LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-14-2005, 02:43 PM   #1
TheLinuxDuck
Member
 
Registered: Sep 2002
Location: Tulsa, OK
Distribution: Slack, baby!
Posts: 349

Rep: Reputation: 33
iptables; ACK/SYN/etc; understand the bits, and potential firewall entries


I am pretty new to firewalling and have recently been having a bit of good luck in setting up a firewall on a domain I run. I started from a base setup of rules, and have been slowly modifying it for my needs.

Now, I'm curious to know more about the bits used in a TCP header, namely the URG, ACK, PSH, RST, SYN, and FIN bits (Info taken from here).

Some questions I have are:
1* Is SYN always set when accepting a new connection?
2* Will any other bits be set when accepting a new connection?
3* Is RST or FIN always set when ending a connection?
4* Will any other bits be set when ending a connection?
5* Can SYN, RST, or FIN be set in a packet that is neither a new connection, nor an ending connection?

I assume that 1 and 3 are always true, and 5 is always false. Is this correct?

If that is correct, my thinking is that I could set up firewall rules that are something like:
* Accept TCP packet with new connection and SYN.
* Drop TCP packet with new connection and without SYN.
* Accept TCP packet with ending connection and (RST or FIN)
* Drop TCP packet with ending connection and without (RST OR FIN)

Which of course begs the question, is it worth it? Do I gain anything by this? Will this help prevent attacks against my system?

For anyone with any helpful info, I'd sure appreciate you input!!
 
Old 03-14-2005, 06:33 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Re: iptables; ACK/SYN/etc; understand the bits, and potential firewall entries

Quote:
Originally posted by TheLinuxDuck
Drop TCP packet with new connection and without SYN
this is an important and quite common check... example:

Code:
iptables -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
just my two cents...



PS: here's some other checks... they are from a script posted here at LQ... i can't remember who was the original poster for these, though:

Code:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP      #DROP NEW NOT SYN
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP       #DROP SYN-FIN SCANS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP       #DROP SYN-RST SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP       #DROP X-MAS SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP               #DROP NMAP FIN SCAN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP              #DROP NULL SCANS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP               #DROP ALL/ALL SCANS
i'm sure if you google you can find more rules for checking weird bit combinations... if you do, please go ahead and share them here on this thread...

=)


Last edited by win32sux; 03-14-2005 at 06:44 PM.
 
Old 10-18-2011, 09:17 PM   #3
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Rep: Reputation: 23
I know this thread is older, however I am interested in the syn, ack and other rules in your ip chains.


Does this affect any traffic in the way of slowing down incoming connections?

I put in rate limiting rules to the email ports and they work GREAT, once the limit is reached it blocks malicious traffic.

Any expert advice would be great.

Last edited by rhbegin; 10-18-2011 at 09:28 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
want to understand iptables mjl3434 Linux - Newbie 3 09-10-2005 03:53 PM
Differences between NEW and --syn in iptables lord_zoo Linux - Security 4 09-02-2005 02:29 PM
TCP packet flags (SYN, FIN, ACK, etc) and firewall rules TheLinuxDuck Linux - Security 12 04-28-2005 11:30 PM
Need to understand Firestarter/firewall flashl Linux - Security 6 03-02-2005 06:30 AM
iptables - I added a second nic and cannot ssh to it. Log shows a potential problem. ForumKid Linux - Security 12 01-18-2002 09:13 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:00 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration