bad tcp packets
frank at der-frank.org
Tue Nov 23 14:59:10 CET 2004
* hamals at infinito.it <hamals at infinito.it> 23. Nov 04:
> Hello to everyone
> I'm reading "Iptables Tutorial 1.1.19" by Oskar
> Andreasoon, and I cant understand these bad packets rules
Well chosen. Please, don't wrap commands. I'll fix it in the quoting.
> $IPTABLES -N bad_tcp_packets
> # bad_tcp_packets chain
> $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
> -m state --state NEW -j REJECT --reject-with tcp-reset
Conntrack treats a packet as state NEW if it hits netfilter for the first
time. The first packet of a TCP stream will never have both SYN and ACK
set. This is the correct answer after a connection request (SYN) from
your network, but then it wouldn't be the first packet in the stream.
> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
> --log-prefix "New not syn:"
Same goes here: NEW in conntrack, but the SYN flag not set, should never
occur. So LOG...
> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
... and DROP it.
> Could someone explain to me why those are bad TCP packets?
More information about the netfilter
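An added example (not from the post or from the Iptables Tutorial): a toy Python model of the bad_tcp_packets chain together with a minimal conntrack, run over constructed sample packets, to show why a SYN,ACK or a non-SYN packet that conntrack sees as NEW is rejected or dropped while the same SYN,ACK arriving as the reply to our own SYN passes. The Packet and Conntrack classes, the addresses and the flag sets are assumptions made for illustration.

```python
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # e.g. frozenset({"SYN", "ACK"})

@dataclass
class Conntrack:
    """Toy conntrack: a flow is NEW until one of its packets has been accepted."""
    seen: set = field(default_factory=set)
    def key(self, pkt):       # direction-agnostic, so the reply maps to the same flow
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
    def state(self, pkt):
        return "ESTABLISHED" if self.key(pkt) in self.seen else "NEW"
    def confirm(self, pkt):   # the entry only persists if the packet was not dropped
        self.seen.add(self.key(pkt))

def bad_tcp_packets(pkt, state, log):
    """Apply the chain's rules in order; returns 'REJECT', 'DROP' or 'RETURN'."""
    # --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
    if {"SYN", "ACK"} <= pkt.flags and state == "NEW":
        return "REJECT"
    # ! --syn: --syn is SYN set with ACK, RST and FIN clear, so this matches everything else
    syn_only = "SYN" in pkt.flags and not (pkt.flags & {"ACK", "RST", "FIN"})
    if not syn_only and state == "NEW":
        log.append(f"New not syn: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")  # the LOG rule
        return "DROP"                                                            # the DROP rule
    return "RETURN"

def run(packets):
    """Push packets through conntrack and the chain; returns (verdicts, log lines)."""
    ct, log, verdicts = Conntrack(), [], []
    for pkt in packets:
        verdict = bad_tcp_packets(pkt, ct.state(pkt), log)
        if verdict == "RETURN":
            ct.confirm(pkt)
        verdicts.append(verdict)
    return verdicts, log

# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE = [
    Packet("198.51.100.9", 443, "10.0.0.5", 51000, frozenset({"SYN", "ACK"})),  # unsolicited SYN,ACK
    Packet("10.0.0.5", 40000, "203.0.113.7", 80, frozenset({"SYN"})),           # our own request
    Packet("203.0.113.7", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),    # its reply: not NEW
    Packet("198.51.100.9", 12345, "10.0.0.5", 22, frozenset({"ACK"})),          # stray ACK, NEW
]
```

Running `run(SAMPLE)` gives the verdicts REJECT, RETURN, RETURN, DROP and a single "New not syn:" log line for the stray ACK.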