Another question
I am going to be real annoying for the next few days :) with my questions, but
I will return all the help I get.

Just to let you guys know, what we are doing is building a Linux firewall for
an entire datacenter with one OC3 and 3 DS3s for connectivity.

I have some really nice hardware assembled :)

Anyway, my next question is:

Is there a way to set up a rule/chain that would drop a SYN and send a reset
packet back to the offending machine? And if so, what would that look like?

thanks


--
Advanced Hosting UNIX Admin | Daniel Fairchild danielf@supportteam.net
To rate my service or provide feedback, please visit the following URL:
http://www.supportteam.net/rate.php3

Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
Re: Another question
> is there a way to setup a rule/chain that would drop a syn and send a reset
> packet back to the offending machine. and if so what would that look like.

From the man page....

REJECT
This is used to send back an error packet in response to the
matched packet: otherwise it is equivalent to DROP. This target is only
valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which
are only called from those chains. Several options control the nature of the
error packet returned:

--reject-with type
The type given can be icmp-net-unreachable,
icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable,
icmp-net-prohibited or icmp-host-prohibited, which return the appropriate
ICMP error message (port-unreachable is the default). The option
echo-reply is also allowed; it can only be used for rules which specify
an ICMP ping packet, and generates a ping reply. Finally, the option
tcp-reset can be used on rules which only match the TCP protocol: this
causes a TCP RST packet to be sent back. This is mainly useful for
blocking ident probes which frequently occur when sending mail to broken
mail hosts (which won't accept your mail otherwise).

From this I deduce an example might look something like

iptables -A FORWARD -p tcp --syn -j REJECT --reject-with tcp-reset

(and this is in the how-to as well - it just directs you to the man pages for
the options)

Cheers
Nigel
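The rule in the reply above, applied as written to the FORWARD chain, resets every new TCP connection that crosses the firewall, not just those from one "offending machine". The script below is an added example (not from this thread or from the iptables project) that prints the broad rule next to a scoped version: established flows are accepted first, then new SYNs from a single source are logged and answered with a TCP RST. It assumes iptables with the connection-tracking state match (`-m state`) is available, and uses 192.0.2.10 as a constructed placeholder address. By default it only echoes the commands so the rule order can be reviewed; set IPTABLES=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example: build the REJECT/tcp-reset rules discussed in the reply as a
# reviewable list. The default IPTABLES value only prints the commands;
# IPTABLES=iptables applies them (needs root).
IPTABLES="${IPTABLES:-echo iptables}"

# Broad form: the rule from the reply with no source or state scoping. It
# resets every new TCP connection that the firewall forwards.
broad_rule() {
    $IPTABLES -A FORWARD -p tcp --syn -j REJECT --reject-with tcp-reset
}

# Scoped form: accept packets of connections that are already established,
# then log and reset only new SYNs from the one offending source address
# (assumed to be passed as $1; 192.0.2.10 below is a constructed placeholder).
scoped_rules() {
    src="$1"
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -p tcp --syn -s "$src" -j LOG --log-prefix "FW-RST: "
    $IPTABLES -A FORWARD -p tcp --syn -s "$src" -j REJECT --reject-with tcp-reset
}

# Number of rules the scoped set emits; used to sanity-check a dry run.
scoped_rule_count() {
    scoped_rules "$1" | wc -l | tr -d ' '
}

# Dry run: print the scoped rule set for review.
scoped_rules 192.0.2.10
```

The LOG rule sits directly before the REJECT so each reset SYN leaves a kernel log line with the FW-RST: prefix; that is what lets you confirm the rule is hitting only the intended source before trusting it on a production link. Whether to answer with a RST at all (REJECT) or stay silent (DROP) is a policy choice: the RST tells the remote end immediately that the port is closed, while DROP gives nothing back but leaves the remote side waiting for its SYN to time out.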