This target will process the TCP three-way handshake in parallel, in netfilter
context, to protect either the local or a backend system. This target requires
connection tracking because sequence numbers need to be translated.
.PP
The kernel's ability to absorb SYNFLOOD was greatly improved starting with
Linux 4.4, so this target should not be needed anymore to protect Linux servers.
.TP
\fB\-\-mss\fP \fImaximum segment size\fP
Maximum segment size announced to clients. This must match the backend.
.TP
\fB\-\-wscale\fP \fIwindow scale\fP
Window scale announced to clients. This must match the backend.
.TP
\fB\-\-sack\-perm\fP
Pass the client's selective acknowledgement option to the backend (will be
disabled if not present).
.TP
\fB\-\-timestamps\fP
Pass the client's timestamp option to the backend (will be disabled if not
present; it is also needed for selective acknowledgement and window scaling).
.PP
Example:
.PP
Determine the TCP options used by the backend, from an external system
.IP
tcpdump -pni eth0 -c 1 'tcp[tcpflags] == (tcp-syn|tcp-ack)'
.br
 port 80 &
.br
telnet 192.0.2.42 80
.br
18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757:
.br
 Flags [S.], seq 360414582, ack 788841994, win 14480,
.br
 options [mss 1460,sackOK,
.br
 TS val 1409056151 ecr 9690221,
.br
 nop,wscale 9],
.br
 length 0
.PP
Switch tcp_loose mode off, so conntrack will mark out\-of\-flow
packets as state INVALID.
.IP
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
.PP
Make SYN packets untracked
.IP
iptables \-t raw \-A PREROUTING \-i eth0 \-p tcp \-\-dport 80
 \-\-syn \-j CT \-\-notrack
.PP
Catch the UNTRACKED (SYN packets) and INVALID (3WHS ACK packets) states
and send them to SYNPROXY. This rule will respond to SYN packets with
SYN+ACK syncookies, create ESTABLISHED for a valid client response (3WHS ACK
packets) and drop incorrect cookies. Flag combinations not expected
during the 3WHS will not match and continue (e.g. SYN+FIN, SYN+ACK).
.IP
iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80
 \-m state \-\-state UNTRACKED,INVALID \-j SYNPROXY
 \-\-sack\-perm \-\-timestamps \-\-mss 1460 \-\-wscale 9
.PP
Drop invalid packets; these will be out\-of\-flow packets that were not
matched by SYNPROXY.
.IP
iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80 \-m state \-\-state INVALID \-j DROP