using iptables to prevent RST related to a specific port

Problem :

I have a program which uses libpcap to capture incoming TCP SYN packets; these SYN packets are destined for a specific port.

But I have no TCP listening socket for that port, so in practice the OS kernel (is it the kernel or the TCP stack? I'm not sure, can anyone tell me) will issue an RST to the source IP of the TCP SYN.

Now I want to prevent the RST; I don't want the RST to be sent to the source IP. I think maybe iptables can do this?
So how do I set the rules with iptables to prevent these RSTs (which are triggered by incoming TCP SYNs for a specific port)?

If there are other better solutions, that's better!
Thanks!

Solution :

A rather basic inbound blocking setup is this:

# Set default policy to 'drop everything'
iptables -P INPUT DROP
# Allow lo traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow icmp
iptables -A INPUT -p icmp -j ACCEPT
# Allow packets sent in response to an outgoing connection
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow outgoing connections
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

This should drop all attempts to establish a connection to your host.

If you want to be more specific, try adding one of these:

# Block request from being handled further by the TCP stack
iptables -A INPUT -p tcp --dport <port> -j DROP
# Send an ICMP 'administratively prohibited' response (without --reject-with, REJECT sends port-unreachable for TCP)
iptables -A INPUT -p tcp --dport <port> -j REJECT --reject-with icmp-admin-prohibited
# Don't send any RESETs upon a request to this port
iptables -A OUTPUT -p tcp -o <outgoing interface> --sport <port> --tcp-flags RST RST -j DROP
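A small script around the port-specific rules above, added here as an example and not part of the original answer. PORT, IFACE and the tcpdump check are assumptions; the functions only build the rule text, and apply_rules (which needs root) is not called unless you invoke it.

```sh
#!/bin/sh
# Added example: build, apply idempotently, and verify the rules that stop the
# kernel from answering SYNs to a port we sniff with libpcap but do not listen on.

PORT="${PORT:-8888}"     # assumed: the port the libpcap program watches
IFACE="${IFACE:-eth0}"   # assumed: the interface an RST would leave on

# Option 1: discard the SYN before the TCP stack sees it, so no RST is generated.
# Capture is unaffected: libpcap (AF_PACKET) gets its copy of the frame before
# netfilter INPUT runs, which is why tcpdump still shows packets iptables drops.
syn_drop_rule() {
    printf '%s\n' "INPUT -p tcp --dport $1 --syn -j DROP"
}

# Option 2: let the stack see the SYN but discard the RST it answers with.
# Only RST-flagged segments from the port are matched, nothing else on that port.
rst_drop_rule() {
    printf '%s\n' "OUTPUT -o $2 -p tcp --sport $1 --tcp-flags RST RST -j DROP"
}

# Append a rule only if it is not already present: -C checks, -A appends.
# Re-running the script therefore never stacks duplicate rules.
ensure_rule() {
    # shellcheck disable=SC2086  # word splitting of the rule text is intended
    iptables -C $1 2>/dev/null || iptables -A $1
}

apply_rules() {
    ensure_rule "$(syn_drop_rule "$PORT")"
    ensure_rule "$(rst_drop_rule "$PORT" "$IFACE")"
}

# Verification: AF_PACKET taps outgoing frames after netfilter OUTPUT, so if the
# rules work, this capture of RSTs from the port must stay silent while a peer
# sends SYNs to it.
verify_cmd() {
    printf '%s\n' "tcpdump -ni $2 'tcp src port $1 and tcp[tcpflags] & tcp-rst != 0'"
}
```

Run `apply_rules` as root, then run the command printed by `verify_cmd "$PORT" "$IFACE"` while a client connects to the port.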
