LinuxQuestions.org

Linux - Security: Differences between NEW and --syn in iptables
(https://www.linuxquestions.org/questions/linux-security-4/differences-between-new-and-syn-in-iptables-359163/)

lord_zoo 09-01-2005 10:10 AM

Differences between NEW and --syn in iptables
 
Can somebody explain this to me, or at least, point me where I can read it?

I tried with the man pages, but, sincerely, didn't understand it completely.

Thanks.

primo 09-01-2005 01:00 PM

--syn means a SYN packet (--tcp-flags SYN,ACK,RST SYN).
You know SYNs create new TCP connections...

--state NEW may apply to non-SYN packets...
i.e., non-SYN packets may create NEW entries in netfilter's state table.

So you must make sure that only SYNs create NEW entries in the state table.

Bonus:
Some scanners use SYN/FINs for portscanning and OS fingerprinting.

These 3 rules alone protect against all invalid combinations:
Code:

# tcp-in is a user-defined chain that inbound TCP is jumped to.
# 1. Drop packets with SYN and FIN both set (scanner probes). This must come
#    first: --syn does not look at the FIN bit, so such a packet passes rule 2.
iptables -A tcp-in -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# 2. Drop anything conntrack classes as NEW that is not a plain SYN.
iptables -A tcp-in -p tcp -m state --state NEW ! --syn -j DROP
# 3. Drop packets conntrack cannot fit into any known connection.
iptables -A tcp-in -p tcp -m state --state INVALID -j DROP


Note: We put the SYN/FIN rule before the check for --syn. There was a bug in the iptables manpage that stated that --syn "only match[es] TCP packets with the SYN bit set and the ACK and FIN bits cleared", which isn't true.
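The flag-matching rules primo describes, as an added example (this is not code from the thread, and it does not model conntrack: the state each constructed sample packet would receive is supplied by hand). It implements the `--tcp-flags MASK COMP` comparison that the tcp match performs, expands `--syn` to the `SYN,RST,ACK SYN` form the post gives, and walks the three tcp-in rules in order. Two things fall out of it that the post states but does not show: a SYN/FIN probe satisfies `--syn` under that expansion, which is why the SYN/FIN rule has to come first, and a lone ACK that conntrack marks NEW is dropped by rule 2. As a caveat beyond the post, the current iptables-extensions(8) manpage defines `--syn` as equivalent to `--tcp-flags SYN,RST,ACK,FIN SYN`, so the example takes the mask as a parameter and lets you compare both; the chain names, sample packets and their assumed states are constructed for illustration.

```python
# Added example, not from the LinuxQuestions thread: a model of the iptables
# tcp match's --tcp-flags comparison and of the three tcp-in rules posted
# above. Conntrack is not modelled; each sample packet carries the state it
# is assumed to get.

# TCP header flag bits (RFC 793 order, low bit first).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

SYN_MASK_2005 = "SYN,RST,ACK"         # expansion of --syn as stated in the thread
SYN_MASK_CURRENT = "SYN,RST,ACK,FIN"  # expansion given in today's iptables-extensions(8)


def flags_from_names(names):
    """Turn an iptables-style flag list ("SYN,RST,ACK", "ALL", "NONE") into a bitmask."""
    names = names.strip().upper()
    if names == "ALL":
        return sum(FLAG_BITS.values())
    if names == "NONE":
        return 0
    mask = 0
    for name in names.split(","):
        mask |= FLAG_BITS[name.strip()]
    return mask


def tcp_flags_match(flags, mask, comp):
    """--tcp-flags MASK COMP: look only at the bits in MASK and require that,
    of those bits, exactly the ones in COMP are set. Bits outside MASK are ignored."""
    return (flags & flags_from_names(mask)) == flags_from_names(comp)


def syn_match(flags, syn_mask=SYN_MASK_2005):
    """--syn is shorthand for --tcp-flags <syn_mask> SYN. With the 2005 mask the
    FIN bit is outside the mask and therefore never examined."""
    return tcp_flags_match(flags, syn_mask, "SYN")


def tcp_in_verdict(flags, state, syn_mask=SYN_MASK_2005, synfin_rule=True):
    """Walk the three tcp-in rules in the posted order. Returns (verdict, rule);
    ("RETURN", None) means no rule matched and the packet continues down the chain.
    synfin_rule=False leaves out rule 1, to show what rule 2 alone catches."""
    if synfin_rule and tcp_flags_match(flags, "SYN,FIN", "SYN,FIN"):
        return "DROP", "SYN,FIN"
    if state == "NEW" and not syn_match(flags, syn_mask):
        return "DROP", "NEW-not-syn"
    if state == "INVALID":
        return "DROP", "INVALID"
    return "RETURN", None


# Constructed sample packets: (description, flag names, conntrack state assumed).
SAMPLES = [
    ("plain SYN, opens a connection",       "SYN",      "NEW"),
    ("SYN/FIN scan probe",                  "SYN,FIN",  "NEW"),
    ("SYN with PSH (odd but a legal open)", "SYN,PSH",  "NEW"),
    ("lone ACK that conntrack never saw",   "ACK",      "NEW"),
    ("reply half of the handshake",         "SYN,ACK",  "ESTABLISHED"),
    ("data in an existing connection",      "ACK,PSH",  "ESTABLISHED"),
    ("RST that fits no tracked connection", "RST",      "INVALID"),
]


def run_samples(samples=SAMPLES, syn_mask=SYN_MASK_2005):
    """Return {description: (matches --syn, verdict, rule)} for each sample packet."""
    results = {}
    for desc, names, state in samples:
        flags = flags_from_names(names)
        verdict, rule = tcp_in_verdict(flags, state, syn_mask)
        results[desc] = (syn_match(flags, syn_mask), verdict, rule)
    return results


if __name__ == "__main__":
    for mask in (SYN_MASK_2005, SYN_MASK_CURRENT):
        print(f"--syn expanded as --tcp-flags {mask} SYN")
        for desc, (is_syn, verdict, rule) in run_samples(syn_mask=mask).items():
            print(f"  {desc:38} --syn={str(is_syn):5} -> {verdict} {rule or ''}")
```

Run it and compare the two masks: with the 2005 expansion, dropping rule 1 (`synfin_rule=False`) lets the SYN/FIN probe through as a valid NEW connection, while with the `SYN,RST,ACK,FIN` expansion rule 2 catches it on its own. Keeping rule 1 costs nothing either way, so the posted ordering is the safe one regardless of which iptables you run.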

lord_zoo 09-01-2005 01:38 PM

Thanks!

The idea was to try to avoid SYN floods, but I was never sure whether the NEW option includes the whole connection process (SYN, SYN/ACK, ACK), and --syn only the SYN bit that starts a new connection.

I'm still a little confused by it, but now at least I have a better idea.

Do you know if it would be possible to do this, avoid SYN floods? I can't figure out how to discriminate packets with only the SYN flag that don't belong to any connection process.

I hope you understand the question (English is not my usual language). :D

Thanks.

primo 09-01-2005 01:46 PM

There's "-m limit", which sets up limits on packets matched by the rule. There's SYN cookie protection, which is usually on by default, and there are various sysctls that increase the size of many buffers related to TCP.

The best tutorials on iptables and ip sysctl's are here:
http://www.frozentux.net/
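How `-m limit` behaves against a SYN flood, as an added example (not code from the thread or from netfilter). The iptables limit match is a token bucket: the bucket holds at most `--limit-burst` tokens, refills at the `--limit` rate, and the rule matches only while a token is available. The model below reproduces that with integer credits per millisecond (an approximation of the kernel's own credit units), applies it to a constructed SYN burst, and shows the verdicts of an assumed two-rule chain that accepts rate-limited SYNs and drops the rest. The chain, the rate, the burst and the timestamps are all constructed for illustration.

```python
# Added example, not from the LinuxQuestions thread: a token-bucket model of
# "-m limit --limit RATE --limit-burst N" applied to a SYN flood. Timestamps
# are constructed, not captured; the two-rule chain is an assumed example.

CREDITS_PER_PACKET = 1_000_000  # one token, in integer credits


def limit_matches(times_ms, rate_per_s, burst):
    """Return one boolean per packet: does '-m limit --limit <rate_per_s>/s
    --limit-burst <burst>' match it? times_ms are non-decreasing packet
    times in milliseconds; rate_per_s is an integer rate."""
    credits_per_ms = rate_per_s * CREDITS_PER_PACKET // 1000
    credit_max = burst * CREDITS_PER_PACKET
    credit = credit_max                    # the bucket starts full
    last_ms = times_ms[0] if times_ms else 0
    out = []
    for t in times_ms:
        # Refill for the time elapsed since the previous packet, capped at the burst.
        credit = min(credit_max, credit + (t - last_ms) * credits_per_ms)
        last_ms = t
        if credit >= CREDITS_PER_PACKET:
            credit -= CREDITS_PER_PACKET   # spend a token: the rule matches
            out.append(True)
        else:
            out.append(False)              # bucket empty: the rule does not match
    return out


def syn_chain_verdicts(times_ms, rate_per_s=5, burst=10):
    """Model of an assumed chain for inbound SYNs (example rules, not the thread's):
         iptables -A tcp-in -p tcp --syn -m limit --limit 5/s --limit-burst 10 -j ACCEPT
         iptables -A tcp-in -p tcp --syn -j DROP
       A SYN the limit match lets through is ACCEPTed; every other SYN hits the DROP."""
    return ["ACCEPT" if m else "DROP" for m in limit_matches(times_ms, rate_per_s, burst)]


# Constructed flood: 30 SYNs one millisecond apart, three seconds of quiet, 15 more.
FLOOD_MS = list(range(0, 30)) + list(range(3000, 3015))


def summarize(times_ms=FLOOD_MS, rate_per_s=5, burst=10):
    """Count how many SYNs of the flood the chain accepts and drops."""
    verdicts = syn_chain_verdicts(times_ms, rate_per_s, burst)
    return {"accepted": verdicts.count("ACCEPT"), "dropped": verdicts.count("DROP")}


if __name__ == "__main__":
    print(summarize())
```

The first 10 SYNs of the burst drain the bucket and the next 20 are dropped; three seconds of silence refills it (capped at the burst, not at 15 tokens), so 10 of the final 15 get through. Note the trade-off: this limit counts SYNs from all sources together, so a flood also starves legitimate clients once the bucket is empty. Per-source limiting with `-m hashlimit` targets the flooder instead, and SYN cookies (`net.ipv4.tcp_syncookies = 1`, as primo mentions) let the kernel keep accepting handshakes without a backlog entry per half-open connection.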

lord_zoo 09-02-2005 02:29 PM

Thanks, I have downloaded the tutorials and I'm ready to read them.

Thanks a lot.

