> iptables -I FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/s --limit-burst 1024 -j ACCEPT
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SYN ATTACK"
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -j DROP
> iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
I am not quite sure about the sequence of the rules. Usually, we place the "-m state
--state RELATED,ESTABLISHED" (the connection tracking stuff) at the top of the list of
rules.... I guess instead of -A it should have been -I.. Read about connection tracking .. might help you.
> Now I started an FTP session from the host to an FTP server. In this
> session, I turn off the prompt and do an mget * (multiple files).
> The files are in the order of about 4 MB or so. As soon as the first file
> is completed, it prints the message SYN ATTACK - with the SRC port as the
> ftp-data port (20) - no other traffic is coming into the firewall host.
> TCPDUMP on the firewall machine shows that about 8 or 9 SYN packets
> have been received by the firewall host.

FTP is one of those peculiar protocols. Again, read about connection tracking. For protocols like these
the connection tracking modules have more work to do. However, this is not very relevant to your problem.
The solution for your problem is possibly the ordering of the rules, or the sequence.
There is a link from netfilter.org.. (docs section).
Hope this helps ...
Narendra.

--------------------------
Narendra Prabhu. B
DeepRoot Linux Pvt Ltd., Bangalore.
http://www.deeproot.co.in
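The poster's rule set rewritten to follow the reply's two points, added here as an example that is not from the thread: the RELATED,ESTABLISHED rule comes first, and the FTP connection-tracking helper is loaded so the server's port-20 data connection is classified RELATED rather than as a new SYN. The module name nf_conntrack_ftp, the script name and the dry-run wrapper are assumptions of this example, not anything from the list.

```shell
#!/bin/sh
# Added example, not code from the thread: the poster's FORWARD rules in the
# order the reply recommends. With the conntrack rule first, the port-20 data
# connection that active FTP opens from the server is accepted as RELATED
# (once the FTP helper is loaded) and never reaches the SYN limit/log/drop rules.
# Usage: sh syn_rules.sh        -> print the commands (dry run)
#        sh syn_rules.sh apply  -> run them for real (needs root)

# Assumption: the helper module is named nf_conntrack_ftp (ip_conntrack_ftp on
# the 2.4-era kernels this thread dates from). Without it the data connection
# is just another NEW SYN arriving from port 20.
load_ftp_helper() {
    $MODPROBE nf_conntrack_ftp
}

# The chain is assumed empty; appending in this order with -A gives the same
# result as the reply's suggestion of inserting the state rule with -I.
# $IPT and $MODPROBE are deliberately unquoted so "echo iptables" works as a dry run.
forward_rules() {
    # 1. Packets of tracked connections, and the data connection the FTP helper
    #    has marked as related to the control connection, are accepted first.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 2. Only genuinely new connections (bare SYN) are rate limited.
    $IPT -A FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN \
        -m limit --limit 1/s --limit-burst 1024 -j ACCEPT
    # 3. SYNs over the limit are logged, then dropped.
    $IPT -A FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN \
        -j LOG --log-prefix "SYN ATTACK "
    $IPT -A FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -j DROP
}

if [ "${1:-}" = apply ]; then
    MODPROBE=modprobe IPT=iptables
else
    MODPROBE="echo modprobe" IPT="echo iptables"   # dry run: print, don't execute
fi
load_ftp_helper
forward_rules
```

On kernels from 4.7 on, conntrack helpers are no longer attached automatically by default, so the FTP helper also has to be assigned to the control connection with a raw-table rule such as `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` (or, on kernels that still have it, net.netfilter.nf_conntrack_helper=1).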