netfilter/iptables synproxy; need help deciding

Paige Thompson paigeadele at gmail.com
Wed Oct 8 14:43:35 UTC 2014


Hi,

I guess syncookies wasn't enough and the SYNPROXY target is a relatively
new addition to netfilter. If I remember correctly this has been a part
of BSD PF for quite some time and is pretty easy to get up and working.
I recently tried to set this up on one of my gateways considering that
it's just one less uncovered means for somebody to be a dick that I have
to deal with in the future. But, after spending some time researching
and asking on Freenode I have been unable to determine whether or not it
works, or even makes any sense. I'm starting to think it's a moot point.

pastie.org/private/gjsypxkpjs8kuev0tlbxrw#22 (iptables rules, plenty of
things to pick at but please try to focus on the subject of synproxy for
the purpose of this e-mail.)

Based on the following table I want to say it's not working because it
seems to never change:

http://pastie.org/private/xwct5opbb0aajcko2tnpw

more info on /proc/stat/synproxy:
http://www.spinics.net/lists/netdev/msg264350.html

My only guess is that you can't do this at all with NAT because it
relies on conntrack or maybe it will only work with SNAT? I don't
understand this well enough to say; are proper firewall rules really a
science that needs to be understood that far in depth? Why is this not
documented? This tutorial seems to indicate that you could use this with
a NAT'd network:

http://www.academia.edu/6773989/Homemade_DDoS_Protection_Using_IPTables_SYNPROXY

I really would like to come to some closure on this subject. Whether it
needs to be done right or not done at all, I'm tired of it looming over
me. I really want to believe I should do the very best to have all
mitigation techniques already in place, but I'm having a hard time
understanding why this is next to impossible to figure out if it's so
important. #netfilter on freenode is next to no help, the mailing list
seems to be unavailable... The things people are saying about how I
should "just switch" back to using pf seem like a drastic solution when
people in #netfilter are so content (yet many of them have never heard
of synproxy before.)


Any thoughts on this are appreciated,

-Paige
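Added example, not from the original post: the SYNPROXY rule set as given in iptables-extensions(8), parameterised on the filter chain (INPUT for a service on the gateway itself, FORWARD for traffic routed to a host behind it), plus a small check that sums the per-CPU hex counters in /proc/net/stat/synproxy across two snapshots, which is how to tell whether the target is in the packet path at all. The interface name eth0, port 80 and the two snapshots are assumed/constructed values; the post itself leaves open whether SYNPROXY holds up across DNAT, so the counter check is the evidence to collect.

```shell
#!/bin/sh
# Added example, not from the original post. Rule set follows the SYNPROXY
# recipe in iptables-extensions(8); interface eth0 and port 80 are assumed.
# Values in /proc/net/stat/synproxy are hex, one row per CPU.
IFACE=${IFACE:-eth0}
PORT=${PORT:-80}

# Print the rules (nothing is applied); review, then pipe into sh as root.
# $1 is the filter chain: INPUT for a local service, FORWARD for traffic
# being routed to a host behind the gateway.
synproxy_rules() {
    cat <<EOF
iptables -t raw -I PREROUTING -i $IFACE -p tcp --syn --dport $PORT -j CT --notrack
iptables -A $1 -i $IFACE -p tcp --dport $PORT -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A $1 -i $IFACE -p tcp --dport $PORT -m conntrack --ctstate INVALID -j DROP
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
sysctl -w net.ipv4.tcp_timestamps=1
sysctl -w net.ipv4.tcp_syncookies=1
EOF
}

# Sum column $1 of a /proc/net/stat/synproxy snapshot ($2) across CPUs.
# Columns: 1 entries, 2 syn_received, 3 cookie_invalid, 4 cookie_valid,
# 5 cookie_retrans, 6 conn_reopened.
synproxy_sum() {
    total=0
    for v in $(printf '%s\n' "$2" | awk -v c="$1" 'NR > 1 { print $c }'); do
        total=$((total + 0x$v))
    done
    echo "$total"
}

# Succeed only if syn_received grew between two snapshots, i.e. SYNPROXY
# actually saw SYNs; a flat counter means the rules are not in the path.
synproxy_active() {
    [ "$(synproxy_sum 2 "$2")" -gt "$(synproxy_sum 2 "$1")" ]
}

# Constructed two-CPU snapshots for a self-test; real ones come from
# `cat /proc/net/stat/synproxy` taken a few seconds apart under load.
SNAP_BEFORE='entries syn_received cookie_invalid cookie_valid cookie_retrans conn_reopened
00000000 00000010 00000000 0000000e 00000000 00000000
00000000 00000004 00000001 00000003 00000000 00000000'
SNAP_AFTER='entries syn_received cookie_invalid cookie_valid cookie_retrans conn_reopened
00000000 0000001a 00000000 00000018 00000000 00000000
00000000 00000009 00000001 00000007 00000001 00000000'
if synproxy_active "$SNAP_BEFORE" "$SNAP_AFTER"; then
    echo "SYNPROXY handled $(synproxy_sum 2 "$SNAP_AFTER") SYNs so far"
fi
```

Take the two real snapshots while a client is opening connections through the gateway; if syn_received stays flat, the packets are not reaching the chain the rules were added to.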
