From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Subject: Re: Query: Stateful parameters Explicitly and Implicitly defined, which is it?
Date: Wed, 21 Oct 2009 12:08:07 +0200
Message-ID: <4ADEDD87.3020203@chello.at>
In-Reply-To: <4ADED869.2000200@tssg.org>
netfilter-owner@vger.kernel.org wrote:
> Mart Frauenlob wrote:
>>>
>>>> Usually I normalize TCP traffic, even before it hits the rules for
>>>> the servers, but if i wouldn't do it globally, I'd rather write the
>>>> rule like this:
>>>> iptables -A FORWARD -i eth0 -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
>>>>
>>> I see you're using stateful operators also in the above rule. Why
>>> would there be a need to use the stateless SYN flag operator given
>>> the NEW operator implicitly handles this?
>>>
>>
>> Because NEW to the connection tracker means any new packet, which is
>> not ESTABLISHED, RELATED, or INVALID.
>> So it's not necessarily a tcp syn packet. Explicitly defining -m tcp
>> --syn makes sure it's a valid tcp connection attempt.
> I understand you now, I hope!
>
> Although, given the protocol is TCP, we know explicitly it's not a UDP
> new connection attempt. But forcing the syn check ensures that the
> particular TCP packet is the kind we want.
>
> So in all, it's a further set of "checks and balances" that provide
> additional security, perhaps from various packet crafting situations
> where a packet may have both the syn and ack set, for example.
>
>> That's why I talked about normalizing the tcp traffic. Many rulesets
>> place a rule like this (quite on top) to remove bad tcp packets:
>> iptables -N bad_tcp
>> iptables -A bad_tcp -p tcp ! --syn -m state --state NEW -j DROP
>>
>> for c in INPUT FORWARD; do
>> iptables -A $c -p tcp -j bad_tcp
>> done
>>
Yes, another common rule that's on top of the bad_tcp chain is:
-p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
but you can read that in the tutorials ;-)
>> You might check out the iptables tutorial on frozentux, which may
>> answer many of your questions:
>> http://www.frozentux.net/documents/iptables-tutorial/
>>
>> and also read this:
>> http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf
>>
> perfect, thanks.
Regards
Mart
Thread overview (7+ messages):
2009-10-20 21:07 Query: Stateful parameters Explicitly and Implicitly defined, which is it? William Fitzgerald
2009-10-21 7:21 ` John Lister
2009-10-21 7:59 ` Mart Frauenlob
2009-10-21 8:46 ` William Fitzgerald
2009-10-21 9:33 ` Mart Frauenlob
2009-10-21 9:46 ` William Fitzgerald
2009-10-21 10:08 ` Mart Frauenlob [this message]