iptables; ACK/SYN/etc; understand the bits, and potential firewall entries

TheLinuxDuck · 03-14-2005, 02:43 PM

I am pretty new to firewalling and have recently been having a bit of good luck in setting up a firewall on a domain I run. I started from a base setup of rules, and have been slowly modifying it for my needs.

Now, I'm curious to know more about the bits used in a TCP header, namely the URG, ACK, PSH, RST, SYN, and FIN bits (Info taken from here).

Some questions I have are:
1* Is SYN always set when accepting a new connection?
2* Will any other bits be set when accepting a new connection?
3* Is RST or FIN always set when ending a connection?
4* Will any other bits be set when ending a connection?
5* Can SYN, RST, or FIN be set in a packet that is neither a new connection, nor an ending connection?

I assume that 1 and 3 are always true, and 5 is always false. Is this correct?

If that is correct, my thinking is that I could set up firewall rules that are something like:
* Accept TCP packet with new connection and SYN.
* Drop TCP packet with new connection and without SYN.
* Accept TCP packet with ending connection and (RST or FIN)
* Drop TCP packet with ending connection and without (RST OR FIN)

Which of course begs the question, is it worth it? Do I gain anything by this? Will this help prevent attacks against my system?

For anyone with any helpful info, I'd sure appreciate you input!!

win32sux · 03-14-2005, 06:33 PM

Quote:

Originally posted by TheLinuxDuck
Drop TCP packet with new connection and without SYN

this is an important and quite common check... example:

Code:

iptables -A INPUT -p TCP ! --syn -m state --state NEW -j DROP

just my two cents...

PS: here's some other checks... they are from a script posted here at LQ... i can't remember who was the original poster for these, though:

Code:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP      #DROP NEW NOT SYN
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP       #DROP SYN-FIN SCANS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP       #DROP SYN-RST SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP       #DROP X-MAS SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP               #DROP NMAP FIN SCAN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP              #DROP NULL SCANS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP               #DROP ALL/ALL SCANS

i'm sure if you google you can find more rules for checking weird bit combinations... if you do, please go ahead and share them here on this thread...

=)

rhbegin · 10-18-2011, 09:17 PM

I know this thread is older, however I am interested in the syn, ack and other rules in your ip chains.

Does this affect any traffic in the way of slowing down incoming connections?

I put in rate limiting rules to the email ports and they work GREAT, once the limit is reached it blocks malicious traffic.

Any expert advice would be great.