Re: Iptables + Squid

To: debian-firewall@lists.debian.org
Subject: Re: Iptables + Squid
From: Franck Joncourt <franck.joncourt@wanadoo.fr>
Date: Fri, 3 Aug 2007 18:00:13 +0200
Message-id: <[🔎] 20070803160013.GA7815@sid.toystory.lan>
In-reply-to: <[🔎] 20070803110552.GA30299@mail.planetcobalt.net>
References: <[🔎] 6c55e0a40708020957g31d2e8a1nf17c2a6dabac4c2d@mail.gmail.com> <[🔎] 20070802170900.GB13454@mail.planetcobalt.net> <[🔎] 6c55e0a40708021026o2fd23af1h81b7e9d431f210bd@mail.gmail.com> <[🔎] 20070802182754.GA13253@toystory.lan> <[🔎] 20070802192230.GB13253@toystory.lan> <[🔎] 20070802204951.GA21418@mail.planetcobalt.net> <[🔎] 20070802215830.GD26059@sid.toystory.lan> <[🔎] 20070803110552.GA30299@mail.planetcobalt.net>

On Fri, Aug 03, 2007 at 01:05:52PM +0200, Ansgar -59cobalt- Wiechers wrote:
> On 2007-08-02 Franck Joncourt wrote:
> > On Thu, Aug 02, 2007 at 10:49:51PM +0200, Ansgar -59cobalt- Wiechers wrote:
> >> On 2007-08-02 Franck Joncourt wrote:
> >>> -m state --state NEW --syn rather than --syn
> >> 
> >> "--syn" is kinda redundant when using "--state NEW". ;)
> > 
> > You are wrong. Try to send a packet with the ACK flag sets and the
> > others cleared ; therefore you will be able to match those packets with
> > this rule :
> > 
> > iptables -A INPUT -p tcp -m state --state NEW \
> > 	--tcp-falgs SYN,FIN,RST,ACK ACK -j RETURN
> > 
> > http://iptables-tutorial.frozentux.net/iptables-tutorial.html#SYNACKANDNEW
> 
> Instead of adding a --syn to the ACCEPT rule I'd rather add a REJECT
> rule as described in the article you mentioned to protect against
> spoofing.
> 

The above link discribes protection against spoofing in the
"SYN/ACK and NEW packets" section.
As a matter of fact sending a SYN/ACK packet to my server is known to be
in the INVALID state and not in the NEW state as they mention. However,
I do not know anything about sequence number.
Assuming it works on the NEW state, it is fine to prevent our ip from being
spoofed.

In the other section, just above the last one (State NEW packets but no
SYN bit set), they talk about :

iptables -A INPUT ! --syn -m state NEW -j DROP

So, packets with only the ACK flag set will match the rule, and
therefore will be dropped (or rejected).

As you said, it would be better to work this way, rather than using the
_--syn_ option for every NEW TCP connection I want to allow.
I do not do this because I did not want to play with flags before,
except with the syn option, but I will do :p!

So we put the syn option into the bin, and add a new rule to drop NEW
not SYN packets, avoiding useless processing. It looks good !

-- 
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- Iptables + Squid
  - From: "Harlei Liguori" <hliguori@gmail.com>
- Re: Iptables + Squid
  - From: Ansgar -59cobalt- Wiechers <lists@planetcobalt.net>
- Re: Iptables + Squid
  - From: "Harlei Liguori" <hliguori@gmail.com>
- Re: Iptables + Squid
  - From: Franck Joncourt <franck.joncourt@wanadoo.fr>
- Re: Iptables + Squid
  - From: Franck Joncourt <franck.joncourt@wanadoo.fr>
- Re: Iptables + Squid
  - From: Ansgar -59cobalt- Wiechers <lists@planetcobalt.net>
- Re: Iptables + Squid
  - From: Franck Joncourt <franck.joncourt@wanadoo.fr>
- Re: Iptables + Squid
  - From: Ansgar -59cobalt- Wiechers <lists@planetcobalt.net>

Prev by Date: Re: Iptables + Squid
Next by Date: Linux and Inter-vlan Routing
Previous by thread: Re: Iptables + Squid
Next by thread: Re: Iptables + Squid
Index(es):
- Date
- Thread