Reputation: 49
I want to drop incoming traffic on my Linux host based on the TCP option field, for example TCP option 30 (Multipath TCP). If a packet contains the Multipath TCP notation or option field 30, then my Linux host needs to drop the connection or packet.
My setup is host 1 <-> host 2 <-> host 3. Host 1 sends packets via host 2 to host 3. Host 2 has two interfaces, eth0 and eth1. eth0 connects to host 1 and eth1 connects to host 3. When incoming eth0 packets contain option field 30, I just want to cancel the connection or drop the packets.
I tried the iptables string match, but it didn't work. The command is:
sudo iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -m string --string "Multipath TCP" --algo bm
But the above rule does not stop Multipath TCP from sending and receiving via host 2's eth0 and eth1; host 2 is not able to drop the Multipath TCP (option field 30) traffic. Is it possible to drop a specific TCP packet based on the option field?
Upvotes: 0
Views: 936
Reputation: 631
First, you need to add the rule in the FORWARD chain on host2 (the reason is that the packets are not targeted at host2 and will not hit the INPUT chain).
There is an option available in iptables to match the TCP options. Please try the following iptables command:
iptables -I FORWARD -p tcp --tcp-option 30 -j DROP
Upvotes: 0
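The answer above works because iptables' `--tcp-option` looks at the option *kind* byte in the TCP header, whereas `-m string` scans the packet bytes for a literal ASCII pattern, and a Multipath TCP segment never carries the text "Multipath TCP" anywhere. The following added example (not part of the question or answer, and not iptables' own code) makes that concrete: it builds two constructed TCP SYN headers, one carrying an MP_CAPABLE option (kind 30, laid out as in the RFC 6824 SYN format with a sender key) and one with only ordinary MSS/NOP/timestamp options, then walks the option list the way a kind-based matcher does. Function names, port numbers and the key value are assumptions made for the example.

```python
import struct

MPTCP_OPTION_KIND = 30  # TCP option kind assigned to Multipath TCP


def parse_tcp_options(segment: bytes) -> list[tuple[int, bytes]]:
    """Return (kind, data) for every option in the TCP header of `segment`.

    `segment` starts at the TCP header (no IP header in front of it).
    Kind 0 (EOL) ends the list and kind 1 (NOP) has no length byte; any
    malformed length stops parsing rather than reading out of bounds.
    """
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4  # header length incl. options
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    opts = segment[20:data_offset]
    result, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # EOL: nothing more to read
            break
        if kind == 1:            # NOP: single-byte padding
            result.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):   # kind byte present but length byte missing
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                # bogus length: refuse to walk past the header
        result.append((kind, opts[i + 2:i + length]))
        i += length
    return result


def option_kinds(segment: bytes) -> list[int]:
    """Just the option kind numbers, in header order."""
    return [kind for kind, _ in parse_tcp_options(segment)]


def has_tcp_option(segment: bytes, kind: int) -> bool:
    """What `iptables -p tcp --tcp-option <kind>` decides for this segment."""
    return kind in option_kinds(segment)


def build_tcp_header(sport: int, dport: int, flags: int, options: list[bytes]) -> bytes:
    """Assemble a TCP header (seq/ack/checksum left zero) with padded options."""
    opts = b"".join(options)
    opts += b"\x00" * ((-len(opts)) % 4)  # pad to a 32-bit boundary with EOL
    data_offset = 5 + len(opts) // 4      # in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                        data_offset << 4, flags, 65535, 0, 0)
    return fixed + opts


# Option encoders (kind, length, data) as laid out on the wire.
def opt_mss(mss: int) -> bytes:
    return struct.pack("!BBH", 2, 4, mss)

def opt_sack_permitted() -> bytes:
    return b"\x04\x02"

def opt_nop() -> bytes:
    return b"\x01"

def opt_timestamps(tsval: int, tsecr: int) -> bytes:
    return struct.pack("!BBII", 8, 10, tsval, tsecr)

def opt_mp_capable(sender_key: int) -> bytes:
    # Kind 30, length 12: subtype 0 (MP_CAPABLE) in the high nibble, version 0,
    # flag byte 0x81 (checksum required + HMAC-SHA1), then the 64-bit sender key.
    return struct.pack("!BBBBQ", MPTCP_OPTION_KIND, 12, 0x00, 0x81, sender_key)


SYN = 0x02
# Constructed sample segments, not captured traffic.
SYN_MPTCP = build_tcp_header(40000, 80, SYN,
                             [opt_mss(1460), opt_sack_permitted(),
                              opt_mp_capable(0x1122334455667788)])
SYN_PLAIN = build_tcp_header(40001, 80, SYN,
                             [opt_mss(1460), opt_nop(), opt_nop(),
                              opt_timestamps(1, 0)])


def string_match_would_hit(segment: bytes) -> bool:
    """What the question's `-m string --string "Multipath TCP"` rule tests."""
    return b"Multipath TCP" in segment


if __name__ == "__main__":
    for name, seg in (("MPTCP SYN", SYN_MPTCP), ("plain SYN", SYN_PLAIN)):
        print(name, "kinds", option_kinds(seg),
              "--tcp-option 30:", has_tcp_option(seg, MPTCP_OPTION_KIND),
              "string match:", string_match_would_hit(seg))
```

Running it prints option kinds `[2, 4, 30]` for the MPTCP SYN and `[2, 1, 1, 8]` for the plain one; only the first is matched by a kind-30 check, and the string match hits neither, which is why the original INPUT rule could never have dropped anything even if the packets had reached that chain.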