Question

With the iptables utility on a Linux host I need to create a mini firewall. I need to drop all incoming connections with packet length greater than 722 AND TTL greater than 22. I need exactly AND: drop only if both conditions are TRUE.

sudo iptables -N LOGDROP
sudo iptables -A OUTPUT -m ttl --ttl-gt 22 -j LOGDROP
sudo iptables -A INPUT -m ttl --ttl-gt 22 -j LOGDROP
sudo iptables -A LOGDROP -m length --length 722:65535 -j DROP

The IP address of the host with the firewall is 10.6.7.9.

I did 4 tests from this host, trying to ping another host:

ping -s 10000 -t 250 10.6.7.10 // fail (TTL AND LENGTH are wrong)
ping -s 100 -t 200 10.6.7.10 // success (TTL is wrong)
ping -s 10 -t 10 10.6.7.10 // success (both are right)
ping -s 10000 -t 10 10.6.7.10 // fail, BUT SHOULD BE TRUE.

Why doesn't the last ping work, and how do I fix it? Thanks for any help.


Solution

The problem is the reply path.

With ping -t you will only change the TTL for the packets that you are sending. The reply packets will have a starting TTL set to the OS default (64 in Linux).

So in the fourth case your outgoing packets will have a TTL of 10 and a size of ~10000. The packets that are coming back from 10.6.7.10 will have a TTL of 64 and a size of ~10000 and thus will be dropped.

You can use a sniffer, for example wireshark, to verify this.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow