bad tcp packets

bad tcp packets

[hamals]

Hello to everyone

I'm reading "Iptables Tutorial 1.1.19" by Oskar 
Andreasoon, and I cant understand these bad packets rules


$IPTABLES -N bad_tcp_packets
#
#
# bad_tcp_packets chain
#
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK 
SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state 
--state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state 
--state NEW -j DROP

someone could explain me why that are bad tcp packets?

Thanks

_______________________________________
Connessione ed e-mail gratuita da 10 mb
consultabile tramite web e tramite pop.
www.infinito.it vieni a scoprire tutti 
i nostri servizi!

http://www.infinito.it/xmail

Re: bad tcp packets

[Miguel Angel Amador L]

El mar, 23-11-2004 a las 09:18, hamals@infinito.it escribió:
> Hello to everyone
> 
> I'm reading "Iptables Tutorial 1.1.19" by Oskar 
> Andreasoon, and I cant understand these bad packets rules
> 
> 
> $IPTABLES -N bad_tcp_packets
> #
> #
> # bad_tcp_packets chain
> #
> $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK 
> SYN,ACK \
> -m state --state NEW -j REJECT --reject-with tcp-reset

May be that you can't got the three flags on, in the same packet


> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state 
> --state NEW -j LOG \
> --log-prefix "New not syn:"

> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state 
> --state NEW -j DROP

May be, if the packet haven't the syn flags on, the packet is not new

> someone could explain me why that are bad tcp packets?
I don't secure, but i thing that is this.
regards

 Miguel Amador

> Thanks
> 
> _______________________________________
> Connessione ed e-mail gratuita da 10 mb
> consultabile tramite web e tramite pop.
> www.infinito.it vieni a scoprire tutti 
> i nostri servizi!
> 
> http://www.infinito.it/xmail
> 
> 

RE: bad tcp packets

[Scott Knake]

The problem here is that a new (-m new) tcp packet is always a SYN. Read
on the 3 way TCP connection handshake. It originates with a SYN packet.
I've compiled a list of TCP Packet headers but they must be put in to
their own custom chain since I use the -j RETURN (exits that chain and
returns to the calling chain).

If you know anymore please post them or email me. Thanks.

${IPTABLES} -N tcpchk
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL ACK -m state --state
ESTABLISHED -j RETURN
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL ACK -m state --state
NEW,RELATED -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL PSH,ACK -m state --state
ESTABLISHED -j RETURN
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL PSH,ACK -m state --state
NEW -j RETURN
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL PSH,ACK -m state --state
RELATED -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL NONE -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL ALL -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags RST,FIN RST,FIN -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags SYN,URG SYN,URG -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL SYN,PSH -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL SYN,ACK,PSH -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags ACK,FIN FIN -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags ACK,PSH PSH -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags ACK,URG URG -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL RST -m state --state
ESTABLISHED -j RETURN
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL RST -m state --state
NEW,RELATED -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags SYN,ACK NONE -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL SYN -m state --state NEW -j
RETURN
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL SYN -m state --state
RELATED -j RETURN
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL SYN -m state --state
ESTABLISHED -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL SYN,ACK -m state --state
ESTABLISHED -j RETURN
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL SYN,ACK -m state --state
NEW,RELATED -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL FIN,ACK -m state --state
ESTABLISHED -j RETURN
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL FIN,ACK -m state --state
NEW,RELATED -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL RST,ACK -m state --state
ESTABLISHED -j RETURN
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL RST,ACK -m state --state
NEW -j RETURN
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL RST,ACK -m state --state
RELATED -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL ACK,PSH,RST -m state
--state ESTABLISHED -j RETURN
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL ACK,PSH,RST -m state
--state NEW,RELATED -j DROP
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL FIN,PSH,ACK -m state
--state ESTABLISHED -j RETURN
${IPTABLES} -A tcpchk -p tcp --tcp-flags ALL FIN,PSH,ACK -m state
--state NEW,RELATED -j DROP
${IPTABLES} -A tcpchk -p tcp -m state --state INVALID -j DROP


-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
hamals@infinito.it
Sent: Tuesday, November 23, 2004 7:18 AM
To: netfilter@lists.netfilter.org
Cc: franco.riggi@tiscali.it
Subject: bad tcp packets


Hello to everyone

I'm reading "Iptables Tutorial 1.1.19" by Oskar 
Andreasoon, and I cant understand these bad packets rules


$IPTABLES -N bad_tcp_packets
#
#
# bad_tcp_packets chain
#
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK 
SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state 
--state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state 
--state NEW -j DROP

someone could explain me why that are bad tcp packets?

Thanks

_______________________________________
Connessione ed e-mail gratuita da 10 mb
consultabile tramite web e tramite pop.
www.infinito.it vieni a scoprire tutti 
i nostri servizi!

http://www.infinito.it/xmail

Re: bad tcp packets

[Jason Opperisano]

On Tue, 2004-11-23 at 07:18, hamals@infinito.it wrote:
> Hello to everyone
> 
> I'm reading "Iptables Tutorial 1.1.19" by Oskar 
> Andreasoon, and I cant understand these bad packets rules
> 
> 
> $IPTABLES -N bad_tcp_packets
> #
> #
> # bad_tcp_packets chain
> #
> $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK 
> SYN,ACK \
> -m state --state NEW -j REJECT --reject-with tcp-reset

SYN-ACK packets are step 2 in the TCP Three Way Handshake, and are
always replies to SYN packets (which are step 1).  as a reminder, the
TCP Three Way Handshake is:

client	server
---------------
SYN   ->
     <- SYN-ACK
ACK   ->

also as a reminder, "-m state --state NEW" packets are packets that do
not match an entry in conntrack.

if your are tracking the state of your connections:

"-p tcp -m state --state NEW" packets should only ever be SYN packets
(as they come first)

the above rule sends a TCP RST to any SYN-ACK packet that is NEW; i.e, a
response to a connection request that we never saw.

> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state 
> --state NEW -j LOG \
> --log-prefix "New not syn:"
> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state 
> --state NEW -j DROP

this drops and logs NEW packets that are anything besides a SYN packet.

-j

--
"I've figured out an alternative to giving up my beer. Basically,
 we become a family of traveling acrobats!"
	--The Simpsons

Re: bad tcp packets

[Frank Gruellich]

* hamals@infinito.it <hamals@infinito.it> 23. Nov 04:
> Hello to everyone

Hi,

> I'm reading "Iptables Tutorial 1.1.19" by Oskar 
> Andreasoon, and I cant understand these bad packets rules

Well choosen.  Please, don't wrap commands.  I'll fix in quoting.

> $IPTABLES -N bad_tcp_packets
> #
> #
> # bad_tcp_packets chain
> #
> $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
> -m state --state NEW -j REJECT --reject-with tcp-reset

Conntrack treats a packet as state NEW, if it hits netfilter the first
time.  The first packet of a TCP stream will never have set both of SYN
and ACK.  This is the correct answer after a connection request (SYN)
from your network, but then it wouldn't be the first packet in stream.

> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
> --log-prefix "New not syn:"

Same goes here: NEW in conntrack, but synflag not set should never
occure.  So LOG...

> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

... and DROP it.

> someone could explain me why that are bad tcp packets?

HTH,
 regards, Frank.
-- 
Sigmentation fault