LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 11-18-2003, 04:02 PM   #1
MadCactus
Member
 
Registered: Jul 2003
Distribution: Slackware 9.1
Posts: 195

Rep: Reputation: 30
iptables FLOOD FLAGS and INVALID chains - need another module?


Hi,

Am trying to set up a firewall with the minimum number of rules and max security.

Dumbass that I am I went out and bought Redhat Linux Firewalls (a good book, but the online documentation for iptables is much better!) and it mentions using the FLOOD chain to check for too many SYN packets arriving, FLAGS for invalid combinations of flags, and INVALID for ... well stuff thats just invalid.

Does anyone have idea what these chains refer to as they aren't builtin - maybe I need another module loaded?

Also if I have contradictory rules, what happens?

eg.

# deny all incoming:

iptables -A INPUT -i ppp0 -p all DROP

# then allow incoming TCP from port 80

iptables -A INPUT -i ppp0 -p tcp --sport 80 ACCEPT

Will the packet get to the second rule?

Cheers,

MadCactus
 
Old 11-18-2003, 07:12 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Both FLOOD and FLAGS are user defined chains. If you take a look at the entire firewall they list (starting on pg 290) you'll see that for each of those, they start out by creating the user-defined chain:

$IPT -N FLAGS

Then they give FLAGS some rules to describe it:

$IPT -A FLAGS -p tcp --tcp-flags ACK,FIN FIN
$IPT -A FLAGS -p tcp --tcp-flags ACK,PSH PSH
...etc...

They do something similar with FLOOD. So if you want to use the FLOOD and FLAGS chains, you'll have to create them yourself. INVALID is different. It is an actual built-in feature that loads with the "state" module, not a chain like INPUT or OUTPUT. To use it, you'll have to invoke the state module with:

-m state --state INVALID


For contradictory rules, whoever comes first wins. So as iptables moves through the chain, it tries to match a packet to each of the individual rules in the chain. Once it hits a rule that specifies it to either DROP/REJECT/ACCEPT the packet, iptables won't try to match any more rules. That's an important concept to keep in mind when building your firewall rules.

Some of the other Targets don't follow that behavior, for example the LOG target will log a packet, but iptables will keep on going down the chain. Some of the other targets like QUEUE and MARK do other funky things, but they're rarely used.

Hope that Helps

Last edited by Capt_Caveman; 11-18-2003 at 08:10 PM.
 
Old 11-19-2003, 04:12 AM   #3
MadCactus
Member
 
Registered: Jul 2003
Distribution: Slackware 9.1
Posts: 195

Original Poster
Rep: Reputation: 30
Cheers Capt, thats cleared that up. I found that page just after I posted =/
 
Old 11-19-2003, 09:26 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by MadCactus
I found that page just after I posted =/
Always works out like that doesn't it.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Invalid module format king111 Linux - Newbie 4 07-19-2005 02:14 AM
Invalid kernel module formats Mr_C Linux - General 3 06-09-2005 04:09 AM
'Invalid module format' loading simple module on Suse Linux Professional 9.1 rocketdude Linux - Distributions 3 07-28-2004 12:40 AM
invalid module format powadha Slackware 5 12-25-2003 05:19 PM
how packets traverse thru iptables chains? hardigunawan Linux - Security 1 01-09-2003 02:50 AM


All times are GMT -5. The time now is 09:34 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration