SYNPROXY with CSF

2 posts Page 1 of 1
gnusys
Junior Member
Posts: 2
Joined: 19 Sep 2017, 13:54


I am trying to implement SYNPROXY for the http/https ports with csfpre.sh. This is what I have added in the pre script:
Code:
# Do not create conntrack entries for the initial SYN on 80/443
iptables -t raw -I PREROUTING -p tcp -m tcp --syn --dport 80 -j CT --notrack
iptables -t raw -I PREROUTING -p tcp -m tcp --syn --dport 443 -j CT --notrack
# Hand untracked/invalid TCP packets for 80/443 to SYNPROXY
iptables -t filter -I INPUT -p tcp -m tcp --dport 80 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -t filter -I INPUT -p tcp -m tcp --dport 443 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
# Drop whatever INVALID traffic is left for those ports
iptables -t filter -A INPUT -p tcp -m tcp --dport 80 -m state --state INVALID -j DROP
iptables -t filter -A INPUT -p tcp -m tcp --dport 443 -m state --state INVALID -j DROP

The above works with LF_SPI = "0", but the ports are closed when LF_SPI = "1".

The difference I see when LF_SPI = 1 is the iptables rule
Code:
target     prot  opt  source                destination
INVALID    tcp  --  anywhere             anywhere
This somehow blocks the traffic.

Is there a way around this, to have stateful packet inspection and SYNPROXY together?
MarcinKabiesz
Junior Member
Posts: 1
Joined: 04 Nov 2019, 12:34


Hello,
note that CSF uses the default DROP policy on the INPUT and OUTPUT chains. For SYNPROXY to work properly with CSF, use the following lines:

/etc/csf/csfpost.sh: (HTTP 80 and HTTPS 443)
Code:
# Skip conntrack for the initial SYN on 80/443
iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 80 --syn -j NOTRACK
iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 443 --syn -j NOTRACK
# Let SYNPROXY handle the untracked/invalid inbound TCP packets
iptables -t filter -I INPUT -i eth0 -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
# Allow the SYN/ACKs SYNPROXY sends back out despite the DROP policy on OUTPUT
iptables -t filter -I OUTPUT -o eth0 -p tcp --sport 443 -m conntrack --ctstate INVALID,UNTRACKED -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -j ACCEPT
iptables -t filter -I OUTPUT -o eth0 -p tcp --sport 80 -m conntrack --ctstate INVALID,UNTRACKED -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -j ACCEPT
Then restart the firewall.
Done!! IT WORKS!!

Best Regards
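The two posts above boil down to rule ordering and two prerequisites that neither post spells out. CSF runs csfpre.sh before it builds its own rules, so with LF_SPI = "1" its INVALID chain is inserted above anything csfpre.sh put in INPUT and eats the untracked packets SYNPROXY needs; csfpost.sh runs after CSF's rules, so rules inserted there with -I land above the INVALID chain. SYNPROXY also needs net.netfilter.nf_conntrack_tcp_loose=0 (so mid-stream packets are classified INVALID rather than picked up as new flows) and SYN cookies plus TCP timestamps enabled. The script below is an added example, not code from either poster or from CSF: a csfpost.sh-style setup for ports 80 and 443 on eth0 (IFACE, PORTS, IPT and SYSCTL are assumed variable names of this example). It generates the rules per port with the comma syntax iptables expects, applies them in an order that leaves SYNPROXY above the per-port INVALID DROP, and has a status mode that reads the kernel's SYNPROXY counters. Setting IPT=echo SYSCTL=echo prints the commands instead of applying them, which is how to review the result before touching a live firewall.

```shell
#!/bin/bash
# Added example (not from the thread or CSF): SYNPROXY setup for csfpost.sh.
# Assumed knobs: IFACE (interface), PORTS (space-separated), IPT/SYSCTL
# (commands to run; set both to "echo" for a dry run).

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
IFACE="${IFACE:-eth0}"
PORTS="${PORTS:-80 443}"

# Kernel prerequisites for SYNPROXY: SYN cookies and timestamps must be on,
# and conntrack must not "pick up" mid-stream packets as new connections.
synproxy_sysctl() {
    "$SYSCTL" -w net.ipv4.tcp_syncookies=1
    "$SYSCTL" -w net.ipv4.tcp_timestamps=1
    "$SYSCTL" -w net.netfilter.nf_conntrack_tcp_loose=0
}

# Print the iptables arguments (one rule per line) for a single TCP port.
# Every rule uses -I, so the LAST line printed ends up HIGHEST in its chain:
# the INVALID DROP is emitted before the SYNPROXY rule so SYNPROXY sits above it.
synproxy_rules() {
    port="$1"
    printf '%s\n' \
      "-t raw -I PREROUTING -i $IFACE -p tcp -m tcp --syn --dport $port -j CT --notrack" \
      "-t filter -I INPUT -i $IFACE -p tcp -m tcp --dport $port -m conntrack --ctstate INVALID -j DROP" \
      "-t filter -I INPUT -i $IFACE -p tcp -m tcp --dport $port -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460" \
      "-t filter -I OUTPUT -o $IFACE -p tcp --sport $port -m conntrack --ctstate INVALID,UNTRACKED -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -j ACCEPT"
}

# Apply sysctls, then every rule for every configured port.
apply_synproxy() {
    synproxy_sysctl
    for port in $PORTS; do
        synproxy_rules "$port" | while IFS= read -r rule; do
            # shellcheck disable=SC2086  # word splitting of the rule is intended
            $IPT $rule
        done
    done
}

# Show where the SYNPROXY rules landed in INPUT (they must precede CSF's
# INVALID chain) and the kernel's per-CPU SYNPROXY counters.
synproxy_status() {
    "$IPT" -t filter -S INPUT | grep -n SYNPROXY
    cat /proc/net/stat/synproxy
}

case "${1:-}" in
    apply)  apply_synproxy ;;
    status) synproxy_status ;;
esac
```

Usage: source the file from /etc/csf/csfpost.sh (or call it with `apply` from there), then `csf -r` and check with `status`; the `syn_received` and `conn_reopened` columns of /proc/net/stat/synproxy should start moving as real clients connect, and `iptables -t filter -S INPUT` must list the SYNPROXY rules before the jump to the INVALID chain.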