valid INPUT/OUTPUT rule piece?--> '-p tcp --tcp-flags ACK, FIN FIN -j DROP', etc.

valid INPUT/OUTPUT rule piece?--> '-p tcp --tcp-flags ACK, FIN FIN -j DROP', etc.

[seberino]

Please explain these:

$IPTABLES -t filter -A INPUT -p tcp --tcp-flags ACK,FIN FIN   -j DROP
$IPTABLES -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH   -j DROP
$IPTABLES -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG   -j DROP
$IPTABLES -t filter -A INPUT -p tcp --tcp-flags ALL     NONE  -j DROP

Do first 3 imply you must send ACK when you send a FIN, PSH or URG?

And does last mean you must set *some* TCP flag always?

CS

Re: valid INPUT/OUTPUT rule piece?--> '-p tcp --tcp-flags ACK, FIN FIN -j DROP', etc.

[Lopsch]

[-- Attachment #1: Type: text/plain, Size: 906 bytes --]

seberino@spawar.navy.mil schrieb:
> Please explain these:
>
> $IPTABLES -t filter -A INPUT -p tcp --tcp-flags ACK,FIN FIN   -j DROP
> $IPTABLES -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH   -j DROP
> $IPTABLES -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG   -j DROP
> $IPTABLES -t filter -A INPUT -p tcp --tcp-flags ALL     NONE  -j DROP
>
> Do first 3 imply you must send ACK when you send a FIN, PSH or URG?
>
> And does last mean you must set *some* TCP flag always?
>
> CS
>
>
Exactly. The first 3 rules are used for dropping packets which have set
FIN, PSH and URG but without a set ACK-flag. The last one prevents empty
packets (none flag set) to enter your network.
As often such packets are used by portscans it is useful to drop them.
Jason posted a link some time ago with a list of rules to perform tcp
checks http://www.stearns.org/modwall/sample/tcpchk-sample

--

PGP-ID 0xF8EAF138

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: valid INPUT/OUTPUT rule piece?--> '-p tcp --tcp-flags ACK, FIN FIN -j DROP', etc.

[seberino]

Lopsch

Thanks for your email.  I know a little about TCP flags.
IIRC, ACK means 'Acknowlegement'
and FIN means 'Finish Connection'.

Why would TCP want everyone to turn on ACK when they
want to finish a connection with FIN?

I assume that TCP was written to do 2 errands in one
TCP datagram?...1. acknowledge last datagram received
                2. terminate connection

It seems odd you can't terminate a connection (FIN)
without also acknowledging something to me.

Chris

On Wed, Jan 26, 2005 at 01:37:57AM +0100, Lopsch wrote:
> seberino@spawar.navy.mil schrieb:
> >Please explain these:
> >
> >$IPTABLES -t filter -A INPUT -p tcp --tcp-flags ACK,FIN FIN   -j DROP
> >$IPTABLES -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH   -j DROP
> >$IPTABLES -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG   -j DROP
> >$IPTABLES -t filter -A INPUT -p tcp --tcp-flags ALL     NONE  -j DROP
> >
> >Do first 3 imply you must send ACK when you send a FIN, PSH or URG?
> >
> >And does last mean you must set *some* TCP flag always?
> >
> >CS
> >
> >
> Exactly. The first 3 rules are used for dropping packets which have set
> FIN, PSH and URG but without a set ACK-flag. The last one prevents empty
> packets (none flag set) to enter your network.
> As often such packets are used by portscans it is useful to drop them.
> Jason posted a link some time ago with a list of rules to perform tcp
> checks http://www.stearns.org/modwall/sample/tcpchk-sample
>
> --
>
> PGP-ID 0xF8EAF138



--
_______________________________________

Christian Seberino, Ph.D.
SPAWAR Systems Center San Diego
Code 2872
49258 Mills Street, Room 158
San Diego, CA 92152-5385
U.S.A.

Phone: (619) 553-9973
Fax  : (619) 553-6521
Email: seberino@spawar.navy.mil
_______________________________________

Re: valid INPUT/OUTPUT rule piece?--> '-p tcp --tcp-flags ACK, FIN FIN -j DROP', etc.

[Jason Opperisano]

On Tue, Jan 25, 2005 at 09:26:58PM -0800, seberino@spawar.navy.mil wrote:
> Lopsch
> 
> Thanks for your email.  I know a little about TCP flags.
> IIRC, ACK means 'Acknowlegement'
> and FIN means 'Finish Connection'.
> 
> Why would TCP want everyone to turn on ACK when they
> want to finish a connection with FIN?
> 
> I assume that TCP was written to do 2 errands in one
> TCP datagram?...1. acknowledge last datagram received
>                 2. terminate connection
> 
> It seems odd you can't terminate a connection (FIN)
> without also acknowledging something to me.
> 
> Chris

read:
  http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentProcessTheThreeWayHandsh.htm

and:
  http://www.tcpipguide.com/free/t_TCPConnectionTermination.htm

if you want a better understanding of TCP connection setup and
termination and the flags set during each phase.

the quick answer to your question is that an actual OS TCP/IP stack will
always set the ACK bit when sending a FIN, URG, or PSH packet.  FIN,
URG, and PSH packets that are sent without the ACK bit set were probably
generated by some scanner tool (nmap, hping) or by somebody's custom
code (perl script).

-j

--
"Operator! Give me the number for 911!"
        --The Simpsons

Re: valid INPUT/OUTPUT rule piece?--> '-p tcp --tcp-flags ACK, FIN FIN -j DROP', etc.

[seberino]

Jason

Thanks.  That helped.  I was looking at your TCP flags iptables rules.
No maybe I can understand why you chose them.

Chris

On Wed, Jan 26, 2005 at 02:08:15PM -0500, Jason Opperisano wrote:
> On Tue, Jan 25, 2005 at 09:26:58PM -0800, seberino@spawar.navy.mil wrote:
> > Lopsch
> >
> > Thanks for your email.  I know a little about TCP flags.
> > IIRC, ACK means 'Acknowlegement'
> > and FIN means 'Finish Connection'.
> >
> > Why would TCP want everyone to turn on ACK when they
> > want to finish a connection with FIN?
> >
> > I assume that TCP was written to do 2 errands in one
> > TCP datagram?...1. acknowledge last datagram received
> >                 2. terminate connection
> >
> > It seems odd you can't terminate a connection (FIN)
> > without also acknowledging something to me.
> >
> > Chris
>
> read:
>   http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentProcessTheThreeWayHandsh.htm
>
> and:
>   http://www.tcpipguide.com/free/t_TCPConnectionTermination.htm
>
> if you want a better understanding of TCP connection setup and
> termination and the flags set during each phase.
>
> the quick answer to your question is that an actual OS TCP/IP stack will
> always set the ACK bit when sending a FIN, URG, or PSH packet.  FIN,
> URG, and PSH packets that are sent without the ACK bit set were probably
> generated by some scanner tool (nmap, hping) or by somebody's custom
> code (perl script).
>
> -j
>
> --
> "Operator! Give me the number for 911!"
>         --The Simpsons
>

--
_______________________________________

Christian Seberino, Ph.D.
SPAWAR Systems Center San Diego
Code 2872
49258 Mills Street, Room 158
San Diego, CA 92152-5385
U.S.A.

Phone: (619) 553-9973
Fax  : (619) 553-6521
Email: seberino@spawar.navy.mil
_______________________________________

Re: valid INPUT/OUTPUT rule piece?--> '-p tcp --tcp-flags ACK, FIN FIN -j DROP', etc.

[seberino]

Jason

Thanks for your 2 links.  I really did read both of them carefully.
They explained SYN, ACK and FIN but not URG, PSH and RST.
Do you have another great link to explain these last 3 flags? :)

Chris
On Wed, Jan 26, 2005 at 02:08:15PM -0500, Jason Opperisano wrote:
> On Tue, Jan 25, 2005 at 09:26:58PM -0800, seberino@spawar.navy.mil wrote:
> > Lopsch
> >
> > Thanks for your email.  I know a little about TCP flags.
> > IIRC, ACK means 'Acknowlegement'
> > and FIN means 'Finish Connection'.
> >
> > Why would TCP want everyone to turn on ACK when they
> > want to finish a connection with FIN?
> >
> > I assume that TCP was written to do 2 errands in one
> > TCP datagram?...1. acknowledge last datagram received
> >                 2. terminate connection
> >
> > It seems odd you can't terminate a connection (FIN)
> > without also acknowledging something to me.
> >
> > Chris
>
> read:
>   http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentProcessTheThreeWayHandsh.htm
>
> and:
>   http://www.tcpipguide.com/free/t_TCPConnectionTermination.htm
>
> if you want a better understanding of TCP connection setup and
> termination and the flags set during each phase.
>
> the quick answer to your question is that an actual OS TCP/IP stack will
> always set the ACK bit when sending a FIN, URG, or PSH packet.  FIN,
> URG, and PSH packets that are sent without the ACK bit set were probably
> generated by some scanner tool (nmap, hping) or by somebody's custom
> code (perl script).
>
> -j
>
> --
> "Operator! Give me the number for 911!"
>         --The Simpsons
>

--
_______________________________________

Christian Seberino, Ph.D.
SPAWAR Systems Center San Diego
Code 2872
49258 Mills Street, Room 158
San Diego, CA 92152-5385
U.S.A.

Phone: (619) 553-9973
Fax  : (619) 553-6521
Email: seberino@spawar.navy.mil
_______________________________________

Re: valid INPUT/OUTPUT rule piece?--> '-p tcp --tcp-flags ACK, FIN FIN -j DROP', etc.

[Jason Opperisano]

On Mon, Jan 31, 2005 at 12:42:17PM -0800, seberino@spawar.navy.mil wrote:
> Thanks for your 2 links.  I really did read both of them carefully.
> They explained SYN, ACK and FIN but not URG, PSH and RST.
> Do you have another great link to explain these last 3 flags? :)

yeah--they're all within "The TCP/IP Guide" which I linked to;
specifically:

PSH:
http://www.tcpipguide.com/free/t_TCPImmediateDataTransferPushFunction.htm

URG:
http://www.tcpipguide.com/free/t_TCPPriorityDataTransferUrgentFunction.htm

RST:
http://www.tcpipguide.com/free/t_TCPConnectionManagementandProblemHandlingtheConnec.htm

you can also read some/all of RFC 793--TRANSMISSION CONTROL PROTOCOL:

http://www.faqs.org/rfcs/rfc793.html

specifically--the section on page 35 titled "Reset Generation" explains
all three states that would lead to the generation of a RST packet, and
all three specify the calculation of an acknowledgment number, whether
the packet that leads to the state had the ACK bit set or not.

this plus observation of real OS's in the real world sending real RST
packets leads me to believe that a real RST packet should have the ACK
bit set.  note; however, that more often than not--i have been proven
to be wrong on these types of things--so take what i say with a grain
of salt.

-j

--
"When will I learn? The answer to life's problems aren't at the bottom
 of a bottle, they're on TV!"
        --The Simpsons