Network Security: Detailed info on handle different TCP Flags

Subject:	handle different TCP Flags
Date:	Tue, 17 Oct 2006 09:03:37 +0200

To whom it may concern

In my quest to understand TCP/IP and iptables more, ive been researching on 
google and the netfilter mailinglist, to come up with some
rules to handle different TCP Flags.

If possible would someone please overlook / proof read my ruleset and please 
share some comment / critism.

I would be most greatful.

Kind Regards
Brent Clark

# Limit 12 connections per second (burst to 24)
 $IPT -N syn-flood
 $IPT -A syn-flood -m limit --limit 12/s --limit-burst 24 -j RETURN
 $IPT -A syn-flood -j LOG --log-level info --log-prefix '#### Syn Flood ####'
 $IPT -A syn-flood -j DROP

 $IPT -N bad_tcp_packets
 $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix 
"New not syn:"
 $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
 ###$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit 
--limit 5/m -j LOG --log-level info --log-prefix '#### Stealth Scan ####'
 ###$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
 $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 
5/m -j LOG --log-level info --log-prefix '#### XMAS Scan ####'
 $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
 $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -m limit --limit 5/m -j 
LOG --log-level info --log-prefix '#### NULL Scan ####'
 $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
 $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 
5/m -j LOG --log-level info --log-prefix '#### SYN/RST Scan ####'
 $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 
5/m -j LOG --log-level info --log-prefix '#### SYN/FIN Scan ####'
 $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
 $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state 
NEW -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### SYN/ACK 
Scan ####'
 $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state 
NEW -j REJECT --reject-with tcp-reset

 $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

 # Checking for naughty packets
 $IPT -A FORWARD -p tcp --syn -j syn-flood

 $IPT -A FORWARD -p tcp -j bad_tcp_packets

<Prev in Thread]	Current Thread	[Next in Thread>
handle different TCP Flags, Brent Clark <=

Previous by Date:	Re: IPTables default/template rule database, Dhruv Soi
Next by Date:	Re: IPTables default/template rule database, Leif Hardison
Previous by Thread:	IPTables default/template rule database, Serg B.
Next by Thread:	PIX Source NAT, Ryan Greenier
Indexes:	[Date] [Thread] [Top] [All Lists]