LinuxQuestions.org > Linux - Newbie > iptables command with ! syn (https://www.linuxquestions.org/questions/linux-newbie-8/iptables-command-with-syn-4175538742/)

vincix 04-04-2015 08:47 AM

iptables command with ! syn
 
I enter this command:
iptables -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp ! --syn -j DROP

And in sysconfig/iptables I get this:

-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

I don't understand exactly how to interpret this line. It seems, at first glance, absurd to me, because it says to drop all packets that start a TCP connection which do NOT have flags FIN,SYN,RST,ACK SYN. It's quite the reverse of what I am writing.

How come all these show up?

rknichols 04-04-2015 10:40 AM

There are two arguments there. The first, "FIN,SYN,RST,ACK" is the mask of flags to be tested, the second, "SYN" is the list of flags that should be set. So, the match triggers if the SYN bit is set and none of the FIN,RST,ACK bits are set, and that match is then negated.

vincix 04-04-2015 11:13 AM

Quote:

Originally Posted by rknichols (Post 5342523)
There are two arguments there. The first, "FIN,SYN,RST,ACK" is the mask of flags to be tested, the second, "SYN" is the list of flags that should be set. So, the match triggers if the SYN bit is set and none of the FIN,RST,ACK bits are set, and that match is then negated.


So basically two opposite conventions are used within the same program (iptables)? This is a little bit odd, but I understand your explanation.

vincix 04-04-2015 12:04 PM

Quote:

Originally Posted by rknichols (Post 5342523)
There are two arguments there. The first, "FIN,SYN,RST,ACK" is the mask of flags to be tested, the second, "SYN" is the list of flags that should be set. So, the match triggers if the SYN bit is set and none of the FIN,RST,ACK bits are set, and that match is then negated.

Now I realise that I actually don't understand it after all. The idea was to drop ALL TCP packets that are NEW and that do NOT have the SYN flag set. If they did have the expected SYN flag set, it would make no sense to drop them, would it?

rknichols 04-04-2015 01:24 PM

Quote:

Originally Posted by vincix (Post 5342564)
Now I realise that I actually don't understand it after all. The idea was to drop ALL TCP packets that are NEW and that do NOT have the SYN flag set. If they did have the expected SYN flag set, it would make no sense to drop them, would it?

You can do that with
Code:

--ctstate NEW --tcp-flags SYN NONE
The first arg to --tcp-flags says that the only bit you want to consider is the SYN bit. The second arg says that, of the bits you said to test, match if none are set.

The old "--syn" match does something different that is not particularly suited to a negated match. That "--syn" matcher is a carryover from the old ipchains syntax, and the main reason for its existence in iptables is to make conversion easier.

vincix 04-04-2015 02:59 PM

Quote:

Originally Posted by rknichols (Post 5342592)
You can do that with
Code:

--ctstate NEW --tcp-flags SYN NONE
The first arg to --tcp-flags says that the only bit you want to consider is the SYN bit. The second arg says that, of the bits you said to test, match if none are set.

The old "--syn" match does something different that is not particularly suited to a negated match. That "--syn" matcher is a carryover from the old ipchains syntax, and the main reason for its existence in iptables is to make conversion easier.


I guess you're right, I've been reading from this book which now I realise might be a little bit too old, at least when it comes to this subject, even though it's only from 2009.

So, what would be a correct full command after all to drop new TCPs that don't have SYN flag set?

Code:

iptables -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --tcp-flags SYN NONE -j DROP
Is this correct? Or do I need a "!" somewhere before --tcp-flags or SYN?

rknichols 04-04-2015 03:59 PM

Quote:

Originally Posted by vincix (Post 5342628)
So, what would be a correct full command after all to drop new TCPs that don't have SYN flag set?

Code:

iptables -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --tcp-flags SYN NONE -j DROP
Is this correct? Or do I need a "!" somewhere before --tcp-flags or SYN?

Looks correct to me. The "--tcp-flags SYN NONE" matches packets that do not have the SYN flag set. You don't need any "!" for that.

Just to explain a bit further, "--syn" matches the flag bits for a valid SYN packet, i.e. a packet with the SYN flag set and none of the (FIN,RST,ACK) flags set. The negation of that would match packets without the SYN flag set, but would also match packets with any of the (FIN,RST,ACK) flags set regardless of the SYN flag. That is not what you stated you were trying to do.

[EDIT] The only difference is the treatment of invalid SYN packets, i.e., packets that have one of (FIN,RST,ACK) set in addition to the SYN flag. "! --syn DROP" would drop those. "--tcp-flags SYN NONE DROP" would not.
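An added model of the match arithmetic described in this answer (example code written for this thread, not iptables' own code): "--tcp-flags MASK COMP" is "(flags AND mask) == comp", "--syn" is the fixed pair "FIN,SYN,RST,ACK SYN", and the table it prints shows exactly where "! --syn" and "--tcp-flags SYN NONE" disagree, namely the invalid-SYN packets mentioned in the EDIT. The flag bit values follow the TCP header; the sample packets are constructed.

```python
# Model of the "-m tcp --tcp-flags MASK COMP" match, written to illustrate
# this thread. Flag bit values follow the TCP header; only the logic matters.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20}

def parse_flag_list(spec):
    """Turn 'FIN,SYN,RST,ACK', 'ALL' or 'NONE' into a bitmask."""
    if spec == "ALL":
        return sum(FLAGS.values())      # all six flag bits
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))

def tcp_flags_match(packet_flags, mask, comp, negate=False):
    """--tcp-flags MASK COMP: (flags AND mask) == comp, optionally negated."""
    hit = (packet_flags & parse_flag_list(mask)) == parse_flag_list(comp)
    return not hit if negate else hit

def syn_match(packet_flags, negate=False):
    """--syn is shorthand for --tcp-flags FIN,SYN,RST,ACK SYN."""
    return tcp_flags_match(packet_flags, "FIN,SYN,RST,ACK", "SYN", negate)

# Constructed sample packets: name -> flag bits present in the header.
SAMPLES = {
    "valid SYN":       FLAGS["SYN"],
    "SYN+ACK":         FLAGS["SYN"] | FLAGS["ACK"],   # invalid as a NEW packet
    "bare ACK":        FLAGS["ACK"],
    "FIN+ACK":         FLAGS["FIN"] | FLAGS["ACK"],
    "SYN+FIN (bogus)": FLAGS["SYN"] | FLAGS["FIN"],
}

def compare_rules():
    """Per sample: would '! --syn' match it, would '--tcp-flags SYN NONE'?"""
    return {name: (syn_match(f, negate=True),
                   tcp_flags_match(f, "SYN", "NONE"))
            for name, f in SAMPLES.items()}

if __name__ == "__main__":
    print(f"{'packet':<18}{'! --syn':<10}--tcp-flags SYN NONE")
    for name, (neg_syn, syn_none) in compare_rules().items():
        print(f"{name:<18}{str(neg_syn):<10}{syn_none}")
```

Only the rows with SYN plus another control flag differ: the negated "--syn" drops them, "--tcp-flags SYN NONE" lets them through to conntrack, which is the trade-off the EDIT describes.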

vincix 04-05-2015 06:49 AM

This is quite difficult to take in, even if I know I've understood more difficult things than that. It's just that the convention seems a little bit weird. Anyway, I will have to ponder over it for a while :)

rknichols 04-05-2015 09:32 AM

Quote:

Originally Posted by vincix (Post 5342838)
It's just that the convention seems a little bit weird.

Which convention? The one of, "Take a bit field, AND it with a mask, then compare the result to some value?" Seems pretty "conventional" to me.

vincix 04-05-2015 09:45 AM

Ok, I keep messing it up, but now I really think I got it right.

The first list is made up of all the flags that I want to be taken into consideration and the second list is all the flags taken FROM (that's what I hadn't understood) the first list that I want to be matched!

So out of a list of one element (SYN), I want NONE to be matched. Now it really makes sense.

So if I had placed a "!" before SYN NONE, it would have meant that the packet should be dropped if it HAS a SYN in it, right? Which obviously wouldn't have made sense for what I want to do.

vincix 04-05-2015 11:02 AM

Another question: is it correct to write --tcp-flags ACK,FIN,RST ALL? It doesn't need to make sense, but what I'm actually asking is, can you write "ALL" in the second argument so that it tests if all mentioned flags are set?

rknichols 04-05-2015 12:21 PM

Quote:

Originally Posted by vincix (Post 5342905)
Another question: is it correct to write --tcp-flags ACK,FIN,RST ALL? It doesn't need to make sense, but what I'm actually asking is, can you write "ALL" in the second argument so that it tests if all mentioned flags are set?

Yes, that's exactly what it means.

vincix 04-05-2015 12:32 PM

Quote:

Originally Posted by rknichols (Post 5342947)
Yes, that's exactly what it means.

Thanks a lot for your patience. It really helped!

