This target processes the TCP three-way handshake in parallel, in netfilter
context, to protect either the local or a backend system. This target requires
connection tracking because sequence numbers need to be translated.
.TP
\fB\-\-mss\fP \fImaximum segment size\fP
Maximum segment size announced to clients. This must match the backend.
.TP
\fB\-\-wscale\fP \fIwindow scale\fP
Window scale announced to clients. This must match the backend.
.TP
\fB\-\-sack\-perm\fP
Pass client selective acknowledgement option to backend (will be disabled
if not present).
.TP
\fB\-\-timestamps\fP
Pass client timestamp option to backend (will be disabled if not present,
also needed for selective acknowledgement and window scaling).
.PP
Example:
.PP
Determine tcp options used by backend, from an external system
.IP
tcpdump -pni eth0 -c 1 'tcp[tcpflags] == (tcp-syn|tcp-ack)'
.br
    port 80 &
.br
telnet 192.0.2.42 80
.br
18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757:
.br
    Flags [S.], seq 360414582, ack 788841994, win 14480,
.br
    options [mss 1460,sackOK,
.br
    TS val 1409056151 ecr 9690221,
.br
    nop,wscale 9],
.br
    length 0
.PP
Switch tcp_loose mode off, so conntrack will mark out\-of\-flow
packets as state INVALID.
.IP
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
.PP
Make SYN packets untracked
.IP
iptables \-t raw \-A PREROUTING \-i eth0 \-p tcp \-\-dport 80
    \-\-syn \-j CT \-\-notrack
.PP
Catch UNTRACKED (SYN packets) and INVALID (3WHS ACK packets) states
and send them to SYNPROXY. This rule will respond to SYN packets with
SYN+ACK syncookies, create ESTABLISHED for valid client response (3WHS ACK
packets) and drop incorrect cookies. Flag combinations not expected
during 3WHS will not match and continue (e.g. SYN+FIN, SYN+ACK).
.IP
iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80
    \-m state \-\-state UNTRACKED,INVALID \-j SYNPROXY
    \-\-sack\-perm \-\-timestamps \-\-mss 1460 \-\-wscale 9
.PP
Drop invalid packets; these are the out\-of\-flow packets that were not
matched by SYNPROXY.
.IP
iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80 \-m state \-\-state INVALID \-j DROP
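The procedure above, as an added shell example that is not part of the iptables man page: it parses the options field tcpdump prints for the backend's SYN+ACK and derives the SYNPROXY options and rule set that keep the announced mss, wscale, sackOK and timestamp settings in step with the backend. The function names, the refusal to proceed without mss and wscale, and the warning about sackOK/wscale without TS are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the iptables man page): derive the SYNPROXY options
# from the TCP options tcpdump prints for the backend's SYN+ACK, so the values
# announced to clients (mss, wscale, sackOK, TS) match what the backend offers.
# Input: tcpdump's bracketed options field, e.g. "mss 1460,sackOK,TS val 1 ecr 2,nop,wscale 9"
build_synproxy_opts() {
    mss="" wscale="" sack=0 ts=0
    oldifs=$IFS
    IFS=','
    for tok in $1; do
        case $tok in
            "mss "*)    mss=${tok#"mss "} ;;
            sackOK)     sack=1 ;;
            "TS "*)     ts=1 ;;
            "wscale "*) wscale=${tok#"wscale "} ;;
            nop|eol)    ;;                      # padding only, nothing to mirror
        esac
    done
    IFS=$oldifs
    # This example requires both values the man page passes explicitly.
    if [ -z "$mss" ] || [ -z "$wscale" ]; then
        echo "backend SYN+ACK lacks mss or wscale; cannot build options" >&2
        return 1
    fi
    # The man page notes timestamps are also needed for SACK and window scaling,
    # so a backend offering those without TS is worth flagging.
    if [ "$ts" -eq 0 ] && { [ "$sack" -eq 1 ] || [ "$wscale" -ne 0 ]; }; then
        echo "warning: sackOK/wscale offered without TS; SYNPROXY will not carry them" >&2
    fi
    out=""
    if [ "$sack" -eq 1 ]; then out="$out --sack-perm"; fi
    if [ "$ts" -eq 1 ]; then out="$out --timestamps"; fi
    out="$out --mss $mss --wscale $wscale"
    printf '%s\n' "${out#" "}"
}
# Print (not apply) the man page's rule set for one interface and port, with the
# SYNPROXY options taken from the captured backend options.
emit_synproxy_rules() {
    ifc=$1 port=$2
    synopts=$(build_synproxy_opts "$3") || return 1
    cat <<EOF
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
iptables -t raw -A PREROUTING -i $ifc -p tcp --dport $port --syn -j CT --notrack
iptables -A INPUT -i $ifc -p tcp --dport $port -m state --state UNTRACKED,INVALID -j SYNPROXY $synopts
iptables -A INPUT -i $ifc -p tcp --dport $port -m state --state INVALID -j DROP
EOF
}
# Options copied from the SYN+ACK shown in the man page example.
emit_synproxy_rules eth0 80 'mss 1460,sackOK,TS val 1409056151 ecr 9690221,nop,wscale 9'
```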