tcp flags

Ammad · 02-02-2006, 06:31 AM

iptables -A INPUT -p tcp -m tcp --syn -j DROP
iptables -A FORWARD -p tcp -m tcp --syn -j DROP

can any one tell me about abvoe,

syn flags is used to establish new connection, if i drop this how it to possible to communication with other hosts.

gilead · 02-02-2006, 01:13 PM

You are right - if you drop anything with the SYN flag set, a connection cannot be made. I use a slightly different approach and drop packets that don't have the SYN flag set if their state is NEW:

Code:

-p TCP ! --syn -m state --state NEW

But I don't drop packets with the SYN flag set unless there are too many of them (SYN flooding):

Code:

-p TCP --syn -m limit --limit 1/s --limit-burst 4