LinuxQuestions.org
Linux - Networking: This forum is for any issue related to networks or networking.
08-22-2012, 03:33 PM   #1
rootaccess
Is it necessary to drop specific flags in IPTABLES with an INPUT DROP policy?


I got the idea of dropping specific flags. Here is what I am referring to:

#Drop spoofed packets (a loopback source address arriving on a non-loopback interface;
# current iptables wants the negation in front of the option, "-i ! lo" is the deprecated form)
/sbin/iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

#Drop bogus packets
# INVALID: conntrack could not associate the packet with any known connection
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
# --tcp-flags MASK COMP: of the flags in MASK, exactly those in COMP must be set
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP        # FIN without ACK (FIN scan)
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP        # PSH without ACK
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP        # URG without ACK
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP    # SYN and FIN together
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP    # SYN and RST together
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP    # FIN and RST together
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP    # exactly FIN,PSH,URG (Xmas scan)

My default policy for INPUT is set to DROP. Another member pointed out that a better solution would be to leave it open, delete the above rules, and simply use this line below at the end of the INPUT rules:

/sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp -j DROP

And nothing will get past that. However, is that true? What about the bogus, spoofed or INVALID packets?

Thanks for any help,
Shawn
 
08-22-2012, 06:37 PM   #2
TheMadIndian
Quote: Originally Posted by rootaccess (post #1 above)
My default for INPUT is DROP:
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)

In my iptables script I have this for dealing with Badflags:
Code:
#deal with known bad flags
$ipt -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ACK,URG URG -j Badflags
$ipt -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j Badflags
$ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j Badflags
$ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL ALL -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL NONE -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j Badflags
$ipt -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j Badflags
While most are 0, you can see hits against the first even with DROP on INPUT:

Code:
iptables -vL |grep Badflags
    2    92 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,ACK/FIN 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:PSH,ACK/PSH 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:ACK,URG/URG 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,RST/FIN,RST 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN,RST 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,PSH,URG 
    0     0 Badflags   tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG 
Chain Badflags (11 references)
    2    92 LOG        all  --  any    any     anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `Badflags: '
 
08-22-2012, 07:15 PM   #3
rootaccess
In other words, I should leave it the way it is?
 
08-22-2012, 07:28 PM   #4
TheMadIndian
Quote: Originally Posted by rootaccess
In other words, I should leave it the way it is?
IMHO, yes.
 
08-22-2012, 07:29 PM   #5
rootaccess
Should I add any additional flags? I know I should add logging, but that is a different topic altogether.
 
08-22-2012, 08:10 PM   #6
TheMadIndian
Quote: Originally Posted by rootaccess
Should I add any additional flags? I know I should add logging, but that is a different topic altogether.
I only ever see hits against FIN,ACK/FIN with the drop on INPUT by default. It won't hurt to match up yours against mine and add what you don't have. It's not going to hurt anything to add.
 
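A model of the --tcp-flags match, as an added example (it is not code from either poster), to check what the two posted lists actually catch and miss. Per iptables-extensions(8), --tcp-flags MASK COMP looks only at the flags named in MASK and matches when exactly the flags named in COMP are set among them, i.e. (flags & MASK) == COMP. The script encodes the seven rules from post #1 and the eleven Badflags rules from the reply in their posted order, runs a constructed set of sample packets through them (a normal handshake and close, plus FIN, Xmas, NULL, SYN/FIN and SYN/RST probes), and lists the rules that can never fire because an earlier rule already takes every flag combination they match. The sample packet set and the rule encoding are assumptions made for this example; it models only the flag match, not conntrack or the rest of the chain.

```python
"""Model of iptables' --tcp-flags match (added example, not from the thread).

--tcp-flags MASK COMP: look only at the flag bits named in MASK and match
when exactly the bits named in COMP are set among them, i.e.
(packet_flags & MASK) == COMP.  A bit in COMP that is not in MASK can
never match, which is also how the kernel match behaves.
"""

# Bit values of the six flags iptables accepts, as laid out in TCP header byte 13.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F


def parse_flags(spec):
    """Turn an iptables flag list ("SYN,FIN", "ALL", "NONE") into a bitmask."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= FLAGS[name.strip()]
    return bits


def tcp_flags_match(mask_spec, comp_spec, packet_flags):
    """True if '--tcp-flags mask_spec comp_spec' matches a packet carrying packet_flags."""
    return (packet_flags & parse_flags(mask_spec)) == parse_flags(comp_spec)


def first_match(rules, packet_flags):
    """Index of the first (mask, comp) rule that matches, or None if the packet falls through."""
    for index, (mask, comp) in enumerate(rules):
        if tcp_flags_match(mask, comp, packet_flags):
            return index
    return None


def shadowed_rules(rules):
    """Indexes of rules that can never fire: every one of the 64 flag
    combinations they match is already taken by an earlier rule."""
    return [i for i in range(len(rules))
            if not any(first_match(rules, flags) == i for flags in range(ALL_FLAGS + 1))]


def uncaught(rules, packets):
    """Names of the sample packets that no rule in the list matches."""
    return [name for name, spec in packets.items()
            if first_match(rules, parse_flags(spec)) is None]


# The seven --tcp-flags rules from the first post, in posted order.
OP_RULES = [
    ("FIN,ACK", "FIN"), ("ACK,PSH", "PSH"), ("ACK,URG", "URG"),
    ("SYN,FIN", "SYN,FIN"), ("SYN,RST", "SYN,RST"), ("FIN,RST", "FIN,RST"),
    ("ALL", "FIN,PSH,URG"),
]

# The eleven Badflags rules from the reply, in posted order.
REPLY_RULES = [
    ("ACK,FIN", "FIN"), ("ACK,PSH", "PSH"), ("ACK,URG", "URG"),
    ("FIN,RST", "FIN,RST"), ("SYN,FIN", "SYN,FIN"), ("SYN,RST", "SYN,RST"),
    ("ALL", "ALL"), ("ALL", "NONE"), ("ALL", "FIN,PSH,URG"),
    ("ALL", "SYN,FIN,PSH,URG"), ("ALL", "SYN,RST,ACK,FIN,URG"),
]

# Constructed sample packets (an assumption for the example): the flags a normal
# TCP session uses, plus the classic scanner combinations the rules target.
SAMPLE_PACKETS = {
    "SYN (connection request)": "SYN",
    "SYN,ACK (handshake reply)": "SYN,ACK",
    "ACK (established)": "ACK",
    "PSH,ACK (established data)": "PSH,ACK",
    "FIN,ACK (normal close)": "FIN,ACK",
    "FIN only (FIN scan)": "FIN",
    "FIN,PSH,URG (Xmas scan)": "FIN,PSH,URG",
    "no flags (NULL scan)": "NONE",
    "SYN,FIN": "SYN,FIN",
    "SYN,RST": "SYN,RST",
    "all six flags": "ALL",
}


if __name__ == "__main__":
    for label, rules in (("first post", OP_RULES), ("reply", REPLY_RULES)):
        print(f"{label}: shadowed rule indexes {shadowed_rules(rules)}")
        print(f"{label}: falls through: {uncaught(rules, SAMPLE_PACKETS)}")
    for name, spec in SAMPLE_PACKETS.items():
        flags = parse_flags(spec)
        print(f"{name:28} first post rule {first_match(OP_RULES, flags)!s:>4}"
              f"  reply rule {first_match(REPLY_RULES, flags)!s:>4}")
```

Running it shows that a legitimate FIN,ACK close passes both lists, that a FIN scan and an Xmas probe both hit the very first FIN,ACK/FIN rule (which fits the counters in the reply), and that the one probe the first post's list lets through to the rest of the chain is the NULL scan, which the reply's ALL NONE rule catches. The reply's ALL ALL, ALL FIN,PSH,URG and the two longer ALL rules are shadowed by earlier rules in the same list, so they cost a rule evaluation but never fire. Whatever falls through the flag rules still has to get past the INVALID rule, any ACCEPT rules and the DROP policy.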