0

I want to drop incoming traffic of my Linux host based on TCP option field. Like TCP option 30 Multi path TCP. If packet contain multi-path tcp notation or option field 30, then my Linux host needs drop the connection or packet.

My setup is host 1 <-> host 2 <-> host 3. Host 1 sends packet via host 2 to host 3. Host 2 have two interfaces eth0 and eth1. eth0 connects host 1 and eth1 connects host 3. When incoming eth 0 packets contains option field 30, I just want to cancel the connection or drop the packets.

I tried iptables string compare, but it didn't works.

The command is,

sudo iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -m string --string "Multipath TCP" --algo bm.

But above rule doesnot stop the multipath TCP to send and receive via host 2 eth0, eth1. host 2 not able to drop the multi-path TCP (option field 30) traffic. Is it possible to drop a specif TCP packet based on option field.

frogatto
  • 28,539
  • 11
  • 83
  • 129
user680288
  • 49
  • 1
  • 10

1 Answers1

0

First, you need to add the rule in FORWARDING chain on host2 (the reason is the packets are not targeted to host2 and will not hit the INPUT chain).

There is an option available in iptables to match the TCP options. Please try the following iptables command:

iptables -I FORWARD -p tcp --tcp-option 30 -j DROP
frogatto
  • 28,539
  • 11
  • 83
  • 129
Arun Kaushal
  • 593
  • 3
  • 16