REJECT patch

From kadlec@blackhole.kfki.hu Mon Sep 17 11:40:02 2001
Date: Tue, 18 Jan 2000 15:40:24 +0100 (CET)
From: Jozsef Kadlecsik 
To: Multiple recipients of list NETFILTER 
Subject: [PATCH] netfilter-0.1.16

Hello,

The attached patch against netfilter-0.1.16 adds the following new
features:

1. REJECT: different reject packets can be selected:

	- ICMP net, host, proto or port unreachable 
	  (just for the sake of completeness :-)
	- TCP RST for TCP
	- faked echo reply for echo request

# Examples:

# TCP keeps retransmitting, even when an ICMP error message is
# sent back. Reject with an appropriate TCP RST packet.
iptables -A INPUT -p tcp -d n.n.n.n --dport xx -j REJECT --with tcp-reset

# Answer the echo requests sent to a protected server.
iptables -A INPUT -p icmp -d n.n.n.n --icmp-type echo-request -j REJECT --with echo-reply

2. state: simple protection against SYN flooding

   After the server has sent the SYN-ACK, the ACK packet coming from the client
   can be faked, thus protecting the server against SYN flood attempts.

   I renamed the states a little bit, so that one can protect established
   and/or related established TCP sessions:

        original: INVALID              IP_CT_INVALID
                  NEW                  IP_CT_NEW
                  ESTABLISHED          IP_CT_ESTABLISHED,
                                       IP_CT_ESTABLISHED_SPECIFIES_RELATED
                  RELATED              IP_CT_RELATED

        in patch: INVALID              IP_CT_INVALID
                  NEW                  IP_CT_NEW
                  ESTABLISHED          IP_CT_ESTABLISHED
                  RELATED_NEW          IP_CT_RELATED
                  RELATED_ESTABLISHED  IP_CT_ESTABLISHED_SPECIFIES_RELATED
                  RELATED              IP_CT_RELATED,
                                       IP_CT_ESTABLISHED_SPECIFIES_RELATED

# Example:

# Protect the mail/web/etc server against SYN flooding
iptables -N state
iptables -A INPUT -p tcp -d n.n.n.n --dport xx -j state
iptables -A state -m state --state ESTABLISHED --fake-ack ESTABLISHED -j ACCEPT
iptables -A state -m state --state NEW -j ACCEPT
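
The three generated packets described in items 1 and 2 (the TCP RST sent by REJECT --with tcp-reset, the faked echo reply sent by REJECT --with echo-reply, and the client ACK faked by --fake-ack), shown as an added Python illustration. This is not the patch's own kernel code, which does the same thing in C inside netfilter; the function names, the 10.0.0.x addresses, ports and sequence numbers are constructed for the example, and nothing is sent on the wire, the packets are only built and checked as bytes.

```python
"""Constructed illustration (not the netfilter patch's C code) of the packets the
announcement describes: a RST rejecting a SYN, a faked echo reply, a faked ACK."""
import socket
import struct

# TCP flag bits
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with its header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def tcp_segment(src, dst, sport, dport, seq, ack, flags) -> bytes:
    """Bare 20-byte TCP header (no options, no data) with pseudo-header checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, len(hdr)))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]

def parse(pkt: bytes) -> dict:
    """Pull out the IPv4 and TCP/ICMP fields the replies need."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    body = pkt[ihl:total_len]
    p = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
         "proto": pkt[9]}
    if p["proto"] == 6:
        sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", body[:14])
        p.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags,
                 data_len=len(body) - (off >> 4) * 4)
    elif p["proto"] == 1:
        p.update(icmp_type=body[0], icmp_code=body[1], icmp_rest=body[4:])
    return p

def reject_tcp_reset(pkt: bytes) -> bytes:
    """REJECT --with tcp-reset: the RST that makes the peer stop retransmitting.
    Sequence numbers follow the reset-generation rules of RFC 793 section 3.4."""
    p = parse(pkt)
    if p["proto"] != 6 or p["flags"] & RST:
        raise ValueError("only TCP is reset, and a RST is never answered with a RST")
    if p["flags"] & ACK:
        seq, ack, flags = p["ack"], 0, RST
    else:
        syn_fin = bool(p["flags"] & SYN) + bool(p["flags"] & FIN)
        seq, flags = 0, RST | ACK
        ack = (p["seq"] + p["data_len"] + syn_fin) & 0xFFFFFFFF
    seg = tcp_segment(p["dst"], p["src"], p["dport"], p["sport"], seq, ack, flags)
    return ipv4_header(p["dst"], p["src"], 6, len(seg)) + seg

def reject_echo_reply(pkt: bytes) -> bytes:
    """REJECT --with echo-reply: answer an echo request (type 8) with an echo
    reply (type 0) carrying back the same identifier, sequence and data."""
    p = parse(pkt)
    if p["proto"] != 1 or p["icmp_type"] != 8:
        raise ValueError("not an ICMP echo request")
    icmp = struct.pack("!BBH", 0, 0, 0) + p["icmp_rest"]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(p["dst"], p["src"], 1, len(icmp)) + icmp

def fake_client_ack(synack: bytes) -> bytes:
    """--fake-ack ESTABLISHED: when the server's SYN-ACK passes, inject the ACK
    the client would send, so the server's half-open entry completes at once."""
    p = parse(synack)
    if p["proto"] != 6 or (p["flags"] & (SYN | ACK)) != (SYN | ACK):
        raise ValueError("not a SYN-ACK")
    seg = tcp_segment(p["dst"], p["src"], p["dport"], p["sport"],
                      p["ack"], (p["seq"] + 1) & 0xFFFFFFFF, ACK)
    return ipv4_header(p["dst"], p["src"], 6, len(seg)) + seg

# Constructed sample traffic: client 10.0.0.1 talks to protected server 10.0.0.2.
CLIENT, SERVER = "10.0.0.1", "10.0.0.2"
SAMPLE_SYN = ipv4_header(CLIENT, SERVER, 6, 20) + tcp_segment(
    CLIENT, SERVER, 40000, 25, 1000, 0, SYN)
SAMPLE_SYNACK = ipv4_header(SERVER, CLIENT, 6, 20) + tcp_segment(
    SERVER, CLIENT, 25, 40000, 5000, 1001, SYN | ACK)
_echo = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping-data"
_echo = _echo[:2] + struct.pack("!H", checksum(_echo)) + _echo[4:]
SAMPLE_ECHO = ipv4_header(CLIENT, SERVER, 1, len(_echo)) + _echo

if __name__ == "__main__":
    print(parse(reject_tcp_reset(SAMPLE_SYN)))
    print(parse(reject_echo_reply(SAMPLE_ECHO)))
    print(parse(fake_client_ack(SAMPLE_SYNACK)))
```

Two details worth noticing: a RST is built in response to a SYN with ACK set and the acknowledgement number equal to the SYN's sequence number plus one (otherwise the peer would discard it as out of window), and a RST is never generated in answer to a RST, which is why a firewall rejecting with tcp-reset cannot be turned into a RST ping-pong.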

3. In order to deal with the faked/generated packets easily, those
   packets are flagged as NFC_GENERATED in nfcache and, with a new
   test, can easily be accepted:

# Example:

# Let out all packets generated/faked by iptables:
iptables -A OUTPUT -m nfcache --nfcache GENERATED -j ACCEPT


The bad news is that the attached kernel patch against 2.3.39 is
required as well...
netfilter-0.1.16.patch.bz2
2.3.39.patch.bz2