LinuxQuestions.org

-   -   iptables; ACK/SYN/etc; understand the bits, and potential firewall entries (http://www.linuxquestions.org/questions/linux-security-4/iptables%3B-ack-syn-etc%3B-understand-the-bits-and-potential-firewall-entries-301556/)

TheLinuxDuck 03-14-2005 02:43 PM

iptables; ACK/SYN/etc; understand the bits, and potential firewall entries
 
I am pretty new to firewalling and have recently been having a bit of good luck in setting up a firewall on a domain I run. I started from a base setup of rules, and have been slowly modifying it for my needs.

Now, I'm curious to know more about the bits used in a TCP header, namely the URG, ACK, PSH, RST, SYN, and FIN bits (Info taken from here).

Some questions I have are:
1* Is SYN always set when accepting a new connection?
2* Will any other bits be set when accepting a new connection?
3* Is RST or FIN always set when ending a connection?
4* Will any other bits be set when ending a connection?
5* Can SYN, RST, or FIN be set in a packet that is neither a new connection, nor an ending connection?

I assume that 1 and 3 are always true, and 5 is always false. Is this correct?

If that is correct, my thinking is that I could set up firewall rules that are something like:
* Accept TCP packet with new connection and SYN.
* Drop TCP packet with new connection and without SYN.
* Accept TCP packet with ending connection and (RST or FIN)
* Drop TCP packet with ending connection and without (RST OR FIN)

Which of course begs the question, is it worth it? Do I gain anything by this? Will this help prevent attacks against my system?

For anyone with any helpful info, I'd sure appreciate your input!!

win32sux 03-14-2005 06:33 PM

Re: iptables; ACK/SYN/etc; understand the bits, and potential firewall entries
 
Quote:

Originally posted by TheLinuxDuck
Drop TCP packet with new connection and without SYN
this is an important and quite common check... example:

Code:

iptables -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
just my two cents...



PS: here are some other checks... they are from a script posted here at LQ... i can't remember who was the original poster for these, though:

Code:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP      #DROP NEW NOT SYN
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP      #DROP SYN-FIN SCANS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP      #DROP SYN-RST SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP      #DROP X-MAS SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP              #DROP NMAP FIN SCAN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP              #DROP NULL SCANS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP              #DROP ALL/ALL SCANS

i'm sure if you google you can find more rules for checking weird bit combinations... if you do, please go ahead and share them here on this thread...

=)
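
The flag semantics TheLinuxDuck asks about and the chain win32sux quoted can be checked against each other with a small model. The Python below is an added example, not code from the thread or from iptables itself: it reimplements the `--tcp-flags MASK COMP` test (look only at the bits in MASK, require exactly the bits in COMP to be set among them) and the `--syn` shorthand (SYN set, ACK/RST/FIN clear), then walks the quoted rules in order. The conntrack state carried on each packet is an assumed input (what `-m state --state` would report), and every sample packet is constructed for the example.

```python
"""Model of the TCP-flag checks in the iptables rules quoted in this thread.
Added example, not from the thread: it reimplements the --tcp-flags and --syn
match logic so the rules can be tried against constructed packets offline."""

from functools import reduce

# Bit positions of the six classic TCP flags (low byte of the flags field).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F   # iptables keyword ALL: every flag above
NONE = 0x00  # iptables keyword NONE: no flag at all


def flags(*names):
    """Combine flag names into a bitmask, e.g. flags("FIN", "ACK") == 0x11."""
    return reduce(lambda acc, n: acc | FLAGS[n], names, 0)


def tcp_flags_match(packet_flags, mask, comp):
    """iptables --tcp-flags MASK COMP: look only at the bits in MASK and
    require exactly the bits in COMP to be set among them."""
    return (packet_flags & mask) == comp


def is_syn(packet_flags):
    """iptables --syn: SYN set and ACK, RST, FIN all clear (a connection request)."""
    return tcp_flags_match(packet_flags, flags("SYN", "ACK", "RST", "FIN"), flags("SYN"))


# The chain win32sux posted, in order. Each entry: (rule comment, match predicate).
# A packet is a dict with "flags" (bitmask) and "state" (assumed conntrack state,
# i.e. what "-m state --state" would report: "NEW" or "ESTABLISHED").
RULES = [
    ("DROP NEW NOT SYN",   lambda p: p["state"] == "NEW" and not is_syn(p["flags"])),
    ("DROP SYN-FIN SCANS", lambda p: tcp_flags_match(p["flags"], flags("SYN", "FIN"), flags("SYN", "FIN"))),
    ("DROP SYN-RST SCANS", lambda p: tcp_flags_match(p["flags"], flags("SYN", "RST"), flags("SYN", "RST"))),
    ("DROP X-MAS SCANS",   lambda p: tcp_flags_match(p["flags"], ALL, flags("FIN", "URG", "PSH"))),
    ("DROP NMAP FIN SCAN", lambda p: tcp_flags_match(p["flags"], ALL, flags("FIN"))),
    ("DROP NULL SCANS",    lambda p: tcp_flags_match(p["flags"], ALL, NONE)),
    ("DROP ALL/ALL SCANS", lambda p: tcp_flags_match(p["flags"], ALL, ALL)),
]


def first_matching_rule(packet):
    """Walk the chain top to bottom as iptables does; return the comment of the
    first DROP rule that matches, or None when the packet falls through."""
    for name, matches in RULES:
        if matches(packet):
            return name
    return None


def all_matching_rules(packet):
    """Every rule that would match, ignoring first-match-wins; shows which of
    the later scan checks are already shadowed by the NEW-not-SYN rule."""
    return [name for name, matches in RULES if matches(packet)]


def packet(state, *flag_names):
    """Build a constructed sample packet from a conntrack state and flag names."""
    return {"state": state, "flags": flags(*flag_names)}


# Constructed sample packets covering the situations asked about in the thread.
SAMPLES = {
    "handshake SYN (new connection)":   packet("NEW", "SYN"),
    "SYN/ACK reply to our own connect": packet("ESTABLISHED", "SYN", "ACK"),
    "orderly close FIN/ACK":            packet("ESTABLISHED", "FIN", "ACK"),
    "stray ACK with no connection":     packet("NEW", "ACK"),
    "SYN+FIN probe":                    packet("NEW", "SYN", "FIN"),
    "Xmas probe (FIN+PSH+URG)":         packet("NEW", "FIN", "PSH", "URG"),
    "FIN-only probe":                   packet("NEW", "FIN"),
    "NULL probe (no flags)":            packet("NEW"),
    "all flags set":                    packet("NEW", *FLAGS),
}

if __name__ == "__main__":
    for label, p in SAMPLES.items():
        verdict = first_matching_rule(p) or "falls through (not dropped by these rules)"
        print(f"{label:34} -> {verdict}; all matches: {all_matching_rules(p)}")
```

Two things the run makes visible: an orderly close normally carries FIN together with ACK, and because the `--tcp-flags ALL FIN` rule only matches when FIN is the sole bit set, it does not touch that traffic. Also, for anything conntrack reports as NEW, the first rule already drops every non-SYN packet, so the later flag-combination rules mostly come into play for packets conntrack does not classify as NEW.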


rhbegin 10-18-2011 09:17 PM

I know this thread is older, however I am interested in the syn, ack and other rules in your ip chains.


Does this affect any traffic in the way of slowing down incoming connections?

I put in rate limiting rules to the email ports and they work GREAT, once the limit is reached it blocks malicious traffic.

Any expert advice would be great.

