V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
OpenWrt 是一个专门面向嵌入式设备的 Linux 发行版。你可以将 OpenWrt 支持的型号的嵌入式设备,比如各种路由器上的系统,换成一个有更多可能性可以折腾的 Linux 系统。
OpenWrt 官方网站
billlee
V2EX  ›  OpenWrt

路由器上 iptables 怎么匹配 TCP RST 包?

  •  
  •   billlee · 2015-03-05 20:33:14 +08:00 · 1302 次点击
    这是一个创建于 3552 天前的主题,其中的信息可能已经有所发展或是发生改变。

    我试了

    iptables -I FORWARD -p tcp --tcp-flags RST RST -j DROP
    

    iptables -vL FORWARD 检查发现根本没有匹配,但根据 tcpdump 的结果,是有 RST 包通过的。弄不明白是哪里出了问题了?

    12:05:38.763735 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [S], seq 705280096, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
    12:05:39.116945 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [S.], seq 2373532821, ack 705280097, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
    12:05:39.120185 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [.], ack 1, win 4380, length 0
    12:05:39.125902 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [P.], seq 1:420, ack 1, win 4380, length 419
    12:05:39.127969 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [R.], seq 1, ack 420, win 0, length 0
    12:05:39.128106 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [R.], seq 1, ack 420, win 0, length 0
    12:05:39.225220 IP 192.168.1.147.57951 > 83.145.197.2.80: Flags [S], seq 3277327128, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
    12:05:39.470248 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [.], ack 1, win 29, length 0
    12:05:39.470394 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [.], ack 1, win 29, length 0
    12:05:39.553312 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [S.], seq 3843338864, ack 3277327129, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    12:05:39.555322 IP 192.168.1.147.57951 > 83.145.197.2.80: Flags [.], ack 1, win 4380, length 0
    12:05:39.555820 IP 192.168.1.147.57951 > 83.145.197.2.80: Flags [P.], seq 1:529, ack 1, win 4380, length 528
    12:05:39.559195 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R.], seq 1, ack 529, win 0, length 0
    12:05:39.559362 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R.], seq 1, ack 529, win 0, length 0
    12:05:39.881566 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R], seq 3843338865, win 0, length 0
    
    6 条回复    2015-03-06 15:26:16 +08:00
    futursolo
        1
    futursolo  
       2015-03-05 21:17:26 +08:00
    试试以下命令
    iptables -I FORWARD -p tcp --tcp-flags SYN,FIN,RST,URG,PSH RST -j DROP
    iptables -I INPUT -p tcp --tcp-flags SYN,FIN,RST,URG,PSH RST -j DROP
    billlee
        2
    billlee  
    OP
       2015-03-05 21:25:23 +08:00
    @futursolo 试过了,没有用。而且这样的匹配规则会漏掉 RST/ACK 包吧?
    kttde
        3
    kttde  
       2015-03-05 21:44:05 +08:00   ❤️ 1
    在链前面加上表,如下
    iptables -t mangle -I FORWARD -p tcp --tcp-flags RST RST -j DROP
    billlee
        4
    billlee  
    OP
       2015-03-05 21:49:58 +08:00
    @kttde 正解!
    能解释下 mangle 表是干什么用的吗?我一直以为涉及 DROP 这个操作的都要放在 filter 表
    ryd994
        5
    ryd994  
       2015-03-06 01:27:08 +08:00 via Android
    @billlee 你filter FORWARD里有没有RELATED ACCEPT?
    照理说不会这样,因为mangle接着就是filter。
    方便的话贴贴规则
    billlee
        6
    billlee  
    OP
       2015-03-06 15:26:16 +08:00
    @ryd994 我是 -I 添加到最前面的,应该其它都不影响了啊

    ```
    root@WNDR4300:~# iptables -vL FORWARD
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:RST/RST
    48486 3101K delegate_forward all -- any any anywhere anywhere
    root@WNDR4300:~# iptables -t mangle -vL FORWARD
    Chain FORWARD (policy ACCEPT 2890K packets, 2549M bytes)
    pkts bytes target prot opt in out source destination
    12848 515K DROP tcp -- any any anywhere anywhere tcp flags:RST/RST
    0 0 qos_Default all -- any eth0.2 anywhere anywhere
    5745K 4824M mssfix all -- any any anywhere anywhere
    ```
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   906 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 23ms · UTC 21:25 · PVG 05:25 · LAX 13:25 · JFK 16:25
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.