don't want to get reply
How to configure iptables so that when hping3 sends a request using the -d option it does not get a reply from the server? Please help.
Re: don't want to get reply
I just read the man page for hping3 and it can send many different sorts of packets in almost infinite configurations. You won't be able to block it completely without pulling the network cable out or stopping all network services from running.
Perhaps you should rephrase your question about what you are really trying to achieve.
CentOS 8 died a premature death at the end of 2021 - migrate to Rocky/Alma/OEL/Springdale ASAP.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke
Re: don't want to get reply
Online 'man hping3' says that option -d (--data) is used to set how large the packets are, but does not say what the extra bytes contain.
How are you supposed to differentiate such TCP packets from legitimate TCP packets?
In any case, there is no iptables. The kernels in CentOS Stream 8 and 9 do have nftables (although bits of netfilter code are still used by nftables). There is still the iptables tool, but it is now a special wrapper for nft that translates your iptables-syntax rules into nftables-rules (and cannot translate everything since there is no complete mapping from netfilter to nftables).
EL7 does actually have backported nftables too, but the iptables in EL7 is still the "legacy" version that does talk to netfilter. Hence it has been possible to start learning nftables with EL7 several years ago.
Re: don't want to get reply
TrevorH wrote: ↑2022/09/22 11:59:12
I just read the man page for hping3 and it can send many different sorts of packets in almost infinite configurations. You won't be able to block it completely without pulling the network cable out or stopping all network services from running.
Perhaps you should rephrase your question about what you are really trying to achieve.
Yes sir. I am going into details. Actually, I have seen that some servers are not replying when hping3 sends header+data.
As an example:
# hping3 -c 50 -d 1024 -p tcp -p 443 -S mydomain.com
HPING mydomain.com (enp2s0 XX.XX.XX.XX): S set, 40 headers + 1024 data bytes
But without the -d option, i.e. the data size, it will reply:
# hping3 -c 50 -p tcp -p 443 -S mydomain.com
HPING mydomain.com (enp2s0 XX.XX.XX.XX): S set, 40 headers + 0 data bytes
len=46 ip=XX.XX.XX.XX ttl=52 DF id=30022 sport=443 flags=SA seq=0 win=65535 rtt=93.9 ms
len=46 ip=XX.XX.XX.XX ttl=52 DF id=30543 sport=443 flags=SA seq=1 win=65535 rtt=92.8 ms
len=46 ip=XX.XX.XX.XX ttl=52 DF id=30891 sport=443 flags=SA seq=2 win=65535 rtt=93.7 ms
len=46 ip=XX.XX.XX.XX ttl=52 DF id=31395 sport=443 flags=SA seq=3 win=65535 rtt=102.6 ms
len=46 ip=XX.XX.XX.XX ttl=52 DF id=31849 sport=443 flags=SA seq=4 win=65535 rtt=109.5 ms
len=46 ip=XX.XX.XX.XX ttl=52 DF id=32179 sport=443 flags=SA seq=5 win=65535 rtt=98.4 ms
len=46 ip=XX.XX.XX.XX ttl=52 DF id=33035 sport=443 flags=SA seq=6 win=65535 rtt=89.3 ms
So how is it possible to block the server from replying, using iptables?
Re: don't want to get reply
In this case, filter tcp/443 outbound. So: iptables -A OUTPUT -o <interface_name> -p tcp --sport 443 -j DROP (assuming OUTPUT is your output chain; OUTPUT takes -o, not -i, and the server's replies leave with source port 443).
Or am I missing something?
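The question raised earlier in the thread (how to tell a SYN carrying -d payload bytes from a legitimate SYN) and the OUTPUT rule in the last reply both come down to one check: a bare SYN should have no payload, so the packet's layer-3 length should not exceed the IP header plus the TCP header. The following is an added example, not code from the thread or from hping3 or iptables: it parses hand-built IPv4/TCP packets, computes the payload length from the IP total length, IHL and TCP data offset, and decides whether a SYN should be dropped. The packet bytes, addresses and ports are constructed for the demo; the one caveat it handles is TCP Fast Open (RFC 7413), whose SYNs legitimately carry a cookie option plus data.

```python
"""Classify raw IPv4/TCP packets: flag SYNs that carry a payload.

Added example, not from the forum thread. Packet bytes below are
constructed by hand (no real capture); checksums are left at zero.
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
TFO_OPTION_KIND = 34  # TCP Fast Open cookie option (RFC 7413)


def _has_option(options: bytes, kind: int) -> bool:
    """Walk the TCP option list (kind, len, data...) looking for `kind`."""
    i = 0
    while i < len(options):
        k = options[i]
        if k == 0:            # End of option list
            return False
        if k == 1:            # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(options):
            return False      # malformed: kind without length byte
        length = options[i + 1]
        if length < 2:
            return False      # malformed: would loop forever
        if k == kind:
            return True
        i += length
    return False


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Return ports, flags, payload length and TFO presence for an IPv4/TCP packet.

    Raises ValueError for non-IPv4, non-TCP or truncated input.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP")
    if total_len > len(pkt) or ihl + 20 > total_len:
        raise ValueError("truncated packet")
    tcp = pkt[ihl:total_len]                      # trim any link-layer trailer
    sport, dport, _seq, _ack, doff_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (doff_flags >> 12) * 4                 # TCP header length incl. options
    if doff < 20 or doff > len(tcp):
        raise ValueError("bad TCP data offset")
    return {
        "sport": sport, "dport": dport, "flags": doff_flags & 0x1FF,
        "payload_len": len(tcp) - doff,           # what hping3 -d adds
        "tfo": _has_option(tcp[20:doff], TFO_OPTION_KIND),
    }


def should_drop_syn(pkt: bytes, allow_tfo: bool = True) -> bool:
    """Drop a bare SYN (no ACK/FIN/RST) that carries payload bytes.

    Legitimate SYNs are empty, except TCP Fast Open SYNs; allow_tfo keeps those.
    """
    try:
        p = parse_ipv4_tcp(pkt)
    except ValueError:
        return False                              # leave malformed input to other rules
    is_bare_syn = (p["flags"] & (TCP_SYN | TCP_ACK | TCP_FIN | TCP_RST)) == TCP_SYN
    if not is_bare_syn or p["payload_len"] == 0:
        return False
    return not (allow_tfo and p["tfo"])


def build_syn(payload: bytes, options: bytes = b"") -> bytes:
    """Hand-build an IPv4/TCP SYN to port 443 from 10.0.0.1 to 10.0.0.2 (constructed data)."""
    opts = options + b"\x01" * (-len(options) % 4)        # pad option list to 32-bit words
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (doff << 12) | TCP_SYN, 65535, 0, 0)
    tcp += opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Constructed samples mirroring the thread: hping3 -S (no data) vs hping3 -S -d 1024
PLAIN_SYN = build_syn(b"")
SYN_WITH_DATA = build_syn(b"X" * 1024)
TFO_SYN = build_syn(b"GET / HTTP/1.1\r\n",
                    options=bytes([TFO_OPTION_KIND, 10]) + b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in [("plain SYN", PLAIN_SYN), ("SYN + 1024", SYN_WITH_DATA), ("TFO SYN", TFO_SYN)]:
        p = parse_ipv4_tcp(pkt)
        print(f"{name}: payload={p['payload_len']} tfo={p['tfo']} drop={should_drop_syn(pkt)}")
```

The firewall equivalent of should_drop_syn, as an assumed practitioner rule rather than anything from the thread, is a length threshold on inbound bare SYNs: with the legacy tool, iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m length --length 100:65535 -j DROP; in nft syntax, tcp flags & (syn|ack|fin|rst) == syn ip length > 100 drop. The 100-byte cut-off is a heuristic: 20 bytes of IPv4 plus at most 60 bytes of TCP header leaves no room for data, so anything larger on a bare SYN is padding like hping3 -d 1024. Filtering in INPUT stops the kernel from generating the SYN-ACK at all, whereas dropping source port 443 in OUTPUT also silences every legitimate HTTPS response; if the host serves TCP Fast Open clients, exempt SYNs with the option 34 cookie or raise the threshold.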