iptables allows new connections to be established without explicitly accepting the NEW state

Time: 2016-09-28 11:36:26

Tags: linux iptables tcpdump netfilter

When iptables is given a DROP default policy on the INPUT chain, the TCP handshake breaks at the second step: the server's SYN-ACK packet is dropped. For example:

[root@drft006 ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  drft001              anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

When initiating a connection to www.yahoo.com:

[root@drft006 ~]# curl 46.228.47.114

The following was captured by tcpdump:

[root@drft006 ~]# tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-ack|tcp-rst) != 0 and dst port 80 or src host 46.228.47.114' -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:15:46.783296 IP (tos 0x0, ttl 64, id 51106, offset 0, flags [DF], proto TCP (6), length 60)
    drft006.45744 > 46.228.47.114.http: Flags [S], cksum 0x2f53 (correct), seq 622966869, win 14600, options [mss 1460,sackOK,TS val 1195016183 ecr 0,nop,wscale 7], length 0
11:15:46.880769 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    46.228.47.114.http > drft006.45744: Flags [S.], cksum 0xfc66 (correct), seq 1096135183, ack 622966870, win 14480, options [mss 1460,sackOK,TS val 1072168965 ecr 1195016183,nop,wscale 8], length 0
11:15:47.783062 IP (tos 0x0, ttl 64, id 51107, offset 0, flags [DF], proto TCP (6), length 60)
    drft006.45744 > 46.228.47.114.http: Flags [S], cksum 0x2b6b (correct), seq 622966869, win 14600, options [mss 1460,sackOK,TS val 1195017183 ecr 0,nop,wscale 7], length 0
11:15:47.880535 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    46.228.47.114.http > drft006.45744: Flags [S.], cksum 0xf87e (correct), seq 1096135183, ack 622966870, win 14480, options [mss 1460,sackOK,TS val 1072169965 ecr 1195016183,nop,wscale 8], length 0

We can see that curl re-sends the SYN packet but does not get the SYN-ACK ([S.]) packet.

Now, if I add the following rule to iptables:

[root@drft006 ~]# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

[root@drft006 ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  drft001              anywhere            
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

the connection is established successfully:

[root@drft006 ~]# tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-ack|tcp-rst) != 0 and dst port 80 or src host 46.228.47.114' -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:28:07.563034 IP (tos 0x0, ttl 64, id 31908, offset 0, flags [DF], proto TCP (6), length 60)
    drft006.37720 > ir2.fp.vip.ir2.yahoo.com.http: Flags [S], cksum 0x5cb2 (correct), seq 3501371654, win 14600, options [mss 1460,sackOK,TS val 1195756962 ecr 0,nop,wscale 7], length 0
11:28:07.677086 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    ir2.fp.vip.ir2.yahoo.com.http > drft006.37720: Flags [S.], cksum 0x6a6c (correct), seq 2796538490, ack 3501371655, win 14480, options [mss 1460,sackOK,TS val 1072906638 ecr 1195756962,nop,wscale 8], length 0
11:28:07.677139 IP (tos 0x0, ttl 64, id 31909, offset 0, flags [DF], proto TCP (6), length 52)
    drft006.37720 > ir2.fp.vip.ir2.yahoo.com.http: Flags [.], cksum 0xd0e3 (correct), ack 1, win 115, options [nop,nop,TS val 1195757077 ecr 1072906638], length 0
11:28:07.677259 IP (tos 0x0, ttl 64, id 31910, offset 0, flags [DF], proto TCP (6), length 226)
    drft006.37720 > ir2.fp.vip.ir2.yahoo.com.http: Flags [P.], cksum 0x88d0 (incorrect -> 0x4375), seq 1:175, ack 1, win 115, options [nop,nop,TS val 1195757077 ecr 1072906638], length 174
11:28:07.790475 IP (tos 0x0, ttl 50, id 34939, offset 0, flags [DF], proto TCP (6), length 52)

I would like to know why this rule allows a new connection to be established.

The iptables manual says:

    Table 10. Connection tracking states

    ESTABLISHED    The connection has seen packets in both directions.

But the connection in my example should not have seen packets in both directions, only in one direction, drft006 -> yahoo; the yahoo -> drft006 direction should be blocked by the default DROP policy.

What am I missing?

0 answers
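Added illustration, not part of the original question and not an answer posted to it: a small Python model of netfilter connection tracking and the INPUT chain. Two facts about conntrack are enough to explain the capture. First, the OUTPUT chain (policy ACCEPT) lets the outbound SYN through, and conntrack records that flow. Second, a packet travelling in the reply direction of a recorded flow is classified ESTABLISHED from the very first reply, which is the SYN-ACK; the manual's "seen packets in both directions" is satisfied by the reply packet that is being classified. It also helps to know that tcpdump taps the interface before the INPUT hook, so the [S.] lines in the first capture are SYN-ACKs that did reach drft006 and were then dropped by the policy; what that capture lacks is the third-step [.] ACK from drft006. The client address 10.0.0.6, the peer 203.0.113.9, the port numbers and the packets below are constructed for the example.

```python
# Toy model of netfilter connection tracking and the INPUT chain, written for
# this page to show why "-m state --state ESTABLISHED" on INPUT admits the
# SYN-ACK of a connection the host itself opened. It is not kernel code: the
# addresses, ports and packets are constructed for the example, and the TCP
# sequence/window checks that real conntrack performs are left out.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump notation: "S" SYN, "S." SYN-ACK, "." ACK


class Conntrack:
    """Flows are keyed by the 5-tuple of their ORIGINAL direction.

    ctstate as netfilter assigns it:
      NEW         packet in the original direction of a flow that has not
                  yet seen a reply (the first SYN, and any retransmit of it)
      ESTABLISHED any packet in the reply direction, starting with the very
                  first one (the SYN-ACK), and original-direction packets
                  once a reply has been seen
    A NEW entry is only kept ("confirmed") if the hook accepts the packet.
    """

    def __init__(self):
        self.flows = {}  # original 5-tuple -> seen_reply flag

    @staticmethod
    def _tuples(pkt):
        orig = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return orig, reply

    def classify(self, pkt):
        orig, reply = self._tuples(pkt)
        if reply in self.flows:
            return "ESTABLISHED"  # reply direction of a tracked flow
        if orig in self.flows and self.flows[orig]:
            return "ESTABLISHED"  # original direction after a reply was seen
        return "NEW"

    def confirm(self, pkt):
        """Called only when the chain accepted the packet."""
        orig, reply = self._tuples(pkt)
        if reply in self.flows:
            self.flows[reply] = True  # reply seen: flow is now two-way
        else:
            self.flows.setdefault(orig, False)


class Host:
    """OUTPUT policy ACCEPT; INPUT policy DROP plus one ACCEPT rule that
    matches the ctstates listed in input_accept_states."""

    def __init__(self, ip, input_accept_states):
        self.ip = ip
        self.accept = set(input_accept_states)
        self.ct = Conntrack()
        self.captured = []  # what tcpdump on this host would see

    def send(self, pkt):
        # OUTPUT chain: policy ACCEPT, so the entry is confirmed unconditionally.
        self.captured.append(pkt.flags)
        self.ct.confirm(pkt)
        return pkt

    def receive(self, pkt):
        # tcpdump taps the interface before netfilter's INPUT hook, so the
        # packet is captured whether or not INPUT drops it afterwards.
        self.captured.append(pkt.flags)
        state = self.ct.classify(pkt)
        accepted = state in self.accept  # no rule match -> chain policy DROP
        if accepted:
            self.ct.confirm(pkt)
        return state, accepted


def outbound_handshake(input_accept_states, client_ip="10.0.0.6",
                       server_ip="46.228.47.114"):
    """Client opens TCP/80 to server; reports what happened to the SYN-ACK."""
    client = Host(client_ip, input_accept_states)
    client.send(Packet(client_ip, 45744, server_ip, 80, "S"))
    # the server is unfiltered in this model and always answers the SYN
    state, accepted = client.receive(Packet(server_ip, 80, client_ip, 45744, "S."))
    if accepted:
        client.send(Packet(client_ip, 45744, server_ip, 80, "."))  # third step
    return {"synack_ctstate": state, "synack_accepted": accepted,
            "captured": client.captured}


def inbound_syn(input_accept_states, client_ip="10.0.0.6", peer_ip="203.0.113.9"):
    """A peer opens a connection TO the client: is the unsolicited SYN admitted?"""
    client = Host(client_ip, input_accept_states)
    return client.receive(Packet(peer_ip, 40000, client_ip, 22, "S"))


if __name__ == "__main__":
    print("policy DROP only:      ", outbound_handshake([]))
    print("ESTABLISHED accepted:  ", outbound_handshake(["ESTABLISHED"]))
    print("inbound SYN, same rule:", inbound_syn(["ESTABLISHED"]))
```

With no ACCEPT rule the SYN-ACK is classified ESTABLISHED but dropped, and the capture shows exactly the page's first trace: "S" followed by "S." and no third-step ACK. With the ESTABLISHED rule the same SYN-ACK is accepted and the handshake completes. An unsolicited inbound SYN is still NEW and still hits the DROP policy, which is why this rule does not open the host to connections initiated from outside. In practice the rule is written `-m state --state ESTABLISHED,RELATED -j ACCEPT` (or `-m conntrack --ctstate ESTABLISHED,RELATED`), and real conntrack additionally validates TCP sequence and window, marking stray segments INVALID rather than ESTABLISHED.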