iptables-save bug with tcp-reset ?
Hi people! I am using Susefirewall2. In the customary rules I added the 2 lines

    iptables -A input_ext -j LOG -p tcp --dport 113
    iptables -A input_ext -j REJECT -p tcp --reject-with tcp-reset --dport 113

to secure the identd port. When I check the rules with SuSEfirewall2 status it looks alright:

    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 flags:0x16/0x02 reject-with tcp-reset

but with iptables-save|more I find

    -A input_dmz -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with reject-with
                                                                                               ^^^^^^^^^^^ here

You see that tcp-reset is replaced by reject-with. Since this rule seems to be working alright, is this a bug in iptables-save???

Here the interesting part:

    fw_custom_before_port_handling() {
        # could also be named "after_antispoofing()"
        # these rules will be loaded after the anti-spoofing and icmp handling
        # but before any IP protocol or TCP/UDP port allow/protection rules
        # will be set.
        # You can use this hook to allow/deny certain IP protocols or TCP/UDP
        # ports before the SuSEfirewall2 generated rules are hit.
        # example: always filter backorifice/netbus trojan connect requests and log them.
        iptables -A input_ext -j LOG -p tcp --dport 113
        iptables -A input_ext -j REJECT -p tcp --reject-with tcp-reset --dport 113
        for target in LOG DROP; do
            for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do
                iptables -A $chain -j $target -p tcp --dport 31337
                iptables -A $chain -j $target -p udp --dport 31337
                iptables -A $chain -j $target -p tcp --dport 12345:12346
                iptables -A $chain -j $target -p udp --dport 12345:12346
            done
        done
        true
    }
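A small check for the situation described in the post, added here as an example and not part of the original message or of SuSEfirewall2: it scans iptables-save output for REJECT rules whose --reject-with argument is not one of the reject types documented in iptables(8), so a saved ruleset can be reviewed before it is trusted for iptables-restore. The sample ruleset embedded below is constructed from the lines in the post.

```shell
#!/bin/sh
# Reject types documented for the REJECT target in iptables(8).
KNOWN_REJECT_TYPES="icmp-net-unreachable icmp-host-unreachable icmp-port-unreachable \
icmp-proto-unreachable icmp-net-prohibited icmp-host-prohibited icmp-admin-prohibited tcp-reset"

# check_reject_rules: read iptables-save text on stdin; print "BAD: <rule>" for every
# REJECT rule whose --reject-with argument is unknown; return 1 if any was found.
check_reject_rules() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            -A*" -j REJECT"*) ;;          # only REJECT rules carry --reject-with
            *) continue ;;
        esac
        # word following --reject-with; empty means the target's default is used
        arg=$(printf '%s\n' "$line" | \
              sed -n 's/.*--reject-with[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p')
        [ -z "$arg" ] && continue
        ok=0
        for t in $KNOWN_REJECT_TYPES; do
            [ "$arg" = "$t" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf 'BAD: %s\n' "$line"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample in iptables-save format (third rule reproduces the odd output from the post).
SAMPLE_SAVE='*filter
-A input_ext -p tcp -m tcp --dport 113 -j LOG
-A input_ext -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A input_dmz -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with reject-with
-A input_int -p udp -m udp --dport 31337 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Usage on the sample; on a live box: iptables-save | check_reject_rules
printf '%s\n' "$SAMPLE_SAVE" | check_reject_rules || echo "ruleset contains unrecognised --reject-with arguments"
```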
participants (1)
-
Karsten Schell