How to packet drop based on tcp option field in linux - linux

I want to drop incoming traffic of my Linux host based on the TCP option field.
Like TCP option 30, Multipath TCP.
If a packet contains the Multipath TCP notation, i.e. option field 30, then my Linux host needs to drop the connection or packet.
My setup is host 1 <-> host 2 <-> host 3.
Host 1 sends packets via host 2 to host 3.
Host 2 has two interfaces, eth0 and eth1.
eth0 connects host 1 and eth1 connects host 3.
When incoming eth0 packets contain option field 30, I just want to cancel the connection or drop the packets.
I tried an iptables string compare, but it didn't work.
The command is:
sudo iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -m string --string "Multipath TCP" --algo bm
But the above rule does not stop Multipath TCP from sending and receiving via host 2's eth0 and eth1.
Host 2 is not able to drop the Multipath TCP (option field 30) traffic.
Is it possible to drop a specific TCP packet based on the option field?

First, you need to add the rule in FORWARDING chain on host2 (the reason is the packets are not targeted to host2 and will not hit the INPUT chain).
There is an option available in iptables to match the TCP options. Please try the following iptables command:
iptables -I FORWARD -p tcp --tcp-option 30 -j DROP
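As an added example (not code from the question or the answer above), this Python script builds a constructed IPv4/TCP packet carrying option kind 30 and shows why the two rules behave differently: `--tcp-option 30` matches the option kind number found by walking the TCP option list, whereas `-m string --string "Multipath TCP"` is a literal byte search and the MPTCP option never contains that text. The packet bytes and the MP_CAPABLE-style option body are constructed assumptions.

```python
import struct

# Constructed sample packet (not a capture): IPv4 + TCP SYN whose options are
# MSS, NOP, NOP, a Multipath TCP option (kind 30, MP_CAPABLE-style body), EOL.
def build_sample_packet() -> bytes:
    opts = struct.pack("!BBH", 2, 4, 1460)             # MSS
    opts += b"\x01\x01"                                # NOP, NOP
    opts += bytes([30, 12, 0x00, 0x81]) + b"\x00" * 8  # kind 30, len 12, dummy key
    opts += b"\x00\x00"                                # EOL + pad to 20 bytes
    offset = (20 + len(opts)) // 4                     # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, offset << 4, 0x02, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 1, 2]))
    return ip + tcp

def parse_tcp_options(packet: bytes) -> list:
    """Walk the TCP option list and return (kind, data) pairs.
    Single-byte kinds EOL (0) and NOP (1) have no length field (RFC 793)."""
    tcp = packet[(packet[0] & 0x0F) * 4:]          # skip the IPv4 header (IHL)
    opts = tcp[20:(tcp[12] >> 4) * 4]              # bytes between fixed header and data
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                              # End of option list
            found.append((0, b""))
            break
        if kind == 1:                              # NOP padding
            found.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found

def has_tcp_option(packet: bytes, kind: int) -> bool:
    # What `-p tcp --tcp-option 30` tests: the option kind number in the header.
    return any(k == kind for k, _ in parse_tcp_options(packet))

def string_match(packet: bytes, needle: bytes) -> bool:
    # What `-m string --string "Multipath TCP" --algo bm` tests: a literal byte search.
    return needle in packet
```

The same walk can be run over packets captured on eth0 to confirm that the FORWARD rule is dropping exactly the option-30 traffic you expect.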

Related

IP table rule to block telnet packet for particular active port but not other type of packets

On my Linux device, port 5080 is open and accepts all packets. I want to block only telnet packets.
I tried to add an iptables rule, but I am not sure how to specifically match telnet packets only, because adding an iptables rule with protocol tcp blocks all TCP packets as well as telnet, and I want to block only telnet packets.
iptables -I INPUT 1 -p tcp --dport 5080 -j DROP
I don't think you can do that with iptables.
You'll need some application layer aware IPS (maybe suricata?)

In-kernel packet forwarding from one port to multiple ports

On a Linux-based system I need data incoming on a TCP port to be automatically redirected to 50 other local ports without going through user space's send/recv. Each port needs to receive a copy of all incoming traffic. All ports are local to the same machine.
I've discarded the splice syscall due to the limit of one endpoint being a file. I guess that iptables is the right tool for this purpose, but I can't figure out the right syntax. It should be something similar to:
iptables -t nat -A PREROUTING -p tcp --dport <in_port> -j REDIRECT --to-ports <out_port1>-<out_port50>
I wonder e.g. if the option -m multiport is needed.

Can a Connection Be Double DNAT Through an Iptables Rule

So say for instance I have an iptables rule of the sort
iptables -t nat -I PREROUTING 1 -p udp --dport 1000 -j DNAT --to-dest 192.168.1.10:1010
Is there a way that I can, midway through the connection, based on say a u32 match or a string match, further redirect the incoming port's connection to another IP?
So in layman's terms, I have forwarded port 1000 to an internal IP and port, and upon transmission of a packet that meets a certain criterion I want to "re-DNAT" that connection to another internal IP.
I would think that I could insert this rule beforehand and effectuate what I want, but it consistently just skips over the rule:
iptables -t nat -I PREROUTING 1 -p udp --dport 1000 -m string --algo bm --string "stringtomatch" -j DNAT --to-dest 192.168.1.100:1010
Should it maybe be after... and should I change the port on the secondary rule to the changed port address?

IPTABLES How to block 8.8.8.8

I am creating a script that allows you to block IPs, ports, certain IPs and ports, and DNS servers. It basically gets a name and blocks certain addresses for that person.
Problem is, I am stuck at blocking 8.8.8.8. No matter what I have tried, I cannot seem to block it!
Here is what I have tried so far:
iptables -A OUTPUT -p tcp -d 8.8.8.8 --destination-port 53 -j DROP
iptables -A OUTPUT -p udp -d 8.8.8.8 --destination-port 53 -j DROP
iptables -A OUTPUT -p -s 8.8.8.8 -j DROP
And even
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j DROP
Pinging any other site doesn't work, while pinging 8.8.8.8 still works...
My Policies are all set to ALLOW. Should I change them?
I am kinda new to this, apologies if this all seems queer. Thanks!
You're trying to block a SOURCE address in the OUTPUT chain. 8.8.8.8 would be a DESTINATION in the OUTPUT chain. The SOURCE of a packet in the OUTPUT chain is generally the machine you're running these rules on... Try these:
-A INPUT -s 8.8.8.8 -j DROP
-A OUTPUT -d 8.8.8.8 -j DROP
Rule #1 will drop any packets coming IN to your system which originated from Google's public DNS. Rule #2 will drop any packets LEAVING your system destined for the same.
As for ping, remember that ping uses the ICMP protocol. You're trying to block UDP only. Also remember that DNS requests CAN use TCP if the request or response would need more than 1 udp packet.

Iptables: Redirect to port 8080 and ACCEPT only one IP address

Background Info: I have rooted an android phone and installed droidwall to get access to iptables. The kernel version is 2.6.35.7-perf.
Objective: Test the efficiency of a proxy (on port 8080) from a comparison of the traffic flow with and without the proxy.
I am able to get a test without going through the proxy with the rules from here
Method: I have created a test website on a single IP address. I am using an application that monitors how many packets/bytes have been transmitted and received by the phone.
Problem: Due to unknown background traffic, unwanted packets are being sent and received.
Solution: Use iptables to only allow a connection to one website so I can properly monitor the traffic.
How would I go about this?
Try the following:
iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp -s 1.2.3.4 --dport 8080 -j ACCEPT
The first rule should redirect all traffic from 1.2.3.4 to port 8080, while the second states to accept such packets.
Now you should set the default policy for INPUT to DROP so that every other packet is discarded:
iptables -P INPUT DROP
Be careful. This is a very restrictive rule.