iptables FLOOD FLAGS and INVALID chains - need another module?
Hi,
I'm trying to set up a firewall with the minimum number of rules and max security.
Dumbass that I am I went out and bought Redhat Linux Firewalls (a good book, but the online documentation for iptables is much better!) and it mentions using the FLOOD chain to check for too many SYN packets arriving, FLAGS for invalid combinations of flags, and INVALID for ... well stuff that's just invalid.
Does anyone have any idea what these chains refer to as they aren't built-in - maybe I need another module loaded?
Also if I have contradictory rules, what happens?
e.g.
# deny all incoming:
iptables -A INPUT -i ppp0 -p all -j DROP
# then allow incoming TCP from port 80
iptables -A INPUT -i ppp0 -p tcp --sport 80 -j ACCEPT
Both FLOOD and FLAGS are user-defined chains. If you take a look at the entire firewall they list (starting on p. 290) you'll see that for each of those, they start out by creating the user-defined chain:
$IPT -N FLAGS
Then they give FLAGS some rules to describe it:
$IPT -A FLAGS -p tcp --tcp-flags ACK,FIN FIN
$IPT -A FLAGS -p tcp --tcp-flags ACK,PSH PSH
...etc...
They do something similar with FLOOD. So if you want to use the FLOOD and FLAGS chains, you'll have to create them yourself. INVALID is different. It is an actual built-in feature that loads with the "state" module, not a chain like INPUT or OUTPUT. To use it, you'll have to invoke the state module with:
-m state --state INVALID
For contradictory rules, whoever comes first wins. So as iptables moves through the chain, it tries to match a packet to each of the individual rules in the chain. Once it hits a rule that specifies it to either DROP/REJECT/ACCEPT the packet, iptables won't try to match any more rules. That's an important concept to keep in mind when building your firewall rules.
Some of the other Targets don't follow that behavior, for example the LOG target will log a packet, but iptables will keep on going down the chain. Some of the other targets like QUEUE and MARK do other funky things, but they're rarely used.
Hope that helps
Last edited by Capt_Caveman; 11-18-2003 at 07:10 PM.
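As an added example (not the book's listing and not code from either post), the following POSIX shell script builds the three pieces the reply describes: a user-defined FLAGS chain of --tcp-flags rules, a FLOOD chain that bounds the SYN rate with the limit match and returns to the caller, and an INVALID drop via the state module, all placed in INPUT in an order that makes first-match-wins work for you. The ppp0 interface and a port 80 service are assumptions taken from the question; the flag combinations and rate values are my picks, and DRY_RUN=1 prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread or the book. Set DRY_RUN=1 to print the
# rules instead of loading them (loading needs root and the iptables binary).
IPT="${IPT:-iptables}"
IFACE="${IFACE:-ppp0}"   # assumption: the dial-up interface from the question

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# FLAGS is a user-defined chain, created with -N, holding one rule per bogus
# flag combination. --tcp-flags MASK COMP: of the flags in MASK, exactly those
# in COMP must be set. The combinations below are my picks, not the book's.
build_flags_chain() {
    run -N FLAGS
    run -A FLAGS -p tcp --tcp-flags ALL NONE -j DROP         # no flags at all
    run -A FLAGS -p tcp --tcp-flags ALL ALL -j DROP          # every flag set
    run -A FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP  # SYN and FIN together
    run -A FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP  # SYN and RST together
    run -A FLAGS -p tcp --tcp-flags ACK,FIN FIN -j DROP      # FIN without ACK
    run -A FLAGS -p tcp --tcp-flags ACK,PSH PSH -j DROP      # PSH without ACK
    run -A FLAGS -p tcp --tcp-flags ACK,URG URG -j DROP      # URG without ACK
}

# FLOOD passes a bounded rate of new SYNs back to the caller (RETURN) and
# drops the excess; the rate and burst are illustrative values.
build_flood_chain() {
    run -N FLOOD
    run -A FLOOD -m limit --limit 10/second --limit-burst 20 -j RETURN
    run -A FLOOD -j DROP
}

# INPUT order matters because the first matching terminating target wins:
# INVALID packets and bad flag combinations are dropped before anything can
# be accepted, and the final catch-all DROP only sees what nothing above took.
build_input_chain() {
    run -A INPUT -i "$IFACE" -m state --state INVALID -j DROP
    run -A INPUT -i "$IFACE" -p tcp -j FLAGS
    run -A INPUT -i "$IFACE" -p tcp --syn -j FLOOD
    run -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i "$IFACE" -p tcp --dport 80 -j ACCEPT   # assumption: local web server
    run -A INPUT -i "$IFACE" -j DROP
}

build_firewall() { build_flags_chain; build_flood_chain; build_input_chain; }
```

Run it as root with no DRY_RUN to load the rules, or with DRY_RUN=1 to review the 17 generated commands first.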