On Sun 18/05/2003 at 05:27, Christopher Davis wrote:
> I'm trying to setup an iptables rule to bounce back an icmp error
> message on a firewall if a packet is sent with the syn and fin flags
> only --
>
> A packet with SYN flag set only -- accept
> A packet with FIN flag set only -- accept
> A packet with SYN & FIN flag -- reject
>
> Is it possible to choose the error code?

Yes of course. See REJECT target :

root@xxxxxxx:~# iptables -j REJECT --help
iptables v1.2.7a
[...]
REJECT options:
--reject-with type              drop input packet and send back a reply
                                packet according to type:
                                Valid reject types:
    icmp-net-unreachable        ICMP network unreachable
    net-unreach                 alias
    icmp-host-unreachable       ICMP host unreachable
    host-unreach                alias
    icmp-proto-unreachable      ICMP protocol unreachable
    proto-unreach               alias
    icmp-port-unreachable       ICMP port unreachable (default)
    port-unreach                alias
    icmp-net-prohibited         ICMP network prohibited
    net-prohib                  alias
    icmp-host-prohibited        ICMP host prohibited
    host-prohib                 alias
    tcp-reset                   TCP RST packet
    tcp-reset                   alias

Then, you match packets using --tcp-flags and use appropriate reject type
for REJECT target.

--
Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
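The reply above says to combine --tcp-flags with a reject type but does not spell out the rule set. The script below is an added example written for this thread, not code from either poster. It generates the three rules Christopher described (SYN-only accept, FIN-only accept, SYN+FIN reject with a chosen ICMP or TCP RST reply) in iptables-restore format, and only applies them when APPLY=1 is set and it runs as root; otherwise it just prints them. The chain name, the default reject type (icmp-port-unreachable, the default listed in the help text) and the variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): reject TCP segments that
# carry exactly SYN+FIN, accept SYN-only and FIN-only segments.
# CHAIN and REJECT_TYPE are assumed names for this example.
CHAIN="${CHAIN:-INPUT}"
REJECT_TYPE="${REJECT_TYPE:-icmp-port-unreachable}"

# Only the reject types printed by "iptables -j REJECT --help" are allowed.
valid_reject_type() {
    case "$1" in
        icmp-net-unreachable|net-unreach|\
        icmp-host-unreachable|host-unreach|\
        icmp-proto-unreachable|proto-unreach|\
        icmp-port-unreachable|port-unreach|\
        icmp-net-prohibited|net-prohib|\
        icmp-host-prohibited|host-prohib|\
        tcp-reset) return 0 ;;
        *) return 1 ;;
    esac
}

# The three rules. "--tcp-flags ALL SYN,FIN" examines all six flags and
# matches only when exactly SYN and FIN are set, so the reject rule must
# come before the two accept rules (a SYN+FIN segment would not match
# "ALL SYN" anyway, but ordering keeps the intent obvious).
syn_fin_rules() {
    printf '%s\n' \
        "-A $CHAIN -p tcp --tcp-flags ALL SYN,FIN -j REJECT --reject-with $REJECT_TYPE" \
        "-A $CHAIN -p tcp --tcp-flags ALL SYN -j ACCEPT" \
        "-A $CHAIN -p tcp --tcp-flags ALL FIN -j ACCEPT"
}

# Wrap the rules in a filter-table block that iptables-restore understands.
syn_fin_ruleset() {
    printf '*filter\n'
    syn_fin_rules
    printf 'COMMIT\n'
}

if ! valid_reject_type "$REJECT_TYPE"; then
    echo "unknown reject type: $REJECT_TYPE" >&2
    exit 1
fi

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    # --noflush appends to the existing table instead of replacing it.
    syn_fin_ruleset | iptables-restore --noflush
else
    # Dry run: show what would be loaded.
    syn_fin_ruleset
fi
```

Run it as-is to see the rules; run `APPLY=1 REJECT_TYPE=tcp-reset sh script.sh` as root to load them with a TCP RST reply instead of the ICMP default. Which reply type to choose is a policy question: an ICMP port-unreachable tells the sender the port is closed, a TCP RST mimics a closed port more faithfully to a TCP stack, and a silent DROP gives away nothing at all.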