How to make all outgoing RST drop

I am trying to remove all outgoing RST and incoming RST on all ports. I am using Debian linux. I tried all possible combinations of commands listed on the Internet, but nothing works.

For example, I tried:

iptables -A OUTPUT -o eth0 -p tcp --tcp-flags RST RST -j DROP
iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
iptables -A INPUT -p tcp --tcp-flags RST RST -m state --state RELATED,ESTABLISHED -j DROP
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

However, I see that RST packets are still sent by the kernel, and RST packets are still received. Please help me solve this problem.

+4

4 answers

Hmm, it is entirely possible that this goes through the FORWARD chain rather than the INPUT or OUTPUT chain, since you are running it on the host machine.

The trick for debugging is to use iptables -L -v, which displays the hit counters for each rule; if you run a command that sends a lot of packets, such as

 watch --interval 0.1 "nc remote.machine CLOSED_PORT" 

you can work out which rule gets hit. You should also know that there are orthogonal tables - sets of rule chains used in different situations (for example, for NAT). It might be worth looking at the nat table, since your virtual host may be NAT'ed through your host rather than having its own IP address:

 iptables -L -v -t nat 

It would also be informative to find out which IP the virtual host has, because if it is not on your network subnet, it is probably being NAT'ed.

+6
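The advice above is to compare the per-rule counters of iptables -L -v while traffic is flowing. The Python below is an added illustration, not code from this thread: it parses two listings in the shape of iptables -L -v -n and reports which rules' packet counters grew between them. The listings are constructed samples (all numbers are made up), arranged so that only the FORWARD rule moves, which is the situation the answer describes for a NAT'ed virtual host.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output shaped like `iptables -L -v -n` (not captured from
# a real host; all counters are made up). Only the FORWARD rule's packet
# counter moves between the two snapshots: the VM's traffic is forwarded, so
# the INPUT/OUTPUT rules never fire.
SNAPSHOT_BEFORE = """\
Chain INPUT (policy ACCEPT 1503 packets, 120K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x14
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x04

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   400 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x04/0x04

Chain OUTPUT (policy ACCEPT 980 packets, 88K bytes)
 pkts bytes target     prot opt in     out     source               destination
    2    80 DROP       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp flags:0x04/0x04
"""

# Second constructed snapshot: 50 more packets hit the FORWARD rule, and the
# INPUT policy counter moved; nothing else changed.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "   10   400 DROP", "   60  2400 DROP").replace(
    "policy ACCEPT 1503 packets", "policy ACCEPT 1611 packets")

_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def _count(token: str) -> int:
    """Turn a counter such as '12', '3K' or '7M' into an int.
    (With `iptables -x` the counters are exact and carry no suffix.)"""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if m is None:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_counters(listing: str) -> Dict[Tuple[str, int], Tuple[int, str]]:
    """Map (chain, 1-based rule number) -> (packet count, rule text)."""
    counters: Dict[Tuple[str, int], Tuple[int, str]] = {}
    chain, rule_no = "", 0
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+)", line)
        if header:
            chain, rule_no = header.group(1), 0
            continue
        if not line.strip() or line.split()[0] == "pkts":
            continue  # blank line or the column header
        fields = line.split()
        rule_no += 1
        counters[(chain, rule_no)] = (_count(fields[0]), " ".join(fields[2:]))
    return counters


def rules_hit(before: str, after: str) -> List[Tuple[str, int, int, str]]:
    """Rules whose packet counter grew between two listings, as
    (chain, rule number, packets gained, rule text)."""
    old, new = parse_counters(before), parse_counters(after)
    hits = []
    for key, (pkts, rule) in new.items():
        gained = pkts - old.get(key, (0, ""))[0]
        if gained > 0:
            hits.append((key[0], key[1], gained, rule))
    return hits


if __name__ == "__main__":
    for chain, no, gained, rule in rules_hit(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"{chain} rule {no}: +{gained} packets  ({rule})")
```

On a real host the two listings would come from running iptables -L -v -n -x (the -x flag avoids the K/M suffixes) before and after the packet generator from the answer; a rule whose counter never moves is not being consulted for that traffic, regardless of how its flags are spelled.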

If you want to remove incoming RST packets, you will want to do this:

iptables -I INPUT -p tcp --tcp-flags ALL RST,ACK -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL RST -j DROP

If you want to remove outgoing RST packets, you will want to do this:

 iptables -I OUTPUT -p tcp --tcp-flags ALL RST,ACK -j DROP 

Why RST ACK? According to the RFC, any response to a TCP packet containing a SYN must ACK the sequence number. Therefore, even when you indicate that your port is closed, you respond with an RST ACK.

Why worry about outgoing RST? If you are trying to use a tool like Scapy to experiment with IP behavior, you will often need to prevent the host IP stack from sending RST ACKs. Alternatively, you can implement a pseudo-host in Scapy, which requires a MAC address, responding to ARP (or ICMP ND for IPv6), and binding your own IP address; this will also prevent the host from reacting. Obviously, this is more than just blocking outgoing RST packets.

+4

Reset packets have the RST and ACK flags set. So the correct rule is:

iptables -I INPUT -p tcp --tcp-flags ALL RST,ACK -j DROP

0
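The two answers above turn on how --tcp-flags is evaluated. The match takes a mask list and a comparison list and fires when (flags & mask) == comp: only the flags named in the mask are examined, and those must equal the comparison exactly. The Python below is an added illustration, not code from any of the answers: it implements that check and runs the three rule forms seen in this thread against constructed packets, showing that --tcp-flags RST RST matches both a bare RST and an RST/ACK, ALL RST matches only a bare RST, and ALL RST,ACK matches only an RST/ACK. Packet flag values are constructed for the example.

```python
from typing import Dict, List, Tuple

# Flag bits as they sit in the TCP header (the same values iptables prints in
# a listing as `tcp flags:0x3F/0x14`, i.e. mask/comp).
TCP_FLAGS: Dict[str, int] = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}
ALL_FLAGS = 0x3F  # FIN,SYN,RST,PSH,ACK,URG


def parse_flag_list(spec: str) -> int:
    """Turn an iptables flag list ('RST,ACK', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    value = 0
    for name in spec.split(","):
        value |= TCP_FLAGS[name]
    return value


def tcp_flags_match(mask_spec: str, comp_spec: str, packet_flags: int) -> bool:
    """`--tcp-flags mask comp` matches when (flags & mask) == comp."""
    mask, comp = parse_flag_list(mask_spec), parse_flag_list(comp_spec)
    return (packet_flags & mask) == comp


# The three rule forms that appear in this thread: (label, mask, comp).
THREAD_RULES: List[Tuple[str, str, str]] = [
    ("--tcp-flags RST RST", "RST", "RST"),
    ("--tcp-flags ALL RST", "ALL", "RST"),
    ("--tcp-flags ALL RST,ACK", "ALL", "RST,ACK"),
]

# Constructed packets: a bare reset, the RST/ACK a closed port answers with,
# and a SYN/ACK that no reset rule should touch.
SAMPLE_PACKETS: Dict[str, int] = {
    "bare RST": TCP_FLAGS["RST"],
    "RST/ACK": TCP_FLAGS["RST"] | TCP_FLAGS["ACK"],
    "SYN/ACK": TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"],
}


def matching_rules(rules: List[Tuple[str, str, str]], packet_flags: int) -> List[str]:
    """Labels of the rules that would match a packet with these flags."""
    return [label for label, mask, comp in rules
            if tcp_flags_match(mask, comp, packet_flags)]


if __name__ == "__main__":
    for name, flags in SAMPLE_PACKETS.items():
        hits = matching_rules(THREAD_RULES, flags) or ["no match"]
        print(f"{name:8} (0x{flags:02x}): {', '.join(hits)}")
```

The practical consequence for a defender auditing such rules is that a narrow mask (RST RST) is the permissive form and ALL is the strict form: a rule written with ALL RST will silently ignore the RST/ACK that a closed port actually emits, and a rule written with ALL RST,ACK will ignore a bare RST, so the two are usually paired, as the second answer does.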

Hope this helps:

echo 0 > /proc/sys/net/ipv4/tcp_rst_retries
echo 0 > /proc/sys/net/ipv4/tcp_rst_timeout
-2

Source: https://habr.com/ru/post/1443892/
