* question about --tcp-flags
From: Lopsch @ 2004-12-02 22:08 UTC (permalink / raw)
To: Netfilter-Mailinglist
I only want to know how iptables uses this option. For example
--tcp-flags SYN,ACK,RST SYN: how is it then used? Am I right that the
flags SYN,ACK,RST are inspected and only the SYN flag is allowed to be
set? Or is it so that SYN,ACK,RST are inspected and the SYN flag must be
set but the others are optional, so that all can be set but only SYN has
to be set? I'm a little confused :). And another question: what flag
combos are allowed/not allowed? I only know about a few, so SYN,RST set is
an illegal set, also SYN,FIN. Or SYN,ACK when initiating a connection.
Thanks in advance for replies.
--
PGP-ID 0xF8EAF138
* Re: question about --tcp-flags
From: Lopsch @ 2004-12-02 22:34 UTC (permalink / raw)
To: Netfilter-Mailinglist
Jason Opperisano wrote:
> i've seen this list pop up here and there:
>
> http://www.stearns.org/modwall/sample/tcpchk-sample
>
> seems pretty complete to me.
>
> the most common ones you see people creating DROP rules for are:
>
> ALL ALL
> ALL NONE
> SYN,FIN SYN,FIN
> ALL FIN,URG,PSH
> SYN,RST SYN,RST
> FIN,RST FIN,RST
> FIN,ACK FIN
>
> -j
>
> --
Thanks, will take a look at that list :). But a last question. Is --syn
the same as --tcp-flags ALL SYN?
* Re: question about --tcp-flags
From: Jason Opperisano @ 2004-12-02 23:08 UTC (permalink / raw)
To: netfilter
On Thu, 2004-12-02 at 17:34, Lopsch wrote:
> Thanks, will take a look at that list :). But a last question. Is --syn
> the same as --tcp-flags ALL SYN?
no. "--syn" is the example you asked about:
--tcp-flags SYN,RST,ACK SYN
this is clearly explained in 'man iptables' btw...
-j
--
"Fame was like a drug. But what was even more like a drug were
the drugs."
--The Simpsons
* Re: question about --tcp-flags
From: Jason Opperisano @ 2004-12-02 23:11 UTC (permalink / raw)
To: Netfilter-Mailinglist
On Thu, Dec 02, 2004 at 11:08:21PM +0100, Lopsch wrote:
> I only want to know how iptables uses this option. For example
> --tcp-flags SYN,ACK,RST SYN: how is it then used? Am I right that the
> flags SYN,ACK,RST are inspected and only the SYN flag is allowed to be
> set?
yes. "--tcp-flags SYN,ACK,RST SYN" means:
out of the flags SYN, ACK, RST:
SYN is set
ACK is not set
RST is not set
the flags FIN, URG, PSH are not examined and may be either set or not
set.
> Or is it so that SYN,ACK,RST are inspected and the SYN flag must be
> set but the others are optional, so that all can be set but only SYN has
> to be set? I'm a little confused :). And another question: what flag
> combos are allowed/not allowed? I only know about a few, so SYN,RST set is
> an illegal set, also SYN,FIN. Or SYN,ACK when initiating a connection.
i've seen this list pop up here and there:
http://www.stearns.org/modwall/sample/tcpchk-sample
seems pretty complete to me.
the most common ones you see people creating DROP rules for are:
ALL ALL
ALL NONE
SYN,FIN SYN,FIN
ALL FIN,URG,PSH
SYN,RST SYN,RST
FIN,RST FIN,RST
FIN,ACK FIN
-j
--
"I have been shot eight times this year, and as a result, I almost
missed work."
--The Simpsons
* Re: question about --tcp-flags
From: Lopsch @ 2004-12-02 23:44 UTC (permalink / raw)
To: Netfilter-Mailinglist
Jason Opperisano wrote:
> On Thu, 2004-12-02 at 17:34, Lopsch wrote:
>
>> Thanks, will take a look at that list :). But a last question. Is --syn
>> the same as --tcp-flags ALL SYN?
>
>
> no. "--syn" is the example you asked about:
>
> --tcp-flags SYN,RST,ACK SYN
>
> this is clearly explained in 'man iptables' btw...
>
> -j
>
> --
> "Fame was like a drug. But what was even more like a drug were
> the drugs."
> --The Simpsons
Yes I know, but the manpages don't work here, don't know why. Hmm, but then
it's better to explicitly drop packets like ... --tcp-flags SYN,FIN
SYN,FIN before using a line like this ... --syn -m state --state NEW ...
because this would also allow the usage of SYN,FIN for new connections.
And that's not a legal set. Or isn't it necessary to drop those packets
because TCP will take care of that and send RST for them?
* Re: question about --tcp-flags
From: Jason Opperisano @ 2004-12-02 23:57 UTC (permalink / raw)
To: netfilter
On Thu, 2004-12-02 at 18:44, Lopsch wrote:
> Yes I know, but the manpages don't work here, don't know why.
you may want to look into that...
> Hmm, but then
> it's better to explicitly drop packets like ... --tcp-flags SYN,FIN
> SYN,FIN before using a line like this ... --syn -m state --state NEW ...
> because this would also allow the usage of SYN,FIN for new connections.
yeah--if you want to drop flag combinations, you would normally do that
first, before accepting any connections.
> And that´s not a legal set. Or isn´t it necessary to drop those packets
> because TCP will take care of that and send RST for them?
no. the point is not to allow TCP to do its thing--that's how scanners
like nmap work, by processing a host's response to weird flag
combinations...
-j
--
"When I grow up, I'm going to Bovine University!"
--The Simpsons
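An added example, not from the thread, that simulates the --tcp-flags MASK COMP match the way the replies describe it ((flags & MASK) == COMP), places the DROP combinations listed above ahead of the --syn ACCEPT as recommended, and shows why --syn (SYN,RST,ACK SYN) is not the same as ALL SYN. The flag bit values are the TCP header's; the chain walk is a model, not iptables itself, and the sample packets are constructed.

```python
# Added example, not from the thread: simulates iptables' --tcp-flags MASK COMP
# match ((flags & MASK) == COMP) and the rule ordering the replies recommend.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}   # TCP header bit values

def parse_flags(spec):
    """Turn 'SYN,ACK', 'ALL' or 'NONE' into a bitmask, as iptables does."""
    if spec == "ALL":
        return 0x3F
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))

def tcp_flags_match(flags, mask, comp):
    """--tcp-flags MASK COMP: only the MASK bits are examined, and they
    must equal COMP; bits outside MASK may be set or not."""
    return (flags & parse_flags(mask)) == parse_flags(comp)

# The (mask, comp) combinations listed in the thread as common DROP rules.
BAD_COMBOS = [("ALL", "ALL"), ("ALL", "NONE"), ("SYN,FIN", "SYN,FIN"),
              ("ALL", "FIN,URG,PSH"), ("SYN,RST", "SYN,RST"),
              ("FIN,RST", "FIN,RST"), ("FIN,ACK", "FIN")]

def syn_option(flags):
    """--syn as the thread states it: --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match(flags, "SYN,RST,ACK", "SYN")

def verdict(flags):
    """Walk a chain in the recommended order: bad-combination DROPs first,
    then the --syn ACCEPT for new connections, else fall through."""
    for mask, comp in BAD_COMBOS:
        if tcp_flags_match(flags, mask, comp):
            return "DROP"
    if syn_option(flags):
        return "ACCEPT"
    return "POLICY"   # nothing matched; the chain policy decides

if __name__ == "__main__":
    # Constructed sample packets, given as their TCP flag byte.
    samples = {"SYN": 0x02, "SYN+PSH": 0x0A, "SYN+ACK": 0x12,
               "SYN+FIN": 0x03, "no flags": 0x00, "FIN+URG+PSH": 0x29}
    for name, f in samples.items():
        print(f"{name:12s} --syn={syn_option(f)!s:5s} "
              f"'ALL SYN'={tcp_flags_match(f, 'ALL', 'SYN')!s:5s} "
              f"verdict={verdict(f)}")
```

Newer iptables releases define --syn as --tcp-flags SYN,RST,ACK,FIN SYN, so there a SYN+FIN packet is no longer matched by --syn; the explicit SYN,FIN drop still belongs first for any rule that does not use --syn.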