
Re: iptables blocking eth0 .. why ?



On Fri, Jan 07, 2005 at 01:18:46PM +1300, Blair Strang wrote:
> | iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
> | iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
> | SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
> | iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
> | -j DROP

> 3) INPUT/OUTPUT: All the rules which would allow established connections to
>    proceed are commented out.  No packets in state NEW will be accepted
>    because there are no rules to allow them.  So no-one should be able to
>    connect to you, and you should not be able to establish any outbound
>    connections.  Except for those ICMP messages again.

The NEW SYN,ACK is most likely used to make sure netfilter will not
(re)establish sessions from intermediate packets belonging to an established
session. I think the "! --syn" has more or less the same function (besides
RST).


Greetings
Bernd
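To make the mid-stream case concrete, here is a small model of the three BLOCKED_PACKETS rules quoted above (an added example, not code from this thread and not netfilter's implementation). The conntrack table is approximated by a set of known flows; a packet of a known flow is ESTABLISHED, anything else is NEW, and `--syn` is modelled as SYN set with ACK, RST and FIN clear. Addresses and flows are constructed sample data.

```python
"""Simplified model of how the BLOCKED_PACKETS chain treats TCP packets,
depending on whether conntrack already knows the flow. Constructed example."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset  # TCP flags that are set, e.g. {"SYN"} or {"SYN", "ACK"}

@dataclass
class Conntrack:
    """Tiny stand-in for the conntrack table: a set of known (src, dst) flows."""
    flows: set = field(default_factory=set)

    def state(self, pkt: Packet) -> str:
        # A packet of a flow conntrack has seen (either direction) is
        # ESTABLISHED; a packet of an unknown flow is NEW, even if it is an
        # ACK from a session that existed before the table was populated.
        if (pkt.src, pkt.dst) in self.flows or (pkt.dst, pkt.src) in self.flows:
            return "ESTABLISHED"
        return "NEW"

def is_syn(pkt: Packet) -> bool:
    """iptables --syn: SYN set and ACK, RST, FIN all clear."""
    return "SYN" in pkt.flags and not (pkt.flags & {"ACK", "RST", "FIN"})

def blocked_packets(pkt: Packet, ct: Conntrack, invalid: bool = False) -> str:
    """Walk the three rules in order and return the verdict, or "RETURN"
    when none matched and the chain hands the packet back to the caller."""
    # 1) -m state --state INVALID -j DROP  (INVALID is passed in as a flag here)
    if invalid:
        return "DROP"
    st = ct.state(pkt)
    # 2) --tcp-flags SYN,ACK SYN,ACK --state NEW -j REJECT --reject-with tcp-reset
    #    A SYN+ACK with no conntrack entry is a handshake reply conntrack never
    #    saw the SYN for: answer it with a reset instead of adopting the session.
    if {"SYN", "ACK"} <= pkt.flags and st == "NEW":
        return "REJECT tcp-reset"
    # 3) ! --syn --state NEW -j DROP
    #    Any other non-SYN packet without an entry (e.g. a bare ACK from a
    #    pre-existing session) is silently dropped, so no pickup happens.
    if not is_syn(pkt) and st == "NEW":
        return "DROP"
    # A plain SYN in state NEW, or any packet of a known flow, passes through;
    # simplification: the flow is recorded once the packet is let through.
    if st == "NEW":
        ct.flows.add((pkt.src, pkt.dst))
    return "RETURN"
```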


