路由器上 iptables 怎么匹配 TCP RST 包？

OpenWrt 是一个专门面向嵌入式设备的 Linux 发行版。你可以将 OpenWrt 支持的型号的嵌入式设备，比如各种路由器上的系统，换成一个有更多可能性可以折腾的 Linux 系统。

This topic created in 4091 days ago, the information mentioned may be changed or developed.

我试了

iptables -I FORWARD -p tcp --tcp-flags RST RST -j DROP

用 iptables -vL FORWARD 检查发现根本没有匹配，但根据 tcpdump 的结果，是有 RST 包通过的。弄不明白是哪里出了问题了？

12:05:38.763735 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [S], seq 705280096, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0 12:05:39.116945 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [S.], seq 2373532821, ack 705280097, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0 12:05:39.120185 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [.], ack 1, win 4380, length 0 12:05:39.125902 IP 192.168.1.147.57950 > 198.252.206.140.80: Flags [P.], seq 1:420, ack 1, win 4380, length 419 12:05:39.127969 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [R.], seq 1, ack 420, win 0, length 0 12:05:39.128106 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [R.], seq 1, ack 420, win 0, length 0 12:05:39.225220 IP 192.168.1.147.57951 > 83.145.197.2.80: Flags [S], seq 3277327128, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0 12:05:39.470248 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [.], ack 1, win 29, length 0 12:05:39.470394 IP 198.252.206.140.80 > 192.168.1.147.57950: Flags [.], ack 1, win 29, length 0 12:05:39.553312 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [S.], seq 3843338864, ack 3277327129, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 12:05:39.555322 IP 192.168.1.147.57951 > 83.145.197.2.80: Flags [.], ack 1,win 4380, length 0 12:05:39.555820 IP 192.168.1.147.57951 > 83.145.197.2.80: Flags [P.], seq 1:529, ack 1, win 4380, length 528 12:05:39.559195 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R.], seq 1, ack 529, win 0, length 0 12:05:39.559362 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R.], seq 1, ack 529, win 0, length 0 12:05:39.881566 IP 83.145.197.2.80 > 192.168.1.147.57951: Flags [R], seq 3843338865, win 0, length 0

flags

seq

ack

6 replies 2015-03-06 15:26:16 +08:00

futursolo

Mar 5, 2015

试试以下命令
iptables -I FORWARD -p tcp --tcp-flags SYN,FIN,RST,URG,PSH RST -j DROP
iptables -I INPUT -p tcp --tcp-flags SYN,FIN,RST,URG,PSH RST -j DROP

billlee

Mar 5, 2015

@futursolo 试过了，没有用。而且这样的匹配规则会漏掉 RST/ACK 包吧？

kttde

Mar 5, 2015

在链前面加上表，如下
iptables -t mangle -I FORWARD -p tcp --tcp-flags RST RST -j DROP

billlee

Mar 5, 2015

@kttde 正解！
能解释下 mangle 表是干什么用的吗？我一直以为涉及 DROP 这个操作的都要放在 filter 表

ryd994

Mar 6, 2015 via Android

@billlee 你filter FORWARD里有没有RELATED ACCEPT？
照理说不会这样，因为mangle接着就是filter。
方便的话贴贴规则

billlee

Mar 6, 2015

@ryd994 我是 -I 添加到最前面的，应该其它都不影响了啊

```
root@WNDR4300:~# iptables -vL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere tcp flags:RST/RST
48486 3101K delegate_forward all -- any any anywhere anywhere
root@WNDR4300:~# iptables -t mangle -vL FORWARD
Chain FORWARD (policy ACCEPT 2890K packets, 2549M bytes)
pkts bytes target prot opt in out source destination
12848 515K DROP tcp -- any any anywhere anywhere tcp flags:RST/RST
0 0 qos_Default all -- any eth0.2 anywhere anywhere
5745K 4824M mssfix all -- any any anywhere anywhere
```