How do I match TCP RST packets with iptables on a router?

billlee · 2015-03-05 20:33:14 +08:00 · 1193 clicks

I tried

```
iptables -I FORWARD -p tcp --tcp-flags RST RST -j DROP
```

Checking with `iptables -vL FORWARD` shows the rule matching nothing at all, yet according to tcpdump RST packets are passing through. I can't figure out where the problem is.

```
12:05:38.763735 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [S], seq 705280096, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
12:05:39.116945 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [S.], seq 2373532821, ack 705280097, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
12:05:39.120185 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [.], ack 1, win 4380, length 0
12:05:39.125902 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [P.], seq 1:420, ack 1, win 4380, length 419
12:05:39.127969 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [R.], seq 1, ack 420, win 0, length 0
12:05:39.128106 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [R.], seq 1, ack 420, win 0, length 0
12:05:39.225220 IP 192.168.1.147.57951 > 83.145.197.2.80: Flags [S], seq 3277327128, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
12:05:39.470248 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [.], ack 1, win 29, length 0
12:05:39.470394 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [.], ack 1, win 29, length 0
12:05:39.553312 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [S.], seq 3843338864, ack 3277327129, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:05:39.555322 IP 192.168.1.147.57951 > 83.145.197.2.80: Flags [.], ack 1, win 4380, length 0
12:05:39.555820 IP 192.168.1.147.57951 > 83.145.197.2.80: Flags [P.], seq 1:529, ack 1, win 4380, length 528
12:05:39.559195 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R.], seq 1, ack 529, win 0, length 0
12:05:39.559362 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R.], seq 1, ack 529, win 0, length 0
12:05:39.881566 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R], seq 3843338865, win 0, length 0
```
6 replies · last reply 2015-03-06 15:26:16 +08:00
#1 futursolo · 2015-03-05 21:17:26 +08:00

Try the following commands:

```
iptables -I FORWARD -p tcp --tcp-flags SYN,FIN,RST,URG,PSH RST -j DROP
iptables -I INPUT -p tcp --tcp-flags SYN,FIN,RST,URG,PSH RST -j DROP
```
#2 billlee (OP) · 2015-03-05 21:25:23 +08:00

@futursolo Tried it, it doesn't work. Besides, wouldn't a match rule like that miss the RST/ACK packets?
#3 kttde · 2015-03-05 21:44:05 +08:00 · ❤️ 1

Put the table in front of the chain, like this:

```
iptables -t mangle -I FORWARD -p tcp --tcp-flags RST RST -j DROP
```
#4 billlee (OP) · 2015-03-05 21:49:58 +08:00

@kttde That's it!
Could you explain what the mangle table is for? I always assumed that anything involving the DROP action had to go in the filter table.
#5 ryd994 · 2015-03-06 01:27:08 +08:00 via Android

@billlee Is there a RELATED ACCEPT in your filter FORWARD chain?
In theory this shouldn't happen, since mangle is followed directly by filter.
Post your rules if it's convenient.
#6 billlee (OP) · 2015-03-06 15:26:16 +08:00

@ryd994 I inserted it at the very top with -I, so nothing else should affect it, should it?

```
root@WNDR4300:~# iptables -vL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere tcp flags:RST/RST
48486 3101K delegate_forward all -- any any anywhere anywhere
root@WNDR4300:~# iptables -t mangle -vL FORWARD
Chain FORWARD (policy ACCEPT 2890K packets, 2549M bytes)
pkts bytes target prot opt in out source destination
12848 515K DROP tcp -- any any anywhere anywhere tcp flags:RST/RST
0 0 qos_Default all -- any eth0.2 anywhere anywhere
5745K 4824M mssfix all -- any any anywhere anywhere
```
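The thread turns on how `-p tcp --tcp-flags MASK COMP` is evaluated: only the flags listed in MASK are examined, and a packet matches when exactly the COMP subset of those is set, so `--tcp-flags RST RST` hits both bare RST and RST/ACK, and reply #1's `SYN,FIN,RST,URG,PSH RST` does too because ACK is outside its mask. The script below is an added example, not code from the thread or from OpenWrt; it models that comparison in plain POSIX sh over six tcpdump lines copied from the original post, so it runs without root and without iptables. The function names `flag_bits`, `tcpdump_bits`, `tcp_flags_match` and `count_matches` are ours. It models the match expression only and says nothing about table traversal order or about why the filter-table counter stayed at zero.

```shell
#!/bin/sh
# Added example: a pure-sh model of the iptables "--tcp-flags MASK COMP" match,
# checked against tcpdump "Flags [..]" output. Function names are ours.
# Rule: a packet matches when (packet_flags AND MASK) == COMP. Flags outside
# MASK are ignored, so "--tcp-flags RST RST" hits RST and RST/ACK alike.

# Sample input: six lines copied from the tcpdump excerpt in the original post
# (SYN, SYN/ACK, ACK, PSH/ACK, RST/ACK and a bare RST).
SAMPLE='12:05:38.763735 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [S], seq 705280096, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
12:05:39.116945 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [S.], seq 2373532821, ack 705280097, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
12:05:39.120185 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [.], ack 1, win 4380, length 0
12:05:39.125902 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [P.], seq 1:420, ack 1, win 4380, length 419
12:05:39.127969 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [R.], seq 1, ack 420, win 0, length 0
12:05:39.881566 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R], seq 3843338865, win 0, length 0'

# Translate an iptables flag list ("SYN,RST", "ALL", "NONE") into the TCP
# header bit value: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32.
flag_bits() {
    bits=0
    for name in $(printf '%s' "$1" | tr ',' ' '); do
        case "$name" in
            FIN)  bits=$((bits | 1)) ;;
            SYN)  bits=$((bits | 2)) ;;
            RST)  bits=$((bits | 4)) ;;
            PSH)  bits=$((bits | 8)) ;;
            ACK)  bits=$((bits | 16)) ;;
            URG)  bits=$((bits | 32)) ;;
            ALL)  bits=63 ;;
            NONE) bits=0 ;;
            *) echo "unknown flag: $name" >&2; return 1 ;;
        esac
    done
    echo "$bits"
}

# Translate tcpdump's flag letters ("S." = SYN+ACK, "R." = RST+ACK, "R" = RST)
# into the same bit value. ECN letters (E, W) are not among the six flags that
# --tcp-flags names, so they are skipped.
tcpdump_bits() {
    s=$1; bits=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}        # peel off the first character
        case "$c" in
            F) bits=$((bits | 1)) ;;
            S) bits=$((bits | 2)) ;;
            R) bits=$((bits | 4)) ;;
            P) bits=$((bits | 8)) ;;
            .) bits=$((bits | 16)) ;;
            U) bits=$((bits | 32)) ;;
        esac
    done
    echo "$bits"
}

# tcp_flags_match MASK COMP LETTERS -> exit status 0 when the rule would match.
tcp_flags_match() {
    mask=$(flag_bits "$1") || return 2
    comp=$(flag_bits "$2") || return 2
    pkt=$(tcpdump_bits "$3")
    [ $((pkt & mask)) -eq "$comp" ]
}

# count_matches MASK COMP -> number of SAMPLE packets the rule would hit.
count_matches() {
    n=0
    while read -r line; do
        letters=${line#*"Flags ["}; letters=${letters%%"]"*}
        if tcp_flags_match "$1" "$2" "$letters"; then n=$((n + 1)); fi
    done <<EOF
$SAMPLE
EOF
    echo "$n"
}

# Compare the rules proposed in the thread (plus two reference forms) against
# the same six packets.
for rule in "RST RST" "SYN,FIN,RST,URG,PSH RST" "ALL RST" "SYN,ACK SYN"; do
    set -- $rule
    printf '%-38s matches %s of 6 packets\n' "--tcp-flags $1 $2" "$(count_matches "$1" "$2")"
done
```

Run it with `sh script.sh`. Both `RST RST` and `SYN,FIN,RST,URG,PSH RST` match the two RST packets (the RST/ACK at 12:05:39.127969 and the bare RST at 12:05:39.881566); `ALL RST` is the form that would actually miss RST/ACK, because it puts ACK in the mask and demands it be clear, and `SYN,ACK SYN` is the classic "new connection" match that ignores everything but those two bits. When a counter in `iptables -vL` stays at zero, comparing the rule's `flags:MASK/COMP` column against the mask that the intended traffic actually carries is the first thing to check.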