Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to make all outgoing RST drop

Tags:

linux

networking

linux-kernel

tcp

iptables

I am trying to drop all the outgoing RST and incoming RST on all ports. I am using Debian linux. I tried all possible combinations of commands listed on the internet but nothing seems to work.

For example, i tried: 

iptables -A OUTPUT -o eth0 -p tcp --tcp-flags RST RST -j DROP  
iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
iptables -A INPUT -p tcp --tcp-flags RST RST -m state --state RELATED,ESTABLISHED -j DROP  
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

Still i am seeing RST packets being sent by the kernel and also receiving RST packets. Please try to resolve this issue

like image 312
Justin Carrey Avatar asked Nov 04 '12 01:11

Justin Carrey

2 Answers

If you are looking to drop inbound RST packets, you will want to do this:

iptables -I INPUT -p tcp --tcp-flags ALL RST,ACK -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL RST -j DROP

If you are looking to drop outbound RST packets, you will want to do this:

iptables -I OUTPUT -p tcp --tcp-flags ALL RST,ACK -j DROP

Why RST ACK? According to the RFC, any response to a TCP packet including a SYN must ACK that sequence number. Therefore, even if you are indicating that your port is closed, you respond with a RST ACK.

Why care about outbound RST? If you're trying to use a tool like Scapy to experiment with IP behavior, you will frequently need to prevent the host's IP stack from sending back a RST ACK. Alternatively, you could implement a pseudo-stack in Scapy, claiming a MAC, responding to ARP or ICMP ND for IPv6, and bind your own IP address, which will also prevent the host's stack from responding. Clearly, this is more work than simply blocking outbound RST packets.

like image 200
David Hoelzer Avatar answered Sep 30 '22 16:09

David Hoelzer

Hmm, it's quite possible that this is going through the forward chain rather than the input or output chain, since you are running this on the host machine.

A trick to debug this is to use iptables -L -v, this displays counts of how many packets go to each rule, if you set up a command that send lots of packets like this

watch --interval 0.1 "nc remote.machine CLOSED_PORT"

you can work out which rule is getting hit. You should also be aware that there are orthogonal tables - sets of rule chains used in different situations (e.g for nat). It might be worth looking in the NAT table - since your virtual host might be NAT'ing through your host rather than having it's own IP address

iptables -L -v -t nat

It would be informative to know what IP address the virtual host has - since if this is disjoint from your network's subnet this will probably be being NAT'ed.

like image 41
Att Righ Avatar answered Sep 30 '22 15:09

Att Righ
Sign in to Comment

Related questions

Magento Extension 404 Error
Is Mercurial Server a must for using Mercurial?
How to add a carriage return as a character to a file?
Deploying a Java project on Linux system
Update file, but not alter file modify date. Can it be done?
Is there a lightweight way to obtain the current number of Processes in Linux?
How to find nested directories?
Best way to exit a program gracefully without using pkill
freeing memory inside a signal handler
php file_exists is returning false even if file exist on my linux
How to change encoding in many files?
Using stdin with select() in C
Pass action as Parameter on Command Prompt (Linux)
Bash: '$(( ))' means 'expr' and '[ ]' means 'test'?
Delete line from text file with line numbers from another file
Why does Gunicorn use port 8000/8001 instead of 80?
In linux shell, How to cp/rm files by time?
How to make gcc warn about unknown functions?
Atomic Operations in C on Linux
raw socket listener

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!