Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-01-2005, 10:10 AM   #1
lord_zoo
Differences between NEW and --syn in iptables


Can somebody explain this to me, or at least, point me where I can read it?

I tried the man pages but, sincerely, didn't understand them completely.

Thanks.
 
Old 09-01-2005, 01:00 PM   #2
primo
--syn means a SYN packet (--tcp-flags SYN,ACK,RST SYN)
You know SYNs create new TCP connections...

--state NEW may apply to non-SYN packets...
i.e., non-SYN packets may create NEW entries in netfilter's state table.

So you must make sure that only SYNs create NEW entries in the state table.

Bonus:
Some scanners use SYN/FINs for portscanning and OS fingerprinting.

These 3 rules alone protect against all invalid combinations:
Code:
iptables -A tcp-in -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A tcp-in -p tcp -m state --state NEW ! --syn -j DROP
iptables -A tcp-in -p tcp -m state --state INVALID -j DROP

Note: We put the SYN/FIN rule before the check for --syn. There was a bug in the iptables manpage that stated that --syn "only match TCP packets with the SYN bit set and the ACK and FIN bits cleared", which isn't true.

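As an added illustration (not code from the thread or from the iptables project), the following Python script models how the three rules above classify TCP packets. The conntrack part is an assumed simplification: untracked packets with a valid flag combination are picked up as NEW even without SYN (loose tracking), and the flag-validity table is reduced to the common combinations. It shows that a SYN/FIN packet still matches --syn, so the SYN/FIN rule has to come first, and that a stray ACK can be NEW.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    flags: frozenset        # TCP flags set on the packet, e.g. frozenset({"SYN"})
    tracked: bool = False   # True if conntrack already has an entry for this flow

# Assumed, reduced table of flag combinations conntrack treats as valid (PSH/URG ignored);
# anything else, e.g. SYN+FIN, bare FIN or no flags at all, is INVALID.
VALID_FLAGS = {frozenset(s) for s in (
    {"SYN"}, {"SYN", "ACK"}, {"RST"}, {"RST", "ACK"}, {"FIN", "ACK"}, {"ACK"})}

def tcp_flags_match(pkt, mask, comp):
    """'--tcp-flags mask comp': of the flags in mask, exactly those in comp must be set."""
    return pkt.flags & frozenset(mask) == frozenset(comp)

def is_syn(pkt):
    """'--syn' is shorthand for '--tcp-flags SYN,RST,ACK SYN'. FIN is not examined,
    so a SYN/FIN packet still matches --syn (the manpage wording primo mentions)."""
    return tcp_flags_match(pkt, {"SYN", "RST", "ACK"}, {"SYN"})

def conntrack_state(pkt):
    """Simplified conntrack: invalid flag combinations are INVALID, a tracked flow is
    ESTABLISHED, and any other untracked packet is NEW, even without SYN (loose pickup)."""
    if pkt.flags not in VALID_FLAGS:
        return "INVALID"
    return "ESTABLISHED" if pkt.tracked else "NEW"

def verdict(pkt):
    """Walk the tcp-in chain from the post in order; return the rule that dropped the packet."""
    if tcp_flags_match(pkt, {"SYN", "FIN"}, {"SYN", "FIN"}):
        return "DROP SYN/FIN"                 # rule 1
    st = conntrack_state(pkt)
    if st == "NEW" and not is_syn(pkt):
        return "DROP NEW-without-SYN"         # rule 2
    if st == "INVALID":
        return "DROP INVALID"                 # rule 3
    return "ACCEPT"

if __name__ == "__main__":
    samples = {  # constructed sample packets
        "plain SYN": Packet(frozenset({"SYN"})),
        "SYN/FIN packet": Packet(frozenset({"SYN", "FIN"})),
        "stray ACK": Packet(frozenset({"ACK"})),
        "unsolicited SYN/ACK": Packet(frozenset({"SYN", "ACK"})),
        "NULL packet": Packet(frozenset()),
        "in-flow ACK": Packet(frozenset({"ACK"}), tracked=True),
    }
    for name, pkt in samples.items():
        print(f"{name:20} --syn={is_syn(pkt)!s:5} state={conntrack_state(pkt):11} {verdict(pkt)}")
```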
 
Old 09-01-2005, 01:38 PM   #3
lord_zoo
Thanks!

The idea was to try to avoid SYN floods, but I was never sure whether the NEW option includes the whole connection process (SYN, SYN/ACK, ACK) and --syn only the SYN bit that starts a new connection.

I'm still a little confused by it, but now at least I have a better idea.

Do you know if it is possible to do this, avoid SYN floods? I can't figure out how to discriminate packets with only the SYN flag that don't belong to any connection process.

I hope you understand the question (English is not my usual language).

Thanks.
 
Old 09-01-2005, 01:46 PM   #4
primo
There's "-m limit", which sets up limits on the packets matched by the rule. There's SYN cookies protection, which is usually on by default, and there are various sysctls that increase the size of many buffers related to TCP.

The best tutorials on iptables and ip sysctl's are here:
http://www.frozentux.net/
 
Old 09-02-2005, 02:29 PM   #5
lord_zoo
Thanks, I have downloaded the tutorials and I'm ready to read them.

Thanks a lot.
All times are GMT -5.