iptables tcp flags scripts
I was checking out this link:
http://www.k-state.edu/its/security/...pt_Handout.pdf There's a line that says:
Code:
iptables -A Log-N-Drop -p tcp -m tcp --tcp-flags FIN,ACK FIN -j LOG --log-prefix "Denied FIN SCAN: "
First of all, I'd like to know what's the difference between --tcp-flags FIN FIN and --tcp-flags FIN,ACK FIN? Then, there's this:
Code:
iptables -A Log-N-Drop -p tcp -m tcp --tcp-flags ALL NONE -j DROP
Of course, there's a bigger context there in the link, but I'd like to take it step by step. How should I interpret this last iptables line? Why should it be necessary? I guess, in this case, it should make sense to drop all packets that have no flags set, right, 'cause they would be invalid? Any valid tcp packet should have at least one flag set, or am I wrong? The fuller the feedback, the better :)
This looks like a homework assignment. You should read "man iptables" and search for --tcp-flags. I found the answer relatively quickly by reading the man page. Also, I get a connection timeout when I click your link.
Quote:
What's the difference between --tcp-flags SYN,ACK SYN and --tcp-flags SYN SYN? If you point people to man pages, you're basically flipping them off, really. If people went to the man pages and solved their problems in each case, these forums would no longer exist. I know what man pages say:
Just to help you out on your question.
The other one has FIN,ACK bits as first argument, thus those get checked on. And if the FIN flag is set it's a match. The hidden bit (pun intended) is that the ACK bit should not be set. So maybe read it like --tcp-flags FIN,ACK FIN,!ACK. The negation is just left out. And you're right when it comes to the ALL NONE thing. Check all the flag bits and if none is checked, drop it.
The man page quote you posted does answer part of your question. There is little difference between --tcp-flags FIN,ACK FIN and --tcp-flags FIN FIN. According to the man page you quoted, the first field of the --tcp-flags option is what TCP packets should be inspected based on set flags. The second field only selects packets with every flag set which is specified. --tcp-flags FIN,ACK FIN means packets with FIN or ACK will be analyzed but only FIN packets are selected. --tcp-flags FIN FIN means packets with FIN bit set will be analyzed but only FIN packets will be selected. The end result is the same from my understanding. The difference is what packets get analyzed.
Well, I don't appreciate your attitude either - you started by accusing me of trying to do my homework here, even though you weren't even able to access the link. If you had, you'd have seen that this is not a homework assignment, but actually a few lines of iptables script that someone has written. And it's quite typical of people who know better on this forum to just point to the man pages when the subject in hand is really slightly more complicated (you saw what I wanted to understand from the very beginning) and it CANNOT be inferred from a list of raw instructions. But I won't linger anymore over that. I don't think it's a very fruitful conversation.
What the man pages said I had already known. So before posting that, I had already known how to match a certain flag out of a list with --tcp-flags and it was all clear. So no, man pages actually didn't answer anything. I was particularly interested in this difference, which you both explained. So I thank you for that.

So basically, it would be more practical (resourcewise) to make the first list as short as possible, right? If you're interested in matching SYN, just write --tcp-flags SYN SYN, right? Or on the contrary, if you're interested in matching the absence of SYN (for new tcp connections, for instance), write --tcp-flags SYN NONE instead of ! --syn (which, as I saw, tests all the flags and writes SYN in the second list, and then all is denied by the "!"). In the link I offered, the comments above one of the iptables lines say: "FIN is without the expected accompanying ACK". So I take it that the only reason why you'd place what would after all be an unnecessary ACK in the first list too is basically descriptive - so that when you read the line, you can tell more easily what it is about. Is this correct?

[later edit] @zhjim After all, I seem not to have read your post carefully enough (and neither the man pages for that matter). Only now do I understand it.
FIN,ACK FIN means FIN=1, ACK=0
FIN FIN means FIN=1, and the rest of the flags can be either 0 or 1
So this is actually an essential difference. Now I don't really agree with what sag47 says, that "--tcp-flags FIN,ACK FIN Means packets with FIN or ACK will be analyzed but only FIN packets are selected.", because in this case, from what I gather from your post, zhjim, ACK must be 0 in order to get a match. And this, of course, makes much more sense, because it offers you much better traffic control. So am I correct to think that way?
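To settle the mask/compare question the thread circles around, here is an added example (not from the thread or the handout) that models the netfilter --tcp-flags semantics: only the bits listed in the first argument are examined, and the packet matches when exactly the bits listed in the second argument are set among them. The flag values and the --syn expansion (SYN,RST,ACK,FIN SYN) are taken from the iptables man page; the sample packets are constructed.

```python
# Added example: model of iptables "--tcp-flags mask comp" matching.
# Bit values are the ones iptables uses for the TCP flags byte.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20}
FLAGS["ALL"] = 0x3F   # ALL = FIN,SYN,RST,PSH,ACK,URG
FLAGS["NONE"] = 0x00  # NONE = no bits at all


def parse_flag_list(spec):
    """Turn a comma list such as 'FIN,ACK', or 'ALL'/'NONE', into a bitmask."""
    return sum(FLAGS[name.strip()] for name in spec.split(","))


def tcp_flags_match(mask_spec, comp_spec, packet_flags):
    """--tcp-flags mask comp: look only at the bits in mask; match when,
    within those bits, exactly the comp bits are set and the others are clear.
    This is the (flags & mask) == comp test the kernel performs."""
    mask = parse_flag_list(mask_spec)
    comp = parse_flag_list(comp_spec)
    return (packet_flags & mask) == comp


def syn_match(packet_flags):
    """The --syn shorthand is documented as --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match("SYN,RST,ACK,FIN", "SYN", packet_flags)


def classify(packet_flags):
    """Run the matches discussed in the thread over one packet's flags byte
    and return the names of the rules that would fire."""
    hits = []
    if tcp_flags_match("FIN,ACK", "FIN", packet_flags):
        hits.append("Denied FIN SCAN")   # FIN=1 and ACK=0 (the handout's LOG rule)
    if tcp_flags_match("FIN", "FIN", packet_flags):
        hits.append("FIN FIN")           # FIN=1, ACK and the rest don't matter
    if tcp_flags_match("ALL", "NONE", packet_flags):
        hits.append("NULL scan")         # no flag set at all (the DROP rule)
    return hits


# Constructed sample packets: a bare FIN, a normal FIN/ACK, a NULL packet,
# a bare SYN and a SYN/ACK.
SAMPLES = {
    "bare FIN": FLAGS["FIN"],
    "FIN/ACK":  FLAGS["FIN"] | FLAGS["ACK"],
    "NULL":     0x00,
    "bare SYN": FLAGS["SYN"],
    "SYN/ACK":  FLAGS["SYN"] | FLAGS["ACK"],
}

if __name__ == "__main__":
    for name, flags in SAMPLES.items():
        print(f"{name:9s} flags=0x{flags:02x} hits={classify(flags)} syn={syn_match(flags)}")
```

The output shows why FIN,ACK FIN and FIN FIN are not interchangeable: a normal FIN/ACK segment matches FIN FIN but not FIN,ACK FIN, so only the latter isolates a FIN without its accompanying ACK.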