By default csf has a chain called INVALID that filters all sorts of... invalid packets, depending on their tcp flags, etc. But only now have I realised this chain is referenced in the INPUT chain at the beginning.
Code:
-A INPUT ! -i lo -p tcp -j INVALID
-A INPUT ! -i lo -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name 22 --mask 255.255.255.255 --rsource
-A INPUT ! -i lo -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 300 --hitcount 10 --name 22 --mask 255.255.255.255 --rsource -j PORTFLOOD
-A INPUT ! -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
etc.
Code:
Chain INVALID (2 references)
pkts bytes target prot opt in out source destination
201 9184 INVDROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
10 1214 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 ctstate NEW
The INVDROP chain simply drops everything.
So now I see that if a valid packet (let's say ssh) arrives in the INPUT chain, it will be parsed in the INVALID chain, and if none of the rules match, it will continue back to the next INPUT rule. Is this how it actually works? I thought you needed to set a RETURN target or something to that effect.
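The chain behaviour asked about above, as an added example that is neither part of the original post nor csf's own code. In iptables a user-defined chain has no policy: when a packet reaches the end of such a chain without hitting a terminating target, the effect is the same as an explicit RETURN, and evaluation resumes at the rule after the jump in the calling chain. The Python model below encodes the INPUT, INVALID and INVDROP rules from the listing, walks a few constructed packets through them and records the path taken. It assumes the conntrack state is a property of the constructed packet (nothing computes it), leaves out the PORTFLOOD "recent" bookkeeping, and gives INPUT a DROP policy; the tcp_flags helper implements the mask/comp semantics behind the hex in the listing.

```python
# Added example, not csf's own code: a small model of iptables chain traversal
# built from the INPUT / INVALID / INVDROP rules printed in the post. It shows a
# user chain that matches nothing handing control back to the calling chain at
# the rule after the jump (an implicit RETURN). Assumed: ctstate is taken from
# the constructed packet rather than computed by conntrack, the PORTFLOOD
# "recent" bookkeeping is omitted, and INPUT has a DROP policy.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# TCP flag bits as iptables prints them in "tcp flags:mask/comp".
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG  # 0x3F

Match = Callable[["Packet"], bool]

@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    dport: int
    flags: int = 0        # TCP flag bits, ignored for non-TCP
    ctstate: str = "NEW"  # NEW, ESTABLISHED, RELATED or INVALID (assumed given)
    iface: str = "eth0"   # what the "! -i lo" tests compare against

@dataclass
class Rule:
    match: Match
    target: str           # ACCEPT, DROP, RETURN or a user-chain name

def tcp_flags(mask: int, comp: int, negate: bool = False) -> Match:
    """'tcp flags:mask/comp': examine only the bits in mask and require exactly
    the bits in comp to be set; '!mask/comp' inverts the result."""
    def m(p: Packet) -> bool:
        hit = p.proto == "tcp" and (p.flags & mask) == comp
        return (not hit) if negate else hit
    return m

def ctstate(*states: str) -> Match:
    return lambda p: p.ctstate in states

def both(*ms: Match) -> Match:
    return lambda p: all(m(p) for m in ms)

def new_tcp_to(port: int) -> Match:
    return lambda p: p.proto == "tcp" and p.ctstate == "NEW" and p.dport == port

not_lo: Match = lambda p: p.iface != "lo"

CHAINS = {
    "INPUT": [
        Rule(both(not_lo, lambda p: p.proto == "tcp"), "INVALID"),
        Rule(both(not_lo, ctstate("RELATED", "ESTABLISHED")), "ACCEPT"),
        Rule(both(not_lo, new_tcp_to(21)), "ACCEPT"),
        Rule(both(not_lo, new_tcp_to(22)), "ACCEPT"),
        Rule(both(not_lo, new_tcp_to(25)), "ACCEPT"),
        Rule(both(not_lo, new_tcp_to(53)), "ACCEPT"),
    ],
    "INVALID": [
        Rule(ctstate("INVALID"), "INVDROP"),
        Rule(tcp_flags(ALL, 0), "INVDROP"),                # 0x3F/0x00 no flags (NULL scan)
        Rule(tcp_flags(ALL, ALL), "INVDROP"),              # 0x3F/0x3F all flags (XMAS scan)
        Rule(tcp_flags(FIN | SYN, FIN | SYN), "INVDROP"),  # 0x03/0x03 FIN with SYN
        Rule(tcp_flags(SYN | RST, SYN | RST), "INVDROP"),  # 0x06/0x06 SYN with RST
        Rule(tcp_flags(FIN | RST, FIN | RST), "INVDROP"),  # 0x05/0x05 FIN with RST
        Rule(tcp_flags(FIN | ACK, FIN), "INVDROP"),        # 0x11/0x01 FIN without ACK
        Rule(tcp_flags(PSH | ACK, PSH), "INVDROP"),        # 0x18/0x08 PSH without ACK
        Rule(tcp_flags(URG | ACK, URG), "INVDROP"),        # 0x30/0x20 URG without ACK
        Rule(both(tcp_flags(FIN | SYN | RST | ACK, SYN, negate=True), ctstate("NEW")),
             "INVDROP"),                                   # !0x17/0x02 ctstate NEW: new but not a bare SYN
    ],
    "INVDROP": [Rule(lambda p: True, "DROP")],
}

def walk(chain: str, p: Packet, trace: List[str]) -> Optional[str]:
    """Evaluate one chain: a terminating verdict, or None when the chain is
    exhausted or hits RETURN, after which the calling chain carries on."""
    for i, rule in enumerate(CHAINS[chain]):
        if not rule.match(p):
            continue
        trace.append(f"{chain}[{i}] -> {rule.target}")
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        v = walk(rule.target, p, trace)  # jump into a user-defined chain
        if v is not None:
            return v
        trace.append(f"{rule.target} exhausted, back to {chain}[{i + 1}]")
    return None

def verdict(p: Packet, policy: str = "DROP") -> Tuple[str, List[str]]:
    """Run p through INPUT; only the builtin chain falls back to its policy."""
    trace: List[str] = []
    v = walk("INPUT", p, trace)
    return (v if v is not None else policy), trace

if __name__ == "__main__":
    for label, pkt in [("ssh SYN", Packet("tcp", 22, SYN)), ("NULL scan", Packet("tcp", 22, 0)),
                       ("new ACK-only", Packet("tcp", 22, ACK)), ("udp 53", Packet("udp", 53))]:
        v, t = verdict(pkt)
        print(f"{label:13} {v:7} {' ; '.join(t)}")
```

For the SSH SYN the trace is INPUT[0] -> INVALID ; INVALID exhausted, back to INPUT[1] ; INPUT[3] -> ACCEPT, which is the fall-through in question: no RETURN rule is needed because running off the end of a user chain already returns. A NULL scan leaves via INVALID[1], and a NEW packet that is not a bare SYN (ACK only, for instance) is caught by the last INVALID rule, the one showing 10 hits in the counters. The same helper explains the hex: 0x11/0x01 looks only at FIN and ACK and matches when FIN is set and ACK is clear. Only the builtin INPUT chain ends in a policy; the model's UDP packet to port 53 reaches it because every listed rule is TCP-only.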