Old 03-20-2023, 09:27 AM   #1
dalacor
Member
 
Registered: Feb 2019
Distribution: Slackware
Posts: 170

Rep: Reputation: Disabled
Iptables Block port scans and bogus TCP Flags


These three websites have some examples of rules to apply to block port scans and ddos.

https://github.com/BrentonEarl/Iptab...firewall.basic

https://www.booleanworld.com/depth-g...inux-firewall/

https://javapipe.com/blog/iptables-ddos-protection/

I have input the ones that I am asking about:

Code:
Website 3:

### 1: Drop invalid packets ### 
/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

### 4: Block packets with bogus TCP flags ### 
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

Website 2:

iptables -A INPUT -p tcp -m tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

Website 1:

# Block port scans
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
As you can see, the different websites have slightly different flags for bogus/port-scanning traffic. How do I verify what is actually correct, as I don't want to drop legitimate traffic? Unfortunately, a lot of websites have a lot of obsolete or inaccurate information on iptables. So I am not sure why Website 3 doesn't have all the flags that, say, Website 1 mentions. I have only applied the rules from Website 3, but would like to apply those from the other two websites.

Last edited by dalacor; 03-20-2023 at 10:20 AM. Reason: Changed focus of topic to just one question
 
Old 03-20-2023, 07:39 PM   #2
nini09
Senior Member
 
Registered: Apr 2009
Posts: 1,850

Rep: Reputation: 161Reputation: 161
The examples from Web 3 and Web 1&2 are for different purposes. Web 3 blocks all incoming types of traffic, such as going-through and going-in.
 
Old 03-22-2023, 07:18 AM   #3
dalacor
Member
 
Registered: Feb 2019
Distribution: Slackware
Posts: 170

Original Poster
Rep: Reputation: Disabled
If you are referring to the difference between prerouting and Input, I get that. Website 3 makes perfect sense to block unwanted traffic at Prerouting stage as these rules are applied before the Input, Forward rules.

To use an example of what I am actually asking:

Website three TCP Flags are as follows - --tcp-flags FIN,SYN FIN,SYN -j DROP
Whereas Website one TCP flags are as follows - --tcp-flags SYN,FIN SYN,FIN -j DROP

As you can see the FIN, SYN is reversed to SYN, FIN in each example. What I want to understand is what the difference is between these two sets of flags for example. I don't know if one of the websites is wrong or both are correct and are blocking a different attack. I want to learn what each set of flags is blocking and whether I have covered all the rules necessary to drop unwanted traffic.
 
Old 03-22-2023, 08:01 PM   #4
nini09
Senior Member
 
Registered: Apr 2009
Posts: 1,850

Rep: Reputation: 161Reputation: 161
> I don't know if one of the websites is wrong or both are correct.
Both are the same from the TCP flags point of view, blocking TCP SYN or TCP FIN packets.
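The two questions raised above, whether `FIN,SYN FIN,SYN` and `SYN,FIN SYN,FIN` are the same rule (posts #3 and #4) and whether any of the quoted rules would drop normal traffic (post #1), can be checked offline. The following is an added example, not code from the thread or from any of the linked sites: it models the `--tcp-flags mask comp` test that netfilter applies (`(packet_flags & mask) == comp`, using the real TCP header bit values) and runs the quoted rules against a constructed list of flag combinations a normal TCP session produces.

```python
# Added example (not from the thread or the linked sites): model the iptables
# "--tcp-flags mask comp" match offline so quoted rules can be checked.
# netfilter matches when (packet_flags & mask) == comp, so the order in which
# flag names are written is irrelevant: "FIN,SYN FIN,SYN" == "SYN,FIN SYN,FIN".
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
FLAG_BITS["ALL"] = 0x3F   # iptables' ALL keyword: all six of the above
FLAG_BITS["NONE"] = 0x00  # iptables' NONE keyword: no flags set


def parse_flags(spec: str) -> int:
    """Turn 'FIN,SYN', 'ALL' or 'NONE' into a bitmask; name order does not matter."""
    bits = 0
    for name in spec.split(","):
        bits |= FLAG_BITS[name.strip().upper()]
    return bits


def tcp_flags_match(mask: str, comp: str, pkt_flags: str) -> bool:
    """--tcp-flags semantics: only the bits in mask are examined, and those must
    equal comp exactly. Flag bits outside the mask are ignored."""
    return (parse_flags(pkt_flags) & parse_flags(mask)) == parse_flags(comp)


def same_rule(rule_a: tuple, rule_b: tuple) -> bool:
    """True if two (mask, comp) rules accept exactly the same packets, checked
    over all 64 possible combinations of the six flag bits."""
    ma, ca = (parse_flags(x) for x in rule_a)
    mb, cb = (parse_flags(x) for x in rule_b)
    return all(((f & ma) == ca) == ((f & mb) == cb) for f in range(64))


# The bogus-flag rules quoted in the thread, as (mask, comp) pairs.
RULES = {
    "web3 FIN,SYN FIN,SYN": ("FIN,SYN", "FIN,SYN"),
    "web1 SYN,FIN SYN,FIN": ("SYN,FIN", "SYN,FIN"),
    "web3 FIN,ACK FIN": ("FIN,ACK", "FIN"),
    "web3 ACK,PSH PSH": ("ACK,PSH", "PSH"),
    "web3 ALL NONE": ("ALL", "NONE"),
    "web1 ALL ALL": ("ALL", "ALL"),
    "web1/2 ALL FIN,PSH,URG": ("ALL", "FIN,PSH,URG"),
}

# Constructed list of flag combinations a normal TCP session actually produces.
LEGIT = ["SYN", "SYN,ACK", "ACK", "PSH,ACK", "FIN,ACK", "RST", "RST,ACK"]


def rules_hitting_legit_traffic() -> dict:
    """For each rule, list the normal flag combinations it would DROP (should be none)."""
    return {name: [f for f in LEGIT if tcp_flags_match(m, c, f)]
            for name, (m, c) in RULES.items()}
```

Running `rules_hitting_legit_traffic()` returns an empty list for every quoted rule, and `same_rule` confirms the Web 3 and Web 1 SYN/FIN rules are identical.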
 
Old 03-23-2023, 06:50 AM   #5
dalacor
Member
 
Registered: Feb 2019
Distribution: Slackware
Posts: 170

Original Poster
Rep: Reputation: Disabled
Thank you. I will see if I can find a website that explains what each of these flag settings actually do.
 