Iptables equivalent in OpenWrt

How does this translate into OpenWrt?

Since paqet uses pcap to bypass standard firewalls, you MUST configure
iptables on the server to prevent kernel interference:

sudo iptables -t raw -A PREROUTING -p tcp --dport 9999 -j NOTRACK
sudo iptables -t raw -A OUTPUT -p tcp --sport 9999 -j NOTRACK
sudo iptables -t mangle -A OUTPUT -p tcp --sport 9999 --tcp-flags RST RST -j DROP
Replace 9999 with your actual listen port.

Are you copying AI questions? You know that RAW tables do not have a distinction between local sockets and routing, so you will un-NAT all port traffic?

What is your end goal? I'd guess just tap "Drop invalid packets" in firewall and you are safe from middlebox resets....

1 Like

No, just the requirements.

A more OpenWrt-friendly implementation rather than a cold iptables script.

You can create rules in LuCI that use the “don’t track” action (target), which equates to NOTRACK. Whether it gives you the results you want will be hard to say.

Check the results with nft list ruleset and look for the “raw” and “notrack” chains.

The setup is not ok on a router... iptables-translate helps

Place somefile.nft into /etc/nftables.d/


chain raw_prerouting {
  type filter hook prerouting priority raw; policy accept;
  tcp dport 9999 counter notrack
}
chain raw_output {
  type filter hook output priority raw; policy accept;
  # th sport 9999 tcp flags rst counter drop
  # tcp sport 9999 counter notrack
  tcp sport 9999 counter notrack tcp flags rst counter drop
}

EDIT - save one payload reference....

2 Likes
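As an added example (not posted by anyone in this thread, and not part of paqet or OpenWrt), the script below puts the two steps from the replies above into one place: it renders the fw4 include file for a single listen port so that only that port is exempted from conntrack, and it checks the loaded ruleset the way the earlier reply suggests (nft list ruleset, looking for the notrack rules). The port value, the file name 90-paqet-notrack.nft and the sample ruleset dump are assumptions constructed for the example; the chain bodies are the ones posted above.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenWrt with fw4, where files in
# /etc/nftables.d/ are included inside "table inet fw4". File name and port
# are placeholders chosen for the example.

# Emit the include-file body for one listen port. Keeping the match on a
# single port is what avoids un-tracking (and therefore un-NATing) all traffic.
render_paqet_nft() {
  port="$1"
  cat <<EOF
# Skip conntrack for the paqet listen port only, in both directions,
# and drop the RSTs the kernel would send from that source port.
chain raw_prerouting {
  type filter hook prerouting priority raw; policy accept;
  tcp dport $port counter notrack
}
chain raw_output {
  type filter hook output priority raw; policy accept;
  tcp sport $port counter notrack tcp flags rst counter drop
}
EOF
}

# Syntax-check the rendered body by wrapping it in a table, as fw4 does.
# Only runs where nft is installed; returns 0 when the check passes or nft is absent.
check_syntax() {
  port="$1"
  command -v nft >/dev/null 2>&1 || return 0
  printf 'table inet fw4 {\n%s\n}\n' "$(render_paqet_nft "$port")" | nft -c -f -
}

# Read an 'nft list ruleset' dump on stdin; succeed when both the prerouting
# (dport) and output (sport) notrack rules for the port are present.
verify_notrack_rules() {
  port="$1"
  hits=$(grep -cE "tcp (dport|sport) $port .*notrack" || true)
  [ "$hits" -ge 2 ]
}

# Constructed sample of what 'nft list ruleset' prints after the file is loaded
# (counters shown as nft renders them).
SAMPLE_RULESET='table inet fw4 {
	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
		tcp dport 9999 counter packets 0 bytes 0 notrack
	}
	chain raw_output {
		type filter hook output priority raw; policy accept;
		tcp sport 9999 counter packets 0 bytes 0 notrack tcp flags rst counter packets 0 bytes 0 drop
	}
}'

# Run on the router as root: write the include file, reload fw4, verify.
install_paqet_nft() {
  port="$1"
  dest="/etc/nftables.d/90-paqet-notrack.nft"
  check_syntax "$port" || return 1
  render_paqet_nft "$port" > "$dest"
  /etc/init.d/firewall restart
  nft list ruleset | verify_notrack_rules "$port"
}
```

Usage on the router is `install_paqet_nft 9999`; off the router, `printf '%s\n' "$SAMPLE_RULESET" | verify_notrack_rules 9999` shows what the check looks for, and the same check against a different port fails, which is the point of keeping the match port-specific.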
