iptables command with ! syn
I enter this command:
iptables -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp ! --syn -j DROP

And in sysconfig/iptables I get this:

-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

I don't understand exactly how to interpret this line. It seems, at first glance, absurd to me, because it says to drop all packets that start a TCP connection which do NOT have flags FIN,SYN,RST,ACK SYN. It's quite the reverse of what I am writing. How come all these show up?
There are two arguments there. The first, "FIN,SYN,RST,ACK", is the mask of flags to be tested; the second, "SYN", is the list of flags that should be set. So, the match triggers if the SYN bit is set and none of the FIN,RST,ACK bits are set, and that match is then negated.
So basically two opposite conventions are used within the same program (iptables)? This is a little bit odd, but I understand your explanation.
--ctstate NEW --tcp-flags SYN NONE

The old "--syn" match does something different that is not particularly suited to a negated match. That "--syn" matcher is a carryover from the old ipchains syntax, and the main reason for its existence in iptables is to make conversion easier.
I guess you're right, I've been reading from this book which now I realise might be a little bit too old, at least when it comes to this subject, even though it's only from 2009. So, what would be a correct full command after all to drop new TCP connections that don't have the SYN flag set?

iptables -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --tcp-flags SYN NONE -j DROP
Just to explain a bit further, "--syn" matches the flag bits for a valid SYN packet, i.e. a packet with the SYN flag set and none of the (FIN,RST,ACK) flags set. The negation of that would match packets without the SYN flag set, but would also match packets with any of the (FIN,RST,ACK) flags set regardless of the SYN flag. That is not what you stated you were trying to do.

[EDIT] The only difference is the treatment of invalid SYN packets, i.e., packets that have one of (FIN,RST,ACK) set in addition to the SYN flag. "! --syn DROP" would drop those. "--tcp-flags SYN NONE DROP" would not.
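To make the mask/compare semantics from the two replies above concrete, here is an added example (not code from this thread or from the iptables project) that models how `--tcp-flags MASK COMP` and its `--syn` shorthand decide a match, then enumerates every TCP flag combination to show exactly where `! --syn` and `--tcp-flags SYN NONE` disagree. The flag bit values are the standard TCP header bits; the matching rule "(packet_flags AND mask) == comp" is the one described in the replies, and the function names are my own.

```python
# Added example: a model of iptables' "--tcp-flags MASK COMP" matching.
# It is not iptables source; it only reproduces the rule described in the
# thread: look at the MASK bits of a packet and require them to equal COMP.
from itertools import product

# TCP header flag bits (standard positions in the flags byte).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())


def flagmask(spec):
    """Translate an iptables flag list ('FIN,SYN', 'ALL', 'NONE') into a bitmask."""
    spec = spec.strip()
    if spec == "NONE":
        return 0
    if spec == "ALL":
        return ALL
    return sum(FLAGS[name.strip()] for name in spec.split(","))


def tcp_flags_match(packet_flags, mask, comp, negate=False):
    """--tcp-flags MASK COMP: only MASK bits are examined; they must equal COMP.
    With negate=True this is '! --tcp-flags MASK COMP'."""
    hit = (packet_flags & flagmask(mask)) == flagmask(comp)
    return (not hit) if negate else hit


def syn_match(packet_flags, negate=False):
    """--syn is shorthand for --tcp-flags FIN,SYN,RST,ACK SYN (a 'clean' SYN)."""
    return tcp_flags_match(packet_flags, "FIN,SYN,RST,ACK", "SYN", negate)


def describe(bits):
    """Human-readable flag list for a flags byte, e.g. 0x12 -> 'SYN,ACK'."""
    return ",".join(name for name, bit in FLAGS.items() if bits & bit) or "NONE"


def matched_by(rule):
    """Set of all flag combinations (as strings) that a match function selects."""
    return {describe(bits) for bits in range(ALL + 1) if rule(bits)}


def difference():
    """Combinations matched by '! --syn' but not by '--tcp-flags SYN NONE',
    and vice versa. The first set is the 'invalid SYN' packets the reply
    talks about; the second is expected to be empty."""
    not_syn = matched_by(lambda b: syn_match(b, negate=True))
    syn_none = matched_by(lambda b: tcp_flags_match(b, "SYN", "NONE"))
    return not_syn - syn_none, syn_none - not_syn


if __name__ == "__main__":
    only_not_syn, only_syn_none = difference()
    print("'! --syn' additionally drops:", sorted(only_not_syn))
    print("'--tcp-flags SYN NONE' additionally drops:", sorted(only_syn_none))
```

Running it lists 28 combinations (SYN together with at least one of FIN, RST or ACK, with PSH/URG free) that `! --syn` drops and `--tcp-flags SYN NONE` lets through, and nothing in the other direction, which is the difference the reply describes. The mask argument is what makes the two rules read "backwards" to each other: `--syn` constrains four bits, `--tcp-flags SYN NONE` constrains only one.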
This is quite difficult to take in, even if I know I've understood more difficult things than that. It's just that the convention seems a little bit weird. Anyway, I will have to ponder over it for a while :)
Ok, I keep messing it up, but now I really think I got it right.
The first list is made up of all the flags that I want to be taken into consideration and the second list is all the flags taken FROM (that's what I hadn't understood) the first list that I want to be matched! So out of a list of one element (SYN), I want NONE to be matched. Now it really makes sense. So if I had placed a "!" before SYN NONE, it would have meant that the packet should be dropped if it HAS a SYN in it, right? Which obviously wouldn't have made sense for what I want to do.
Another question: is it correct to write --tcp-flags ACK,FIN,RST ALL? It doesn't need to make sense, but what I'm actually asking is, can you write "ALL" in the second argument so that it tests if all mentioned flags are set?