-3

I'm using the following iptables rule:

iptables -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH,ACK -m length --length 52 -m state --state ESTABLISHED -j DROP

It does its job of blocking the unwanted packet from my server, but it also blocks things that it shouldn't.

Here are the packets captured with Wireshark:

unwanted packet: source=192.168.0.100    destination=192.168.0.111   TCP length=66   [TCP Retransmission] 62401→38111 [PSH, ACK] Seq=15 Ack=19 Win=65536 Len=12

needed packet: source=192.168.0.100  destination=192.168.0.111   TCP length=66   [TCP Retransmission] 62433→38111 [PSH, ACK] Seq=344 Ack=37855 Win=62825 Len=12

My question is: how do I modify the rule to allow the needed packet and block the unwanted one?

MadHatter
Adrian Nica
    Possible XY Problem (http://xyproblem.info) -- what is the actual problem? – fukawi2 Mar 03 '15 at 03:14
  • I need to block the 1st packet but allow the 2nd one. This is a world srv from a game; the first packet is a packet that calls the server to shut down, and the second one is a packet that opens a shop in game that doesn't work with the firewall rule on. – Adrian Nica Mar 03 '15 at 08:53

1 Answer

5

You can't do this at the firewall layer (well, you can - but it won't accomplish what you think it will, nor what you want). The second packet (which you desire) is part of the same TCP stream as the first packet (which you don't want), and TCP is a reliable delivery mechanism. That means that the OS knows if a packet in the middle of the stream has gone missing (by virtue of the sequence number in the header of each packet, see eg http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure for more information).

If you filter out a packet in the middle of a stream, the kernel will simply keep letting the other end know that a packet's missing, and the other end will keep retransmitting it (which behaviour you are already seeing, note the [TCP Retransmission] markers above). If you continue to block those retransmissions, the stream will become desynchronised, the connection will be dropped, and nothing in the stream will get processed.

You will have to do this at the application layer.

Edit: a comment exchange between the two of us (much of which has since been deleted) has made it clear that the question might not contain all the details it should. I recommend that you close this question - either accept my answer, or delete the whole question - and write a new one where you lay out in considerable detail what exactly happens now, how it happens, and what you want to achieve.

All I can say now, with some confidence, is that you cannot use iptables to cut out a single packet from the middle of a TCP stream and expect the rest of that stream to be correctly processed by the receiving application.

MadHatter
  • Well, let me explain another thing: that packet is used when the exe is injected, so in the first rule I want that packet to be blocked; if the main is not injected it has a different length, so it is ok to be dropped. The 2nd is the problem, which doesn't allow me to open the shop from the game unless I move, and when I move I change the length of the transmission so it will open. I understand what you explained to me; I lack knowledge in iptables, so that's why I was asking. I need to block the packet just one time per connection, then I can allow it *from login to the world*. – Adrian Nica Mar 03 '15 at 09:26
  • @AdrianNica I see you've written a new question, which is certainly clearer than this one, and I hope we can give you good answers to it. **But you still need to deal with this question**. Please either delete it (see link at the bottom of the question) or accept my answer (click the "tick" outline next to it). Otherwise this question will float around forever without an accepted answer, and that's messy. – MadHatter Mar 03 '15 at 10:27
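Added example (not code from the question, the answer, or iptables) covering both the rule in the question and the answer's argument. It parses the two Wireshark summaries, applies the rule's three matches to each, and then runs a small receive-side TCP model to show what the answer describes: once the length-52 segment is dropped, the application receives nothing past the hole, however many times the sender retransmits. Assumptions not stated on the page: Ethernet framing (14-byte header), so a 66-byte frame is an IP packet of total length 52, which is what `-m length` compares; option-less 20-byte IPv4 and TCP headers, so 52 bytes carry the 12-byte payload shown as Len=12; and that conntrack reports both connections as ESTABLISHED. `Receiver`, `STREAM` and `mk` are constructed for illustration.

```python
import re
from dataclasses import dataclass

ETHERNET_HEADER = 14  # assumed link-layer header; -m length sees the IP packet only

# The two summary lines from the question, transcribed as constructed input.
CAPTURE = """\
source=192.168.0.100 destination=192.168.0.111 TCP length=66 [TCP Retransmission] 62401→38111 [PSH, ACK] Seq=15 Ack=19 Win=65536 Len=12
source=192.168.0.100 destination=192.168.0.111 TCP length=66 [TCP Retransmission] 62433→38111 [PSH, ACK] Seq=344 Ack=37855 Win=62825 Len=12
"""

LINE_RE = re.compile(
    r"TCP length=(?P<frame>\d+).*?(?P<sport>\d+)\u2192(?P<dport>\d+)\s+"
    r"\[(?P<flags>[A-Z, ]+)\]\s+Seq=(?P<seq>\d+)\s+Ack=(?P<ack>\d+)\s+"
    r"Win=\d+\s+Len=(?P<len>\d+)"
)


@dataclass(frozen=True)
class Segment:
    sport: int
    dport: int
    flags: frozenset
    ip_len: int        # IP total length, the value -m length inspects
    seq: int
    payload_len: int


def parse_capture(text):
    """Turn Wireshark summary lines into Segment records."""
    segs = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            segs.append(Segment(
                sport=int(m["sport"]), dport=int(m["dport"]),
                flags=frozenset(f.strip() for f in m["flags"].split(",")),
                ip_len=int(m["frame"]) - ETHERNET_HEADER,
                seq=int(m["seq"]), payload_len=int(m["len"])))
    return segs


def rule_matches(seg, established=True):
    """The question's rule: --tcp-flags PSH,ACK PSH,ACK (of PSH and ACK, both
    set), -m length --length 52 (IP total length exactly 52), and
    --state ESTABLISHED (conntrack state, assumed true here)."""
    mask = frozenset({"PSH", "ACK"})
    return seg.flags & mask == mask and seg.ip_len == 52 and established


class Receiver:
    """Minimal in-order TCP receive side: delivers contiguous bytes to the
    application, parks out-of-order segments, and always ACKs rcv_nxt,
    the next byte it still needs (a duplicate ACK if nothing advanced)."""
    def __init__(self, rcv_nxt):
        self.rcv_nxt = rcv_nxt
        self.delivered = 0   # bytes handed to the application
        self.parked = {}     # seq -> payload_len, waiting for the hole to fill

    def receive(self, seg):
        if seg.seq == self.rcv_nxt:
            self.rcv_nxt += seg.payload_len
            self.delivered += seg.payload_len
            while self.rcv_nxt in self.parked:   # drain anything now contiguous
                n = self.parked.pop(self.rcv_nxt)
                self.rcv_nxt += n
                self.delivered += n
        elif seg.seq > self.rcv_nxt:
            self.parked[seg.seq] = seg.payload_len
        return self.rcv_nxt


def simulate(stream, first_seq, retransmits=3):
    """Push a sender's segments through the DROP rule into a Receiver, then let
    the sender retransmit its oldest unacknowledged segment, as the
    [TCP Retransmission] markers in the question show it doing."""
    rx = Receiver(first_seq)
    dropped = 0
    for seg in stream:
        if rule_matches(seg):
            dropped += 1
        else:
            rx.receive(seg)
    for _ in range(retransmits):
        unacked = [s for s in stream if s.seq >= rx.rcv_nxt]
        if not unacked:
            break
        oldest = min(unacked, key=lambda s: s.seq)
        if rule_matches(oldest):
            dropped += 1           # the retransmission meets the same fate
        else:
            rx.receive(oldest)
    return {"delivered": rx.delivered, "rcv_nxt": rx.rcv_nxt,
            "dropped": dropped, "parked": sum(rx.parked.values())}


def mk(seq, payload_len, flags=("PSH", "ACK")):
    """Constructed sender segment; 20+20 byte headers assumed."""
    return Segment(62401, 38111, frozenset(flags), 40 + payload_len, seq, payload_len)


# Constructed client stream: 14 bytes, then the 12-byte segment at Seq=15 the
# rule drops, then 30 more bytes the application would also like to see.
STREAM = [mk(1, 14), mk(15, 12), mk(27, 30)]

if __name__ == "__main__":
    for seg in parse_capture(CAPTURE):
        print(seg.sport, "->", seg.dport, "ip_len", seg.ip_len,
              "DROP" if rule_matches(seg) else "ACCEPT")
    print(simulate(STREAM, first_seq=1))
```

Both captured packets come out as DROP: every field the rule can see (flags, IP length, conntrack state) is identical, so no variation of `--tcp-flags` or `--length` separates them; only the ports and sequence numbers differ, and those change per connection. The simulation then shows the second half of the answer: the receiver parks the 30 bytes that follow the hole, keeps ACKing 15, and the application is handed 14 bytes and nothing more.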