Iptables – TCP packet filter based on TCP sequence

iptablespacketlosstctcp

I need to build a test environment with a very precise packet loss based on specific TCP sequence or, optionally, on payload content. I couldn't figure out how to do it with tc or iptables. What tool should I use?

Thanks.

Best Answer

http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html

Moving on to the TCP header

Let's say I'd like to look at bytes 4-7 of the TCP header (the TCP sequence number)...

The final expression (check for TCP, check for unfragmented packet or first fragment, and jump over the IP header, checking that bytes 4-7 of the TCP header are equal to 41) is:

iptables -m u32 --u32 "6&0xFF=0x6 && 4&0x1FFF=0 && 0>>22&0x3C@4=0x29"

Related Solutions

Linux – Why would a server not send a SYN/ACK packet in response to a SYN packet

We had this exact same problem. Just disabling TCP timestamps solved the problem.

sysctl -w net.ipv4.tcp_timestamps=0

To make this change permanent, make an entry in /etc/sysctl.conf.

Be very careful about disabling the TCP Window Scale option. This option is important for providing maximum performance over the internet. Someone with a 10 megabit/sec connection will have a suboptimal transfer if the round trip time (basically same as ping) is more than 55 ms.

We really noticed this problem when there were multiple devices behind the same NAT. I suspect that the server might have been confused seeing timestamps from Android devices and OSX machines at the same time since they put completely different values in the timestamp fields.

Linux – How to reset a tcp connection immediately on both ends on a certain condition using linux netfilter/iptables

You can use xt_RESET, e.g., -j RESET

Best Answer

Related Solutions

Linux – Why would a server not send a SYN/ACK packet in response to a SYN packet

Linux – How to reset a tcp connection immediately on both ends on a certain condition using linux netfilter/iptables

Related Topic