LinuxQuestions.org
Old 09-04-2005, 04:26 PM   #1
tcheric
LQ Newbie
 
Registered: Sep 2005
Posts: 2

Rep: Reputation: 0
Some Iptables Problems, Plz Help


I'm just a rookie learning Linux and computer networking. Previously, I downloaded the tutorial somewhere from the forum, and there are some things I wish to ask.

Part1:
$IPT -N allow-ssh-input
$IPT -F allow-ssh-input
$IPT -A allow-ssh-input -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 22 -j ACCEPT
$IPT -A allow-ssh-input -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 22 -j ACCEPT
$IPT -A allow-ssh-input -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 22 -j ACCEPT
$IPT -A allow-ssh-input -m state --state ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -j allow-ssh-input

I know that there are 6 types of flags in TCP, namely URG, ACK, PSH, RST, SYN, FIN. What I wish to ask is:
1. Why does ssh only need to consider the latter 3 flags? (I notice the same goes for ftpd requests.)
2. What does the time limit indicate? limit 1s... can we set another time? Could it be possible that one of the reasons for setting it to 1s is to avoid certain attacks?

Part2:
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
If I'm not wrong, we echo 0 or 1 to set the parameter on or off, right? Then how about 2?

Lastly, thanks for reading this and I would highly appreciate your help :) thanks

From a rookie, ERIC
 
Old 09-05-2005, 04:39 PM   #2
Half_Elf
LQ Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Rep: Reputation: 46
Part1-1: Some flags are sent by your computer to the remote computer, while some others are received by your computer from the remote. Assuming you don't really care about what you send, only some flags can be discarded. For example, you shouldn't receive a SYN-ACK flag if you didn't send a SYN yourself before, and ACKs are always legit if you filter the SYN flag (unless someone is nasty against you).
You could filter EVERY flag, but it would mostly be a waste of time and it doesn't mean you will get better security. If someone REALLY wants to flood you, a firewall script will not help you (as your home modem wouldn't stand 5 mins against a 1 Gb/sec flood, firewall or not). SYN-flood attacks are dangerous because they consume CPU as well (most other flags aren't that CPU intensive). However, there is built-in protection in the kernel against SYN-flood that you could activate instead of using these rules. In my opinion, these rules are more like an attempt to block some port-scanning attempts than real flood security.
Part1-2: You could change the limit of these rules as well, but it wouldn't be really useful... The 1 per second is probably to block port scanners, in my opinion, as most port scanners will dumbly scan all the ports as fast as they can (which means >1 per sec), so these rules will probably give scanners a headache. However, any "hacker" who figured this rule out could easily flood your SSH by sending only 1 SYN per second, as it would prevent any legit connection, so it could become a security threat as well.

Part2:
Herm, yes, 0 means "false" and 1 "true". This 2 is really weird, but a search on Google told me it was correct, though I still don't know the difference between 1 and 0 in that case. As you may already know, activating "rp_filter" will drop any traffic not related to the network card, somewhat preventing spoofing (for example, if your card's IP is 192.168.0.1 and it receives traffic from 1.2.3.4, it will assume it is wrong and drop the traffic). The "2" is probably some special option for it, but I can't tell you what exactly.


I feel like all I wrote is quite obscure; if you have any more questions, feel free to ask.
 
Old 09-06-2005, 10:53 AM   #3
tcheric
LQ Newbie
 
Registered: Sep 2005
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks, Half_Elf.
Anyway, I finally found the answer for this:

$IPT -A allow-ssh-input -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 22 -j ACCEPT
--> All flags should be examined (ALL = SYN,ACK,FIN,RST,URG,PSH), but only RST should be set
--> Thanks Half_Elf for the comments on the time limit

From a real rookie, ERIC
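As an added illustration (not part of the thread or of the tutorial Eric quotes), this Python model evaluates the allow-ssh-input chain from post #1 over constructed packets: it shows the point from the last post (`--tcp-flags ALL RST` means RST set and the other five flags clear) and the `--limit 1/second` behaviour Half_Elf discusses. The token bucket with a default burst of 5 mirrors xt_limit; the order in which the flag test and the rate limit are applied is a simplification of this model.

```python
# Added example (not from the thread): a Python model of the allow-ssh-input chain above,
# showing what "--tcp-flags ALL RST" and "-m limit --limit 1/second" actually test.
# Packets are constructed tuples (timestamp_seconds, tcp_flags_byte, conntrack_state).
import functools
# TCP flag bits as xt_tcp sees them; ALL is the six flags together (0x3F).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ALL": 0x3F, "NONE": 0x00}

def flags_value(spec):
    """Bitmask for a comma-separated flag list as written after --tcp-flags."""
    return functools.reduce(lambda acc, n: acc | FLAG_BITS[n], spec.upper().split(","), 0)

def tcp_flags_match(packet_flags, mask, comp):
    """--tcp-flags MASK COMP: look only at the bits in MASK and require exactly COMP set.
    With MASK=ALL and COMP=RST this means 'RST set and every other flag clear'."""
    return (packet_flags & flags_value(mask)) == flags_value(comp)

class LimitMatch:
    """Token bucket in the spirit of xt_limit: refills at `rate` tokens per second up to
    `burst` (iptables' default --limit-burst is 5); each matching packet spends one."""
    def __init__(self, rate=1.0, burst=5):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), None
    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

def run_allow_ssh_input(packets):
    """One verdict per packet: ACCEPT from a rule, or RETURN when it falls off the chain.
    Simplification assumed here: the flag test runs before a token is drawn."""
    rules = [("RST", LimitMatch()), ("FIN", LimitMatch()), ("SYN", LimitMatch())]
    verdicts = []
    for ts, flags, state in packets:
        verdict = "RETURN"
        for comp, limiter in rules:
            if tcp_flags_match(flags, "ALL", comp) and limiter.allow(ts):
                verdict = "ACCEPT"
                break
        if verdict == "RETURN" and state in ("ESTABLISHED", "RELATED"):
            verdict = "ACCEPT"  # fourth rule: -m state --state ESTABLISHED,RELATED
        verdicts.append(verdict)
    return verdicts

# Constructed traffic: a SYN-ACK fails "ALL SYN" because ACK is set too; six bare SYNs in
# half a second exhaust the burst of 5, so the sixth falls through; a plain ACK on an
# established session is taken by the state rule instead of a flag rule.
SAMPLE = ([(0.0, 0x12, "NEW")] + [(0.1 * i, 0x02, "NEW") for i in range(6)]
          + [(0.6, 0x10, "ESTABLISHED")])
```

Running `run_allow_ssh_input(SAMPLE)` gives RETURN for the SYN-ACK, ACCEPT for the first five SYNs, RETURN for the sixth, and ACCEPT for the established ACK.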
 