34:49 2014
*nat
:PREROUTING ACCEPT [12:1729]
:INPUT ACCEPT [12:1729]
:OUTPUT ACCEPT [110:7484]
:POSTROUTING ACCEPT [110:7484]
-A PREROUTING -p tcp -m tcp --dport 225 -j DNAT --to-destination :25
COMMIT
# Completed on Fri Aug 22 14:34:49 2014
# Generated by iptables-save v1.4.12 on Fri Aug 22 14:34:49 2014
*filter
:INPUT ACCEPT [888:1187686]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [883:134630]
-A INPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Fri Aug 22 14:34:49 2014

telnet XXX.XXX.XXX.XXX 225
Trying XXX.XXX.XXX.XXX...
telnet: Unable to connect to remote host: Connection refused
I don't get the connection established and then the reset like you do.
I'm using Linux 3.2.0-67 and iptables v1.4.12.
tcpdump -vvvv tcp port 225
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:48:29.178049 IP (tos 0x10, ttl 64, id 50487, offset 0, flags [DF], proto TCP (6), length 60)
    xx.39444 > xxxxx.225: Flags [S], cksum 0x2c0d (correct), seq 47731887, win 14600, options [mss 1460,sackOK,TS val 665686424 ecr 0,nop,wscale 5], length 0
14:48:29.178089 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    xxxxx.225 > xx.39444: Flags [R.], cksum 0x3745 (incorrect -> 0x8628), seq 0, ack 47731888, win 0, length 0
Updated on September 18, 2022
Comments
-
UserM over 1 year
I am doing an implementation on a Linux machine to reject incoming telnet requests from the WAN side on telnet port 8023. The functionality is achieved by using the iptables rules below. The first rule, in the NAT PREROUTING chain, DNATs incoming TCP frames from port 8023 to 23, and the second rule rejects these TCP frames on port 23 with tcp-reset.
iptables -t nat -A PREROUTING -i wan+ -p tcp --dport 8023 -j DNAT --to-destination :23
iptables -A INPUT -i wan+ -p tcp --dport 23 -j REJECT --reject-with tcp-reset
The new session on the WAN machine gets terminated after adding these rules.
[root@ROOT ~]# telnet 192.168.3.252 8023
Trying 192.168.3.252...
Connected to 192.168.3.252.
Escape character is '^]'.
Connection closed by foreign host.
However, on looking at the Wireshark capture of the entire transaction from the WAN machine, the following sequence was observed.
TCP sequence:
SYN -->
    <-- SYN/ACK
ACK -->
    <-- RST
The Wireshark capture has been attached too.
Can we send a RST for the first SYN request with an iptables rule, as below?
TCP sequence:
SYN -->
    <-- RST
Could someone help in this regard... Thanks in advance.
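To tell the two outcomes in this thread apart from a capture rather than by eye, here is an added Python example (my own code, not something posted by UserM or the answerer). It parses tcpdump's default -n text lines (the single-line layout, not the -vvvv layout quoted in the answer), groups packets into flows keyed by whichever side sent the first bare SYN, and reports whether the server answered that SYN directly with a RST (the SYN, RST exchange the answerer saw) or sent a SYN/ACK first and reset only after the handshake (the SYN, SYN/ACK, ACK, RST exchange in the question). The capture text, the addresses (RFC 5737 documentation ranges) and the function names are constructed for this example.

```python
import re
from collections import OrderedDict

# Constructed sample capture in tcpdump's default "-n" text format. Flow one
# mirrors the answerer's test (port 225, RST straight back to the SYN); flow
# two mirrors the questioner's observation (port 8023, handshake then RST).
# Addresses and sequence numbers are made up for this example.
SAMPLE_CAPTURE = """\
14:48:29.178049 IP 192.0.2.10.39444 > 198.51.100.5.225: Flags [S], seq 47731887, win 14600, length 0
14:48:29.178089 IP 198.51.100.5.225 > 192.0.2.10.39444: Flags [R.], seq 0, ack 47731888, win 0, length 0
14:50:01.000100 IP 192.0.2.10.40001 > 198.51.100.5.8023: Flags [S], seq 1000, win 14600, length 0
14:50:01.000200 IP 198.51.100.5.8023 > 192.0.2.10.40001: Flags [S.], seq 5000, ack 1001, win 14480, length 0
14:50:01.000300 IP 192.0.2.10.40001 > 198.51.100.5.8023: Flags [.], ack 5001, win 457, length 0
14:50:01.000400 IP 198.51.100.5.8023 > 192.0.2.10.40001: Flags [R.], seq 5001, ack 1001, win 0, length 0
"""

# tcpdump flag letters: S = SYN, "." = ACK, R = RST, F = FIN, P = PSH.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?"
)


def parse_capture(text):
    """Return one dict per tcpdump line that looks like a TCP packet; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
        p["seq"] = int(p["seq"]) if p["seq"] is not None else None
        p["ack"] = int(p["ack"]) if p["ack"] is not None else None
        packets.append(p)
    return packets


def classify_exchanges(text):
    """Map each client flow (client, cport, server, sport) to a verdict and the
    flags the server sent, in order:
      'rst-on-syn'           the server's first reply to the SYN was a RST
      'rst-after-handshake'  the server sent SYN/ACK before any RST
      'no-rst'               no RST from the server was seen
    """
    flows = OrderedDict()  # client 4-tuple -> list of (from_server, flags)
    for p in parse_capture(text):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in flows:
            flows[fwd].append((False, p["flags"]))
        elif rev in flows:
            flows[rev].append((True, p["flags"]))
        elif "S" in p["flags"] and "." not in p["flags"]:
            # A bare SYN opens a new flow; its sender is the client side.
            flows[fwd] = [(False, p["flags"])]
        # Packets that match no known flow and are not a bare SYN are ignored.

    results = {}
    for key, pkts in flows.items():
        server_flags = [flags for from_server, flags in pkts if from_server]
        verdict = "no-rst"
        for i, flags in enumerate(server_flags):
            if "R" in flags:
                seen_synack = any("S" in f for f in server_flags[:i])
                verdict = "rst-after-handshake" if seen_synack else "rst-on-syn"
                break
        results[key] = {"verdict": verdict, "server_flags": server_flags}
    return results


if __name__ == "__main__":
    for (client, cport, server, sport), info in classify_exchanges(SAMPLE_CAPTURE).items():
        print(f"{client}:{cport} -> {server}:{sport}  {info['verdict']}  server sent {info['server_flags']}")
```

Feed it the output of tcpdump -n taken on the client side. A flow reported as rst-after-handshake means something answered the SYN with a SYN/ACK before the RST went out, so the reject rule was not what handled the initial SYN; that is the case in which to re-examine which chain and which rule actually saw the packet.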
-
Navern over 9 years: Why do you need PREROUTING then? You should just drop this packet instead of NATing it to another port.
-
UserM over 9 years: I use iptables v1.4.8; do we have a limitation in this version?