How to drop a new TCP connection and inject TCP RST/ICMP in LAYER_IPFORWARD?

  • Question

  • Hi,

    I am trying to filter packets on a Windows 2008 server at the Forwarding Layer and want to block all IP traffic except the traffic that matches my filters. On the blocked traffic, I want to send a TCP RST so that the TCP connection attempt at the source terminates immediately rather than timing out (after tens of seconds). My box is an IP forwarding/filtering entity and is not at the receiving end of the connection, hence the ALE layers at INBOUND or OUTBOUND would not help.

    I could not find a simple way to do it. It seems like I will have to write a callout that inspects all blocked traffic at the IPFORWARD layer, finds the TCP-SYN packets among the blocked packets, and then injects a TCP-RST packet. Is this the only way? Can I do this in user space somehow?

    Thanks for your help!
    Sunday, September 6, 2009 6:56 PM
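    The packet-building half of the algorithm described above, as an added example that is not code from the original post: given a cleared IPv4 TCP SYN, produce the RST|ACK that the SYN's originator will accept (addresses and ports swapped, SEQ=0, ACK=SEG.SEQ+SEG.LEN per RFC 793, both checksums recomputed). It is plain user-space C so it can be compiled and tested on its own; the kernel side (copying the result into a NET_BUFFER_LIST and handing it to FwpsInjectForwardAsync0, and recognising your own injected packet with FwpsQueryPacketInjectionState0 so the callout does not inspect it again) is not shown. The sample SYN (192.168.1.10:40000 to 203.0.113.5:80, seq 0x12345678) is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_ACK 0x10

/* Big-endian (network order) field access; avoids unaligned struct casts. */
uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* One's-complement sum over a byte range; an odd trailing byte is zero-padded. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    for (; len > 1; p += 2, len -= 2) sum += rd16(p);
    if (len) sum += (uint32_t)p[0] << 8;
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP checksum over the IPv4 pseudo-header (src, dst, 0, proto, length) plus the segment. */
static uint16_t tcp_checksum(const uint8_t *ip, const uint8_t *tcp, size_t tcp_len) {
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8);
    pseudo[8] = 0; pseudo[9] = 6;
    wr16(pseudo + 10, (uint16_t)tcp_len);
    return csum_fold(csum_add(csum_add(0, pseudo, 12), tcp, tcp_len));
}

/* 1 if pkt is an unfragmented IPv4 TCP segment with SYN set and ACK/RST clear. */
int is_tcp_syn(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6) return 0;
    if (rd16(pkt + 6) & 0x3fff) return 0;              /* MF flag or fragment offset set */
    return (pkt[ihl + 13] & (TCP_SYN | TCP_ACK | TCP_RST)) == TCP_SYN;
}

/* Build the RST|ACK reply for a SYN into out. Returns bytes written (40) or 0 if syn is not a SYN. */
size_t build_rst_for_syn(const uint8_t *syn, size_t syn_len, uint8_t *out, size_t out_cap) {
    if (out_cap < 40 || !is_tcp_syn(syn, syn_len)) return 0;
    size_t ihl = (size_t)(syn[0] & 0x0f) * 4;
    const uint8_t *stcp = syn + ihl;
    size_t tot = rd16(syn + 2), thl = (size_t)(stcp[12] >> 4) * 4;
    if (tot > syn_len) tot = syn_len;
    /* SEG.LEN counts the SYN flag as one octet plus any payload (e.g. TCP Fast Open data). */
    uint32_t seg_len = 1 + (uint32_t)((tot > ihl + thl) ? tot - ihl - thl : 0);

    uint8_t *ip = out, *tcp = out + 20;
    memset(out, 0, 40);
    ip[0] = 0x45;                       /* IPv4, 20-byte header, no options */
    wr16(ip + 2, 40);                   /* total length: IP + TCP header only */
    wr16(ip + 6, 0x4000);               /* DF */
    ip[8] = 64;                         /* TTL */
    ip[9] = 6;                          /* TCP */
    memcpy(ip + 12, syn + 16, 4);       /* src = SYN dst */
    memcpy(ip + 16, syn + 12, 4);       /* dst = SYN src */
    wr16(ip + 10, csum_fold(csum_add(0, ip, 20)));

    memcpy(tcp + 0, stcp + 2, 2);       /* sport = SYN dport */
    memcpy(tcp + 2, stcp + 0, 2);       /* dport = SYN sport */
    wr32(tcp + 4, 0);                   /* SEQ=0: the SYN carried no ACK to echo */
    wr32(tcp + 8, rd32(stcp + 4) + seg_len);  /* ACK=SEG.SEQ+SEG.LEN */
    tcp[12] = 5 << 4;                   /* data offset: 5 words */
    tcp[13] = TCP_RST | TCP_ACK;
    wr16(tcp + 16, tcp_checksum(ip, tcp, 20));
    return 40;
}

/* 1 if both the IPv4 header checksum and the TCP checksum verify. */
int verify_checksums(const uint8_t *pkt, size_t len) {
    if (len < 20) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, tot = rd16(pkt + 2);
    if (ihl < 20 || tot < ihl + 20 || tot > len || pkt[9] != 6) return 0;
    if (csum_fold(csum_add(0, pkt, ihl)) != 0) return 0;
    return tcp_checksum(pkt, pkt + ihl, tot - ihl) == 0;
}

/* Constructed sample: SYN from 192.168.1.10:40000 to 203.0.113.5:80, seq 0x12345678. */
size_t build_sample_syn(uint8_t *buf, size_t cap) {
    static const uint8_t src[4] = {192, 168, 1, 10}, dst[4] = {203, 0, 113, 5};
    if (cap < 40) return 0;
    memset(buf, 0, 40);
    buf[0] = 0x45; wr16(buf + 2, 40); wr16(buf + 4, 0x1234); wr16(buf + 6, 0x4000);
    buf[8] = 128; buf[9] = 6;
    memcpy(buf + 12, src, 4); memcpy(buf + 16, dst, 4);
    wr16(buf + 10, csum_fold(csum_add(0, buf, 20)));
    uint8_t *tcp = buf + 20;
    wr16(tcp, 40000); wr16(tcp + 2, 80); wr32(tcp + 4, 0x12345678);
    tcp[12] = 5 << 4; tcp[13] = TCP_SYN; wr16(tcp + 14, 65535);
    wr16(tcp + 16, tcp_checksum(buf, tcp, 20));
    return 40;
}
```

    Two points worth keeping in mind when moving this into the callout: the RST is only honoured by the originator if its ACK field is exactly SEG.SEQ+SEG.LEN, which is why the SYN's sequence number is read rather than guessed, and the injected RST is itself a packet that will pass through the forward layer again, so the callout has to recognise and permit its own injections rather than classify them a second time.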

All replies

  • I think you will need a callout to abort TCP flows from a gateway machine. Your algorithm above should work.


    • Marked as answer by Biao Wang [MSFT] Thursday, September 10, 2009 1:51 AM
    • Unmarked as answer by Nilesh Parekh Thursday, October 1, 2009 5:01 PM
    Wednesday, September 9, 2009 4:22 AM
  • So I wrote the callout, and it does send the RST packet. I am encountering the following problem.

    - The server has a filter/callout to block all traffic from a private subnet to the Internet.
    - NAT is enabled on the server (Windows 2008) for all Internet-bound traffic from the private subnet.
    - I capture the TCP-SYN at the IPFORWARD layer in the server and re-inject a TCP-RST at the same layer. I swap the source/destination addresses. So if a TCP-SYN initiates from the private subnet, it immediately gets a TCP-RST.
    - The problem is that the re-injected packet gets NATed, i.e. if the TCP-SYN had source/destination A/B, the TCP-RST should have B/A, where A is a private subnet address (192.168.x.y) and B is a routable IP address. But what I see is that the TCP-RST received by the originator of the TCP-SYN has addresses D/A, where D is the NATed address.

    I use the FwpsInjectForwardAsync0 function to inject the TCP-RST in the forward path. I have created a new sublayer.

    Not sure why NAT comes into the picture on a packet that is routed to a private subnet in the forward layer.

    Thanks for your help.
    Wednesday, September 30, 2009 11:07 PM