Re: Various Questions on Dropping SYN Pkts

From: Tim Haynes (usenet@stirfried.vegetable.org.uk)
Date: 12/29/02


From: Tim Haynes <usenet@stirfried.vegetable.org.uk>
Date: Sun, 29 Dec 2002 13:21:22 +0000

Allen Kistler <ackistler@yahoo.com> writes:

> Fritz Foetzl wrote:
>> By default, iptables includes the following rules for dropping SYN
>> packets from the input chain (output from "iptables -L"):
>> [snip]
>
> "By default" varies with distribution, I think.

Agreed. iptables has no defaults other than netfilter's ACCEPT on all
chains. Anything else you ask for.

> BTW, iptables has a better mechanism for tracking ftp data connections.
> These iptables rules look like translated ipchains rules.

Indeed. Iptables is a better mechanism for tracking *all* connections.
People should stop pratting around with "SYN" and some half-baked
kludged-up mess of port-numbers as though it indicated newness of
connection, and say what they meant to say all along:
  -m state --state NEW|INVALID|ESTABLISHED|RELATED

>> 2. Would DROP be a better target than REJECT, so as to provide no
>> information at all back to the sender?
>
> Probably a matter of preference. If you reset a connection, the box
> sending you packets knows not to send any more and chew up your
> bandwidth. OTOH, the box sending you packets can use you for a reflected
> DoS attack against someone else.

This is only a matter of preference now that reject with tcp-reset is an
option for TCP packets being rejected. Do *NOT* confuse other boxes' IP
stacks by sending icmp port-unreachable errors for tcp; that is a UDP
thing.

~Tim

-- 
   13:18:18  up 9 days, 22:04,  1 user,  load average: 0.04, 0.06, 0.01
piglet@stirfried.vegetable.org.uk |There's a shrine on the Assynt hillside
http://piglet.is.dreaming.org     |Made of earth and salt and rain
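
[Editor's added example, not part of Tim's post or anyone else's in the thread.] The two points above, state matching instead of SYN/port heuristics and protocol-appropriate REJECT, put together as a small script that emits an iptables-restore ruleset. The allowed ports (22, 80 for TCP, 53 for UDP) are illustrative assumptions; the `-m state` spelling is the one the post uses, newer iptables also accepts `-m conntrack --ctstate`.

```sh
#!/bin/sh
# Added example (editor's, not from the original post). Emits an
# iptables-restore style INPUT ruleset that classifies packets by conntrack
# state rather than by SYN flag or port number, and rejects TCP with a RST
# and UDP with ICMP port-unreachable. Port numbers below are assumptions.

gen_ruleset() {
    tcp_ports="$1"   # space-separated TCP ports allowed to open NEW connections
    udp_ports="$2"   # same for UDP
    p=

    printf '%s\n' '*filter'
    # Explicit policies: netfilter's own default is ACCEPT on every chain.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'

    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # INVALID: conntrack could not tie the packet to any flow (bogus TCP
    # flag combinations, out-of-window segments, orphan ACKs). Drop silently.
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # Replies to our own traffic, plus flows a helper marks RELATED (FTP data
    # with the ftp conntrack helper loaded, ICMP errors for known flows).
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # NEW is what "--syn" plus a port list was trying to approximate.
    for p in $tcp_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        printf '%s\n' "-A INPUT -p udp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Reject with the error the peer's stack expects: RST for TCP; ICMP
    # port-unreachable (REJECT's default if you give no --reject-with) only for UDP.
    printf '%s\n' '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
    printf '%s\n' '-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable'
    # Other IP protocols fall through to the chain's DROP policy.
    printf '%s\n' 'COMMIT'
}

# count_rules: number of "-A INPUT" lines in a ruleset read from stdin.
count_rules() {
    grep -c '^-A INPUT '
}

# Usage: write the ruleset to a file, then load it (see note below).
gen_ruleset "22 80" "53"
```

Save the output to a file, check it parses with `iptables-restore --test < file` (parse and build only, nothing committed), then load it with `iptables-restore < file`. Rule order matters: INVALID must be dropped before the ESTABLISHED,RELATED accept, or conntrack-less junk that happens to carry an ACK gets through; and the REJECT lines must stay after the NEW accepts, otherwise every inbound connection is reset.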

