Linux iptables - reject tcp SYN with RST

Question

I am doing an implementation on a linux machine to reject incoming telnet requests from wan side telnet port 8023. The functionality is achieved by using the below iptables rules. The first rule in NAT prerouting chain to DNAT incoming tcp frames from port 8023 to 23, and the second rule to reject these tcp frames on port 23 with tcp-reset

iptables -t nat -A PREROUTING -i wan+ -p tcp --dport 8023 -j DNAT --to-destination :23
iptables -A INPUT -i wan+ -p tcp --dport 23 -j REJECT --reject-with tcp-reset

The new session on the wan machine gets terminated after adding these rules.

[root@ROOT ~]# telnet 192.168.3.252 8023
Trying 192.168.3.252...
Connected to 192.168.3.252.
Escape character is '^]'.
Connection closed by foreign host.

However, on seeing wireshark capture of the entire transaction from the wan machine, the following sequence has been observed.

TCP sequence:
SYN -->
    <-- SYN/ACK
ACK -->
    <-- RST

The wireshark capture has been attached too. Wireshark capture of telnet frames

Can we send RST for the first SYN request by rule in iptables as below?

TCP sequence:
SYN -->
    <-- RST

Could some one help in this regard... Thanks in advance.

Why do you need PREROUTING then? You should just drop this packet instead NAT it to another port. — Navern, Aug 23 '14 at 23:04

Ian Macintosh · Answer 1 · 2014-08-22T13:51:47.417

Interesting.

I just tested that and on my system it works as you expect it to. I tested it with port 25 on my local server which isn't in high use:

iptables-save
# Generated by iptables-save v1.4.12 on Fri Aug 22 14:34:49 2014
*nat
:PREROUTING ACCEPT [12:1729]
:INPUT ACCEPT [12:1729]
:OUTPUT ACCEPT [110:7484]
:POSTROUTING ACCEPT [110:7484]
-A PREROUTING -p tcp -m tcp --dport 225 -j DNAT --to-destination :25
COMMIT
# Completed on Fri Aug 22 14:34:49 2014
# Generated by iptables-save v1.4.12 on Fri Aug 22 14:34:49 2014
*filter
:INPUT ACCEPT [888:1187686]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [883:134630]
-A INPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Fri Aug 22 14:34:49 2014

telnet XXX.XXX.XXX.XXX 225
Trying XXX.XXX.XXX.XXX...
telnet: Unable to connect to remote host: Connection refused

I don't get the connection established, and then the reset like you do.

I'm using Linux 3.2.0-67 & iptables v1.4.12

tcpdump -vvvv tcp port 225
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:48:29.178049 IP (tos 0x10, ttl 64, id 50487, offset 0, flags [DF], proto TCP (6), length 60)
    xx.39444 > xxxxx.225: Flags [S], cksum 0x2c0d (correct), seq 47731887, win 14600, options [mss 1460,sackOK,TS val 665686424 ecr 0,nop,wscale 5], length 0
14:48:29.178089 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    xxxxx.225 > xx.39444: Flags [R.], cksum 0x3745 (incorrect -> 0x8628), seq 0, ack 47731888, win 0, length 0

I use iptables v1.4.8, do we have limitation in this version?? — UserM, Aug 26 '14 at 06:32

Linux iptables - reject tcp SYN with RST

1 Answers1