LinuxQuestions.org

Linux - Networking: Is it necessary to drop specific flags in IPTABLES with an INPUT DROP policy? (http://www.linuxquestions.org/questions/linux-networking-3/is-it-necessary-to-drop-specific-flags-in-iptables-with-an-input-drop-policy-4175423487/)

rootaccess 08-22-2012 04:33 PM

Is it necessary to drop specific flags in IPTABLES with an INPUT DROP policy?
 
I got the idea of dropping specific flags. Here is what I am referring to:

#Drop spoofed packets
/sbin/iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

#Drop bogus packets
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

My default policy for INPUT is set to DROP. Another member pointed out that a better solution would be to leave it open, delete the above rules and simply use this line below at the end of the INPUT rules:

/sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp -j DROP

And nothing will get past that. However, is that true? What about the bogus, spoofed or INVALID packets?

Thanks for any help,
Shawn

TheMadIndian 08-22-2012 07:37 PM

Quote:

Originally Posted by rootaccess (Post 4761462)
I got the idea of dropping specific flags. Here is what I am referring to:

#Drop spoofed packets
/sbin/iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

#Drop bogus packets
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

My default policy for INPUT is set to DROP. Another member pointed out that a better solution would be to leave it open, delete the above rules and simply use this line below at the end of the INPUT rules:

/sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp -j DROP

And nothing will get past that. However, is that true? What about the bogus, spoofed or INVALID packets?

Thanks for any help,
Shawn

My default for INPUT is DROP
Code:

Chain INPUT (policy DROP 0 packets, 0 bytes)

In my iptables script I have this for dealing with Badflags
Code:

#deal with known bad flags
$ipt -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ACK,URG URG -j Badflags
$ipt -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j Badflags
$ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j Badflags
$ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL ALL -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL NONE -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j Badflags

And while most are 0, you can see hits against the first even with DROP on INPUT:

Code:

iptables -vL |grep Badflags
    2    92 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,ACK/FIN
    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:PSH,ACK/PSH
    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:ACK,URG/URG
    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,RST/FIN,RST
    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN/FIN,SYN
    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:SYN,RST/SYN,RST
    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,PSH,URG
    0    0 Badflags  tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
Chain Badflags (11 references)
    2    92 LOG        all  --  any    any    anywhere            anywhere            limit: avg 10/min burst 5 LOG level warning prefix `Badflags: '


rootaccess 08-22-2012 08:15 PM

In other words, I should leave it the way it is

TheMadIndian 08-22-2012 08:28 PM

Quote:

Originally Posted by rootaccess (Post 4761580)
In other words, I should leave it the way it is

IMHO yes

rootaccess 08-22-2012 08:29 PM

should I add any additional flags? I know I should add logging but that is a different topic altogether

TheMadIndian 08-22-2012 09:10 PM

Quote:

Originally Posted by rootaccess (Post 4761593)
should I add any additional flags? I know I should add logging but that is a different topic altogether

I only ever see hits against FIN,ACK/FIN with the drop on input by default. It won't hurt to match up yours against mine and add what you don't have. It's not going to hurt anything to add.
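Added example, not from either poster: the kernel evaluates `--tcp-flags MASK COMP` as `(flags & MASK) == COMP`, and because iptables stops at the first matching rule, a later flag rule can be unreachable. This script models that over all 64 TCP flag combinations for the Badflags list above, showing which rows can ever count a hit and which are shadowed by an earlier row; the rule list is copied from the post, the helper names are mine.

```python
"""Model iptables --tcp-flags matching and find rules that can never fire.
Rule list copied from TheMadIndian's Badflags chain; everything else is an
added illustration, not code from the thread."""

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F  # iptables' ALL keyword covers these six flags (not ECE/CWR)


def parse(spec):
    """Turn an iptables flag list ("FIN,ACK", "ALL", "NONE") into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAGS[f] for f in spec.split(","))


def tcp_flags_match(packet_flags, mask, comp):
    """--tcp-flags MASK COMP: look only at the bits in MASK and require
    exactly the COMP bits among them to be set."""
    return (packet_flags & parse(mask)) == parse(comp)


# TheMadIndian's Badflags rules, in chain order (index = position in chain).
BADFLAGS_RULES = [
    ("ACK,FIN", "FIN"), ("ACK,PSH", "PSH"), ("ACK,URG", "URG"),
    ("FIN,RST", "FIN,RST"), ("SYN,FIN", "SYN,FIN"), ("SYN,RST", "SYN,RST"),
    ("ALL", "ALL"), ("ALL", "NONE"), ("ALL", "FIN,PSH,URG"),
    ("ALL", "SYN,FIN,PSH,URG"), ("ALL", "SYN,RST,ACK,FIN,URG"),
]


def first_matching_rule(packet_flags, rules=BADFLAGS_RULES):
    """Index of the first rule that matches; None if the packet falls through
    to the rest of the chain (and eventually the chain policy)."""
    for i, (mask, comp) in enumerate(rules):
        if tcp_flags_match(packet_flags, mask, comp):
            return i
    return None


def classify(spec, rules=BADFLAGS_RULES):
    """Same as first_matching_rule, but takes a flag string such as "SYN,FIN"."""
    return first_matching_rule(parse(spec), rules)


def shadowed_rules(rules=BADFLAGS_RULES):
    """Indices of rules that are never the first match for any of the 64 flag
    combinations: their counters stay at 0 no matter what traffic arrives."""
    reachable = {first_matching_rule(f, rules) for f in range(ALL + 1)}
    return [i for i in range(len(rules)) if i not in reachable]
```

With this ordering the ALL/ALL, ALL/FIN,PSH,URG, ALL/SYN,FIN,PSH,URG and ALL/SYN,RST,ACK,FIN,URG rows (indices 6, 8, 9, 10) can never be the first match, since any packet they describe already hits the FIN,ACK/FIN or FIN,RST rule; a plain FIN or a bare SYN,FIN lands on the first rule, while a legitimate SYN or FIN,ACK matches nothing. Swapping in the original poster's list shows that, of the four rules he lacks, only ALL/NONE (a packet with no flags at all) adds coverage his existing rules do not already have.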

