- Subject: Re: dropping fragmented packets using iptables -f option
- From: Steven Kath <steven.kath@xxxxxxxxxx>
- Date: Fri, 29 Jun 2012 13:35:29 -0700
- Cc: netfilter@xxxxxxxxxxxxxxx
- In-reply-to: <CAE1WnGfxNuu1yhySKaMF7LOVubHcyJg_o+n8N9Vt69A=z+BQFw@mail.gmail.com>
On Fri, Jun 29, 2012 at 12:13 AM, rahul shrivastava
<shrivastavaone@xxxxxxxxx> wrote:
> My objective is to drop all fragmented packets on my system.
> The following rules are used:
>
> iptables -A INPUT -f -j DROP
> iptables -A OUTPUT -f -j DROP
> iptables -A FORWARD -f -j DROP
>
> The above rules are not having any effect.
I would check whether your interface has offloading parameters
enabled. I think it's possible for the NIC or driver to reassemble
fragments before passing them up the stack to netfilter.
$ sudo ethtool -k eth0
Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off
ntuple-filters: off
receive-hashing: off
GRO, LRO and possibly GSO could impact the case of detecting ICMP
fragments. TSO and UFO might impact the detection of TCP and UDP
fragments.
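As an added example (not part of the thread), a small POSIX shell helper that reads `ethtool -k` style output, reports which of the offload features named above are enabled, and builds the matching `ethtool -K ... off` command an admin could review before running. The sample output is a copy of the one quoted in the reply, and the function names are my own choice.

```shell
# List the offload features that are "on" and can coalesce or reassemble
# fragments before netfilter sees them. Reads "ethtool -k" output on stdin,
# prints one feature name per line. Handles the newer "off [fixed]" form.
risky_offloads_on() {
  awk -F': ' '
    /^(generic-receive-offload|large-receive-offload|generic-segmentation-offload|tcp-segmentation-offload|udp-fragmentation-offload):/ {
      if ($2 ~ /^on/) print $1
    }'
}

# Build the "ethtool -K <dev> <feature> off ..." command for the feature
# names read on stdin (one per line); $1 is the interface name.
disable_cmd() {
  awk -v dev="$1" '
    BEGIN {
      m["generic-receive-offload"]     = "gro"
      m["large-receive-offload"]       = "lro"
      m["generic-segmentation-offload"] = "gso"
      m["tcp-segmentation-offload"]    = "tso"
      m["udp-fragmentation-offload"]   = "ufo"
      cmd = "ethtool -K " dev; n = 0
    }
    ($1 in m) { cmd = cmd " " m[$1] " off"; n++ }
    END { if (n) print cmd }'
}

# Constructed sample: a copy of the ethtool -k output quoted in the reply,
# so the helper runs offline. Live use: sudo ethtool -k eth0 | risky_offloads_on
SAMPLE_ETHTOOL='Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off
ntuple-filters: off
receive-hashing: off'

# Run the check against the sample; expected: gso and gro are reported.
check_sample() { printf '%s\n' "$SAMPLE_ETHTOOL" | risky_offloads_on; }
```

Turning these features off trades NIC throughput for netfilter seeing the wire-level packets, so confirm the effect with a packet capture rather than assuming the rule counters alone tell the story.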