Hello,
(E-Mail Removed) wrote:
> Thanks to Google, I read that using the u32 module I can stop fragmented UDP
> packets. I have a router with NAT and conntrack and I cannot manage the
> bandwidth of these packets, so I decided to cut them.
Conntrack does reassembly before the packet enters the PREROUTING
chains, so fragmentation should not be a problem. Packets may be
fragmented again after the FORWARD chains when the packet size is bigger
than the output interface MTU and reassembled again before the
nat/POSTROUTING chain (NAT needs to work on complete IP datagrams), so
you will see fragments only in the mangle/POSTROUTING chain.
> I found the rule:
> iptables -m u32 --u32 "3&0x20=0x20"
> or
> iptables -m u32 --u32 "3&0x20>>5=1"
> or
> "4&0x3FFF=1:0x3FFF"
> but none works.
These are not valid iptables commands: no command, no chain.
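To make concrete what the three quoted u32 expressions actually test in the IPv4 header (byte 6 carries the flags, with MF = 0x20; the low 13 bits of bytes 6-7 carry the fragment offset), here is an added Python evaluator for this subset of u32 syntax. It is not part of the thread or of iptables; u32_match, ipv4_header and the sample headers are constructed for illustration.

```python
import re
import struct

# Evaluator for the u32 subset used in the thread (constructed here, not the kernel's xt_u32):
#   <offset>[&mask][>>n][<<n]=<v>|<lo:hi>[,...]   where <offset> loads 4 bytes big-endian
def u32_match(pkt: bytes, expr: str) -> bool:
    lhs, rhs = expr.split("=", 1)
    m = re.fullmatch(r"(\d+)((?:&|>>|<<)(?:0x[0-9a-fA-F]+|\d+))*", lhs)
    if not m:
        raise ValueError(f"unsupported u32 expression: {expr}")
    offset = int(m.group(1))
    if offset + 4 > len(pkt):
        return False  # like xt_u32, a load past the end of the packet fails the match
    value = struct.unpack_from("!I", pkt, offset)[0]
    for op, arg in re.findall(r"(&|>>|<<)(0x[0-9a-fA-F]+|\d+)", lhs):
        n = int(arg, 0)
        if op == "&":
            value &= n
        elif op == ">>":
            value >>= n
        else:
            value = (value << n) & 0xFFFFFFFF
    for rng in rhs.split(","):
        lo, _, hi = rng.partition(":")
        if int(lo, 0) <= value <= int(hi or lo, 0):
            return True
    return False

def ipv4_header(more_fragments: bool, frag_offset_units: int) -> bytes:
    """20-byte IPv4/UDP header with only the fragment fields varied (constructed sample).
    Byte 6 carries the flags (MF = 0x20) plus the top bits of the 13-bit offset."""
    frag_field = (0x2000 if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, frag_field, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

RULES = ["3&0x20=0x20", "3&0x20>>5=1", "4&0x3FFF=1:0x3FFF"]

SAMPLES = {  # constructed: one unfragmented datagram and the three pieces of a fragmented one
    "unfragmented": ipv4_header(False, 0),
    "first fragment": ipv4_header(True, 0),
    "middle fragment": ipv4_header(True, 185),   # 1480 bytes / 8
    "last fragment": ipv4_header(False, 370),
}

def match_table() -> dict:
    """Which sample each rule matches; the 0x20 rules miss the last fragment (MF clear)."""
    return {rule: [name for name, pkt in SAMPLES.items() if u32_match(pkt, rule)] for rule in RULES}

if __name__ == "__main__":
    for rule, hits in match_table().items():
        print(f"{rule:22} -> {hits}")
```

The two "3&0x20" forms only see the More-Fragments bit, so the final fragment of a datagram passes them; "4&0x3FFF=1:0x3FFF" is non-zero for any fragment. As the reply notes, such rules would only ever fire in mangle/POSTROUTING, after conntrack's reassembly and re-fragmentation.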