Firewall functions: IPTABLES
SYN packet from client to server
SYN/ACK packet from server to client
ACK packet from client to server
At this point the connection is established and is able to transmit data:
In this way if NEW and ESTABLISHED packets can exit and only ESTABLISHED packets can enter, all
the attempts of connection to our internal network will be denied.
By executing the iptables-conntrack command, the status shown once received the first SYN
packet is as follows:
tcp 6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23
[UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1
The next internal status is reached when a packet is received in the opposite direction:
tcp 6 57 SYN_RECV src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23
src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1
The status of established is reached when the final ACK arrives:
tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35 sport=1031
dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 [ASSURED] use=1
The following diagram shows the flow of terminating packets (closing in normal conditions):
As it can be seen, the connection is not completely closed until the final ACK arrives.
Notice that the connection tracking mechanism does not consider the TCP flags within the packets
and that a packet without SYN or ACK will be counted as NEW. If you want to associate the status
NEW with the presence of SYN, the following rule should be added:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
Various parameters set the timeout associated with TCP session States:
tcp_timeout_close
To Next Page
Loading...
Need help?
General
