
Re: Input rule to accept new SYN flag set packets



> > $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
> > -m state --state NEW -j REJECT --reject-with tcp-reset
> What I don't get here is that "--state NEW" will ONLY match when "SYN" is
> set, i.e. "--tcp-flags ALL SYN".  If this is wrong, then why would you not
> fix "-m state" by adding "NEW-SYN" to its list of states?

From my understanding, '-m state --state NEW' uses the connection
tracking state table to determine whether or not this packet is part of an
existing connection, not whether or not the SYN flag is set. So this is
simply rejecting NEW packets that have the SYN and ACK flags set,
regardless of what other flags are or are not set.

> > $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
> > --log-prefix "New not syn:"
> > $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
> > 
> If we get to these rules, SYN and ACK must be set and the other flags are
> not tested.  This would mean that this could be a connection accept
> packet, but there is no reason not to treat it as a SYN.
> 
> Would you not be better off using the mangle table to clip the ACK flag?

The SYN and ACK flags would not necessarily be set. In fact, if this comes
after the other rule, the SYN and ACK flags would not both be set, because
the previous rule stated that NEW packets with the SYN/ACK flags set are
answered with a TCP reset, so a packet reaching these rules cannot have
both SYN and ACK set.

> > # Doesn't match any packets which have the SYN flag set.
> > #
> > $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A allowed -p TCP -j DROP
> > 
> Dropping in your allowed rules?  Try RETURN instead, then do this drop
> outside this chain.  This is just difficult to follow.

I like to do the DDoS prevention stuff there in my allowed chain, but
outside of that I agree: it does get messy to drop anything else there.

Just my $0.02.


=====
-"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity."-Dennis Ritchie
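As an added illustration of the point argued in this thread (that `-m state --state NEW` is decided by the connection tracking table, not by the SYN bit), the following Python model walks a few constructed packets through the quoted bad_tcp_packets chain in the order it was posted. This is not code from the original mail or from the iptables project. The conntrack state of each sample packet is an assumed input, since in a real kernel that state comes from the tracking table rather than from the flag bits; the flag semantics follow the iptables manual, where `--syn` is shorthand for `--tcp-flags SYN,RST,ACK,FIN SYN` and `--tcp-flags MASK COMP` requires exactly the COMP bits among the MASK bits.

```python
"""Walk constructed TCP packets through the quoted bad_tcp_packets chain.

Added example for this thread, not code from the original mail or from
iptables. It models only what the quoted rules test: the TCP flag bits and
the state that `-m state` reports. The conntrack state of each sample is
constructed here as an input (assumption), because that state is looked up
in the tracking table and is independent of the packet's flags.
"""

# TCP header flag bits (RFC 793); the names match those used by --tcp-flags.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())


def bits(*names):
    """Combine flag names into a header bit value, e.g. bits("SYN", "ACK")."""
    return sum(FLAGS[n] for n in names)


def tcp_flags(pkt, mask, comp):
    """--tcp-flags MASK COMP: of the bits in MASK, exactly COMP must be set."""
    return (pkt["flags"] & mask) == comp


def syn(pkt):
    """--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (man iptables)."""
    return tcp_flags(pkt, bits("SYN", "RST", "ACK", "FIN"), bits("SYN"))


def state(pkt, *states):
    """-m state --state A,B: tests the conntrack state only, whatever the flags."""
    return pkt["ct_state"] in states


# The chain in the order it was quoted: (match predicate, target).
# A user-defined chain that reaches its end returns to the caller (RETURN).
BAD_TCP_PACKETS = [
    (lambda p: tcp_flags(p, bits("SYN", "ACK"), bits("SYN", "ACK")) and state(p, "NEW"),
     "REJECT --reject-with tcp-reset"),
    (lambda p: not syn(p) and state(p, "NEW"), "LOG New not syn:"),
    (lambda p: not syn(p) and state(p, "NEW"), "DROP"),
]

TERMINATING = ("REJECT", "DROP", "ACCEPT")


def walk(chain, pkt):
    """Return the targets hit, in order. LOG does not terminate, so walking continues."""
    hits = []
    for match, target in chain:
        if match(pkt):
            hits.append(target)
            if target.split()[0] in TERMINATING:
                return hits
    hits.append("RETURN")
    return hits


def verdict(pkt):
    """The final target for a packet: REJECT, DROP or RETURN (fell off the chain)."""
    return walk(BAD_TCP_PACKETS, pkt)[-1]


# Constructed sample packets; ct_state is the assumed conntrack result for each.
SAMPLES = {
    # Ordinary connection attempt: NEW with a clean SYN, so nothing here matches.
    "syn_new": {"flags": bits("SYN"), "ct_state": "NEW"},
    # Unsolicited SYN/ACK with no entry in the table: the first rule resets it.
    "synack_new": {"flags": bits("SYN", "ACK"), "ct_state": "NEW"},
    # Stray ACK with no entry (e.g. after a conntrack flush): logged, then dropped,
    # even though it is NEW without carrying a SYN.
    "ack_new": {"flags": bits("ACK"), "ct_state": "NEW"},
    # The same flags inside a tracked connection: NEW does not match, so it passes.
    "ack_established": {"flags": bits("ACK"), "ct_state": "ESTABLISHED"},
    # A SYN/ACK answering our own SYN is ESTABLISHED, not NEW: left alone.
    "synack_established": {"flags": bits("SYN", "ACK"), "ct_state": "ESTABLISHED"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20} -> {' / '.join(walk(BAD_TCP_PACKETS, pkt))}")
```

Running the model shows the two claims made in the reply side by side: the stray ACK is NEW and is logged and dropped although no SYN is set, and a NEW packet that reaches the `! --syn` rules cannot have both SYN and ACK set, because the first rule has already answered that case with a reset.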


		
__________________________________ 
Do you Yahoo!? 
Check out the new Yahoo! Front Page. 
www.yahoo.com 
 


