LinuxCommandLibrary

faked-tcp

Simulate TCP connections for testing purposes

SYNOPSIS

iptables -A chain match-options -j FAKED_TCP [faked-tcp-options]

PARAMETERS

--syn-ack
    Sends a SYN-ACK packet in response to an incoming SYN, making a closed port appear open.

--rst-ack
    Sends a RST-ACK packet in response, useful for explicitly resetting connections or making a port appear immediately closed.

--fin-ack
    Sends a FIN-ACK packet, potentially mimicking a graceful connection termination or for deceptive purposes.

--set-ttl ttl
    Sets the Time-To-Live (TTL) value for the generated faked packet.
    This can be used to control how many hops the packet can traverse.

--set-window size
    Sets the TCP window size for the faked packet.
    This can influence how the remote host perceives the buffer capacity.

--set-seq seq_num
    Sets the TCP sequence number for the faked packet.
    Useful for precise TCP state manipulation.

--set-ack-seq ack_seq_num
    Sets the TCP acknowledgment sequence number for the faked packet.
    Crucial for maintaining or faking TCP flow.

--set-src-port port
    Sets the source port of the faked TCP packet.
    Normally, this is automatically set to the destination port of the incoming packet.

DESCRIPTION

The faked-tcp functionality refers to a module within the Linux netfilter framework, typically provided by xtables-addons. It is not a standalone command but an iptables extension (a target module) that generates deceptive TCP responses to incoming packets. This lets system administrators control how a host appears to network scanners or remote systems. For instance, a closed port can be made to appear open (by answering a SYN with a SYN-ACK), or other TCP flags and sequence numbers can be manipulated to confuse, delay, or misdirect network probes. It is useful for honeypots, for obscuring which network services exist, and for countering scanning and firewall-evasion attempts.

CAVEATS

The faked-tcp functionality is not part of the standard Linux kernel or default iptables distribution. It typically requires the installation of xtables-addons (or similar third-party iptables extensions) and corresponding kernel modules.
Misuse can lead to unexpected network behavior, interfere with legitimate traffic, or make debugging network issues more complex.
Advanced network scanners or intrusion detection systems may be able to detect the deceptive nature of these faked responses.

EXAMPLE USAGE: FAKING AN OPEN PORT

To make a closed port 80 appear open to an incoming SYN packet, you could use the following rule:

iptables -A INPUT -p tcp --dport 80 -j FAKED_TCP --syn-ack

This rule instructs iptables to respond with a SYN-ACK packet to any TCP SYN packet arriving on destination port 80, even if no service is actually listening there. Simple port scanners that treat a SYN-ACK as proof of an open port will then report port 80 as open.
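The CAVEATS section notes that scanners and intrusion detection systems may recognise faked responses. The following Python script is an added example, not part of this page or of xtables-addons: it applies to a constructed handshake capture the consistency checks a genuine kernel TCP stack always satisfies (the SYN-ACK acknowledges the client's sequence number plus one, mirrors the ports, advertises a non-zero window, and carries the host's usual TTL). The packet records, the port numbers and the TTL baseline of 64 are all constructed for illustration. A rule that sets --set-seq, --set-ack-seq, --set-ttl and --set-window carefully can pass these checks, so they are heuristics that raise suspicion, not proof.

```python
"""Consistency checks on SYN-ACK responses (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TcpSeg:
    """One TCP segment, reduced to the fields the checks need."""
    src_port: int
    dst_port: int
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "RA" = RST-ACK
    seq: int
    ack: int
    ttl: int
    window: int


def check_synack(syn: TcpSeg, reply: TcpSeg, ttl_baseline: Optional[int] = None) -> list:
    """Return a list of findings for a SYN-ACK; an empty list means it looks genuine."""
    findings = []
    if reply.flags != "SA":
        return ["reply is not a SYN-ACK"]
    expected_ack = (syn.seq + 1) & 0xFFFFFFFF
    if reply.ack != expected_ack:
        findings.append(f"ack {reply.ack} does not acknowledge client seq+1 ({expected_ack})")
    if reply.src_port != syn.dst_port or reply.dst_port != syn.src_port:
        findings.append("ports are not mirrored from the SYN")
    if reply.window == 0:
        # A real stack advertises its receive buffer; a synthesised reply may not.
        findings.append("zero receive window in SYN-ACK")
    if ttl_baseline is not None and reply.ttl != ttl_baseline:
        findings.append(f"ttl {reply.ttl} differs from host baseline {ttl_baseline}")
    return findings


def audit(capture: list, ttl_baseline: Optional[int] = None) -> dict:
    """Pair every SYN-ACK with its SYN and check it; keyed by the server port."""
    syns = {(s.src_port, s.dst_port): s for s in capture if s.flags == "S"}
    results = {}
    for seg in capture:
        if seg.flags != "SA":
            continue  # RST-ACK and data segments are not handshake replies
        syn = syns.get((seg.dst_port, seg.src_port))
        if syn is None:
            results[seg.src_port] = ["SYN-ACK without a matching SYN"]
            continue
        results[seg.src_port] = check_synack(syn, seg, ttl_baseline)
    return results


# Constructed capture: one real handshake (port 22), one suspicious
# SYN-ACK (port 80) and one ordinary closed-port RST-ACK (port 443).
CAPTURE = [
    TcpSeg(40001, 22, "S", 1000, 0, 64, 64240),
    TcpSeg(22, 40001, "SA", 5000, 1001, 64, 65160),
    TcpSeg(40002, 80, "S", 2000, 0, 64, 64240),
    TcpSeg(80, 40002, "SA", 0, 0, 128, 0),
    TcpSeg(40003, 443, "S", 3000, 0, 64, 64240),
    TcpSeg(443, 40003, "RA", 0, 3001, 64, 0),
]

if __name__ == "__main__":
    for port, findings in audit(CAPTURE, ttl_baseline=64).items():
        status = "ok" if not findings else "suspicious"
        print(f"port {port}: {status}")
        for f in findings:
            print(f"    - {f}")
```

Running the script reports port 22 as ok and port 80 as suspicious with three findings; port 443 is not listed because a RST-ACK is the normal answer from a closed port. In a real deployment the TTL baseline would come from a known-good service on the same host rather than from a constant.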

HISTORY

The ability to perform advanced packet manipulation within netfilter has evolved alongside the Linux kernel's networking capabilities. faked-tcp emerged as part of the broader xtables-addons project, which extends iptables with specialized match and target modules. Its development was driven by the need for more sophisticated network security tactics, including honeypot implementations and advanced host-based deception, allowing administrators to craft highly specific responses to network probes that go beyond simple packet drops or accepts.

SEE ALSO

iptables(8), nft(8), nmap(1), tcpdump(1)
