LinuxQuestions.org
Old 04-06-2015, 09:49 AM   #1
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 556

Rep: Reputation: 52
iptables tcp flags scripts


I was checking out this link:
http://www.k-state.edu/its/security/...pt_Handout.pdf


There's a line that says:
Code:
iptables -A Log-N-Drop -p tcp -m tcp --tcp-flags FIN,ACK FIN -j LOG --log-prefix "Denied FIN SCAN: "
This is part of the Log-N-Drop chain that is made up of several similar statements.

First of all, I'd like to know what's the difference between --tcp-flags FIN FIN and --tcp-flags FIN,ACK FIN?

Then, there's this:
Code:
iptables -A Log-N-Drop -p tcp -m tcp --tcp-flags ALL NONE -j DROP
Which says that all tcp packets from the Log-N-Drop chain that have NO tcp flags set should be dropped.

Of course, there's a bigger context there in the link, but I'd like to take it step by step. How should I interpret this last iptables line? Why should it be necessary? I guess, in this case, it should make sense to drop all packets that have no flags set, right, 'cause they would be invalid? Any valid tcp flag should have at least one flag set, or am I wrong?

The fuller the feedback, the better
 
Old 04-07-2015, 12:51 AM   #2
sag47
Senior Member
 
Registered: Sep 2009
Location: Orange County, CA
Distribution: Kubuntu x64, Raspbian, CentOS
Posts: 1,845
Blog Entries: 36

Rep: Reputation: 453
This looks like a homework assignment. You should read "man iptables" and search for --tcp-flags. I found the answer relatively quickly by reading the man page. Also, I get a connection timeout when I click your link.

Last edited by sag47; 04-07-2015 at 12:53 AM.
 
Old 04-07-2015, 05:12 AM   #3
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 556

Original Poster
Rep: Reputation: 52
Quote:
Originally Posted by sag47 View Post
This looks like a homework assignment. You should read "man iptables" and search for --tcp-flags. I found the answer relatively quickly by reading the man page. Also, I get a connection timeout when I click your link.
This is not a homework assignment ) I finished college a few years ago, and it wasn't even a technical profile. I am sorry that your connection (or whatever's at fault) is not good enough to see the link, 'cause for me it works perfectly. But never mind that, at least you or someone else could answer this question:

What's the difference between --tcp-flags SYN,ACK SYN and --tcp-flags SYN SYN?

If you point people to man pages, you're basically flipping them off, really. If people went to the man pages and solved their problems in each case, these forums would no longer exist.

I know what man pages say:
Quote:
[!] --tcp-flags mask comp
Match when the TCP flags are as specified. The first argument mask is the
flags which we should examine, written as a comma-separated list, and the
second argument comp is a comma-separated list of flags which must be set.
Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
will only match packets with the SYN flag set, and the ACK, FIN and RST
flags unset.
THAT is what I had already known. But that's NO answer to my question whatsoever, so be reasonable.

Last edited by vincix; 04-07-2015 at 05:19 AM.
 
1 members found this post helpful.
Old 04-07-2015, 06:31 AM   #4
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
Just to help you out on your question.
Quote:
First of all, I'd like to know what's the difference between --tcp-flags FIN FIN and --tcp-flags FIN,ACK FIN?
Let's see. First is FIN FIN. FIN is the first argument, which makes it the bit that is to be checked on. The second argument is FIN. So the FIN bit needs to be set. Interpret like: Check the FIN bit of a tcp packet and see if the FIN bit is set. If yes, it's a match and we log the line.
The other one has FIN,ACK bits as first argument, thus those get checked on. And if the FIN flag is set its a match. The hidden bit (pun intended) is that the ACK bit should not be set. So maybe read it like --tcp-flags FIN,ACK FIN,!ACK. The negation is just left out.

And you're right when it comes to the ALL NONE thing. Check all the flag bits and if none is set, drop it.
 
1 members found this post helpful.
Old 04-07-2015, 08:43 AM   #5
sag47
Senior Member
 
Registered: Sep 2009
Location: Orange County, CA
Distribution: Kubuntu x64, Raspbian, CentOS
Posts: 1,845
Blog Entries: 36

Rep: Reputation: 453
Quote:
Originally Posted by vincix View Post
This is not a homework assignment ) I finished college a few years ago, and it wasn't even a technical profile. I am sorry that your connection (or whatever's at fault) is not good enough to see the link, 'cause for me it works perfectly. But never mind that, at least you or someone else could answer this question:

What's the difference between --tcp-flags SYN,ACK SYN and --tcp-flags SYN SYN?

If you point people to man pages, you're basically flipping them off, really. If people went to the man pages and solved their problems in each case, these forums would no longer exist.

I know what man pages say:

THAT is what I had already known. But that's NO answer to my question whatsoever, so be reasonable.
I don't appreciate your tone. I don't believe pointing you to the man pages is basically flipping you off. It is a valid reference in which to look up material. Part of the point of this forum is to help people grow. That comes with teaching people how to fish as well as showing other forms of etiquette like presenting what you have tried so far in your question. You did not mention the man pages so it was entirely likely that you did not know man pages exist. So I felt my comment was a point in the right direction. Considering you linked to a handout on a .edu domain I don't think it's absurd to assume you're a student. Students don't grow by being given the answers. Students post on this forum from time to time.

The man page quote you posted does answer part of your question. There is little difference between --tcp-flags FIN,ACK FIN and --tcp-flags FIN FIN. According to the man page you quoted the first field of the --tcp-flags option is what TCP packets should be inspected based on set flags. The second field only selects packets with every flag set which is specified.

--tcp-flags FIN,ACK FIN Means packets with FIN or ACK will be analyzed but only FIN packets are selected.

--tcp-flags FIN FIN Means packets with FIN bit set will be analyzed but only FIN packets will be selected.

The end result is the same from my understanding. The difference is what packets get analyzed.

Last edited by sag47; 04-07-2015 at 08:51 AM.
 
Old 04-07-2015, 11:41 AM   #6
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 556

Original Poster
Rep: Reputation: 52
Well, I don't appreciate your attitude either - you started by accusing me of trying to do my homework here, even though you weren't even able to access the link. If you had, you'd have seen that this is not a homework assignment, but actually a few lines of iptables script that someone has written. And it's quite typical of people who know better on this forum to just point to the man pages when the subject in hand is really slightly more complicated (you saw what I wanted to understand from the very beginning) and it CANNOT be inferred from a list of raw instructions. But I won't linger anymore over that. I don't think it's a very fruitful conversation.

What the man pages said I had already known. So before posting that, I had already known how to match a certain flag out of a list with --tcp-flags and it was all clear. So no, man pages actually didn't answer anything. I was particularly interested in this difference, which you both explained. So I thank you for that.

So basically, it would be more practical (resourcewise) to make the first list as short as possible, right? If you're interested in matching SYN, just write --tcp-flags SYN SYN, right?

Or on the contrary, if you're interested in matching the absence of SYN (for new tcp connections, for instance), write --tcp-flags SYN NONE instead of ! --syn (which I saw that tests all the flags, and write SYN in the second list, and then all is denied by the "!")

In the link I offered, the comments above one of the iptables lines say: "FIN is without the expected accompanying ACK". So I take it that the only reason why you'd place what would be, after all, an unnecessary ACK in the first list too is basically descriptive - so that when you read the line, you can tell what it is about more easily. Is this correct?

[later edit]
@zhjim

After all, I seem not to have read your post carefully enough (and neither the man pages for that matter). Only now do I understand it.

FIN,ACK FIN means FIN=1,ACK=0
FIN FIN means FIN=1, and the rest of the flags can be either 0 or 1

So this is actually an essential difference.

Now I don't really agree with what sag47 says, that "--tcp-flags FIN,ACK FIN Means packets with FIN or ACK will be analyzed but only FIN packets are selected.", because in this case, from what I gather from your post, zhjim, ACK must be 0 in order to get a match. And this, of course, makes much more sense, because it offers you much better traffic control. So am I correct to think that way?

Last edited by vincix; 04-07-2015 at 02:00 PM.
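An added worked example (not from the thread or the handout) that models the mask/comp test described in posts #4 and #6 in Python: iptables compares `packet_flags & mask` against `comp`, so FIN,ACK FIN requires ACK to be clear while FIN FIN ignores ACK. The sample packets are constructed, and the last two rules show that --tcp-flags SYN NONE and ! --syn are not equivalent (a SYN+ACK segment is matched by the second but not the first).

```python
# Bit values of the six classic TCP flags in the header's flags byte (RFC 793).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_flag_list(spec):
    """Convert an iptables flag list ('FIN,ACK', 'ALL', 'NONE', ...) to a bitmask."""
    bits = 0
    for name in spec.upper().split(","):
        if name == "ALL":
            bits |= 0x3F            # FIN|SYN|RST|PSH|ACK|URG
        elif name != "NONE":        # NONE contributes no bits
            bits |= TCP_FLAGS[name]
    return bits

def tcp_flags_match(packet_flags, mask, comp, invert=False):
    """Model of '[!] --tcp-flags mask comp': look only at the bits named in mask and
    require that, within those bits, exactly the bits named in comp are set.
    A flag named in comp but not in mask is masked away first, so it can never match."""
    m, c = parse_flag_list(mask), parse_flag_list(comp)
    return ((packet_flags & m) == c) != invert

def syn_match(packet_flags, invert=False):
    """'--syn' is shorthand for '--tcp-flags SYN,RST,ACK,FIN SYN'."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK,FIN", "SYN", invert)

# Constructed sample packets (name -> flags byte), not captured traffic.
PACKETS = {
    "no flags": 0x00,   # what 'ALL NONE' is meant to catch
    "FIN only": 0x01,   # the 'FIN without the expected ACK' case the handout logs
    "FIN+ACK": 0x11,    # ordinary close segment
    "SYN only": 0x02,   # ordinary connection request
    "SYN+ACK": 0x12,    # second step of the handshake
    "ACK only": 0x10,   # established-connection traffic
}

RULES = {
    "--tcp-flags FIN,ACK FIN": lambda f: tcp_flags_match(f, "FIN,ACK", "FIN"),
    "--tcp-flags FIN FIN":     lambda f: tcp_flags_match(f, "FIN", "FIN"),
    "--tcp-flags ALL NONE":    lambda f: tcp_flags_match(f, "ALL", "NONE"),
    "--tcp-flags SYN NONE":    lambda f: tcp_flags_match(f, "SYN", "NONE"),
    "! --syn":                 lambda f: syn_match(f, invert=True),
}

def matching_packets(rule):
    """Names of the sample packets that the given rule string matches."""
    return [name for name, flags in PACKETS.items() if RULES[rule](flags)]

if __name__ == "__main__":
    for rule in RULES:
        print(f"{rule:26} matches: {', '.join(matching_packets(rule)) or '(nothing)'}")
```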