LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 08-22-2012, 03:33 PM   #1
rootaccess
Member
 
Registered: Mar 2012
Posts: 211

Rep: Reputation: Disabled
Is it necessary to drop specific flags in IPTABLES with an INPUT DROP policy?


I got the idea of dropping specific flags. Here is what I am referring to:

#Drop spoofed packets
/sbin/iptables -A INPUT -i ! lo -s 127.0.0.0/8 -j DROP

#Drop bogus packets
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

My default policy for INPUT is set to DROP. Another member pointed out a better solution would be to leave it open and delete the above rules and simply use this line below at the end of the INPUT rules

/sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp -j DROP

And nothing will get passed that. However, is that true? What about the bogus, spoofed or INVALID packets?

Thanks for any help,
Shawn
 
Old 08-22-2012, 06:37 PM   #2
TheMadIndian
Member
 
Registered: Dec 2007
Distribution: Fedora Slackware CentOS slax RHEL
Posts: 114

Rep: Reputation: 23
Quote:
Originally Posted by rootaccess View Post
I got the idea of dropping specific flags. Here is what I am referring to:

#Drop spoofed packets
/sbin/iptables -A INPUT -i ! lo -s 127.0.0.0/8 -j DROP

#Drop bogus packets
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

My default policy for INPUT is set to DROP. Another member pointed out a better solution would be to leave it open and delete the above rules and simply use this line below at the end of the INPUT rules

/sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp -j DROP

And nothing will get passed that. However, is that true? What about the bogus, spoofed or INVALID packets?

Thanks for any help,
Shawn
My default for INPUT is DROP
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)

In my iptables script I have this for dealing with Badflags
Code:
#deal with known bad flags
$ipt -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ACK,URG URG -j Badflags
$ipt -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j Badflags
$ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j Badflags
$ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL ALL -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL NONE -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j Badflags
and while most are 0 you can see hits against the first even with DROP on INPUT

Code:
iptables -vL |grep Badflags
    2    92 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,ACK/FIN 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:PSH,ACK/PSH 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:ACK,URG/URG 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,RST/FIN,RST 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN,RST 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,PSH,URG 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG 
Chain Badflags (11 references)
    2    92 LOG        all  --  any    any     anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `Badflags: '
 
Old 08-22-2012, 07:15 PM   #3
rootaccess
Member
 
Registered: Mar 2012
Posts: 211

Original Poster
Rep: Reputation: Disabled
In other words, I should leave it the way it is
 
Old 08-22-2012, 07:28 PM   #4
TheMadIndian
Member
 
Registered: Dec 2007
Distribution: Fedora Slackware CentOS slax RHEL
Posts: 114

Rep: Reputation: 23
Quote:
Originally Posted by rootaccess View Post
In other words, I should leave it the way it is
IMHO yes
 
Old 08-22-2012, 07:29 PM   #5
rootaccess
Member
 
Registered: Mar 2012
Posts: 211

Original Poster
Rep: Reputation: Disabled
should I add any additional flags? I know I should add logging but that is a different topic altogether
 
Old 08-22-2012, 08:10 PM   #6
TheMadIndian
Member
 
Registered: Dec 2007
Distribution: Fedora Slackware CentOS slax RHEL
Posts: 114

Rep: Reputation: 23
Quote:
Originally Posted by rootaccess View Post
should I add any additional flags? I know I should add logging but that is a different topic altogether
I only ever see hits against FIN,ACK/FIN with the drop on input by default. It wont hurt to match up yours against mine and add what you don't have. It's not going to hurt anything to add
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables question: default DROP policy and TCP Three Way Handshake johnnygear Linux - Networking 5 04-22-2012 08:38 PM
iptables / output *drop* policy reverse Linux - Security 3 11-22-2007 10:39 AM
Iptables drop policy problem Dakkar Linux - General 5 10-18-2006 02:38 PM
iptables - drop all -> allow needed OR allow all -> drop specific lucastic Linux - Security 5 12-21-2004 02:07 AM
WU-FTPD and IPTABLES DROP Policy Cpare Linux - Networking 0 10-23-2001 09:19 PM


All times are GMT -5. The time now is 05:18 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration