LinuxQuestions.org


vincix 04-06-2015 08:49 AM

iptables tcp flags scripts
 
I was checking out this link:
http://www.k-state.edu/its/security/...pt_Handout.pdf


There's a line that says:
Code:

iptables -A Log-N-Drop -p tcp -m tcp --tcp-flags FIN,ACK FIN -j LOG --log-prefix "Denied FIN SCAN: "
This is part of the Log-N-Drop chain that is made up of several similar statements.

First of all, I'd like to know what's the difference between --tcp-flags FIN FIN and --tcp-flags FIN,ACK FIN?

Then, there's this:
Code:

iptables -A Log-N-Drop -p tcp -m tcp --tcp-flags ALL NONE -j DROP
Which says that all tcp packets from the Log-N-Drop chain that have NO tcp flags set should be dropped.

Of course, there's a bigger context there in the link, but I'd like to take it step by step. How should I interpret this last iptables line? Why should it be necessary? I guess, in this case, it should make sense to drop all packets that have no flags set, right, 'cause they would be invalid? Any valid tcp flag should have at least one flag set, or am I wrong?

The fuller the feedback, the better :)

sag47 04-06-2015 11:51 PM

This looks like a homework assignment. You should read "man iptables" and search for --tcp-flags. I found the answer relatively quickly by reading the man page. Also, I get a connection timeout when I click your link.

vincix 04-07-2015 04:12 AM

Quote:

Originally Posted by sag47 (Post 5343631)
This looks like a homework assignment. You should read "man iptables" and search for --tcp-flags. I found the answer relatively quickly by reading the man page. Also, I get a connection timeout when I click your link.

This is not a homework assignment :)) I finished college a few years ago, and it wasn't even a technical profile. I am sorry that your connection (or whatever's at fault) is not good enough to see the link, 'cause for me it works perfectly. But never mind that, at least you or someone else could answer this question:

What's the difference between --tcp-flags SYN,ACK SYN and --tcp-flags SYN SYN?

If you point people to man pages, you're basically flipping them off, really. If people went to the man pages and solved their problems in each case, these forums would no longer exist.

I know what man pages say:
Quote:

[!] --tcp-flags mask comp
Match when the TCP flags are as specified. The first argument mask is the
flags which we should examine, written as a comma-separated list, and the
second argument comp is a comma-separated list of flags which must be set.
Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
will only match packets with the SYN flag set, and the ACK, FIN and RST
flags unset.

THAT is what I had already known. But that's NO answer to my question whatsoever, so be reasonable.

zhjim 04-07-2015 05:31 AM

Just to help you out on your question.
Quote:

First of all, I'd like to know what's the difference between --tcp-flags FIN FIN and --tcp-flags FIN,ACK FIN?

Let's see. First is FIN FIN. FIN is the first argument, which makes it the bit that is to be checked. The second argument is FIN. So the FIN bit needs to be set. Interpret it like: check the FIN bit of a tcp packet and see if the FIN bit is set. If yes, it's a match and we log the line.
The other one has FIN,ACK bits as first argument, thus those get checked on. And if the FIN flag is set its a match. The hidden bit (pun intended) is that the ACK bit should not be set. So maybe read it like --tcp-flags FIN,ACK FIN,!ACK. The negation is just left out.

And you're right when it comes to the ALL NONE thing. Check all the flag bits and if none is checked, drop it.

sag47 04-07-2015 07:43 AM

Quote:

Originally Posted by vincix (Post 5343725)
This is not a homework assignment :)) I finished college a few years ago, and it wasn't even a technical profile. I am sorry that your connection (or whatever's at fault) is not good enough to see the link, 'cause for me it works perfectly. But never mind that, at least you or someone else could answer this question:

What's the difference between --tcp-flags SYN,ACK SYN and --tcp-flags SYN SYN?

If you point people to man pages, you're basically flipping them off, really. If people went to the man pages and solved their problems in each case, these forums would no longer exist.

I know what man pages say:

THAT is what I had already known. But that's NO answer to my question whatsoever, so be reasonable.

I don't appreciate your tone. I don't believe pointing you to the man pages is basically flipping you off. It is a valid reference in which to look up material. Part of the point of this forum is to help people grow. That comes with teaching people how to fish as well as showing other forms of etiquette like presenting what you have tried so far in your question. You did not mention the man pages so it was entirely likely that you did not know man pages exist. So I felt my comment was a point in the right direction. Considering you linked to a handout on a .edu domain I don't think it's absurd to assume you're a student. Students don't grow by being given the answers. Students post on this forum from time to time.

The man page quote you posted does answer part of your question. There is little difference between --tcp-flags FIN,ACK FIN and --tcp-flags FIN FIN. According to the man page you quoted the first field of the --tcp-flags option is what TCP packets should be inspected based on set flags. The second field only selects packets with every flag set which is specified.

--tcp-flags FIN,ACK FIN Means packets with FIN or ACK will be analyzed but only FIN packets are selected.

--tcp-flags FIN FIN Means packets with FIN bit set will be analyzed but only FIN packets will be selected.

The end result is the same from my understanding. The difference is what packets get analyzed.

vincix 04-07-2015 10:41 AM

Well, I don't appreciate your attitude either - you started by accusing me of trying to do my homework here, even though you weren't even able to access the link. If you had, you'd have seen that this is not a homework assignment, but actually a few lines of iptables script that someone has written. And it's quite typical of people who know better on this forum to just point to the man pages when the subject in hand is really slightly more complicated (you saw what I wanted to understand from the very beginning) and it CANNOT be inferred from a list of raw instructions. But I won't linger anymore over that. I don't think it's a very fruitful conversation.

What the man pages said I had already known. So before posting that, I had already known how to match a certain flag out of a list with --tcp-flags and it was all clear. So no, man pages actually didn't answer anything. I was particularly interested in this difference, which you both explained. So I thank you for that.

So basically, it would be more practical (resource-wise) to make the first list as short as possible, right? If you're interested in matching SYN, just write --tcp-flags SYN SYN, right?

Or on the contrary, if you're interested in matching the absence of SYN (for new tcp connections, for instance), write --tcp-flags SYN NONE instead of ! --syn (which I saw that tests all the flags, and write SYN in the second list, and then all is denied by the "!")

In the link I offered, the comment above one of the iptables lines says: "FIN is without the expected accompanying ACK". So I take it that the only reason why you'd place what would after all be an unnecessary ACK in the first list too is basically descriptive - so that when you read the line, you can tell more easily what it is about. Is this correct?

[later edit]
@zhjim

After all, I seem not to have read your post carefully enough (nor the man pages, for that matter). Only now do I understand it.

FIN,ACK FIN means FIN=1,ACK=0
FIN FIN means FIN=1, and the rest of the flags can be either 0 or 1

So this is actually an essential difference.

Now I don't really agree with what sag47 says, that "--tcp-flags FIN,ACK FIN Means packets with FIN or ACK will be analyzed but only FIN packets are selected.", because in this case, from what I gather from your post, zhjim, ACK must be 0 in order to get a match. And this, of course, makes much more sense, because it offers you much better traffic control. So am I correct to think that way?
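Since the whole thread (zhjim's explanation and vincix's closing summary above) turns on how the mask and comp lists of --tcp-flags combine, here is an added example in Python, written for this page and not taken from the thread or from the K-State handout. It models the match netfilter performs, (packet flags AND mask) == comp, and runs the rule spellings discussed above against a few constructed packets. The equivalence of --syn to --tcp-flags SYN,RST,ACK,FIN SYN is as documented in iptables(8); the "Denied NULL SCAN" label and the sample packets are constructed for the example (the handout's ALL NONE rule only has -j DROP).

```python
# Added example (not from the thread): a model of how iptables evaluates
# "--tcp-flags mask comp". netfilter checks (packet_flags & mask) == comp,
# so every flag named in mask but not in comp must be CLEAR for a match,
# and flags outside mask are "don't care". Flag values are the bits of the
# TCP header flags byte; "ALL" is the six classic flags, as in iptables.

TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}
ALL_FLAGS = 0x3F


def parse_flag_list(spec):
    """Convert an iptables flag list ('FIN,ACK', 'ALL', 'NONE') to a bitmask."""
    bits = 0
    for name in spec.upper().split(","):
        name = name.strip()
        if name == "ALL":
            bits |= ALL_FLAGS
        elif name == "NONE":
            continue
        else:
            bits |= TCP_FLAGS[name]
    return bits


def tcp_flags_match(mask_spec, comp_spec, packet_flags):
    """True when packet_flags satisfies '--tcp-flags mask comp'."""
    mask = parse_flag_list(mask_spec)
    comp = parse_flag_list(comp_spec)
    return (packet_flags & mask) == comp


def syn_option_match(packet_flags):
    """'--syn' as documented in iptables(8): SYN set and ACK, RST, FIN clear,
    i.e. the same as '--tcp-flags SYN,RST,ACK,FIN SYN'."""
    return tcp_flags_match("SYN,RST,ACK,FIN", "SYN", packet_flags)


# The two Log-N-Drop rules quoted in the thread. The NULL-scan label is
# constructed here; the handout's second rule only has "-j DROP".
LOG_N_DROP = [
    ("FIN,ACK", "FIN", "Denied FIN SCAN"),
    ("ALL", "NONE", "Denied NULL SCAN"),
]


def classify(packet_flags):
    """First-match walk of the chain; None means no rule in it matched."""
    for mask, comp, label in LOG_N_DROP:
        if tcp_flags_match(mask, comp, packet_flags):
            return label
    return None


# Constructed sample packets (flags byte only), keyed by description.
F = TCP_FLAGS
SAMPLE_PACKETS = {
    "client SYN": F["SYN"],
    "server SYN+ACK": F["SYN"] | F["ACK"],
    "ordinary FIN+ACK close": F["FIN"] | F["ACK"],
    "bare FIN (FIN scan probe)": F["FIN"],
    "no flags (NULL scan probe)": 0,
    "data segment ACK+PSH": F["ACK"] | F["PSH"],
}


def compare_rules():
    """Per sample packet, which of the rule spellings from the thread match."""
    rows = {}
    for name, flags in SAMPLE_PACKETS.items():
        rows[name] = {
            "FIN FIN": tcp_flags_match("FIN", "FIN", flags),
            "FIN,ACK FIN": tcp_flags_match("FIN,ACK", "FIN", flags),
            "ALL NONE": tcp_flags_match("ALL", "NONE", flags),
            "SYN NONE": tcp_flags_match("SYN", "NONE", flags),
            "! --syn": not syn_option_match(flags),
            "Log-N-Drop verdict": classify(flags),
        }
    return rows


if __name__ == "__main__":
    for name, result in compare_rules().items():
        print(f"{name:28s} {result}")
```

Running it shows the point zhjim made: an ordinary FIN+ACK close matches "FIN FIN" but not "FIN,ACK FIN", so only the bare-FIN probe reaches the "Denied FIN SCAN" log line, and only the flagless packet hits "ALL NONE". It also shows that "SYN NONE" and "! --syn" are not interchangeable: a server's SYN+ACK is matched by "! --syn" (it is not a bare connection-opening SYN) but not by "SYN NONE" (its SYN bit is set), which matters when the rule is meant to admit established traffic.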

