#317 stateless filtering with --syn

I'd like to test for TCP flags in a firewall rule. I always *disable* connection tracking and filter based on TCP flags.

So, three things I need:
1. Allow me to disable xt_conntrack kernel module
2. Allow me to do --syn on outbound rules and ! --syn on inbound rules with the service as the source
3. A service can also be a source

Or better yet, combine the last two into the default for stateless filtering for iptables. I don't want anybody with a service source port like 22 (possible!) to connect to all of my services, but I don't want to keep state in my ipv6 firewall.


  • Vadim Kurland - 2013-01-20

    You can generate a "--syn" match using a Custom Service object.

    Also turn on the "stateless rule" checkbox in the rule options dialog to remove the state match.

    I think this will get you what you are asking for, or close.

  • Vadim Kurland - 2013-01-20
    • assigned_to: nobody --> vkurland
  • Wilco Baan Hofman

    Actually, that won't work. I tried. The problem is that I can't do negative matching on TCP flags alone, and I'd need to define a separate service for the source port.

  • Vadim Kurland - 2013-01-20

    If I use a tcp service with flag S and mask S set and source port 22 in a rule, and also turn on negation in "Service", I get the following:

    $IPTABLES -N Cid44889X40140.0
    $IPTABLES -A INPUT -j Cid44889X40140.0
    $IPTABLES -A Cid44889X40140.0 -p tcp -m tcp --sport 22 --tcp-flags SYN SYN -j RETURN
    $IPTABLES -A Cid44889X40140.0 -j DROP

    Not quite "! --syn", but isn't it equivalent?

  • Wilco Baan Hofman

    This also negates the source port, and it's not quite ! --syn, because --syn is explicitly SYN enabled with RST, ACK and FIN disabled.

    So I need to positively match any packet that's not a completely new packet, but SYN/ACK is okay, and it still needs to match source port 22.

  • Vadim Kurland - 2013-01-20

    Right, I see what you mean.

    Unfortunately this is not so easy to do; it requires a lot of changes. See the latest announcement in the Open Forum.

  • Wilco Baan Hofman

    In iptables it's a matter of:

    ip6tables -A FORWARD -d 2001:db8:aaa::1 -p tcp --dport 22 -j ACCEPT
    ip6tables -A FORWARD -s 2001:db8:aaa::1 -p tcp --sport 22 ! --syn -j ACCEPT
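
An added example, not part of the ticket or of Firewall Builder's own code: a small Python model of the iptables "--tcp-flags MASK COMP" semantics, used to check the generated RETURN/DROP chain from the ticket against the "--sport 22 ! --syn" rule on a few constructed packets (port 22 and the flag sets are assumed sample values).

```python
# Added example (not from the ticket): model iptables TCP-flag matching to show
# why "--tcp-flags SYN SYN" plus whole-match negation differs from "! --syn".
SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"


def tcp_flags(mask, comp, flags):
    """iptables '--tcp-flags MASK COMP': of the bits in MASK, exactly COMP are set."""
    return (set(flags) & set(mask)) == set(comp)


def is_syn(flags):
    """iptables '--syn' is shorthand for '--tcp-flags SYN,RST,ACK,FIN SYN'."""
    return tcp_flags({SYN, RST, ACK, FIN}, {SYN}, flags)


def fwbuilder_chain(sport, flags):
    """The chain generated in the ticket: RETURN when sport 22 AND the SYN bit
    is set (other bits ignored), otherwise DROP.  Negation covers the whole
    (source port, flags) match, so non-22 traffic is dropped as well."""
    if sport == 22 and tcp_flags({SYN}, {SYN}, flags):
        return "RETURN"
    return "DROP"


def stateless_reply_rule(sport, flags):
    """The rule asked for: '--sport 22 ! --syn -j ACCEPT' (None = no match)."""
    if sport == 22 and not is_syn(flags):
        return "ACCEPT"
    return None


# Constructed sample packets: (description, source port, TCP flags set)
PACKETS = [
    ("new connection from port 22", 22, {SYN}),
    ("SYN/ACK reply from sshd", 22, {SYN, ACK}),
    ("data/ACK from sshd", 22, {ACK}),
    ("FIN/ACK from sshd", 22, {FIN, ACK}),
    ("ACK from some other port", 80, {ACK}),
]


def compare():
    """Verdict of the generated chain vs. the '! --syn' rule for each packet."""
    return {desc: (fwbuilder_chain(sp, fl), stateless_reply_rule(sp, fl))
            for desc, sp, fl in PACKETS}


if __name__ == "__main__":
    for desc, verdicts in compare().items():
        print(f"{desc:30} generated chain: {verdicts[0]:6}  ! --syn rule: {verdicts[1]}")
```

The generated chain RETURNs a fresh SYN from port 22 but DROPs the ACK and FIN/ACK segments of an established session, which is the opposite of what the "! --syn" rule does.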