Can iptables block TCP RST packets only?

February 20th, 2010 - 06:19 pm ET by James Taylor
Hi,

I have discovered what I believe to be spoofed TCP reset packets being
injected into the stream to kill some large downloads I am trying to
make. I know the RST packets didn't come from the server I am
downloading from because I can see normal data-bearing packets arriving
after the RST packets and with later sequence numbers. It is probably
some half-wit attempt by the ISP to limit my downloads.

The problem is that when my computer receives the RST packets the
connection breaks and the download stops. If I could get my computer to
ignore these RSTs then I believe the connection would continue and my
downloads would complete.

Is there any way that I can use iptables to filter these RST packets
from a specific set of IP addresses corresponding to the servers in
question? A quick dip in the iptables man page has rather overwhelmed me
with the learning curve required, but also encouraged me when I saw
there was a --tcp-flags option.

Can anyone help me by showing me how to form a complete iptables command
line to block the RST packets?

James Taylor
Replies

#1 Tony
February 21st, 2010 - 03:06 am ET
In uk.comp.os.linux, James Taylor wrote:

Can anyone help me by showing me how to form a complete iptables command
line to block the RST packets?

http://tuxtraining.com/2008/06/21/b...h-iptables

If whoever is doing it, is doing it 'right' though, then you're in trouble
because they'll be sending RSTs to both ends of the connection, as far as
I understand it.

Slashdot discussion,
http://tech.slashdot.org/article.pl?sid/06/30/0249249

Tony Evans
Saving trees and wasting electrons since 1993
blog -> http://perceptionistruth.com/
books -> http://www.bookthing.co.uk/
[ anything below this line wasn't written by me ]
#2 Graham Murray
February 21st, 2010 - 04:06 am ET
James Taylor writes:

I have discovered what I believe to be spoofed TCP reset packets being
injected into the stream to kill some large downloads I am trying to
make. I know the RST packets didn't come from the server I am
downloading from because I can see normal data-bearing packets
arriving after the RST packets and with later sequence numbers. It is
probably some half-wit attempt by the ISP to limit my downloads.

Is it possible that by spoofing the IP address of the server you are
connected to that whoever is doing this is contravening the Computer
Misuse Act or some other legislation?
#3 James Taylor
February 21st, 2010 - 04:19 am ET
Tony wrote:

James Taylor wrote:

Can anyone help me by showing me how to form a complete iptables command
line to block the RST packets?

http://tuxtraining.com/2008/06/21/b...h-iptables

Thanks. That's a starting point for further research at least.

There's still quite a lot to understand about iptables before I can see
how much of that information is relevant to me. I was rather expecting a
single command line to do the trick. Something semantically equivalent
to "drop all RST packets from IP address range xxx.xxx.xxx.xxx/24".

I suspect that eventually, I'll have to knuckle down and read the entire
documentation of iptables to master it myself, but it would be such a
huge help to me right now if an expert could give me a head start with a
specific command line.

If whoever is doing it, is doing it 'right' though, then you're in trouble
because they'll be sending RSTs to both ends of the connection, as far as
I understand it.

Yes, you'd expect them to send RSTs to both ends, but they seem to be
sending them only to my end because I can see plenty of normal data
packets arriving from the other end with later TCP sequence numbers than
are in the spoofed RSTs.

What I find strange is why they are resetting the connections rather than
just bandwidth throttling. Resets are destructive and force the user to
restart the download repeatedly until they manage to download it all. I
can continue incomplete downloads from where they left off, but this
often causes data corruption. I cannot check whether the download is
complete *and* uncorrupted until it has finished after many stops and
starts, and when I find that it is indeed corrupted I then have to
restart the whole download all over again, typically 3 or 4 times. All
this actually *adds* to the ISP's bandwidth burden whereas, if they
simply limited the download rate, they would get the intended result of
bandwidth reduction without severely inconveniencing their users.

James Taylor
#4 James Taylor
February 21st, 2010 - 04:24 am ET
Graham Murray wrote:

James Taylor writes:

I have discovered what I believe to be spoofed TCP reset packets being
injected into the stream to kill some large downloads I am trying to
make. I know the RST packets didn't come from the server I am
downloading from because I can see normal data-bearing packets
arriving after the RST packets and with later sequence numbers. It is
probably some half-wit attempt by the ISP to limit my downloads.

Is it possible that by spoofing the IP address of the server you are
connected to that whoever is doing this is contravening the Computer
Misuse Act or some other legislation?

I wish I knew enough about the law on this kind of thing because it is
appealing to think that I could throw the book at them. However, I
suspect that the ISP are within their rights to manage and balance data
flow across their network in line with the goal of providing reasonable
service to all users. To that end I could accept a degree of bandwidth
throttling. What I object to is having connections terminated entirely.

James Taylor
#5 Tony
February 21st, 2010 - 04:53 am ET
In uk.comp.os.linux, James Taylor wrote:

Tony wrote:

James Taylor wrote:

Can anyone help me by showing me how to form a complete iptables command
line to block the RST packets?

http://tuxtraining.com/2008/06/21/b...h-iptables

Thanks. That's a starting point for further research at least.

There's still quite a lot to understand about iptables before I can see
how much of that information is relevant to me. I was rather expecting a
single command line to do the trick. Something semantically equivalent
to "drop all RST packets from IP address range xxx.xxx.xxx.xxx/24".

<iptables command> -p tcp --dport 36745 --tcp-flags RST RST -j DROP;

What I'm not 100% sure about is whether it's an iptables -A INPUT, or
iptables -I FORWARD, I've seen various options and without going and
checking the manual myself, I'm not sure which to use. But that's the only
command you need (where 36745 is the port you're doing the transfer over)

Tony Evans
Saving trees and wasting electrons since 1993
blog -> http://perceptionistruth.com/
books -> http://www.bookthing.co.uk/
[ anything below this line wasn't written by me ]
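The complete command line James asked for, written out as a small script with the checks a practitioner would run around it. This is an added example, not code from the thread or from the tuxtraining page; it assumes iptables is installed (root is needed only to apply the rule), and 192.0.2.0/24, port 36745 and eth0 are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): drop TCP RST packets arriving from a given
# source range, so injected resets never reach the local TCP stack.
# Assumes iptables; root only for apply_rst_drop. Sample values are constructed.

# rst_drop_rule CHAIN SRC_CIDR [LOCAL_PORT]  -> prints the rule
# "--tcp-flags RST RST": of the flags examined (RST), RST must be set; ACK etc. are
# ignored, so a RST/ACK is matched too. INPUT protects this host; FORWARD is for a
# router protecting hosts behind it.
rst_drop_rule() {
    chain=$1 src=$2 port=$3
    case "$chain" in
        INPUT|FORWARD) ;;
        *) echo "chain must be INPUT or FORWARD" >&2; return 1 ;;
    esac
    case "$src" in
        */*) ;;
        *) echo "source must be a CIDR range such as 192.0.2.0/24" >&2; return 1 ;;
    esac
    rule="iptables -A $chain -s $src -p tcp"
    # Narrow to the transfer's local port when known; otherwise every genuine RST from
    # the range is dropped too and those connections hang until the application times out.
    if [ -n "$port" ]; then rule="$rule --dport $port"; fi
    echo "$rule --tcp-flags RST RST -j DROP"
}

# rst_capture_filter SRC_CIDR -> tcpdump expression to watch RSTs from the range,
# before the rule (are they arriving?) and after (does the rule's counter grow?).
rst_capture_filter() {
    echo "src net $1 and tcp[tcpflags] & tcp-rst != 0"
}

# apply_rst_drop CHAIN SRC_CIDR [LOCAL_PORT]: install the rule and show the chain with
# packet counters. Rules are not persistent across reboots; save them with your
# distribution's iptables-save mechanism. If the injector also resets the server's end,
# the server closes the connection anyway and no client-side rule helps.
apply_rst_drop() {
    rule=$(rst_drop_rule "$@") || return 1
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply: $rule" >&2; return 1; }
    $rule && iptables -L "$1" -v -n --line-numbers
}

# Example (constructed values): as root, drop RSTs from 192.0.2.0/24 aimed at local
# port 36745, then watch for any that still arrive with:
#   tcpdump -n -i eth0 "$(rst_capture_filter 192.0.2.0/24)"
# apply_rst_drop INPUT 192.0.2.0/24 36745
```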