Chapter 2: Implementing packet filtering with the user-space iptables command
2.1 TCP/IP background
2.1.1 Establishing a TCP connection (the three-way handshake)
Suppose server A and client B want to communicate.
(1) B -> A. When B wants to communicate with A, B first sends a packet with the SYN flag set to A, asking A for a connection. There is no other way to establish a connection: nothing happens until A receives a SYN packet from B. Therefore, if your firewall drops all SYN packets arriving on the external interface, no external host will be able to initiate a connection.
(2) B <- A. After A receives the SYN, it replies with a SYN/ACK packet, which acknowledges the first SYN and continues the handshake.
(3) B -> A. After receiving the SYN/ACK, B sends an acknowledgement packet (ACK) telling A that the connection is established. At this point the three-way handshake is complete and the TCP connection is set up.
Note that once the three-way handshake is complete and the connection is established, every packet of the TCP connection has the ACK bit set. This is why connection tracking matters: without it, the firewall cannot tell whether an ACK packet it receives belongs to an established connection.
2.1.2 Closing a TCP connection (the four-way handshake)
Suppose server A and client B are communicating. Note that because a TCP connection is bidirectional, it has to be closed in both directions.
(1) B -> A. When B wants to end communication with A, B first sends a packet with the FIN flag set to A, asking A to terminate the connection. This FIN packet always also carries the ACK flag, because the connection is still open. A packet that carries only FIN without ACK is not valid and is usually considered malicious.
(2) B <- A. A sends an ACK packet to B, confirming that the B -> A channel has been shut down. However, A may still have data to send to B, so the A -> B channel keeps flowing until that transmission is complete, and only then does the next step begin.
(3) B <- A. When A has finished transmitting on the A -> B channel, it sends a FIN/ACK packet.
(4) B -> A. B sends an ACK packet to A to confirm it.
2.1.3 Ending a TCP connection with a reset (RST) packet
The four-way handshake is not the only way to end a TCP connection. Sometimes a host needs to close a connection as quickly as possible (or the connection times out, or the port or host is unreachable); in that case an RST packet is sent. Note that because the RST packet is not part of the normal flow of the TCP connection, it may be sent on its own, without the ACK flag. In an existing TCP connection, however, the RST packet may also carry the ACK flag. Note that an RST packet does not need to be acknowledged.
2.1.4 Invalid TCP flag combinations
So far you have seen the SYN, ACK, FIN and RST flags. TCP also has the PSH and URG flags.
The most common illegal combination is a SYN/FIN packet. Because SYN is used to initiate a connection, it can never legitimately appear together with FIN or RST; such a packet is a malicious attack.
When other combinations such as SYN/FIN/PSH, SYN/FIN/RST or SYN/FIN/RST/PSH appear on the network, it is clear that the network is under attack.
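The following rule set, added here as an example and not part of the original chapter, turns sections 2.1.1 and 2.1.4 into iptables rules: connection tracking accepts the ACK-carrying packets of known connections, the illegal SYN/FIN, SYN/RST and lone-FIN combinations are dropped, and new connections arriving on the external interface are refused. The interface name eth0 and the dry-run convention (passing "echo" instead of the iptables binary) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original chapter). Assumptions: the
# Internet-facing interface is eth0, and the first argument names the
# iptables binary; pass "echo" to print the rules instead of loading them.

tcp_filter_rules() {
    IPT="$1"   # iptables binary, or "echo" for a dry run
    EXT="$2"   # external (Internet-facing) interface

    # 2.1.1: after the handshake every packet carries ACK, so only
    # conntrack can say whether an ACK packet belongs to a live connection.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # A packet conntrack has never seen that is not a SYN cannot be the
    # start of a connection; an ACK without state is dropped here.
    "$IPT" -A INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

    # 2.1.4: SYN may never travel with FIN or RST.
    "$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    # 2.1.2: a FIN without ACK is not part of a live connection.
    "$IPT" -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP

    # 2.1.1: without SYN no connection can be set up, so dropping SYN on
    # the external interface stops outside hosts from initiating one.
    "$IPT" -A INPUT -i "$EXT" -p tcp --syn -j DROP
}

# Stand-alone run defaults to a dry run; set IPT=iptables (as root) to
# load the rules for real, and EXT_IF to your external interface.
tcp_filter_rules "${IPT:-echo}" "${EXT_IF:-eth0}"
```

Rule order matters: the conntrack ACCEPT comes first so that the SYN drop on the external interface blocks only new inbound connections, not the replies to connections the host opened itself.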