From: Mark Hobley on 21 Feb 2010 06:08
James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:
> I suspect that the ISP are within their rights to manage and balance data
> flow across their network in line with the goal of providing reasonable
> service to all users.
Throttling across their own network, yes (or they could send a throttle control
request with their own IP address in it), but sending spoofed packets (with a
falsified sender address) could be considered to be computer misuse.
Linux User: #370818 http://markhobley.yi.org/
From: Mark Hobley on 21 Feb 2010 07:08
Tony <tony(a)darkstorm.invalid> wrote:
> What I'm not 100% sure about is whether it's an iptables -A INPUT, or
> iptables -I FORWARD, I've seen various options and without going and
> checking the manual myself, I'm not sure which to use.
It's an INPUT.
The FORWARD chain is mainly used for router and gateway applications.
Linux User: #370818 http://markhobley.yi.org/
From: Baron on 21 Feb 2010 16:09
James Taylor Inscribed thus:
> I have discovered what I believe to be spoofed TCP reset packets being
> injected into the stream to kill some large downloads I am trying to
> make. I know the RST packets didn't come from the server I am
> downloading from because I can see normal data-bearing packets
> arriving after the RST packets and with later sequence numbers. It is
> probably some half-wit attempt by the ISP to limit my downloads.
> The problem is that when my computer receives the RST packets the
> connection breaks and the download stops. If I could get my computer
> to ignore these RSTs then I believe the connection would continue and
> my downloads would complete.
> Is there any way that I can use iptables to filter these RST packets
> from a specific set of IP addresses corresponding to the servers in
> question? A quick dip in the iptables man page has rather overwhelmed
> me with the learning curve required, but also encouraged me when I saw
> there was a --tcp-flags option.
> Can anyone help me by showing me how to form a complete iptables
> command line to block the RST packets?
For what it's worth, Talktalk / Opal Telecom do a similar thing with file
sharing sites, i.e. "Rapidshare" etc.
From: Tony on 22 Feb 2010 09:38
On 21/02/2010 12:08, Mark Hobley wrote:
> Tony<tony(a)darkstorm.invalid> wrote:
>> What I'm not 100% sure about is whether it's an iptables -A INPUT, or
>> iptables -I FORWARD, I've seen various options and without going and
>> checking the manual myself, I'm not sure which to use.
> It's an INPUT.
> The FORWARD chain is mainly used for router and gateway applications.
Thanks Mark / Dave, that makes eminent sense.
Saving trees and wasting electrons since 1993
blog -> http://perceptionistruth.com/
books -> http://www.bookthing.co.uk
[ anything below this line wasn't written by me ]
From: James Taylor on 22 Feb 2010 12:41
Nigel Wade wrote:
> James Taylor wrote:
>> If I've understood it correctly, the full command line for blocking
>> RST packets coming from the download servers in my case is:
>> # iptables -A INPUT -p tcp -s 184.108.40.206/24 --sport 1935 \
>> --tcp-flags RST RST -j DROP
>> And I can check that the rule exists with:
>> # iptables -n -v -L INPUT
>> Chain INPUT (policy ACCEPT 436K packets, 526M bytes)
>> pkts bytes target prot opt in out source destination
>> 114 4560 DROP tcp -- * * 220.127.116.11/24 0.0.0.0/0 tcp spt:1935 flags:0x04/0x04
>> The above report shows 114 matching packets during the course of a
>> download I tried, but unfortunately the resets are still getting through
>> the firewall... well, I can still see them in Wireshark and the
>> connections are still getting broken and having to be recontinued.
> Since you mention a firewall, is this rule really on a firewall?
There is no separate hardware firewall. I am referring to "iptables", the
software firewall on my Linux computer. I am trying to use iptables to
drop some spoofed TCP RST packets that are prematurely breaking some
large video downloads. I believe they are being spoofed by the ISP to
prevent me from downloading so much. I am within my rights to download
this legitimate media, so I want to bypass the ISP's meddling by
filtering out the spoofed RST packets. Am I wrong to use iptables for this?
> The INPUT chain on the firewall is used to filter packets which terminate
> at the firewall itself.
Yes, which is why the INPUT chain is the correct one to use in this case
I think. Please correct me if that's not right.
> The other point to note is that iptables rules do not work in isolation,
> they are part of a chain. Packets are dealt with by the first rule they
> match. You cannot just add/insert a rule into a chain without considering
> the other rules which precede it. Another rule prior to the rule you've
> added may be accepting the packets.
Well, if you look at the iptables -n -v -L INPUT command I show above
you'll see exactly what the INPUT chain contains; just one rule to drop
RST packets from that particular IP range. Did I do this incorrectly?
>> Can anyone tell me whether Wireshark *should* see the pre-firewall
>> traffic or not? How can I use Wireshark to see only the packets that
>> pass through the firewall?
> Yes, wireshark sees packets before they get to iptables module. If it's a
> firewall, capture packets on the internal interface.
My computer has only one Ethernet interface. How can I point Wireshark
at the already filtered traffic to check that iptables is working as
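An added example (mine, not posted by anyone in the thread): the RST-drop rule James describes as a shell function, plus a parser for the `iptables -n -v -L INPUT` counter output, so the pkts count can be compared before and after a download to tell whether the rule is matching at all. The subnet and port are the thread's own values; the listing embedded below is a constructed sample, not a live capture.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the INPUT-chain RST-drop
# rule and reads its packet counter back out of `iptables -n -v -L INPUT`
# output. Subnet/port are the thread's values; SAMPLE_LISTING is constructed.

# Emit the rule that drops TCP segments from source CIDR $1 with source
# port $2 and the RST flag set. INPUT (not FORWARD) because the packets
# are addressed to this host, not routed through it.
rst_drop_rule() {
    printf 'iptables -A INPUT -p tcp -s %s --sport %s --tcp-flags RST RST -j DROP\n' "$1" "$2"
}

# Read an `iptables -n -v -L INPUT` listing on stdin and print the pkts
# counter of the first DROP rule whose source column equals CIDR $1 and
# whose match text carries flags:0x04/0x04 (the RST bit). Prints nothing
# if no such rule exists.
rst_drop_count() {
    awk -v cidr="$1" '
        $3 == "DROP" && $8 == cidr && index($0, "flags:0x04/0x04") > 0 { print $1; exit }
    '
}

# Compare two counter readings ($1 before, $2 after the download) and say
# whether the rule matched anything in between. A counter that never moves
# usually means an earlier ACCEPT rule shadows it or it is in the wrong chain.
# Non-numeric readings (iptables abbreviates large counts, e.g. 436K) give
# "unknown" rather than a shell error.
rule_fired() {
    case "$1" in ''|*[!0-9]*) echo unknown; return ;; esac
    case "$2" in ''|*[!0-9]*) echo unknown; return ;; esac
    if [ "$2" -gt "$1" ]; then echo yes; else echo no; fi
}

# Constructed sample of the listing shape shown in the thread.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 436K packets, 526M bytes)
 pkts bytes target     prot opt in     out     source               destination
  114  4560 DROP       tcp  --  *      *       220.127.116.11/24    0.0.0.0/0            tcp spt:1935 flags:0x04/0x04'

# Stand-alone run: show the rule and the counter parsed from the sample.
rst_drop_rule 220.127.116.11/24 1935
before=$(printf '%s\n' "$SAMPLE_LISTING" | rst_drop_count 220.127.116.11/24)
echo "RST packets dropped by the rule so far: ${before:-none (rule not found)}"
```

On a live box, replace SAMPLE_LISTING with `iptables -n -v -L INPUT` run before and after a download and feed both readings to rule_fired.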