Re: Iptables SYN and NEW packets

From: Baho Utot (baho-utot_at_philippines-island.org)
Date: 11/23/04


Date: Tue, 23 Nov 2004 16:32:20 GMT

On Tue, 23 Nov 2004 13:35:23 +0000, Tim Haynes wrote:

> mark_3094@yahoo.com (Luke Robertson) writes:
>
> [snip]
>>> # Connection state bypass
>>> #
>>> $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
>>> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> What does the SYN bit do?
>
> The SYN flag is only applicable to TCP connections; its presence in a
> packet denotes a request for a new incoming connection, or in
> conjunction with an ACK going outbound, acceptance of said connection.
>
>> Why in your first iptables line do you match a new connection that is
>> not SYN? Is it not a good idea to block SYN?
>
> You shouldn't need to differentiate between SYN and non-SYN packets: it
> suffices to know whether they're NEW or not. The only reason you'd treat
> non-SYN NEW separately is if debugging a lot of dropped connections, or
> checking for weird scans. The rest of the time,
 
[snip]

Not exactly, see my previous post. If you don't look for NEW without a SYN
flag then connections will get through the firewall, as they are NEW (not in
the iptables tables) but they do not have a SYN flag set.

Try it with nmap: it will find the open ports and get through to the
firewall box. Then add the rule:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
and nmap won't find them any more.
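To make the point above concrete, here is an added illustration (not code from this thread, and not iptables itself): a small model of how the conntrack state match and the iptables --syn match interact. It assumes the default kernel behaviour of the time, in which a TCP packet whose 4-tuple is not yet in the state table is classified NEW whatever its flags (net.netfilter.nf_conntrack_tcp_loose=1), models --syn as "--tcp-flags SYN,RST,ACK,FIN SYN", and evaluates rules first-match with a DROP chain policy. The addresses, ports and packets are constructed sample input.

```python
"""Model of conntrack NEW classification versus the iptables --syn match.

Added illustration, not code from the thread.  Simplifications:
  * a packet whose 4-tuple is unknown is NEW regardless of TCP flags
    (default nf_conntrack_tcp_loose=1 behaviour);
  * an entry is confirmed in the state table only when the packet is ACCEPTed;
  * only the forward direction of a flow is tracked.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

    def is_syn(self) -> bool:
        """Equivalent of the iptables --syn match: SYN set, ACK/RST/FIN clear."""
        return self.flags & (SYN | RST | ACK | FIN) == SYN

    def tuple4(self) -> Tuple[str, int, str, int]:
        return (self.src, self.sport, self.dst, self.dport)


@dataclass(frozen=True)
class Rule:
    target: str                            # ACCEPT or DROP
    dport: Optional[int] = None            # --dport N
    syn: Optional[bool] = None             # True: --syn, False: ! --syn
    states: FrozenSet[str] = frozenset()   # -m state --state A,B

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.syn is not None and self.syn != pkt.is_syn():
            return False
        if self.states and state not in self.states:
            return False
        return True


class Chain:
    """An INPUT chain with a DROP policy and its own conntrack table."""

    def __init__(self, rules: List[Rule], policy: str = "DROP"):
        self.rules, self.policy = rules, policy
        self.conntrack: Set[Tuple[str, int, str, int]] = set()

    def state_of(self, pkt: Packet) -> str:
        # Unknown tuple -> NEW, even for a bare ACK or FIN (tcp_loose=1).
        return "ESTABLISHED" if pkt.tuple4() in self.conntrack else "NEW"

    def filter(self, pkt: Packet) -> str:
        state = self.state_of(pkt)
        verdict = next((r.target for r in self.rules if r.matches(pkt, state)),
                       self.policy)
        if verdict == "ACCEPT":
            self.conntrack.add(pkt.tuple4())   # entry confirmed once accepted
        return verdict


def evaluate(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Run packets through a fresh chain and return the verdict for each."""
    chain = Chain(rules)
    return [chain.filter(p) for p in packets]


# The rule set from the thread, with one typical "open a service" rule added.
ESTABLISHED = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))
ALLOW_SSH = Rule("ACCEPT", dport=22, states=frozenset({"NEW"}))
NO_BYPASS = Rule("DROP", syn=False, states=frozenset({"NEW"}))  # ! --syn NEW

WITHOUT_BYPASS_RULE = [ESTABLISHED, ALLOW_SSH]
WITH_BYPASS_RULE = [NO_BYPASS, ESTABLISHED, ALLOW_SSH]

# Constructed sample packets (hypothetical addresses).
SYN_OPEN = Packet("10.0.0.9", 40000, "10.0.0.1", 22, SYN)    # normal connect
DATA_ACK = Packet("10.0.0.9", 40000, "10.0.0.1", 22, ACK)    # later packet, same flow
ACK_PROBE = Packet("10.0.0.9", 40001, "10.0.0.1", 22, ACK)   # nmap -sA style probe
FIN_PROBE = Packet("10.0.0.9", 40002, "10.0.0.1", 22, FIN)   # nmap -sF style probe

if __name__ == "__main__":
    probes = [SYN_OPEN, DATA_ACK, ACK_PROBE, FIN_PROBE]
    print("without bypass rule:", evaluate(WITHOUT_BYPASS_RULE, probes))
    print("with bypass rule:   ", evaluate(WITH_BYPASS_RULE, probes))
```

Without the "! --syn" rule, the ACK-only and FIN-only probes to port 22 are NEW to conntrack and are let in by the same rule that accepts legitimate new SSH connections; with it, they are dropped while the real SYN and the follow-up packets on the established flow still pass. Note that the rule only matters where a chain accepts NEW packets for some port; and that on kernels with net.netfilter.nf_conntrack_tcp_loose set to 0, such mid-stream packets are classified INVALID rather than NEW, so a "--state INVALID -j DROP" rule covers the same case.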
