'Netty how to completely ignore TCP/UDP packets from unknown IPs
I'm trying to create a SOCKS proxy implementation using Netty and I need to drop packets from unknown hosts/IPs. It should behave like a firewall if the packet received from unknown host it should drop it and do not send any packets in responce.
IpFilterRule[] rules = new IpFilterRule[2];
rules[0] = new IpSubnetFilterRule("127.0.0.1", 8, IpFilterRuleType.ACCEPT);
rules[1] = new IpSubnetFilterRule("127.0.0.1", 0, IpFilterRuleType.REJECT);
ServerBootstrap bootstrap = new ServerBootstrap();
bootstrap.group(boss, worker)
.channel(NioServerSocketChannel.class)
.option(ChannelOption.SO_BACKLOG, 1024)
.option(ChannelOption.CONNECT_TIMEOUT_MILLIS, 1000)
.childHandler(new ChannelInitializer<SocketChannel>() {
@Override
protected void initChannel(SocketChannel ch) throws Exception {
ch.pipeline().addFirst(ipFilter);
ch.pipeline().addLast(new IdleStateHandler(3, 30, 0));
ch.pipeline().addLast(new ProxyIdleHandler());
// some socks channel pipeline initialization
}
});
Edit 1: After I've added IP filter to the channel pipeline I can still see SYN ACK responces and FIN ACK, RST ACK packets from my Netty proxy server 192.168.56.1
Solution 1:[1]
Would RuleBasedIpFilter.accept() be of any help?
@Override
protected boolean accept(ChannelHandlerContext ctx, InetSocketAddress remoteAddress) throws Exception {
for (IpFilterRule rule : rules) {
if (rule == null) {
break;
}
if (rule.matches(remoteAddress)) {
return rule.ruleType() == IpFilterRuleType.ACCEPT;
}
}
return true;
}
}
Solution 2:[2]
With Netty, you can only drop messages at application layer. You cannot drop packets at the network layer with Netty. The network stack of the operating system will ACK the TCP packet before pushing that packet to Netty.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | halfpenny-ian |
| Solution 2 | HyperX Pro |