tuxmin l33t
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Tue Mar 22, 2005 9:53 am Post subject: Dropping packets with invalid tcp flags |
Hi folks,
I'm about to tell my firewall script to discard any tcp packet with invalid flags. I thought this over some while and came up with the following:
1. ACCEPT all packets in state ESTABLISHED and RELATED.
2. Drop all packets in state INVALID
3. Drop all packets with SYN set coming in on the external interface (I don't allow incoming connections)
4. Globally drop any packet with flags !SYN, !SYN/ACK, !ACK stateless (read ! as not)
The problem is that I use fwbuilder for generating the script, so I don't have fine control over the state flags (especially the NEW state). But to me this appears to be a quick and effective solution.
Any thoughts?
Alex!!!
_________________
ALT-F4
inode77 Veteran
Joined: 20 Jan 2004 Posts: 1303 Location: Heart of Europe
Posted: Tue Mar 22, 2005 11:37 am Post subject: |
IMHO the 4th step is not necessary. Here is my config (lazy handmade iptables ruleset, but it does the job just fine):
Code:
Chain INPUT (policy DROP 26780 packets, 5766K bytes)
num pkts bytes target prot opt in out source destination
1 8945K 12G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 248 14824 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
3 634 215K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp spt:67 dpt:68
4 9 540 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 flags:0x16/0x02
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 373 packets, 49562 bytes)
num pkts bytes target prot opt in out source destination
1 6139K 357M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 248 14824 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 state NEW
3 29958 1797K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:0x16/0x02
4 1344 85579 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
5 23 1876 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
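An added example, not code from either poster: a small Python model of how iptables' --tcp-flags mask/comp matching works. It decodes the flags:0x16/0x02 entries in the ruleset above (SYN,RST,ACK/SYN, which is what the --syn shorthand expands to) and runs a constructed list of classic bad-flag rules, in chain order, over sample flag combinations. The flag bit values are TCP's own; the rule list and the sample packets are assumptions for illustration, not anyone's production ruleset.

```python
# Added example (not from the thread): model of iptables --tcp-flags matching.
# TCP flag bit values as they appear in the TCP header's flags byte.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAG_BITS.values())


def flags_from_names(names):
    """'SYN,ACK' -> integer bitmask; 'NONE' -> 0; 'ALL' -> every flag bit."""
    if names == "NONE":
        return 0
    if names == "ALL":
        return ALL
    return sum(FLAG_BITS[n] for n in names.split(","))


def names_from_flags(value):
    """Integer bitmask -> 'SYN,ACK' style string ('NONE' when no bit is set)."""
    return ",".join(n for n, b in FLAG_BITS.items() if value & b) or "NONE"


def tcp_flags_match(pkt_flags, mask, comp):
    """--tcp-flags mask comp: look only at the bits in mask and require
    exactly the bits in comp to be set among them."""
    return (pkt_flags & mask) == comp


def decode_flags_field(field):
    """Turn a 'flags:0x16/0x02' token from iptables -L -n into flag names."""
    mask_hex, comp_hex = field.split(":", 1)[1].split("/")
    mask, comp = int(mask_hex, 16), int(comp_hex, 16)
    return f"{names_from_flags(mask)}/{names_from_flags(comp)}"


# Constructed "bad flags" chain, in iptables order: (mask, comp, target).
# These combinations are never produced by a conforming TCP stack.
BAD_FLAG_RULES = [
    ("ALL", "NONE", "DROP"),          # no flag set at all
    ("ALL", "ALL", "DROP"),           # every flag set
    ("SYN,FIN", "SYN,FIN", "DROP"),   # open and close in one segment
    ("SYN,RST", "SYN,RST", "DROP"),   # open and reset in one segment
    ("FIN,RST", "FIN,RST", "DROP"),   # close and reset in one segment
]


def verdict(pkt_names, rules=BAD_FLAG_RULES, policy="ACCEPT"):
    """First matching rule wins, like an iptables chain; else the policy."""
    pkt = flags_from_names(pkt_names)
    for mask, comp, target in rules:
        if tcp_flags_match(pkt, flags_from_names(mask), flags_from_names(comp)):
            return target
    return policy
```

Normal traffic such as PSH,ACK or FIN,ACK passes this chain untouched, while the listed combinations are dropped before conntrack ever sees them.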
tuxmin l33t
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Tue Mar 22, 2005 12:52 pm Post subject: |
Thanks for your answer,
I wonder what iptables does with ESTABLISHED or RELATED packets that have invalid TCP flags. Imagine some bogus server that sends malformed packets -- would these be recognized as ESTABLISHED/RELATED or filtered at an earlier stage?
I know, this sounds rather academic -- but I'm just curious. I googled around for several hours but couldn't find a satisfying document on the iptables internals, so I ended up with this idea of filtering malformed packets on my own.
Alex!!!
_________________
ALT-F4