Linux-based packet filtering firewalls (2)

Source: Internet
Author: User
Tags ack bit set end connection reset client firewall linux

2nd chapter, using User Space command iptables implement packet filtering

2.1 Related knowledge of TCP/IP

2.1.1 Establish a TCP connection (implemented with 3 handshake)

If server A and client B communicate.

(1) b->; A. When b wants to communicate with a, B first sends a SYN-tagged packet to a, telling a to request a connection. There is no other way to establish a connection until a receives a SYN packet from B. Therefore, if your firewall discards all SYN packets destined for the extranet interface, you will not be able to allow any external host to establish the connection actively.

(2) b<-a. Then, when a is received, a confirmation packet (syn/ack) of the SYN package is sent back, indicating the confirmation of the first SYN package and continuing the handshake.

(3) b->; A. b after receiving the Syn/ack package, B sends a confirmation packet (ACK) informing the a connection that it has been established. At this point, the 3 handshake completes, and a TCP connection completes.

It should be noted that when the 3 handshake is complete and the connection is established, each packet of the TCP connection will have an ACK bit set. This is why connection tracking is important, and without a connection trace, the firewall will not be able to determine whether the ACK packets received belong to an established connection.

2.1.2 End TCP Connection (implemented with 4 handshake)

If server A and client B communicate. Note that because the TCP connection is a two-way connection, closing the connection needs to be done in two directions.

(1) b->; A. When B is to end communication with a, B first sends a FIN-tagged packet to a, telling a to request that the connection be terminated. The FIN packet always has an ACK mark because the connection has not been closed. A package that has no ACK tag and only a fin tag is not a valid package and is often considered malicious.

(2) b<-a. A sends an ACK packet to B, indicating the successful suspension of b->; A transmission channel. But a->; b There may be data packets that need to be sent, so a->; The B transmission channel continues to flow until the transmission is completed before entering the next step.

(3) B<-a. When a completes the b<-a transmission, it sends out the Ack/fin package.

(4) b->; A. b send an ACK packet to a for confirmation.

2.1.3 Send connection Reset packet end TCP connection

4-time handshake is not the only way to end a TCP connection. Sometimes, if the host needs to close the connection as soon as possible (or if the connection times out, the port or host is unreachable), the RST packet will be sent. Note that since the RST package is not part of the TCP connection, you can send only the RST packet (that is, without an ACK tag). However, in a normal TCP connection, the RST packet can be marked with an ACK acknowledgement. Note that the RST package is not deceptions to confirm.

2.1.4 Invalid TCP token

At this point, you have seen the Syn, ACK, FIN, and rst markings. In addition, there are PSH and Urg tags.

The most common illegal combination is the Syn/fin package. Note that because the SYN packet is used to initialize the connection, it cannot appear with the fin and the RST tag, which is also a malicious attack.

When there are other combinations (such as SYN/FIN/PSH, Syn/fin/rst, SYN/FIN/RST/PSH) in the network, it is clear that the network is definitely under attack.



Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.