xt-rawcookie.4
.\" Automatically generated by Pandoc 1.17.2
.\"
.TH "RAWCOOKIE" "4" "" "1.0.2+3~4.19.0\-0.bpo.16" ""
.hy
.SH RAWCOOKIE
.PP
RAWCOOKIE is a SYNPROXY module extension which moves the initial SYN+ACK
exchange into lower levels of the kernel.
It replaces the original \f[C]\-j\ CT\ \-\-notrack\f[] rule in iptables with
the RAWCOOKIE target.
.SS Example
.PP
Original rules with SYNPROXY module:
.IP
.nf
\f[C]
iptables\ \-t\ raw\ \-A\ PREROUTING\ \-i\ tge22\ \-p\ tcp\ \-m\ tcp\ \-\-syn\ \-\-dport\ 80\ \-j\ CT\ \-\-notrack
iptables\ \-A\ INPUT\ \-i\ tge22\ \-p\ tcp\ \-m\ tcp\ \-\-dport\ 80\ \-m\ state\ \-\-state\ INVALID,UNTRACKED\ \-j\ SYNPROXY\ \-\-sack\-perm\ \-\-timestamp\ \-\-wscale\ 7\ \-\-mss\ 1460
iptables\ \-A\ INPUT\ \-i\ tge22\ \-p\ tcp\ \-m\ tcp\ \-\-dport\ 80\ \-m\ state\ \-\-state\ INVALID\ \-j\ DROP
\f[]
.fi
.PP
Must be replaced with:
.IP
.nf
\f[C]
iptables\ \-t\ raw\ \-A\ PREROUTING\ \-i\ tge22\ \-p\ tcp\ \-m\ tcp\ \-\-syn\ \-\-dport\ 80\ \-j\ RAWCOOKIE\ \-\-sack\-perm\ \-\-timestamp\ \-\-wscale\ 7\ \-\-mss\ 1460\ \-\-senddirect
iptables\ \-A\ INPUT\ \-i\ tge22\ \-p\ tcp\ \-m\ tcp\ \-\-dport\ 80\ \-m\ state\ \-\-state\ INVALID,UNTRACKED\ \-j\ SYNPROXY\ \-\-sack\-perm\ \-\-timestamp\ \-\-wscale\ 7\ \-\-mss\ 1460
iptables\ \-A\ INPUT\ \-i\ tge22\ \-p\ tcp\ \-m\ tcp\ \-\-dport\ 80\ \-m\ state\ \-\-state\ INVALID\ \-j\ DROP
\f[]
.fi
.SS Direct mode
.PP
The RAWCOOKIE module supports a special mode for sending the initial SYN+ACK
packet in which the packet bypasses the Linux routing system.
The SYN+ACK packet is sent directly to the MAC address (the address of
the router) from which the original SYN packet was received.
Direct mode can be enabled via the \f[C]\-\-senddirect\f[] option.
.PP
When it is necessary to override the destination MAC address, the
\f[C]\-\-txmac\f[] option does so:
.PP
\f[C]\-\-txmac\ 4c:ae:a3:6a:80:bc\f[]
.RS
.PP
NOTE: Please do not set the \f[C]\-\-txmac\f[] option if you are not sure
how this option works.
By setting an invalid or non\-existent MAC address you might flood packets to
all ethernet ports of the switch the server is connected to!
.RE
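.PP
The following shell script is an added example and is not part of the xt_RAWCOOKIE project. It generates the three\-rule RAWCOOKIE/SYNPROXY set from the Example section for a caller\-supplied interface, port and TCP option values, prints the commands instead of executing them so they can be reviewed before use, validates the format of an optional \f[C]\-\-txmac\f[] value before it is added to the rule (the man page warns about the effect of an invalid address), and checks an existing rule listing for drift between the \f[C]\-\-wscale\f[]/\f[C]\-\-mss\f[] values on the RAWCOOKIE and SYNPROXY rules. The Example keeps those values identical; that they are meant to stay identical is an assumption of this check, as are the function names.

```sh
#!/bin/sh
# Added example, not code from the xt_RAWCOOKIE project.
# Assumptions: rule layout follows the man page's Example section; the
# --wscale/--mss values on the RAWCOOKIE and SYNPROXY rules should match.

# is_mac ADDR: succeeds only if ADDR is six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# rawcookie_rules IFACE PORT MSS WSCALE [TXMAC]: print the iptables commands
# (nothing is executed). Fails without printing if TXMAC is malformed.
rawcookie_rules() {
    iface=$1; port=$2; mss=$3; wscale=$4; txmac=$5
    opts="--sack-perm --timestamp --wscale $wscale --mss $mss"
    txopt=""
    if [ -n "$txmac" ]; then
        is_mac "$txmac" || { echo "invalid --txmac: $txmac" >&2; return 1; }
        txopt=" --txmac $txmac"
    fi
    # raw table: answer the SYN below the routing stack, do not track it
    printf 'iptables -t raw -A PREROUTING -i %s -p tcp -m tcp --syn --dport %s -j RAWCOOKIE %s --senddirect%s\n' \
        "$iface" "$port" "$opts" "$txopt"
    # filter table: SYNPROXY validates the cookie in the returning ACK
    printf 'iptables -A INPUT -i %s -p tcp -m tcp --dport %s -m state --state INVALID,UNTRACKED -j SYNPROXY %s\n' \
        "$iface" "$port" "$opts"
    # anything still INVALID after SYNPROXY is dropped
    printf 'iptables -A INPUT -i %s -p tcp -m tcp --dport %s -m state --state INVALID -j DROP\n' \
        "$iface" "$port"
}

# same_tcp_options RULES: succeeds if the RAWCOOKIE and SYNPROXY rules in the
# given listing carry the same --wscale and --mss values.
same_tcp_options() {
    a=$(printf '%s\n' "$1" | grep -- '-j RAWCOOKIE' | sed -E 's/.*--wscale ([0-9]+) --mss ([0-9]+).*/\1 \2/')
    b=$(printf '%s\n' "$1" | grep -- '-j SYNPROXY'  | sed -E 's/.*--wscale ([0-9]+) --mss ([0-9]+).*/\1 \2/')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample run: the interface and port from the man page's Example.
rawcookie_rules tge22 80 1460 7
```

Pipe the output into a shell, or into \f[C]iptables\-restore\f[] after conversion, only after reading it; \f[C]same_tcp_options "$(iptables\-save)"\f[] can be run periodically to catch a later edit that changed one rule but not the other.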
.SS Build from sources
.IP
.nf
\f[C]
#\ git\ clone\ https://github.com/netx\-as/xt_RAWCOOKIE.git
#\ cd\ xt_RAWCOOKIE
#\ make
#\ make\ install
\f[]
.fi
.RS
.PP
It is required to have kernel and iptables sources installed.
.RE
.SS Build debian package
.PP
Make sure you have build\-essential installed.
.IP
.nf
\f[C]
dpkg\-buildpackage\ \-b\ \-us\ \-uc
\f[]
.fi
.PP
On failure, install source dependencies.
.SS Sources
.PP
For sources please visit: https://github.com/netx\-as/xt_RAWCOOKIE
.SS Licence
.PP
The RAWCOOKIE module is based on the Linux SYNCOOKIE module and is provided
under the same license as the SYNCOOKIE module.