Is it necessary to drop specific flags in IPTABLES with an INPUT DROP policy?
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I got the idea of dropping specific flags. Here is what I am referring to:
#Drop spoofed packets
/sbin/iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
#Drop bogus packets
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
My default policy for INPUT is set to DROP. Another member pointed out that a better solution would be to leave it open, delete the above rules, and simply use the line below at the end of the INPUT rules:
/sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp -j DROP
And nothing will get past that. However, is that true? What about the bogus, spoofed or INVALID packets?
Thanks for any help,
Shawn
My default for INPUT is DROP
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
In my iptables script I have this for dealing with Badflags:
Code:
#deal with known bad flags
$ipt -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ACK,URG URG -j Badflags
$ipt -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j Badflags
$ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j Badflags
$ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL ALL -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL NONE -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j Badflags
And while most are 0, you can see hits against the first even with DROP on INPUT:
Code:
iptables -vL |grep Badflags
2 92 Badflags tcp -- any any anywhere anywhere tcp flags:FIN,ACK/FIN
0 0 Badflags tcp -- any any anywhere anywhere tcp flags:PSH,ACK/PSH
0 0 Badflags tcp -- any any anywhere anywhere tcp flags:ACK,URG/URG
0 0 Badflags tcp -- any any anywhere anywhere tcp flags:FIN,RST/FIN,RST
0 0 Badflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
0 0 Badflags tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST
0 0 Badflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 Badflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 Badflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
0 0 Badflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,PSH,URG
0 0 Badflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
Chain Badflags (11 references)
2 92 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `Badflags: '
Should I add any additional flags? I know I should add logging, but that is a different topic altogether.
I only ever see hits against FIN,ACK/FIN with the drop on input by default. It won't hurt to match up yours against mine and add what you don't have. It's not going to hurt anything to add
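As an added example (not code from either post), the following Python models the `--tcp-flags MASK COMP` match and evaluates the rule list from the original post and the longer list from the reply above against every one of the 64 TCP flag combinations, which is the "match up yours against mine" check done exhaustively. The flag bit order and the sample of normal-connection flags are my own assumptions.

```python
# Added example (not code from the thread): a model of the iptables
# "--tcp-flags MASK COMP" match, evaluated for the two rule lists posted above
# against all 64 TCP flag combinations, to show what each list actually drops.
FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
BITS = {name: 1 << i for i, name in enumerate(FLAGS)}

def flagset(spec):
    """Parse an iptables flag list ('FIN,ACK', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return sum(BITS.values())
    if spec == "NONE":
        return 0
    return sum(BITS[name] for name in spec.split(","))

def rule_matches(mask, comp, flags):
    """--tcp-flags MASK COMP: of the bits in MASK, exactly those in COMP are set.
    'flags:FIN,ACK/FIN' in 'iptables -vL' output is this MASK/COMP pair."""
    return (flags & mask) == comp

# (MASK, COMP) pairs exactly as written in the original post and in the reply.
OP_RULES = [("FIN,ACK", "FIN"), ("ACK,PSH", "PSH"), ("ACK,URG", "URG"),
            ("SYN,FIN", "SYN,FIN"), ("SYN,RST", "SYN,RST"), ("FIN,RST", "FIN,RST"),
            ("ALL", "FIN,PSH,URG")]
REPLY_RULES = OP_RULES + [("ALL", "ALL"), ("ALL", "NONE"),
                          ("ALL", "SYN,FIN,PSH,URG"), ("ALL", "SYN,RST,ACK,FIN,URG")]

# Constructed sample: flags of an ordinary TCP connection; none may hit a rule.
NORMAL = [flagset(s) for s in ("SYN", "SYN,ACK", "ACK", "PSH,ACK", "FIN,ACK", "RST", "RST,ACK")]

def names(flags):
    return ",".join(f for f in FLAGS if flags & BITS[f]) or "NONE"

def first_match(rules, flags):
    """MASK/COMP of the first rule matching this combination, or None (top to bottom, like the chain)."""
    for mask, comp in rules:
        if rule_matches(flagset(mask), flagset(comp), flags):
            return f"{mask}/{comp}"
    return None

def caught_by(rules):
    """All flag combinations (0..63) that at least one rule in the list drops."""
    return {f for f in range(64) if first_match(rules, f) is not None}

def false_positives(rules):
    return [names(f) for f in NORMAL if first_match(rules, f) is not None]

if __name__ == "__main__":
    extra = caught_by(REPLY_RULES) - caught_by(OP_RULES)
    print("dropped by the reply's list but not by the OP's:", [names(f) for f in extra])
    print("normal traffic wrongly dropped:", false_positives(REPLY_RULES))
```

Running it shows that the only combination the reply's extra rules add over the original list is NONE (no flags set at all), because anything with both SYN and FIN set is already caught by the shared SYN,FIN rule, and that neither list matches ordinary connection traffic.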