路由器上 iptables 怎么匹配 TCP RST 包?

2015-03-05 20:33:14 +08:00
 billlee

我试了

iptables -I FORWARD -p tcp --tcp-flags RST RST -j DROP

iptables -vL FORWARD 检查发现根本没有匹配,但根据 tcpdump 的结果,是有 RST 包通过的。弄不明白是哪里出了问题了?

12:05:38.763735 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [S], seq 705280096, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
12:05:39.116945 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [S.], seq 2373532821, ack 705280097, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
12:05:39.120185 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [.], ack 1, win 4380, length 0
12:05:39.125902 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [P.], seq 1:420, ack 1, win 4380, length 419
12:05:39.127969 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [R.], seq 1, ack 420, win 0, length 0
12:05:39.128106 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [R.], seq 1, ack 420, win 0, length 0
12:05:39.225220 IP 192.168.1.147.57951 > 83.145.197.2.80: Flags [S], seq 3277327128, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
12:05:39.470248 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [.], ack 1, win 29, length 0
12:05:39.470394 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [.], ack 1, win 29, length 0
12:05:39.553312 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [S.], seq 3843338864, ack 3277327129, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:05:39.555322 IP 192.168.1.147.57951 > 83.145.197.2.80: Flags [.], ack 1, win 4380, length 0
12:05:39.555820 IP 192.168.1.147.57951 > 83.145.197.2.80: Flags [P.], seq 1:529, ack 1, win 4380, length 528
12:05:39.559195 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R.], seq 1, ack 529, win 0, length 0
12:05:39.559362 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R.], seq 1, ack 529, win 0, length 0
12:05:39.881566 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R], seq 3843338865, win 0, length 0
1322 次点击
所在节点    OpenWrt
6 条回复
futursolo
2015-03-05 21:17:26 +08:00
试试以下命令
iptables -I FORWARD -p tcp --tcp-flags SYN,FIN,RST,URG,PSH RST -j DROP
iptables -I INPUT -p tcp --tcp-flags SYN,FIN,RST,URG,PSH RST -j DROP
billlee
2015-03-05 21:25:23 +08:00
@futursolo 试过了,没有用。而且这样的匹配规则会漏掉 RST/ACK 包吧?
kttde
2015-03-05 21:44:05 +08:00
在链前面加上表,如下
iptables -t mangle -I FORWARD -p tcp --tcp-flags RST RST -j DROP
billlee
2015-03-05 21:49:58 +08:00
@kttde 正解!
能解释下 mangle 表是干什么用的吗?我一直以为涉及 DROP 这个操作的都要放在 filter 表
ryd994
2015-03-06 01:27:08 +08:00
@billlee 你filter FORWARD里有没有RELATED ACCEPT?
照理说不会这样,因为mangle接着就是filter。
方便的话贴贴规则
billlee
2015-03-06 15:26:16 +08:00
@ryd994 我是 -I 添加到最前面的,应该其它都不影响了啊

```
root@WNDR4300:~# iptables -vL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere tcp flags:RST/RST
48486 3101K delegate_forward all -- any any anywhere anywhere
root@WNDR4300:~# iptables -t mangle -vL FORWARD
Chain FORWARD (policy ACCEPT 2890K packets, 2549M bytes)
pkts bytes target prot opt in out source destination
12848 515K DROP tcp -- any any anywhere anywhere tcp flags:RST/RST
0 0 qos_Default all -- any eth0.2 anywhere anywhere
5745K 4824M mssfix all -- any any anywhere anywhere
```

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/174763

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX